Securing pihole in the cloud

I am running pihole on a server in the cloud, and I want to make sure I am securing the server so I am not a part of DNS amplification attacks.

My configuration:

I have a server that has both pihole and Wireguard (a VPN server) running. Pihole is configured with a blocklist and then sends requests to cloudflare DNS. Pihole does not have DHCP activated.

At home, my router points to pihole’s external IP address for DNS.

When I’m not home, I connect to Wireguard VPN (port 51820) and wireguard is configured to use pihole for DNS.

Security

I knew when I started this configuration that putting a DNS server in the cloud, it needs to be secured. Otherwise, I would be part of DNS amplification attacks. I waited a few days to see what that would look like.

Starting a few days ago, I noticed tons of traffic from external clients. To stop this, I set port 53 to only allow connections from my home IP address.

This has worked for me at home, but of course I am no longer able to connect outside of my home.

My primary use case is connecting my phone when I’m on a cellular network. Is this possible at all, to, for example, whitelist a range of IPs in my region?

Outside of that, are there any suggestions on how I could work around this problem?

Or, in general any security advice or best practices for securing pihole in the cloud?

Thank you!

1 Like

Could you set up your home network to seamlessly use a VPN to connect to Pi-hole? That way, you could completely disable public access to your DNS server and only allow it through VPN.

I’m not sure what you mean by that.

On my home network currently all devices are working fine connecting to pihole (phones, computers, smart TV). This is without a VPN, I just whitelisted the IP.

The main issue is how can I connect my phone (where the IP will be changing) to pihole without leaving pihole open to DNS attacks.

Don’t - you want to keep Pi-hole as close to you as possible.

Your current setup quite possibly means that all your network’s DNS requests travel through the internet unencrypted - easy prey for any eaves-dropper happening to listen in on it, allowing them to produce a complete profile of all websites you connect to. Theoretically, it is also possible to intercept that traffic and produce false IP adddress answers for your queried hostnames.

Keeping Pi-hole inside your local home network means you’ll benefit from faster DNS resolution (to a larger part thanks to Pi-hole caching sucessfully resolved domains), as well as more reliable and more secure connections to Pi-hole.

I’d recommend following Scott_S advice:
Install a Virtual Private Network in your home network.
This will extend your local network (by means of encrypted communication through a só-called VPN tunnel) to authenticated access from the internet, alllowing you to connect outside clients (e.g. your phone) to your local network.
Refer to Pi-hole’s documentation for a start: https://docs.pi-hole.net/guides/vpn/overview/
Feel free to come back with new questions should you encounter difficulties.

That’ll probably take some time until you get it up and running, especially if your doing it for the first time, what with finding a VPN software of your choice and such.

In the meantime, get Pi-hole back into your network as soon as possible.

To get some kind of ad protection / DNS-filtering on your mobile devices while being away from home, get some third-party solution like Blokada (also available through F-Droid) for your smartphones.
If that seems sufficient enough for your purposes, you might even forego installation and setup of a VPN.

I am not sure that i have complete knowledge about this topic but this site is helping me for reading some articles about this topic.

Thanks for the reply, I’m still not understanding.

In that scenario you mentioned, what would be the difference in VPN + pihole in the cloud or on my network? If it’s open to the internet (cellular network) then I will need to secure it either way.

I’ll check out the link you included though, the IP Tables section looks helpful. Thank you.

Before answering: Seems I’ve generously overlooked that you are already running a VPN - my bad. Depending on your setup, your connections may or may not be encrypted by VPN encryption, possibly invalidating or attenuating some of my remarks in that regard.

The difference is that rather than extending your local home network to include Pi-hole and your mobile devices, it seems you’ve setup a VPN on a an external cloud server that tries to include your home network and some external devices.

While there might be use cases that favour the latter setup, the former seems to be what you want to achieve, at least from what I understood you’ve described so far. Unless your router supports VPN, it is also less laborious to setup, since you have to install VPN clients only on your mobile devices, not all devices on your entire home network (I am not even sure you could do that for all your devices - consider Chromecast or Alexa: Do they sport a VPN client? I don’t have those, so I can’t know). This also means that less devices are paying the perfomance penalty associated with VPN connections.

Something’s wrong here, that shouldn’t be necessary: Since you connect to it only through VPN, your home network should already be part of that. Port 53 shouldn’t be publicly availabe at all.

I don’t know your exact setup, so I might be wrong, but I suspect it is somehow not quite what you want it to be.

I am not connecting only to pihole through VPN. I am connecting as a DNS server for all devices on my home network. For my cellphone, I am connecting through a VPN connection, but the DNS traffic is still sent over port 53. Unless there is some setting that I’m unaware of, (on iOS) all DNS traffic is sent through port 53 even if I’m connected to a VPN.

The reason I’m connecting to a VPN is so I can set a specific DNS server instead of using the carrier/ISP default DNS server.

iptables -A INPUT -s IP que tu souhaite laisser passer -j ACCEPT
iptables -A INPUT -s IP que tu souhaite laisser passer -j ACCEPT
iptables -A INPUT -s IP local du serveur ( moi :127.0.0.1 ) -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 53 -j DROP ( si ton dns connecté au port 53 )
iptables -A INPUT -p udp -m udp --dport 53 -j DROP

Surtout il faut bien que ton adresse ou tes adresses IP que tu souhaite laisser utiliser ton service soit dans les premières règles et ensuite avoir tes règles de blocage après celle valider car sinon tu bloque tout ^^

Ensuite il faut bien sauvegarder ta configuration car au reboot du serveur tu doit refaire les paramétrages

The problem with this is I don’t know the IP addresses I want to allow (the cellphone carrier changes the IP constantly)

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.