Thinking about hosting a "parapublic" instance of Pi-Hole

So, a few days ago I was hanging out with my family and friends in the room, and as the conversation was flowing we ended up talking about the internet, spyware and adverts in general, which led me to telling them about Pi-hole and my Pi-hole configuration. After that they wanted to use it too, but since they're old people, and other friends are not that tech savvy, they won't be able to host it themselves, nor do they have a device to host it on. And I conveniently have a dedicated IPv4 address and an IPv6 one.

Now, I know the dangers of opening port 53 to the public: someone could execute a DNS amplification attack, so I was thinking of something else. I was thinking of mitigating it by having the instance be parapublic, either by opening port 53 but somehow configuring it so that it only replies to requests from whitelisted IP addresses, or MAC addresses if possible, so that I don't have to mess with DDNS.

Is there any firewall I could utilize to do this or some other methods?

I was thinking of maybe using iptables to limit the IP addresses that can connect to port 53 on my network, and also implementing rate limiting so that if requests are too fast or too big they get discarded.

Also, another idea of mine is to run it on some other port rather than port 53, so that fewer internet scanners will find it, but I am not sure if all operating systems will support adding a port at the end of the DNS IP in their respective network configuration panels.

I know some of you will probably propose using a VPN to do this, and while this would solve most of the problems, having them connect to the VPN and operate that would be a bit hard, and it's not as convenient as simply having DNS configured and never having to touch it again. With a VPN they would always have to connect to it, and they all have different device types, from iPhones to Androids to Macs and Windows computers.
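The iptables allowlist plus rate limit mentioned above, as an added example that is not from this thread or the Pi-hole project: inbound DNS on port 53 is diverted to a dedicated chain, each source address is rate-limited with the `hashlimit` match, only the listed addresses are accepted, and everything else is dropped. The chain name and the client addresses are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: iptables rules that answer DNS only for
# an allowlist of client addresses and rate-limit every client, so the Pi-hole
# cannot be used as an open reflector. Addresses below are constructed.
set -eu

ALLOWED_V4="203.0.113.10 198.51.100.0/24"   # constructed family/friend addresses
CHAIN="PIHOLE_DNS"                          # constructed chain name

# dns_rules MODE: MODE is "print" (echo the commands for review) or
# "apply" (execute them; needs root and the iptables binary).
dns_rules() {
  mode="$1"
  run() { if [ "$mode" = print ]; then printf '%s\n' "$*"; else "$@"; fi; }
  run iptables -N "$CHAIN"
  # Route every inbound DNS packet (UDP and TCP) through the dedicated chain.
  run iptables -A INPUT -p udp --dport 53 -j "$CHAIN"
  run iptables -A INPUT -p tcp --dport 53 -j "$CHAIN"
  # Per-source rate limit: a source sending more than 50 queries/s (after a
  # burst of 100) is dropped, which bounds what a spoofed allowlisted address
  # could make the resolver emit.
  run iptables -A "$CHAIN" -m hashlimit --hashlimit-name pihole_dns \
      --hashlimit-mode srcip --hashlimit-above 50/second \
      --hashlimit-burst 100 -j DROP
  for src in $ALLOWED_V4; do
    run iptables -A "$CHAIN" -s "$src" -j ACCEPT
  done
  # Anyone not on the allowlist gets no answer at all.
  run iptables -A "$CHAIN" -j DROP
}

# Sanity check: number of ACCEPT rules the allowlist produces.
accept_count() { dns_rules print | grep -c -- '-j ACCEPT'; }

# Review first, then apply as root:
#   ./dns-allowlist.sh print        sudo ./dns-allowlist.sh apply
case "${1:-}" in
  print|apply) dns_rules "$1" ;;
esac
```

Filtering by source IP still leaves the listed addresses spoofable, which is why the rate limit stays in front of the ACCEPT rules; the MAC-address idea cannot work here, because MAC addresses never leave the client's local link.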

That's not a very promising approach, as port 53 is what any piece of software will use by default, unless you explicitly configure it otherwise.

The recommended way would be to set up a VPN (e.g. WireGuard) and configure your family as clients, allowing only authenticated access via encrypted connections.
Pi-hole's documentation has some recommendations on how to operate WireGuard or the older OpenVPN with Pi-hole.

If that sounds too demanding, you could also consider putting your Pi-hole behind a DNS-over-TLS (DoT) proxy (which would listen on port 853, also standardised, decrypt DoT requests and forward them to Pi-hole on port 53). Utilising DoT would mitigate the risk of DNS amplification attacks.

Not all client devices may allow you to configure DoT instead of a plain DNS server. Current smartphone OSs should do so, though they may put different labels on it (e.g. Private or Secure DNS), but older machines, routers and IoT devices may not support it.

The most important is Windows, Android and Linux support. As far as I am aware, Linux and Android both support it, but I really don't know about Windows; I haven't used it in 10 years.

Do they want it, or do you want them to have it?

Once you set them up with a Pi-hole (whether you host it or you install one at their house), you are the tech support.

This site doesn't work, this app won't launch, I can't play the games with the little freebies, etc.

As an option, you could just help them configure their network DNS server to a filtered service and install uBlock Origin on their browsers. That gets you out of the loop for support.

Nothing gets you out of support, once family knows you are in the 'business'. :-/

