So, a few days ago I was hanging out with my family and friends in the room, and as the conversation was flowing we ended up talking about the internet, spyware and adverts in general, which led me to tell them about Pi-hole and my Pi-hole configuration. After that they wanted to use it too, but since they're old people, and my other friends are not that tech savvy, they won't be able to host it themselves, nor do they have a device to host it on. And I conveniently have a dedicated IPv4 address and an IPv6 one.
Now, I know the dangers of opening port 53 to the public: someone could execute a DNS amplification attack, so I was thinking of something else. I was thinking of mitigating it by making the instance parapublic, i.e. opening port 53 but somehow configuring it so that it only replies to requests from whitelisted IP addresses or MAC addresses, if possible, so that I don't have to mess with DDNS.
Is there any firewall I could utilize to do this or some other methods?
I was thinking of maybe using iptables to limit the IP addresses that can connect to port 53 on my network, and also implementing rate limiting so that if requests are too fast or too big they get discarded.
Another idea of mine is to run it on some port other than 53, so that fewer internet scanners will find it, but I am not sure whether all operating systems support adding a port at the end of the DNS server's IP in their respective network configuration panels.
I know some of you will probably propose using a VPN for this, and while that would solve most of the problems, having them connect to the VPN and operate it would be a bit hard, and it's not as convenient as simply having DNS configured and never having to touch it again. With a VPN they would always have to connect to it, and they all have different device types, from iPhones to Androids to Macs and Windows computers.
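As an added example (not part of the original post, and not Pi-hole's own configuration), here is the allow-list plus rate-limit idea from the post expressed as an nftables ruleset, which is the current replacement for iptables on most distributions. The script emits a ruleset that answers DNS only for the listed client addresses, caps each allowed client at a per-source packet rate, drops oversized UDP packets, and silently drops everyone else so there is nothing to reflect. It keys on source IP rather than MAC address, because the client's MAC never crosses the internet to your host. The addresses used are documentation ranges constructed as sample input; the table, set and meter names, the 50 packets/second limit and the 512-byte threshold are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from Pi-hole: print an nftables
# ruleset that answers port 53 only for allow-listed clients, rate-limits each
# of them, and drops all other DNS traffic without replying.
#
# Usage:  gen_dns_rules <v4 addr/prefix ...> -- <v6 addr/prefix ...> | sudo nft -f -
# Sample addresses below are RFC 5737 / RFC 3849 documentation ranges
# (constructed input). Limit and size threshold are assumptions; tune them.

gen_dns_rules() {
    v4_elems=""
    v6_elems=""
    family=4
    for addr in "$@"; do
        if [ "$addr" = "--" ]; then
            family=6
        elif [ "$family" -eq 4 ]; then
            v4_elems="${v4_elems}${v4_elems:+, }${addr}"
        else
            v6_elems="${v6_elems}${v6_elems:+, }${addr}"
        fi
    done

    # nft rejects "elements = { }", so the line is only printed when non-empty.
    v4_line=""
    v6_line=""
    if [ -n "$v4_elems" ]; then v4_line="        elements = { ${v4_elems} }"; fi
    if [ -n "$v6_elems" ]; then v6_line="        elements = { ${v6_elems} }"; fi

    cat <<EOF
# Declare-then-delete makes this file safe to reload: the first line creates
# the table if it is absent so the delete never fails, then it is rebuilt.
table inet dns_guard
delete table inet dns_guard
table inet dns_guard {
    set dns_clients_v4 {
        type ipv4_addr
        flags interval
${v4_line}
    }
    set dns_clients_v6 {
        type ipv6_addr
        flags interval
${v6_line}
    }
    chain input {
        # policy accept: this table only decides the fate of port-53 traffic;
        # everything else is left to whatever firewall is already in place.
        type filter hook input priority filter; policy accept;

        # Queries are small. Anything over 512 bytes arriving at a resolver is
        # not a query worth answering (assumed threshold).
        udp dport 53 meta length > 512 drop

        # Allow-listed clients, but at most 50 DNS packets/s per source
        # address (assumed limit; a household never legitimately needs more).
        udp dport 53 ip saddr @dns_clients_v4 meter dns_v4_meter { ip saddr limit rate over 50/second burst 20 packets } drop
        udp dport 53 ip6 saddr @dns_clients_v6 meter dns_v6_meter { ip6 saddr limit rate over 50/second burst 20 packets } drop
        udp dport 53 ip saddr @dns_clients_v4 accept
        tcp dport 53 ip saddr @dns_clients_v4 accept
        udp dport 53 ip6 saddr @dns_clients_v6 accept
        tcp dport 53 ip6 saddr @dns_clients_v6 accept

        # Everyone else: no answer at all, so there is nothing to reflect and
        # scanners see a port that looks closed.
        udp dport 53 drop
        tcp dport 53 drop
    }
}
EOF
}

# Stand-alone run: print a ruleset for two IPv4 entries and one IPv6 prefix.
gen_dns_rules 203.0.113.10 198.51.100.0/24 -- 2001:db8::/48
```

Two practical caveats: the allow-list only works if each household has a stable public address from its ISP, which is exactly the DDNS problem the post wants to avoid, so check that before rolling it out; and Pi-hole itself must be set to accept queries from non-local origins in its DNS interface settings, otherwise the firewall will let the packets through and Pi-hole will still refuse them.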