Thousands of DNS requests for domain

Has anyone else seen activity like this? I've been receiving thousands of DNS requests for the . domain, all originating from China. Any ideas on how to block/prevent this behavior? I'm mostly worried about 50k requests blowing up my memory at this point.

Do you have any IOT devices on your network? Perhaps ones that have been sourced from cheap chinese sites?

Forgot to mention that I'm running pihole on a DigitalOcean droplet so it is externally accessible.

Block port 53 and use a VPN if running on a droplet. Open resolvers are bad.

Ah, yeah as @DL6ER mentioned, do that! Are they all coming from the same client?

See our nice wiki article on how to easily set up a VPN. I wrote the tutorial while working on an Ubuntu droplet.

They're coming in from one or two ip addresses, and using iptables -A INPUT -s <offending ip> -j DROP doesn't seem to be blocking the requests. I'm also unable to blacklist the . domain through pihole.

Wouldn't using OpenVPN on the droplet route all of my traffic through the droplet? I'm already hovering around 50% memory usage, and don't want to nuke my server. Also wouldn't the client only use the DNS when OpenVPN is active, and unfiltered when inactive?

Would using non-standard ports work? So on my clients I could add :3018 or whatever port?

Assuming you're using the base level package for your VPS, you should be fine when installing and using openVPN. It doesn't have a major memory impact.

Running OpenVPN itself might not, but wouldn't routing all my network traffic drive it up?

In standard configuration*: Yes.

[*]: Standard configuration is that the server tells the clients to route all traffic through him


I'm not eager to setup OpenVPN, as it would require per-device configuration rather than per-network config.

Is there a way to whitelist clients DNS queries while rejecting all other traffic?

Sure, you can explicitly ALLOW certain clients to be able to reach port 53 while DROPing all other requests using iptables.

How difficult would it be to implement a client white/blacklist that's accessible via the web ui? I'm very interested in the ability to blacklist malicious clients without having to maintain a whitelist of all of my device ip addresses.

Are you referring to OpenVPN? There won't be any OpenVPN specific settings on the Pi-hole web page. That would go certainly beyond the scope of the web interface of being something nice an comprehensive for Pi-hole matters.

See e.g. this: GitHub - Chocobozzz/OpenVPN-Admin: Install and administrate OpenVPN with a web interface (logs visualisations, users managing...)

Installing OpenVPN admin can cause problems with pihole? There will be conflict for port 80, right?

They say:

Web server (NGinx, Apache...)

so you may just clone this repo into a different folder in /var/www/html/ and use your existing lighttpd server for this. If that does not easily enough, you can of course also follow their instructions and change the port of the apache2 websever to something like 8080 afterwards. Or you could maybe configure it to use SSL only (port 443) and access it there. But I'm not an expert when it comes to apache2 configurations...

So, using port other than 80 just works fine...

No, not OpenVPN. I was referring to how pihole uses iptables to open a hole for DNS and web server on ports 53 and 80. I am attempting to ALLOW requests on port 53 from my ip address, while DENYing any other requests for port 53.

Since pihole prepends three rules to iptables (ALLOW all to port 53 udp/tcp and port 80 tcp, even before ufw rules), these rules supersede any custom firewall rules regarding these ports. Due to another unrelated issue, I have to run the basic\ command with the --unattended flag on ever boot. This command however readds the iptables rules if I have previously deleted them. I'm interested in seeing a way to opt-out of prepending the iptables rules, or a way to manage them (possibly including whitelisting ip's) via the web ui.

It would be better to resolve the need to run the installer on every boot. We can look at the firewall issue which should only fire if the ports are blocked, and if that logic needs to be adjusted, then we'll look at that. But first would be addressing the problem of adding the rulesets back in on every boot with the installer.

Also having similar issues, I noticed the other day 250,000 requests from a single IP and an identical amount for a single domain. There were also a few in the 10000-20000 request range from other IPs.

I'm running it on ubuntu in the cloud, so it was easy to block all the IPs making the requests ("ufw deny from" if anyone is wondering), and that worked for all but one - an ip in korea that for some reason ufw is refusing to block, or it's somehow getting through the block, anyone have any ideas for that? These are all going to a . domain too.

Edit: also not wanting to install a VPN as I use it on my entire networks both at home and at work and straight up refuse to entertain the idea of setting that up for 40+ devices (no router support), plus a few friends use it on their smart tvs and stuff so would like to still have the option open for them.