Why can't I query Pi-Hole using dig?

I am running Pi-Hole in a Docker container on a cloud instance. It is working correctly, but I cannot use it to query using dig.

$ dig A somedomain.com @31.23.23.23

...where 31.23.23.23 represents the IP address of the cloud instance. This address is the primary DNS server for my clients, but when I use the dig command without specifying the DNS server, it uses the second DNS server, which is 1.1.1.1.

I'm just curious to know why I cannot do this. I have noticed that I cannot use dig in this way with some public DNS servers either, although they work fine as upstream DNS servers from Pi-Hole.

If you were able to dig your Pi-hole via its public IP address, you would be running an open resolver, which poses a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole's usage as an open resolver, and we won't provide support in that case.

A sensible use case of setting up Pi-hole in the cloud is to be accessible for VPN clients via secure VPN connections. There's a wealth of choices available when picking a VPN for yourself, including Pi-hole's guide on Pi-hole and OpenVPN.

Thanks, but this does not explain why dig does not work as I would have expected.

This cloud instance is on gcloud and the firewall is only open to specific IP addresses (some of them dynamic) using a script which runs every 5 minutes. There are no ports that are open to anyone else but my home, my mum's house, my phone, etc.

I do intend to use a VPN though.

Well, I wouldn't expect that to work at all, and I would be very alarmed if it did.

Filtering IP addresses only provides a very basic intrusion protection by itself, as those may be spoofed or otherwise appropriated, especially if you use and allow dynamic IPs. They should only be considered as an additional layer of protection, not as a sole measure.

VPNs offer proper means of actually authenticating a client before granting access.

As I mentioned, I do intend to use a VPN, but my router's OpenVPN implementation does not work with UDP packets for some reason. I will use IPsec, but I have not set it up yet.

Forgetting where this Pi-Hole container is running, what I am asking about is why dig does not work with Pi-Hole. With the answer to this question, I will possibly be closer to knowing why it doesn't work with some public DNS servers either.

Why would you be alarmed if dig could query Pi-Hole in this way? Does Pi-Hole work in some fundamentally different way to other DNS servers?

You should not have a second DNS server.

dig does work flawlessly with Pi-hole when used within the safe boundaries of your home network.
Pi-hole is meant to be run as a filtering DNS forwarder within a local private network, using some sort of public DNS as its upstream.

If it worked over a public network, you would be running an open resolver.

I am not able to reproduce your setup, but dig works properly with Pi-hole. In your case, it is likely that your remote Pi-hole is not receiving the request.

There is a possibility that the public servers are not responding at that time, for whatever reason. I have not found this to be a common occurrence.

nslookup pi-hole.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: pi-hole.net
Address: 192.124.249.118

nslookup pi-hole.net 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: pi-hole.net
Address: 192.124.249.118
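The reply above says the remote Pi-hole is most likely not receiving the request at all. The way to tell the three cases apart (the firewall silently drops the packet, the server answers REFUSED, or the server recurses for an outside client and is therefore an open resolver) is to look at the DNS response header rather than just at whether dig prints an answer. The script below is an added example and is not code from this thread or from the Pi-hole project: it builds the same kind of query dig sends (RD set), parses the header flags of the reply (QR, RA, RCODE), and classifies the result. The two sample responses it checks are constructed in-line with the documentation address 192.0.2.1; `query_udp` is the optional live check you would run against your own server.

```python
import socket
import struct
from typing import Optional

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: RD=1 (recursion desired), one question, like dig."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags that matter for diagnosis."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available on this server
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(response: Optional[bytes], txid: int) -> str:
    """Map a raw reply (or no reply) to what it means for the server owner."""
    if response is None:
        return "timeout: packet dropped (firewall) or host unreachable"
    h = parse_header(response)
    if h["id"] != txid or not h["qr"]:
        return "malformed or unrelated reply"
    if h["rcode"] == 5:
        return "REFUSED: server reachable but declines to recurse for this client"
    if h["rcode"] == 0 and h["ra"] and h["ancount"] > 0:
        return "OPEN: server recursed for an outside client (open resolver)"
    return "reply rcode=%s ra=%s" % (RCODE_NAMES.get(h["rcode"], h["rcode"]), h["ra"])


def make_response(query: bytes, rcode: int, ra: bool, answer_ip: Optional[str]) -> bytes:
    """Constructed sample reply to the given query (test data, not a capture)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8100 | (0x0080 if ra else 0) | rcode  # QR=1, RD echoed
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    rr = b""
    if answer_ip:
        # Answer RR: name pointer to offset 12, type A, class IN, TTL 300, 4-byte rdata
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + rr


def query_udp(server: str, name: str, timeout: float = 2.0) -> str:
    """Live check against your own resolver; returns the classification string."""
    txid = 0x1234
    q = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return classify(None, txid)
    return classify(data, txid)


if __name__ == "__main__":
    q = build_query("example.com")
    print(classify(None, 0x1234))
    print(classify(make_response(q, 5, False, None), 0x1234))
    print(classify(make_response(q, 0, True, "192.0.2.1"), 0x1234))
```

Run `query_udp("<your instance IP>", "example.com")` from a host outside the allow-list: a timeout is the expected (good) outcome for the setup described here, REFUSED means the port is reachable and only the ACL is protecting you, and OPEN means the instance is answering the whole Internet.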

Okay, it's good to hear that I can probably query Pi-Hole using dig, once I have the IPsec VPN set up.

I can use @1.1.1.1 or @8.8.8.8 with dig, but not the public DNS servers which I have found to be the fastest for my cloud instance by benchmarking, which are 158.43.192.1 and 158.43.240.4.

I've been wondering why that is. They work fine as the upstream DNS servers in Pi-Hole.
