My Pi-hole, which runs on a VM, now has about 1 million entries in its blocklist. I have whitelisted all the entries I need, and now I want to use the Pi-hole not only at home but also from my mobile phone. At first I forwarded port 53 (TCP and UDP) from my Fritzbox cable modem to my Turris Omnia router and on to my Pi-hole VM.
In the Mullvad VPN app (for Android) it is possible to set a custom DNS server. Here I set my static external IP (on which this web server is running too) and everything worked fine. BUT: after a while (2 days or so) I started to discover foreign clients that were using my open port 53 for their DNS. After 3 or 4 days there were many hundreds of clients using my Pi-hole and slowing my network down. After some reading I was convinced I had done something stupid. One guy said: “never, ever open port 53. you are vulnerable to DNS attacks”. 🙁
But I wanted to use my Pi-hole on the go so badly 🙂
Using a VPN to call home and use the Pi-hole from there was no option, because I didn't want to surf with my home IP address; I wanted to use Mullvad instead.
The solution was to limit the traffic to the Pi-hole with a firewall. tcpdump helped me identify the packets:
sudo tcpdump -i ens192 -q udp port 53
Because even with the TCP and UDP ports forwarded, the source IP addresses are passed through to the Pi-hole! So it was just a matter of blocking unwanted IP addresses from reaching my Pi-hole. And as Mullvad uses a certain set of IP addresses for their VPN service (at least in Germany), I could pin down the IP addresses I wanted to allow to connect to the Pi-hole.
Disable IPv6:
sudo nano /etc/default/ufw
Edit the section in the file and change the variable IPV6 to no.
Then back to the shell:
sudo ufw allow 22/tcp
sudo ufw allow from 10.42.23.1 to any port 53
sudo ufw allow from 185.0.0.0/8 to any port 53
sudo ufw allow from 193.0.0.0/8 to any port 53
sudo ufw allow from 194.0.0.0/8 to any port 53
sudo ufw allow http
The ufw settings now look like this:
Make sure the entries are in the correct order, because later entries override earlier ones 😉
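To spot foreign clients the way the tcpdump output above revealed them, here is an added example (not part of the original post) that parses numeric `tcpdump -q udp port 53` lines (assumes tcpdump was run with `-n`) and counts queries from source addresses outside the allow-list that mirrors the ufw rules; the sample capture lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Allow-list mirroring the ufw rules above (the /8 ranges are broad;
# narrowing them to the VPN provider's real prefixes would be tighter).
ALLOWED = [ipaddress.ip_network(n) for n in
           ("10.42.23.1/32", "185.0.0.0/8", "193.0.0.0/8", "194.0.0.0/8")]

# One-line-per-packet form printed by `tcpdump -n -q udp port 53`:
# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>[0-9a-fA-F.:]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[0-9a-fA-F.:]+)\.(?P<dport>\d+): UDP")

def is_allowed(addr: str) -> bool:
    """True if addr falls inside any allow-listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED)

def unexpected_clients(lines):
    """Count DNS queries (destination port 53) per source address
    that is not covered by ALLOWED. Replies (source port 53) are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        src = m.group("src")
        if not is_allowed(src):
            counts[src] += 1
    return counts

# Constructed sample capture (not real traffic); 10.42.23.5 is the Pi-hole.
SAMPLE = """\
10:00:01.000001 IP 185.10.20.30.40001 > 10.42.23.5.53: UDP, length 40
10:00:01.000002 IP 10.42.23.1.40002 > 10.42.23.5.53: UDP, length 38
10:00:01.000003 IP 203.0.113.7.40003 > 10.42.23.5.53: UDP, length 44
10:00:01.000004 IP 203.0.113.7.40004 > 10.42.23.5.53: UDP, length 44
10:00:01.000005 IP 198.51.100.9.40005 > 10.42.23.5.53: UDP, length 41
10:00:01.000006 IP 10.42.23.5.53 > 203.0.113.7.40003: UDP, length 120
""".splitlines()

if __name__ == "__main__":
    for src, n in unexpected_clients(SAMPLE).most_common():
        print(f"{src}\t{n} queries outside the allow-list")
```

Feeding it a live capture (`sudo tcpdump -n -i ens192 -q udp port 53 -l | python3 script.py` with a stdin loop in place of SAMPLE) gives a quick view of who is still reaching port 53 after the rules are in place.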

Now my tcpdump looks something like this:

Nice and clean 😉
PS: dns3.digitalcourage.de is the DNS server the Pi-hole uses when it is not using the locally installed unbound.