Pi-Hole on-the-go

My Pi-Hole which is running on a VM has now about 1 million entries in its blocklist. I have all entries whitelisted i need to and now I want to use the pi-hole not only at home but also from my mobile phone. At first i forwarded port 53 (tcp and udp) from my fritzbox cable modem to my turris omnia router to my pi-hole VM.

In the mullvad-VPN app (for android) it is possbible to set a custom DNS server. Here I set my static external IP (on which this webserver is running to) and everything worked out fine. BUT: After a while (2 days or so) I started the discover foreign clients that where using my open port 53 for their DNS. After 3 or 4 days there many hundreds of clients using my pi-hole and slowing my network down. After some reading i was convinced i have done something stupid. One guy said “never, ever open port 53. you are vulnerable to DNS attacks”. 🙁

But i wanted to use my pi-hole so badly otg 🙂

Using a vpn to call home and use the pi-hole from there was no option because i didnt want to surf with my homes ip-address and wanted to use mullvad instead.

The solution was to limit the traffic to the pi-hole via firewall. tcpdump helped me with identifying the packets

sudo tcpdump -i ens192 -q udp port 53

Because even with the tcp and udp ports forwarded the source ip-adresses get forwarded to the pi-hole ! so it was just a job to block unwanted ip-adresses from my pi-hole. And as mullvad uses a certain set of ip-adresses for their vpn-service (at least in germany) i could pin down the ip-adresses i wanted to allow to connect to the pi-hole.

disable ipv6

sudo nano /etc/default/ufw

Edit the section in file, change variable IPV6 to no.

then back to the shell:

sudo ufw allow 22/tcp 
sudo ufw allow from 10.42.23.1 to any port 53
sudo ufw allow from 185.0.0.0/8 to any port 53
sudo ufw allow from 193.0.0.0/8 to any port 53
sudo ufw allow from 194.0.0.0/8 to any port 53
sudo ufw allow http

The ufw settings look now like this:

make sure the entries are in the correct order because latter entries override former entries 😉

Now my tcpdump looks something like this:

nice and clean 😉

PS: dns3.digitalcourage.de is the DNS Server the Pi-Hole is using if its not using the locally installed unbound.

July 22, 2021 by Raspberry Pi Security 0

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Categories