Pi-Hole on-the-go

My Pi-Hole, which is running on a VM, now has about 1 million entries in its blocklist. I have whitelisted all the entries I need, and now I want to use the Pi-Hole not only at home but also from my mobile phone. At first I forwarded port 53 (TCP and UDP) from my FRITZ!Box cable modem to my Turris Omnia router and on to my Pi-Hole VM.

In the Mullvad VPN app (for Android) it is possible to set a custom DNS server. Here I set my static external IP (the one this webserver is running on, too) and everything worked out fine. BUT: after a while (2 days or so) I started to discover foreign clients that were using my open port 53 for their DNS. After 3 or 4 days there were many hundreds of clients using my Pi-Hole and slowing my network down. After some reading I was convinced I had done something stupid. One guy said “never, ever open port 53. you are vulnerable to DNS attacks”. 🙁

But I wanted to use my Pi-Hole on the go so badly 🙂

Using a VPN to call home and use the Pi-Hole from there was no option, because I didn't want to surf with my home IP address and wanted to use Mullvad instead.

The solution was to limit the traffic to the Pi-Hole via firewall. tcpdump helped me identify the packets:

sudo tcpdump -i ens192 -q udp port 53 

Even with the TCP and UDP ports forwarded, the source IP addresses are passed through to the Pi-Hole, so it was just a job of blocking unwanted IP addresses from reaching my Pi-Hole. And as Mullvad uses a certain set of IP addresses for their VPN service (at least in Germany), I could pin down the IP addresses I wanted to allow to connect to the Pi-Hole.

Disable IPv6:

sudo nano /etc/default/ufw

Edit the section in the file and change the variable IPV6 to no.

Then back to the shell:

sudo ufw allow 22/tcp 
sudo ufw allow from to any port 53
sudo ufw allow from to any port 53
sudo ufw allow from to any port 53
sudo ufw allow from to any port 53
sudo ufw allow http

The ufw settings now look like this:

Make sure the entries are in the correct order, because later entries override earlier ones 😉
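As an added example (not code from the original post), a small POSIX shell script that does the two jobs described above on constructed data: it parses sample `tcpdump -q udp port 53` lines and lists the source addresses that fall outside a CIDR allowlist, and it prints the matching ufw rule set. The capture lines, the allowlist ranges (documentation prefixes, not Mullvad's real addresses) and the closing explicit `deny 53` rule are assumptions.

```shell
#!/bin/sh
# Added example: check DNS clients seen by tcpdump against a CIDR allowlist and emit ufw rules.
# Constructed sample of `tcpdump -i ens192 -q udp port 53` output; addresses are documentation
# ranges, with 203.0.113.0/24 standing in for the VPN provider's egress addresses (assumption).
SAMPLE_CAPTURE='IP 203.0.113.7.40211 > 192.168.178.10.53: UDP, length 40
IP 198.51.100.23.53212 > 192.168.178.10.53: UDP, length 44
IP 203.0.113.9.41876 > 192.168.178.10.53: UDP, length 38
IP 198.51.100.23.53213 > 192.168.178.10.53: UDP, length 52
IP 192.0.2.140.61000 > 192.168.178.10.53: UDP, length 47'

# Allowlist, one CIDR (or bare IP) per line; assumed values, not the provider's real ranges.
ALLOWLIST='203.0.113.0/24
10.0.0.0/8'

# Read capture lines on stdin; print "count ip" for every source not covered by the allowlist,
# busiest first. Prefix comparison uses integer division instead of bitwise ops (POSIX awk).
foreign_clients() {
    awk -v allow="$1" '
    function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_cidr(ip, cidr,  p, shift) {
        split(cidr, p, "/"); if (p[2] == "") p[2] = 32
        shift = 2 ^ (32 - p[2])
        return int(ip2int(ip) / shift) == int(ip2int(p[1]) / shift)
    }
    BEGIN { n = split(allow, cidrs, "\n") }
    $1 == "IP" && $4 ~ /\.53:$/ {
        src = $2; sub(/\.[0-9]+$/, "", src)              # drop the source port
        ok = 0
        for (i = 1; i <= n; i++) if (cidrs[i] != "" && in_cidr(src, cidrs[i])) { ok = 1; break }
        if (!ok) count[src]++
    }
    END { for (s in count) print count[s], s }' | sort -rn
}

# Print (not run) the ufw rule set for the allowlist, in the same order as the post. The final
# explicit deny for port 53 is an addition: it makes the drop visible instead of relying on the
# default incoming policy, and it has to come after the allow rules.
ufw_rules() {
    printf 'sudo ufw allow 22/tcp\n'
    printf '%s\n' "$1" | while IFS= read -r net; do
        [ -n "$net" ] && printf 'sudo ufw allow from %s to any port 53\n' "$net"
    done
    printf 'sudo ufw allow http\n'
    printf 'sudo ufw deny 53\n'
}

printf '%s\n' "$SAMPLE_CAPTURE" | foreign_clients "$ALLOWLIST"
ufw_rules "$ALLOWLIST"
```

Feed a real capture with `sudo tcpdump -i ens192 -q -l udp port 53 | foreign_clients "$ALLOWLIST"` to see who is still reaching the resolver after the rules are in place.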

Now my tcpdump output looks something like this:

nice and clean 😉

PS: dns3.digitalcourage.de is the DNS server the Pi-Hole uses when it is not using the locally installed unbound.