Adblocking through selfhosted DNS - Page 2
Comments

  • raindog308 Administrator, Veteran

    Shot2 said: As the DNS does not allow authentication per se, the 1st point screams for "ACL" (Access Control List either within the software, or with a firewall... or both).

    ...but would that work if I was on, say, my phone on cellular? It's DHCP and I have no idea what the ranges could be.

    Then again, I don't think there's a way to change DNS on cellular on an iPhone so perhaps this is irrelevant for me.

    dodedodo said: Running your own DNS would take some load off of the bigger DNS's,

    ...for one guy? Even for 100? I'm skeptical they'd notice.

    "Hey DNS ops, just want to give you a heads-up that we're coming into raindog308's morning timezone and he usually surfs for a bit while he's on the john, so watch your monitors..."

  • @raindog308 said:

    Shot2 said: As the DNS does not allow authentication per se, the 1st point screams for "ACL" (Access Control List either within the software, or with a firewall... or both).

    ...but would that work if I was on, say, my phone on cellular? It's DHCP and I have no idea what the ranges could be.

    Then again, I don't think there's a way to change DNS on cellular on an iPhone so perhaps this is irrelevant for me.

    If the client address/range is unpredictable, forget about ACLs. Might still be feasible (but dirty) through clever firewall rules - port knocking, basically...

    dodedodo said: Running your own DNS would take some load off of the bigger DNS's,

    ...for one guy? Even for 100? I'm skeptical they'd notice.

    "Hey DNS ops, just want to give you a heads-up that we're coming into raindog308's morning timezone and he usually surfs for a bit while he's on the john, so watch your monitors..."

    Nowadays large public DNS systems (including the root servers) are designed to withstand (D)DoS in the multi-Gbps range; I doubt they care about a bunch of benevolent guys sparing them some bytes here and there...

  • http://optimal.com/

    https://noad.zone/

    https://alternate-dns.com/

    Isn't one of the above way easier?

    Also, can you run Privoxy on a router?

  • @piohost said:

    @dodedodo said:

    dodedodo said: putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps though.

    Nice, sounds good to me. I'm only playing with this on some small VPS I have at OVH, so I really don't want to get them abused while I'm playing.

    Wouldn't OVH's Anti-DDoS system catch that?

  • GamerTech24 Member
    edited January 2017

    ISPs generally have powerful DNS servers that can handle large amounts of requests, in the tens of billions.

    There's another thread here where someone was talking about Telstra's DNS, and they said they actually noticed a speed improvement when switching to a different DNS server. I've also heard of ISP DNS servers going down completely, so I guess that's not always the case for reliability.

  • @ethancedrik said:

    @piohost said:

    @dodedodo said:

    dodedodo said: putting up a public DNS may open your server up to amplification attacks. You'd be irritating fellow internet citizens.

    piohost said: Maybe you can give some advice on how to stop this :)

    As Jpshua2216 said, you could rate limit your DNS requests. You could also whitelist certain IPs, and maybe even set up a VPN so you can authenticate before using the DNS? I don't know enough about DNS hosting to tell you the exact steps though.

    Nice, sounds good to me. I'm only playing with this on some small VPS I have at OVH, so I really don't want to get them abused while I'm playing.

    Wouldn't OVH's Anti-DDoS system catch that?

    Catch what? If I leave my Pi-hole server open, then of course if it gets used for amplification OVH would block the attack, but they would also cut my service until I sort it.

  • Maybe use a firewall rule to only allow it to send traffic to your IP address?

    I just realized what you said earlier, in that it's your server sending the attack, not someone attacking your server.
