pi-hole question on security

raindog308 Administrator, Veteran
edited June 2017 in General

So I spun up a VPS and dropped pi-hole on it, and have now entered an advertising bliss-filled existence, etc. I'd rather have it on something reliable like a VPS at a reputable provider rather than an actual pi or a PC in my house, because if it breaks I can say "honey, it's @jarland 's fault you can't watch the Black List, not mine".

nmap looking from the outside, I've got http running on port 80...easy to protect with basic auth and pi-hole has its own auth.

But does pi-hole expose me to DNS reflection attacks, etc.?

I'm not sure I can practically firewall this because my home ISP provides a dynamic IP that sometimes changes. I could look at whatever the firmware has for VPN support (and add a VPN to this VPS) but frankly (a) that's a hassle, (b) I'm lazy, (c) I don't want all my traffic going through that VPS because I'd have to buy extra bandwidth, etc. Just DNS.

I do use afraid.org's dynamic DNS...worst case I guess I could have a script that resolves my home IP every hour and modifies an iptables ruleset...just wondering if there's a simpler way, or if this vulnerability is all in my head.

I thank you in advance.

Thanked by 2HyperSpeed netomx

Comments

  • r0xz Member

    @raindog308 said:
    But does pi-hole expose me to DNS reflection attacks, etc.?

    Yes, and if you run it on a small VPS it will get terminated because of resource abuse.

  • I use dynamic DNS too, I only allow DNS requests from the 2 /24 IP from my ISP.

    My pi-hole setup:
    1 DNS on OVH VPS
    1 DNS on Home (orange pi)

    For port 80, you can completely disable that or bind to 127.0.0.1 or 10.8.0.0/24 if you prefer to access from openvpn.

  • bsdguy Member

    A closer look into the github repo should answer most of the questions (except the dyn IP stuff).

  • I'm Dan, one of the Pi-hole developers. I would suggest running the VPN option, it's not that much to set up, and we have a Wiki on it at https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Installation

    If you don't want all the traffic flowing over the VPN, you can use the added guide https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Only-route-DNS-via-VPN to just route the DNS over VPN.

    But yes, you will be running an open resolver, and there are a number of guides out there that can help limit the exposure, mostly ratelimiting your hits on the DNS server and watching UDP traffic.

  • NanoG6 Member

    yeah I use this iptables command to limit it.. don't ask me, I just found it on the internet but it works!

    iptables -A INPUT -p udp --dport 53 -m recent --set --name dnslimit
    iptables -A INPUT -p udp --dport 53 -m recent --update --seconds 5 --hitcount 20 --name dnslimit -j DROP
    
    Thanked by 1arda
  • raindog308 Administrator, Veteran

    SonOfAMotherlessGoat said: I'm Dan, one of the Pi-hole developers.

    Wow, I didn't know we had a pi-hole dev here. And one with one of the most awesome nicks I've ever seen.

    Thanks for the reply...and of course, thanks for your great work on pi-hole. It's marvelous.

  • @SonOfAMotherlessGoat pi-hole is wonderful.

  • Is there a way to limit queries only to my IP(s)? I don't want to allow other clients except my computers.

  • @drdrake said:
    Is there a way to limit queries only to my IP(s)? I don't want to allow other clients except my computers.

    I am using iptables rules in rc.local.

  • @Janevski said:

    @drdrake said:
    Is there a way to limit queries only to my IP(s)? I don't want to allow other clients except my computers.

    I am using iptables rules in rc.local.

    Can you give me more information?

  • raindog308 Administrator, Veteran

    drdrake said: Can you give me more information?

    It's rather simple - simply block port 53 for anything except IPs you want to be able to do DNS lookups.

    The tricky part, of course, is when you're using a host with a dynamic IP, as you probably are at home...

  • xt_recent's default is 100 IP addresses, the above iptables rate limiting is rather useless since the VPS will get hammered with mostly spoofed src ip.

    This helps:
    /sbin/modprobe ipt_recent ip_list_tot=5000

  • @raindog308 said:

    drdrake said: Can you give me more information?

    It's rather simple - simply block port 53 for anything except IPs you want to be able to do DNS lookups.

    The tricky part, of course, is when you're using a host with a dynamic IP, as you probably are at home...

    My ip is static so that's not an issue.

  • raindog308 Administrator, Veteran

    What I ended up doing was:

    1. I have my home IP set up with afraid.org's dynamic DNS (free)

    2. On my pi-hole VPS, run something like this every 5 minutes from cron. That catches if the IP at home changes. You should have proper logging and alerting so you know if this script fails, of course - I'm just illustrating the bare bones version.

    These rules accept traffic from your home IP (only!) and drop all other traffic to port 53. Of course, if you have other iptables rules, you'll need to figure if you want to put them in here or handle some other way. Note that the -F flushes rules.

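    #!/bin/bash

    # Resolve the current home IP from the dynamic DNS name (first A record)
    IP=$( host myalias.example.com | awk '/has address/ { print $4; exit }' )
    # Flush all existing rules, then allow DNS only from the home IP
    iptables -F
    iptables -A INPUT -p udp --dport 53 -s "${IP}" -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j DROP
    iptables -A INPUT -p tcp --dport 53 -j DROP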
    

    I thought the -p was optional if you wanted to match all protocols but it seemed to silently ignore the rule without it.
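
A more defensive variant of the cron script above, as an added example that is not part of the original post: it rebuilds a dedicated chain (the hypothetical name DNS_ALLOW) with `iptables-restore --noflush` instead of `iptables -F`, validates the resolved address, and leaves the existing rules alone if the lookup fails. Unlike the post's rules it also accepts TCP port 53 from the home address; `myalias.example.com` and 203.0.113.7 are placeholders.

```shell
#!/bin/bash
# Added example, not from the thread. DDNS_NAME and CHAIN are placeholders.
DDNS_NAME="myalias.example.com"
CHAIN="DNS_ALLOW"

# True only for a dotted-quad IPv4 address: four octets, each 0-255,
# no leading zeros (which some parsers would read as octal).
valid_ipv4() {
    case $1 in
        *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Read `host` output on stdin and print the first A record, if any.
first_a_record() { awk '/has address/ { print $4; exit }'; }

# Print an iptables-restore fragment that rebuilds only our own chain.
# Emits nothing for an invalid address, so a failed lookup can never
# replace a working allowlist.
build_ruleset() {
    valid_ipv4 "$1" || return 1
    printf '%s\n' "*filter" ":$CHAIN - [0:0]" \
        "-A $CHAIN -s $1/32 -j ACCEPT" "-A $CHAIN -j DROP" "COMMIT"
}

# Resolve the name, swap the chain in one commit, and make sure both
# UDP and TCP port 53 are routed through it. Needs root.
apply_rules() {
    ip=$(host -t A "$DDNS_NAME" | first_a_record)
    rules=$(build_ruleset "$ip") || {
        echo "lookup of $DDNS_NAME failed; rules left unchanged" >&2
        return 1
    }
    printf '%s\n' "$rules" | iptables-restore --noflush || return 1
    for proto in udp tcp; do
        iptables -C INPUT -p "$proto" --dport 53 -j "$CHAIN" 2>/dev/null ||
            iptables -I INPUT -p "$proto" --dport 53 -j "$CHAIN"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    build_ruleset 203.0.113.7   # dry run with a constructed sample address
fi
```

Run it from cron as root with `--apply`; without arguments it only prints the ruleset it would load.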

  • raindog308 Administrator, Veteran

    @pechspilz said:
    xt_recent's default is 100 IP addresses, the above iptables rate limiting is rather useless since the VPS will get hammered with mostly spoofed src ip.

    This helps:
    /sbin/modprobe ipt_recent ip_list_tot=5000

    There's also xt_recent ip_pkt_list_tot ...I started down that path but ended up just implementing a port-level block.
