Labels: dns, technitium, ubuntu
Pi-hole is a network-wide ad blocker that you can set up in your own local network or in a public cloud to protect your internet access. If you set up your Pi-hole in a public cloud without proper access control, it can easily be abused by hackers or other malicious parties for DDoS and DNS amplification attacks.
If you have a fixed public IP for your internet access, set up firewall rules that allow access from that fixed public IP only. If you only have a dynamic IP, use a DDNS service and a small bash script to update the firewall rules regularly.
1. Subscribe to a free DDNS service such as No-IP and set up a new hostname. Configure your router, or use the No-IP client, to keep the hostname updated with your current dynamic IP.
2. On your Ubuntu 20.04 instance on Oracle Cloud, edit /etc/iptables/rules.v4 so that DNS and HTTP connections are only allowed from a single IP. Use a placeholder public IP that does not resolve to anything (1.2.3.4 below) so that nobody on the public internet can reach the services until the script below replaces it with your real address.
-A INPUT -p tcp --dport 53 -s 1.2.3.4 -j ACCEPT
-A INPUT -p udp --dport 53 -s 1.2.3.4 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -s 1.2.3.4 -j ACCEPT
3. Restart your Ubuntu instance and make sure the new iptables rules are applied.
4. Test your Pi-hole VPS's public IP on https://openresolver.com to make sure the DNS service is not open to the whole world.
5. Install the additional packages the script needs.
sudo apt-get install dnsutils cron
6. Create a script named /home/ubuntu/iptables_ddns_update.sh. It updates your iptables rules so that only your current dynamic IP can access the DNS and HTTP services.
#!/bin/bash
# your ddns hostname
ddns_host="xxx.ddns.net"
# extract your latest dynamic IPv4 from the ddns hostname (first A record only,
# so an extra AAAA answer does not produce a second line)
ddns_ip=$(host -t A "$ddns_host" | awk '/ has address /{print $4; exit}')
# abort if the lookup failed, so the rules are not replaced with an empty address
if [ -z "$ddns_ip" ]; then
    exit 1
fi
# create the ddns_ip.txt if missing
if [ ! -f /tmp/ddns_ip.txt ]; then
    #echo "File is missing"
    echo "1.2.3.4" > /tmp/ddns_ip.txt
fi
current_ddns_ip=$(cat /tmp/ddns_ip.txt)
#echo "Hostname $ddns_host's IP is $ddns_ip"
#echo "Current DDNS IP is $current_ddns_ip"
# update/replace the iptables rules if the ddns IP has changed since the last update
if [ "$ddns_ip" != "$current_ddns_ip" ]; then
    #echo "Not the same IP"
    # update/replace iptables rules by rule number; 5, 6 and 7 must match the
    # positions of the three allow rules in /etc/iptables/rules.v4
    # (check with: iptables -L INPUT --line-numbers)
    /sbin/iptables -R INPUT 5 -p tcp --dport 53 -s "$ddns_ip" -j ACCEPT
    /sbin/iptables -R INPUT 6 -p udp --dport 53 -s "$ddns_ip" -j ACCEPT
    /sbin/iptables -R INPUT 7 -p tcp -m state --state NEW --dport 80 -s "$ddns_ip" -j ACCEPT
    # update/save the latest ddns ip to ddns_ip.txt
    echo "$ddns_ip" > /tmp/ddns_ip.txt
fi
7. Create a cron job /etc/cron.d/iptables_ddns_update to check for dynamic IP changes on a schedule. The cron job below runs at startup and every 10 minutes; change the timing to your preference.
# create /etc/cron.d/iptables_ddns_update with the lines below
MAILTO=""
@reboot root /home/ubuntu/iptables_ddns_update.sh > /dev/null 2>&1
*/10 * * * * root /home/ubuntu/iptables_ddns_update.sh > /dev/null 2>&1
8. Restart your VPS and make sure you can access the Pi-hole web admin interface.
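As an added example that is not part of the original post, here is a more defensive version of the update logic from steps 6 and 7. It parses only the first A record out of the `host` output, validates it as an IPv4 address, and refuses to touch the firewall when the lookup fails, so a DNS hiccup on the DDNS side never leaves the rules pointing at an empty or malformed address. The function names, the state-file argument, the IPTABLES_CMD override (so the logic can be exercised without root) and the sample `host` outputs are assumptions constructed for this example; the rule positions 5, 6 and 7 are the ones from the post's script.

```shell
#!/bin/bash
# Added example, not the original post's script: defensive DDNS-to-iptables update.
# Function names, the state-file argument, IPTABLES_CMD and the sample outputs
# below are assumptions made for this example.

# Print the first IPv4 "has address" answer from `host` output, validated as a
# dotted quad. Prints nothing and returns 1 when there is no usable A record
# (NXDOMAIN, timeout, AAAA-only answer, or garbage).
extract_ipv4() {
    local ip octet
    ip=$(printf '%s\n' "$1" | awk '/ has address /{print $4; exit}')
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    if printf '%s' "$ip" | grep -Eq "^($octet\.){3}$octet\$"; then
        printf '%s\n' "$ip"
        return 0
    fi
    return 1
}

# Replace the three allow rules only when the address differs from the one
# recorded in the state file. Prints "updated" or "unchanged" and returns 0;
# returns 1 if iptables rejected a rule, leaving the state file untouched so
# the next cron run retries. IPTABLES_CMD defaults to /sbin/iptables.
apply_allow_rules() {
    local new_ip="$1" state_file="$2" old_ip=""
    local ipt="${IPTABLES_CMD:-/sbin/iptables}"
    [ -f "$state_file" ] && old_ip=$(cat "$state_file")
    if [ "$new_ip" = "$old_ip" ]; then
        echo unchanged
        return 0
    fi
    # positions 5/6/7 assume the rules.v4 layout from the post
    "$ipt" -R INPUT 5 -p tcp --dport 53 -s "$new_ip" -j ACCEPT || return 1
    "$ipt" -R INPUT 6 -p udp --dport 53 -s "$new_ip" -j ACCEPT || return 1
    "$ipt" -R INPUT 7 -p tcp -m state --state NEW --dport 80 -s "$new_ip" -j ACCEPT || return 1
    printf '%s\n' "$new_ip" > "$state_file"
    echo updated
}

# Cron entry point: resolve the hostname, validate, apply. Returns 2 on a failed
# lookup so the previously allowed address stays in place instead of being
# replaced by an empty -s argument.
update_from_ddns() {
    local ddns_host="$1" state_file="$2" lookup new_ip
    lookup=$(host -t A "$ddns_host" 2>/dev/null) || lookup=""
    new_ip=$(extract_ipv4 "$lookup") || { echo "lookup failed for $ddns_host" >&2; return 2; }
    apply_allow_rules "$new_ip" "$state_file"
}

# Constructed sample `host` outputs (not real lookups) to exercise the parser.
SAMPLE_OK='xxx.ddns.net has address 203.0.113.10
xxx.ddns.net has IPv6 address 2001:db8::10'
SAMPLE_NXDOMAIN='Host xxx.ddns.net not found: 3(NXDOMAIN)'
SAMPLE_BAD='xxx.ddns.net has address 999.1.1.1'

# Run with --demo to see which samples the parser accepts or rejects.
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_OK" "$SAMPLE_NXDOMAIN" "$SAMPLE_BAD"; do
        extract_ipv4 "$s" || echo "rejected: $s"
    done
fi
```

From the cron job the call would be `update_from_ddns xxx.ddns.net /tmp/ddns_ip.txt` as root. Two caveats worth keeping in mind: the `-R` positions must match what `iptables -L INPUT --line-numbers` shows on the instance, and the ACCEPT rules only restrict anything if the INPUT chain's policy is DROP or a later rule rejects the remaining traffic.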