Hey PromoFaux,
I was wondering if you could help me out.
It seems like my PiHole is being used to assist someone with a DDOS attack.
https://imgur.com/a/zViPS
My statistics don't usually exceed 500 requests total in a day.
I have blocked those two IPs, but this could easily happen again. Do you know of a way to restrict any connections to my PiHole device to only 173...*?
Reply:
Hey, sorry for the late reply, been logged out of this account for a few days!
I'm assuming that your pi-hole is publicly resolvable? If so, and it's so that you can access it from outside your network?
If you want true control over who uses it, you're probably going to be better off setting up a VPN server to connect to when you're out and about.
Response from /u/Just-A-City-Boy:
Hello,
Yes the server that holds pihole is publicly accessible so that I can use it at work/home. It's not hosted at my home, it's a purchased server for multi-use.
It seems whoever is using my server for DDOS purposes is intent on finding a way through, because they keep using IPs from countries I have yet to block and sending 1000s of requests through it.
I have another server that is used as an OpenVPN server, how would that assist me in getting control over the pihole box?
My thought process is the pihole DNS is publicly available, if I add OpenVPN to that box then it's just still a public pihole with a private VPN beside it?
@pi-hole/gravity Could you help me out on this one please?
Edit: My reply:
What you have is an Open DNS Resolver, which is generally considered a bad thing.
| If I add OpenVPN to that box then it's just still a public pihole with a private VPN beside it?
The idea here is to close off public access to port 53 (DNS) and hide it _behind_ the VPN, essentially only allowing devices on the local network to access it. I think, I'm a bit out of my depth!
I've copied this thread over to an Issue on our Github repo hopefully one of the other guys has a better idea on how to secure this...
Linux / network security is out of scope of a DNS product IMO. Raspberry Pi and Linux hobbyists probably don't know the risks of exposing their network until they get bit once or someone takes the time to teach them, and I don't often see warnings like this on the Pi pages I've read:
My warning: Anyone can take any service, expose it to the internet and it'll get hacked or abused somehow eventually. Without knowing what is safe and what isn't, never expose your inner network to the public without some type of security, such as IPTables.
Suggestions to Just-A-City-Boy
Edit: one more thought, if you're using a laptop and pointing to your home pi-hole. Consider maybe instead of opening your home up to everyone and worrying about security / dynamic DNS, just run a 2nd instance of pihole on your laptop through a VM or Docker.
Reply from Just-A-City-Boy
Hey,
I saw the reply the issue received and it was definitely helpful.
I was looking at the situation in reverse, locking out IPs I didn't want to connect to me (via countries), when I should've been looking at it as: only allow these IPs and block everything else.
I have since used the provided stackexchange link to permit my static IPs and tested it by using the DNS on a non-whitelisted IP and received timeouts. So everything should be good to go now!... At least I'll know for sure in the morning if my Pi-Hole web panel doesn't list insane statistics!
I realized this is closed but I thought I would add that I believe I found a way to possibly mitigate this in a limited fashion with some other iptables settings. Please keep in mind I'm in no way an expert and just found options online, so helping people protect their IoT from participating in a potential DDoS attack would be a great add as a feature within the pihole. Exploring this may help others' searches that lead them here.
I added this to my iptables after testing how many hits bogged down some of my favorite sites:
sudo iptables -I INPUT -p udp --dport 53 -i eth0 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p udp --dport 53 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j DROP
Thanks for all the great work with Pi-Hole.
References that helped me out:
http://thiemonagel.de/2006/02/preventing-brute-force-attacks-using-iptables-recent-matching/
http://rockdio.org/ayudatech/how-to-stop-small-ddos-attacks-some-basic-security-advice/
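The two fixes discussed in this thread, allowlisting the clients that may reach port 53 (what Just-A-City-Boy ended up doing) and the `-m recent` rate limit from the last comment, are combined below in one POSIX shell script. This is an added example, not code from the thread or from the Pi-hole project. It assumes the public side of the resolver is on `eth0` (override with `DNS_IFACE`), uses client addresses from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 as constructed placeholders, and keeps the 60 second / 30 hit thresholds the commenter posted. By default it only prints the `iptables` commands (a dry run); set `APPLY=1` to execute them.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) iptables rules that close an
# open DNS resolver down to a list of known clients and rate-limit what is
# left, following the approach described in the thread.
#
# Assumptions for this example: the public interface is $DNS_IFACE (eth0 by
# default); client addresses are passed on the command line.

DNS_IFACE="${DNS_IFACE:-eth0}"   # interface the public side of the resolver is on (assumed)

# Print rules that accept DNS (UDP and TCP port 53) only from the given client
# addresses on $DNS_IFACE and drop every other packet arriving on that port.
# Usage: dns_allowlist_rules IP [IP ...]
dns_allowlist_rules() {
    if [ "$#" -eq 0 ]; then
        echo "dns_allowlist_rules: at least one client address is required" >&2
        return 1
    fi
    for ip in "$@"; do
        echo "iptables -A INPUT -i $DNS_IFACE -s $ip -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -i $DNS_IFACE -s $ip -p tcp --dport 53 -j ACCEPT"
    done
    # Anything not matched above is not one of our clients: drop it.
    echo "iptables -A INPUT -i $DNS_IFACE -p udp --dport 53 -j DROP"
    echo "iptables -A INPUT -i $DNS_IFACE -p tcp --dport 53 -j DROP"
}

# Print the rate-limit pair from the thread, parameterised: a source that sends
# more than HITS new UDP/53 packets within SECONDS gets dropped. Both rules are
# inserted (-I) at the top of INPUT, so the second command, the DROP rule,
# ends up above the --set rule; that ordering is what makes the pair work.
# Usage: dns_ratelimit_rules SECONDS HITS
dns_ratelimit_rules() {
    seconds="$1"
    hits="$2"
    echo "iptables -I INPUT -p udp --dport 53 -i $DNS_IFACE -m state --state NEW -m recent --name dns --set"
    echo "iptables -I INPUT -p udp --dport 53 -i $DNS_IFACE -m state --state NEW -m recent --name dns --update --seconds $seconds --hitcount $hits -j DROP"
}

# Emit every rule; execute them only when APPLY=1, otherwise print them.
main() {
    rules="$(dns_allowlist_rules "$@"; dns_ratelimit_rules 60 30)" || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | while IFS= read -r line; do
            eval "$line" || { echo "failed: $line" >&2; exit 1; }
        done
    else
        printf '%s\n' "$rules"
    fi
}

# Dry run:  sh dns-rules.sh 198.51.100.10 203.0.113.7
# Apply:    APPLY=1 sudo -E sh dns-rules.sh 198.51.100.10 203.0.113.7
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Review the dry-run output before applying it, and do as the poster did: query the resolver from an address that is not on the list and confirm it times out. The rules are not persistent across a reboot on their own (use your distribution's iptables save/restore mechanism for that). Filtering by source address also cannot distinguish a real client from a packet whose source address has been forged to look like one, so for a resolver that must be reachable from the road the VPN arrangement PromoFaux suggested is still the stronger option.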