Score:0

Secure my DNS server by allowing connection only from VPN

I have an Ubuntu 20.04 LTS VPS (connected directly to the internet), on which I installed WireGuard and Pi-Hole.

I noticed tons of requests on my ad-blocking DNS server, and I suddenly realized that leaving my port 53 open was a bad idea.

I'm now wondering how I could block all requests to port 53 unless they come from the WireGuard tunnel (the idea is that I want to be able to access my DNS only if I am also connected to my VPN).

The very question is how to select the incoming traffic by checking whether the client is connected to WireGuard on the server or it's coming from the internet wasteland.

Score:1

Bind your DNS server to the VPN interface instead of 0.0.0.0.

Emilio Dalla Torre
Could you please provide a deeper explanation of how I could do that and what it would mean in concrete connection management by the server?

djdomi
You did not provide which DNS server software has been used. bind allows you to specify which IPs are allowed to query.

Emilio Dalla Torre
I used Pi-Hole @djdomi.

djdomi
@emilio so you don't know what kind of DNS you use, could it be that you try to fix an issue that only relates to your primary privately owned LAN?

How to do the binding depends on how you installed Pi-hole. If you used the Docker installation method you can check the Docker documentation on how to bind on a specific interface, if you used a different method it's different. You need to provide more information about your setup.

Score:-1

I finally found how to prevent outer clients from accessing my DNS server.

Based on some research I did on the suggestion by Gerald Schneider, I found out I could limit Pi-Hole to listen only on the WireGuard interface (wg0).

By reconfiguring Pi-Hole with its install script (curl -sSL https://install.pi-hole.net | sudo bash), and enabling only the wg0 interface, I have been able to prevent requests not coming from WireGuard from being resolved.
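
A way to check the result described in the answers above, added here as an example and not part of the original posts: the function reads `ss -H -tuln` output and flags every port-53 listener that is not on loopback or on an allowed address. The wg0 address 10.8.0.1 and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# Added example: list port-53 listeners and flag any not limited to loopback
# or to an allowed address. Reads `ss -H -tuln` output on stdin; the arguments
# are the addresses allowed to serve DNS (here the wg0 address, an assumption).

audit_dns_listeners() {
    awk -v allowed="$*" '
    BEGIN { bad = 0; n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        port = $5; sub(/.*:/, "", port)            # text after the last colon
        if (port != "53") next                     # ignore non-DNS listeners
        addr = $5; sub(/:[^:]*$/, "", addr)        # drop ":port"
        gsub(/\[|\]/, "", addr)                    # [::] -> ::
        sub(/%.*/, "", addr)                       # 10.8.0.1%wg0 -> 10.8.0.1
        if (addr ~ /^127\./ || addr == "::1" || (addr in ok)) {
            print "OK", $1, addr
        } else {
            print "EXPOSED", $1, addr              # wildcard or public address
            bad = 1
        }
    }
    END { exit bad }'
}

# Constructed sample: DNS listening on every interface (the state in the question).
SAMPLE_BEFORE='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:53 0.0.0.0:*
udp UNCONN 0 0 [::]:53 [::]:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*'

# Constructed sample: DNS bound to the wg0 address only; WireGuard stays public.
SAMPLE_AFTER='udp UNCONN 0 0 10.8.0.1%wg0:53 0.0.0.0:*
tcp LISTEN 0 32 10.8.0.1%wg0:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:51820 0.0.0.0:*'

printf '%s\n' "$SAMPLE_BEFORE" | audit_dns_listeners 10.8.0.1 || echo "-> DNS reachable beyond the VPN"
printf '%s\n' "$SAMPLE_AFTER" | audit_dns_listeners 10.8.0.1 && echo "-> DNS limited to wg0 and loopback"
# On the server itself: ss -H -tuln | audit_dns_listeners 10.8.0.1
```

An EXPOSED wildcard line is not proof that outside queries are answered, because dnsmasq-based resolvers can bind the wildcard address and drop queries by arrival interface; confirm with a query from outside the VPN, or add a firewall rule that accepts port 53 only on wg0.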
