
I have an Ubuntu 20.04 LTS VPS (connected directly to the internet), on which I installed WireGuard and Pi-Hole.

I noticed tons of requests on my ad-blocking DNS server, and I suddenly realized that leaving port 53 open was not a good idea at all.

I'm now wondering how I could block all requests to port 53 unless they come from the WireGuard tunnel (the idea is that I want to be able to access my DNS only if I am also connected to my VPN).

The real question is how to filter the incoming traffic by checking whether the client is connected to WireGuard on the server or is coming from the internet wasteland.

2 Answers


Bind your DNS server to the VPN interface instead of 0.0.0.0.

Gerald Schneider
  • Could you please provide a deeper explanation of how I could do that and what it would mean in concrete connection management by the server? – Emilio Dalla Torre Oct 18 '21 at 11:46
  • You did not say which DNS server software is being used. BIND allows you to specify which IPs are allowed to query. – djdomi Oct 18 '21 at 13:20
  • I used Pi-Hole @djdomi. – Emilio Dalla Torre Oct 18 '21 at 13:58
  • @emilio so you don't know what kind of DNS you use; could it be that you are trying to fix an issue that only relates to your primary privately owned LAN? – djdomi Oct 18 '21 at 15:59
  • How to do the binding depends on how you installed Pi-hole. If you used the Docker installation method you can check the Docker documentation on how to bind to a specific interface; if you used a different method it's different. You need to provide more information about your setup. – Gerald Schneider Oct 18 '21 at 17:12
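A way to verify what the DNS listener is actually bound to after a change like the one suggested above, as an added example that is not part of the answer or of Pi-hole's own tooling. The `ss` output below is constructed to mimic `ss -H -lntu 'sport = :53'` on the VPS; the wg0 address 10.8.0.1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the answer above): audit which local addresses the
# port-53 sockets are bound to. On the VPS the real input would come from:
#     ss -H -lntu 'sport = :53'
# SAMPLE_SS is constructed to look like that output; 10.8.0.1 is assumed to
# be the server's wg0 address.
SAMPLE_SS='udp   UNCONN 0      0          0.0.0.0:53       0.0.0.0:*
udp   UNCONN 0      0             [::]:53          [::]:*
tcp   LISTEN 0      32          10.8.0.1:53       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:4711     0.0.0.0:*'

# Print "proto local-address:port" for every port-53 socket bound to a
# wildcard address (0.0.0.0 or [::]); such a socket also answers on the
# public NIC. Returns 1 if any exists, 0 if every DNS socket is pinned to a
# specific address. Column 5 of ss output is "Local Address:Port".
wildcard_dns_listeners() {
    printf '%s\n' "$1" | awk '
        $5 == "0.0.0.0:53" || $5 == "[::]:53" { print $1, $5; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Stricter variant: list port-53 sockets bound to anything other than
# loopback or the tunnel address given as $2. Same return convention.
exposed_dns_listeners() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $5 ~ /:53$/ {
            addr = $5; sub(/:53$/, "", addr)
            if (addr != tun && addr != "127.0.0.1" && addr != "[::1]") {
                print $1, addr; found = 1
            }
        }
        END { exit found ? 1 : 0 }'
}

# Stand-alone run against the constructed sample.
if out=$(wildcard_dns_listeners "$SAMPLE_SS"); then
    echo "OK: no wildcard DNS listeners"
else
    echo "WARNING: port 53 is bound to a wildcard address, reachable from the internet:"
    echo "$out"
fi
```

One caveat when reading the result: Pi-hole's resolver is dnsmasq-based, and dnsmasq configured with `interface=wg0` but without `bind-interfaces` still opens wildcard sockets and discards queries arriving on other interfaces, so a wildcard bind in `ss` is a warning sign, not proof of exposure. The definitive check is a query from outside the tunnel, for example `dig @<public IP> example.com +time=3`, which should time out, while the same query from a connected WireGuard client should be answered.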

I finally found out how to prevent outside clients from accessing my DNS server.

Based on some research I did following Gerald Schneider's suggestion, I found out I could limit Pi-Hole to listen only on the WireGuard interface (wg0).

By reconfiguring Pi-Hole with its install script (curl -sSL https://install.pi-hole.net | sudo bash) and enabling only the wg0 interface, I have been able to prevent requests not coming from WireGuard from being resolved.
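Restricting the listener is the right first step; the question as asked ("select incoming traffic by whether it arrived through the tunnel") is answered directly at the firewall, which also keeps working if Pi-hole is later reinstalled with a different listening setting. The following is an added example, not part of the answer above and not Pi-hole's or WireGuard's own code. It assumes the tunnel interface is `wg0`, its subnet is `10.8.0.0/24`, and nftables is the host firewall (the default on Ubuntu 20.04); adjust `WG_IF` and `WG_NET` to match the server's WireGuard configuration.

```shell
#!/bin/sh
# Added example, not from the answer above: allow DNS (port 53) only for
# packets that arrived through the WireGuard tunnel, enforced in nftables
# independently of how Pi-hole is bound.
# Assumptions: tunnel interface wg0, tunnel subnet 10.8.0.0/24, nftables.
WG_IF="${WG_IF:-wg0}"
WG_NET="${WG_NET:-10.8.0.0/24}"

# Emit the ruleset as text so it can be reviewed or diffed before loading.
dns_ruleset() {
    cat <<EOF
table inet dns_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # Loopback: Pi-hole's own lookups and the local stub resolver.
        iif "lo" accept
        # Require BOTH the tunnel interface and the tunnel subnet: a packet
        # with a spoofed 10.8.0.x source arriving on the public NIC is dropped.
        iifname "$WG_IF" ip saddr $WG_NET udp dport 53 accept
        iifname "$WG_IF" ip saddr $WG_NET tcp dport 53 accept
        # Anything else aimed at port 53 is dropped silently.
        udp dport 53 drop
        tcp dport 53 drop
    }
}
EOF
}

# Dotted-quad IPv4 to integer (POSIX awk, no gawk extensions needed).
ip_to_int() {
    printf '%s' "$1" | awk -F. '{ printf "%.0f", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# True if $1 (dotted quad) lies inside $2 (CIDR, IPv4 only).
in_subnet() {
    net="${2%/*}"; bits="${2#*/}"
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Offline model of the ruleset above: what happens to a packet arriving on
# interface $1 from source $2 to destination port $3? Prints accept or drop.
classify_dns_query() {
    iface="$1"; saddr="$2"; dport="$3"
    if [ "$iface" = "lo" ]; then echo accept; return; fi
    if [ "$dport" -ne 53 ]; then echo accept; return; fi   # chain policy
    if [ "$iface" = "$WG_IF" ] && in_subnet "$saddr" "$WG_NET"; then
        echo accept
    else
        echo drop
    fi
}

# Only touch the live firewall when explicitly asked; otherwise print rules.
if [ "${1:-}" = "--apply" ]; then
    dns_ruleset | nft -f -
else
    dns_ruleset
fi
```

The `iifname "wg0"` match is the "did this client come through WireGuard" test the question asks for: a packet is only delivered on wg0 after it has been decrypted and authenticated against a configured peer, and WireGuard's cryptokey routing additionally drops any decrypted packet whose inner source address is outside that peer's `AllowedIPs`, so the source-subnet check cannot be satisfied by an unauthenticated sender. After `--apply`, confirm with `nft list table inet dns_guard`, and, as with any listener change, query the public address from outside the tunnel and expect a timeout. If the host already has an input chain with `policy drop` (for example from ufw), merge these rules into it rather than adding a second chain.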