
Comments
The load of packets dropped by iptables is pretty much negligible unless you're receiving thousands and thousands per second, and the bots will likely take your IP off at some point anyway as you're non-responsive.
That's why I wanted to put it behind Cloudflare at the beginning.
Well, as @six said Cloudflare won't proxy regular DNS protocol. It's pretty much HTTPS only but as he also said, you might be able to get away with DNS over HTTPS (might involve some extra config on the clients though).
How many bad requests per second are you usually getting?
Edit: It might also be worth thinking about whether running a public and open DNS server is really ideal/needed. There are quite a few public ones with pretty much unbeatable connectivity, and as you see it's quite a bit of hassle due to the systematic insecurity of the basic DNS protocol. Wouldn't running unbound + dnsmasq on some VPS that gets exposed over VPN be an option?
Running some filters for some clients (blocking gambling sites for the children, ...). I tried to proxy the domain but DNS over HTTPS isn't working then anymore. Routers are configured to intercept and redirect the DNS requests for each device. Proxying the domain mydnsdomain.tld/dns-query through Cloudflare results in a connection error and DNS can't be resolved anymore.
Right now there are 100 to 500 "bad" requests per second on the average. Peak was in the low four-digit range.
This wouldn't be that bad in terms of iptables dropping it, but it might increase once your service gets older and you'd pretty much have to be permanently updating the blocklists for it to stay effective. If I were you I'd really think about realizing this over a VPN and not the open internet.
Right now the server is easily handling all the requests. If they are rising, I'll take a further look into iptables.
Just don’t.
Running a public DNS is really a pain.
If you are using this for clients in some way, add them to a VPN and only listen to the VPN-address. Problem solved.
Since I’m not 100% sure how exactly you are connecting to the system, a real solution is more or less impossible.
You can try answering only to some dyndns-IPs, but that won’t be good either.
Iptables are nice, but the traffic is still hitting your system, before it gets discarded. So it doesn’t really scale.
Another solution:
Setup a cluster. Each location has its own instance and you sync the settings.
There are solutions for Pi-hole and AdGuard out there. The local systems can be really small. Even a Raspi is probably oversized.
Devices are connecting to the router or mesh network - the router intercepts and redirects DNS requests to one of 2 publicly hosted DNS servers - the public DNS servers only respond to DNS over TLS and DNS over HTTPS, but since I'm not able to proxy the domains through Cloudflare. This is by now the easiest way for me to manage the networks and DNS requests.
More devices, like a Raspi, would still need more investment which nobody wants to pay for.
Is there any way to proxy the dns requests through cloudflare?
Maybe there is a solution to automatically update iptables with CIDR IP lists from continents?
After i blocked port 53 for external access, requests have dropped dramatically.
What routers are you using?
When they are able to intercept DNS requests, I suppose they can set up a VPN.
The easiest way would be to set up a VPN between the router and your public VPS systems.
Then you can only open dns to the VPN interfaces - no public access, no headache, no firewall.
That’s what I’m doing. All my (multiple) locations have a local DNS server and as backup the DNS servers from the other locations. (You can push more than 2 DNS servers via DHCP.)
All DNS-servers sync to a master on my network.
If you are behind only one or two routers you can probably write a single script that updates your iptables to your public Internet address.
A cloudflare tunnel or WARP tunnel needs software on client and server side. So probably it won’t work out the way you need it.
DOH should work over CF, and you don’t need port 53.
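To illustrate the "only open DNS to the VPN interfaces" and "script your iptables" advice in this thread, here is an added example (not posted by anyone in the thread): a small POSIX shell script that accepts DNS only on a VPN interface, allows DoT/DoH from an allow-list of client CIDRs held in an ipset, and drops everything else aimed at the resolver. The interface name `wg0`, the set name `dns_clients` and the CIDRs are constructed placeholders; `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict a resolver so that plain DNS
# (53) is only reachable over the VPN, and DoT (853) / DoH (443) only from the
# VPN or from allow-listed client ranges. Names below are constructed placeholders.
set -eu

VPN_IF="${VPN_IF:-wg0}"              # assumed WireGuard interface towards the routers
ALLOW_SET="${ALLOW_SET:-dns_clients}" # ipset holding allow-listed client CIDRs
DRY_RUN="${DRY_RUN:-0}"              # DRY_RUN=1 prints commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject anything that is not a.b.c.d/N with 0 <= N <= 32, so a typo in the
# list cannot silently widen the allow-list.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix="${1##*/}"
    addr="${1%/*}"
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Rebuild the allow-list ipset from the CIDRs given as arguments.
load_allow_set() {
    run ipset create "$ALLOW_SET" hash:net -exist
    run ipset flush "$ALLOW_SET"
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "skipping invalid CIDR: $cidr" >&2; continue; }
        run ipset add "$ALLOW_SET" "$cidr" -exist
    done
}

apply_dns_rules() {
    # Plain DNS, DoT and DoH are accepted from the VPN interface only.
    run iptables -A INPUT -i "$VPN_IF" -p udp --dport 53 -j ACCEPT
    run iptables -A INPUT -i "$VPN_IF" -p tcp -m multiport --dports 53,853,443 -j ACCEPT
    # Allow-listed router addresses may still use DoT/DoH from the public side.
    run iptables -A INPUT -p tcp -m multiport --dports 853,443 \
        -m set --match-set "$ALLOW_SET" src -j ACCEPT
    # Everything else aimed at the resolver is dropped, including public port 53.
    run iptables -A INPUT -p udp --dport 53 -j DROP
    run iptables -A INPUT -p tcp -m multiport --dports 53,853,443 -j DROP
}

# Usage (as root): load_allow_set 203.0.113.0/24 198.51.100.7/32 && apply_dns_rules
```

Run it once with `DRY_RUN=1` to review the generated rules before applying them, and re-run `load_allow_set` from cron if the routers sit behind changing dyndns addresses.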
I'm using Asus routers and they are flashed with Asuswrt-Merlin.
I'm not sure how to redirect the DNS traffic through a proxy to a DNS server, please give me a hint or an idea what I should look for.