Are you determining these numbers simply by a site search? That's just wrong. In the case of Spain this even returns 3, and there are effectively 2 unicorns in this list.
Location: Europe
Remote: Yes
Willing to relocate: Depends
Technologies: vuejs/nuxt/js/devops/ansible/docker/k8s
Résumé/CV: Upon request
Email: x-ychn@crstin.com
Blog: https://www.crstin.com
Languages: English/German/French/Spanish/Italian
Latest: Bare Metal kubernetes cluster on Hetzner / DeFi Ethereum THORChain
As the situation has worsened with the latest release of Safari, I'm really interested in globally setting up Pi-hole on a VPS via Docker and using it in combination with a VPN (strongSwan) for all of my devices (including mobile). Has anybody had success with such a setup yet?
I have run Pi-hole on the cheapest tier of Rackspace cloud server for 2+ years now with great success. It's wonderful. I just configure my router's DHCP to hand out my Pi's IP for DNS, and there are no ads anywhere (YouTube, streaming [except Hulu, unfortunately], and general browsing). It's especially nice now that it seems every company is offering its own streaming app with ads. A recent example: I wanted to watch an action sports video and Fire TV had it in the Red Bull app. Ten or so minutes in, the video was interrupted with a "here's some ads" stinger and then immediately resumed. Kinda caught me off guard but produced an instant smile.
One thing to consider, though, is becoming a DNS resolver for any random thing on the net. What I did for this was create a bash script that adds the visiting IP to an iptables whitelist. I created an impossible-to-guess PHP page (the Pi-hole admin interface uses PHP, so it's already installed and ready to go) which takes REMOTE_ADDR and passes it to the bash script to add to iptables. Makes it super easy to allow IPs when my ISP changes my address or when visiting family/friends and they want to use it.
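The script the post describes, written out as an added example (this is not the commenter's own script). It assumes a chain named PIHOLE_ALLOW that the INPUT chain jumps to for port 53, a log file path, and a PHP page that invokes the script through a sudoers entry restricted to it; all of those are assumptions. The part worth copying is the validation: REMOTE_ADDR is checked to be a dotted-quad IPv4 address before it goes anywhere near a command line, so a malformed value can only be rejected. Set DRY_RUN=1 to see the iptables commands without running them.

```shell
#!/bin/sh
# Added example (not the commenter's script): whitelist the caller's IP
# in an iptables chain. Assumptions: chain PIHOLE_ALLOW (INPUT jumps to it
# for udp/tcp 53) and the log file below. DRY_RUN=1 prints the commands.

CHAIN="${CHAIN:-PIHOLE_ALLOW}"
LOG="${LOG:-/var/log/pihole-allow.log}"

# valid_ipv4 ADDR -> 0 only for four decimal octets in the range 0-255.
# Hostnames, IPv6, CIDR ranges and shell metacharacters are all rejected.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr            # split on dots (unquoted on purpose)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# allow_ip ADDR -> insert an ACCEPT rule for ADDR into $CHAIN, at most once.
allow_ip() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "rejected: not an IPv4 address: '$addr'" >&2
        return 1
    fi
    check="iptables -C $CHAIN -s $addr -j ACCEPT"
    insert="iptables -I $CHAIN -s $addr -j ACCEPT"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$check || $insert"
        return 0
    fi
    # -C only tests whether the rule exists; insert only when it is absent,
    # so repeat visits from the same address do not pile up duplicate rules.
    $check 2>/dev/null || $insert || return 1
    printf '%s allow %s\n' "$(date -u +%FT%TZ)" "$addr" >> "$LOG"
}

# Called from the PHP page, e.g. (hypothetical sudoers entry for this script):
#   sudo /usr/local/bin/allow_ip.sh "$REMOTE_ADDR"
if [ $# -gt 0 ]; then
    allow_ip "$1"
fi
```

The PHP side stays a one-liner that passes REMOTE_ADDR as a single argument; with the validation here, the shell never sees anything but four octets. Note that REMOTE_ADDR is the address of whatever connected to the web server, so if the page sits behind a reverse proxy it will be the proxy's address, not the visitor's.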
"One thing to consider, though, is becoming a DNS resolver for any random thing on the net. What I did for this was create a bash script that adds the visiting IP to an iptables whitelist. I created an impossible-to-guess PHP page (the Pi-hole admin interface uses PHP, so it's already installed and ready to go) which takes REMOTE_ADDR and passes it to the bash script to add to iptables."
I hesitate to mention this, as it causes heads to explode, but the problem you're describing is nicely solved with port-knocking. Might be easier than setting up the php page, etc. ...
Because it’s available everywhere e.g. work/family/friends etc. and I can share it with family/friends as well. It’s a lot of fun to see people’s reactions when they see what the net can be like without all of the ads.
Please do not open port 53. Without proper countermeasures, open resolvers contribute to DNS amplification attacks. If you have an open resolver, I guarantee that it is being used maliciously. Please close port 53 and use a VPN to securely access your Pi-hole.
> A Domain Name Server (DNS) amplification attack is a popular form of distributed denial of service (DDoS) that relies on the use of publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic.
DNS queries are much smaller than DNS responses. Making a huge number of queries uses less bandwidth than it takes to respond to them, making it a prime candidate for DDoS attacks. Look at your logs; no doubt you will see a large number of requests for various hosts. This is your system being used to attack people. Please close the port.
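"Look at your logs" is quick to do mechanically. The following is an added example, not code from the post: it reads the query log format dnsmasq writes for Pi-hole (`... dnsmasq[pid]: query[TYPE] name from SRC`) and lists the sources that are not RFC 1918 or loopback addresses, which on a VPS that should only serve your own devices is exactly the traffic an open port 53 attracts. The log lines in sample_log are constructed for this example; in practice feed it /var/log/pihole.log.

```shell
#!/bin/sh
# Added example (not from the original post): summarise DNS queries that
# reached a Pi-hole from non-private source addresses. The sample log
# lines are constructed; the field layout follows dnsmasq's query log.

# sample_log -> constructed log lines, a stand-in for /var/log/pihole.log
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 dnsmasq[612]: query[A] example.com from 192.168.1.5
Jan 10 12:00:01 dnsmasq[612]: forwarded example.com to 1.1.1.1
Jan 10 12:00:02 dnsmasq[612]: query[ANY] isc.org from 198.51.100.23
Jan 10 12:00:02 dnsmasq[612]: query[ANY] isc.org from 198.51.100.23
Jan 10 12:00:03 dnsmasq[612]: query[ANY] isc.org from 198.51.100.23
Jan 10 12:00:04 dnsmasq[612]: query[TXT] example.net from 203.0.113.9
Jan 10 12:00:05 dnsmasq[612]: query[A] nas.lan from 10.0.0.7
EOF
}

# external_dns_sources < LOG -> lines "COUNT SRC QTYPE", most frequent first,
# for query records whose source is outside 10/8, 172.16/12, 192.168/16, 127/8.
external_dns_sources() {
    awk '
    $5 ~ /^query\[/ && $(NF-1) == "from" {
        src = $NF
        if (src ~ /^10\./ || src ~ /^127\./ || src ~ /^192\.168\./ ||
            src ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
        qtype = $5
        sub(/^query\[/, "", qtype)    # "query[ANY]" -> "ANY]"
        sub(/]$/, "", qtype)          # "ANY]"       -> "ANY"
        count[src " " qtype]++
    }
    END { for (key in count) print count[key], key }
    ' | sort -rn
}

# Every line printed here is a query answered for an address you do not own.
# Repeated ANY or TXT queries for the same name from one source are the
# classic amplification pattern: tiny request, large response, spoofed source.
sample_log | external_dns_sources
```

The private-range filter is the only site-specific part; if the VPN assigns clients addresses from another range, add it to the `if` line so your own devices are excluded too. An empty result from a day's log is the check that port 53 is in fact closed to the Internet.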
You could instead have WireGuard split-tunnel DNS traffic and serve it with Pi-hole, or forward it to dns.aguard.com if you do not really require analytics, or use Unbound with block lists to resolve names recursively.
Have you managed to get WireGuard to do split tunnel DNS? I've been wanting to do this, but couldn't figure out how to make it work on Android, for example.
Thanks for your answer. I think the sources you linked to are tunneling all of their DNS queries through Wireguard. I don't want to do this, since my work has some DNS records which only resolve internally. Basically I want to be able to give DNS names to the various hosts on my Wireguard network, while falling back to the DNS provided by the network I'm on.
Edit: per discussion on r/Wireguard, it looks like one solution is to run dnsmasq locally on ::53, forward public queries to the VPN/DNS provider of your choosing, and resolve private queries locally.
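The dnsmasq side of that solution, as an added example rather than the commenter's configuration: private names under one suffix are answered from the local resolver and never forwarded, everything else goes to a single chosen upstream. The suffix wg.lan, the host names, the upstream 10.8.0.1 and the addresses are all hypothetical. The function emits a config fragment so the same lines can be regenerated when a host is added.

```shell
#!/bin/sh
# Added example (not from the original post): generate a dnsmasq
# configuration for a split-DNS resolver on a WireGuard client.
# Suffix, hosts and addresses are hypothetical.

# split_dns_conf UPSTREAM SUFFIX NAME=IP [NAME=IP ...] -> config on stdout
split_dns_conf() {
    upstream=$1
    suffix=$2
    shift 2
    echo "# local split-DNS resolver for a WireGuard client (generated example)"
    echo "listen-address=127.0.0.1"
    echo "bind-interfaces"
    # The system resolver will point at 127.0.0.1, so dnsmasq must not read
    # /etc/resolv.conf back as its upstream or it would forward to itself.
    echo "no-resolv"
    # Default route for every name not matched below: the VPN-side or
    # public resolver you chose.
    echo "server=$upstream"
    # Names under the private suffix are never forwarded; an unknown name
    # under it gets NXDOMAIN locally instead of leaking to the upstream.
    echo "local=/$suffix/"
    for entry in "$@"; do
        name=${entry%%=*}
        ip=${entry#*=}
        echo "host-record=$name.$suffix,$ip"
    done
}

# Usage: split_dns_conf 10.8.0.1 wg.lan nas=10.8.0.5 pi=10.8.0.2 > /etc/dnsmasq.d/split.conf
split_dns_conf 10.8.0.1 wg.lan nas=10.8.0.5 pi=10.8.0.2
```

With this in place the client's resolv.conf names only 127.0.0.1, and the wg-quick config should not set `DNS =` for the interface, otherwise wg-quick rewrites the resolver on every connection. If the public half should instead follow whatever resolvers the current network hands out, replace `no-resolv` and the `server=` line with `resolv-file=` pointing at the file the network manager maintains; the `local=` and `host-record=` lines keep private names off that path regardless.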
Yeah, thanks for looking deeper into it. I found before that I could do it by running my own DNS server (like dnsmasq) on the local device (so I could do it no problem on my laptop), but that isn't easy on a phone.
I would like to do the same. Maybe have a DNS server (Pi-hole) on AWS and a simple web UI where you can log in and it whitelists your IP in the security group.