Allow external access to internal DNS server
-
Hello,
I have a server setup which is running Home Assistant and AdGuard Home (Pi-hole equivalent). I would like to expose both services externally so that I can use them outside of the network. In particular I want to be able to use the DNS server (AdGuard) from another location. The goal is for the secondary location to be able to use my DNS server as their primary server for network-wide ad blocking, without needing to use a VPN on each device.
Can someone recommend NAT/Firewall rules to allow this to happen?
Thanks!
-
@Zoidman said in Allow external access to internal DNS server:
without needing to use a VPN on each device.
This would be the best way to go, though. But that's your issue.
Normally you only need a NAT port forwarding rule for TCP/UDP and destination port 53 on pfSense.
However, it's required that you have a real public IP on the WAN.
But possibly your ISP blocks the DNS port. Also on the AdGuard DNS you possibly have to allow access from outside.
-
@viragomann I do have a real public static IP address assigned to my location, so good there. As far as I know my ISP doesn't do any traffic shaping or restrictions of any kind.
Where I am looking for guidance is that both Home Assistant and the AdGuard DNS server are hosted on the same box. Not sure how the rules would work for that. Additionally I am using that same AdGuard DNS server internally for all my local devices, and when I experimented with this in the past it would break the DNS resolution inside of my network.
The AdGuard DNS doesn't have any settings that I am aware that restrict traffic from external sources.
-
@Zoidman said in Allow external access to internal DNS server:
Where I am looking for guidance is that both Home Assistant and the AdGuard DNS server are hosted on the same box. Not sure how the rules would work for that.
There is nothing different at all. Your DNS has an IP within your network and this is to be used as target in the port forwarding.
No matter if the Home Assistant uses the same. It might be listening on a different port, I guess.
@Zoidman said in Allow external access to internal DNS server:
Additionally I am using that same AdGuard DNS server internally for all my local devices, and when I experimented with this in the past it would break the DNS resolution inside of my network.
Not clear what, but it shouldn't be affected by the DNS forwarding. Those are just other IPs also accessing the DNS server.
-
Please be aware that a DNS server on the internet without the proper protections will be used for DDoS attacks.
-
@AndyRH Good to know. Any suggestions on how to harden it?
All the locations I want to share access to the DNS server with are from the same small ISP and all share the same IP address blocks.
Could I limit the allowable connections to just a range of IP addresses that are likely from the same ISP?
-
@Zoidman To prevent abuse of a DNS server on the internet requires experts. I think the list will include network, security and DNS experts. There is far more danger than reward. For home users a VPN is the best option. That is what I and all of my friends use. We are all experts in various IT fields and none of us have attempted what you are wanting to do.
-
@Zoidman If they are specific computers, and they all had dynamic DNS client software, you could allow just those dynamic DNS hostnames, via an alias in pfSense.
Otherwise yes it's possible to allow IP blocks, though that allows anyone on that ISP to connect.
As for hardening, installing security updates for the DNS server is obviously paramount. You could also run Suricata, on WAN in your case since they would be connecting to the WAN IP.
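The port forward described by @viragomann, restricted to the remote sites' address blocks as @AndyRH and the last reply suggest, written out as a hand-made pf.conf fragment. This is an added illustration, not configuration from the thread or from pfSense itself (pfSense generates its own pf rules from the GUI; the equivalent there is a port forward whose source is an alias holding the allowed networks or dynamic-DNS hostnames). The interface name `em0`, the AdGuard host address `192.0.2.10` and the two allowed networks are placeholders to be replaced with your own values.

```pf
# Assumed values, not from the thread: WAN interface, AdGuard Home LAN address,
# and the remote ISP's address blocks that are allowed to query the resolver.
ext_if = "em0"
dns_host = "192.0.2.10"

# Only these source networks may reach the resolver. Anything else sent to
# port 53 on the WAN address never matches the forward and is dropped below.
table <dns_clients> { 198.51.100.0/24, 203.0.113.0/24 }

# Forward TCP and UDP port 53 on the WAN address to the AdGuard host. Home
# Assistant on the same box listens on a different port, so it is untouched,
# and LAN clients still reach the resolver directly on its LAN address.
rdr on $ext_if proto { tcp, udp } from <dns_clients> to ($ext_if) port 53 -> $dns_host port 53

# Matching pass rule with a per-source state cap, so one host inside an allowed
# network cannot flood the resolver. max-src-states applies to UDP as well as TCP.
pass in quick on $ext_if proto { tcp, udp } from <dns_clients> to $dns_host port 53 \
    keep state (max-src-states 50)

# Everything else aimed at port 53 on the WAN address is dropped and logged;
# the log is where scans for open resolvers show up.
block in log quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 53
```

The firewall allowlist is the first layer; AdGuard Home's own client access settings can hold the same networks as a second layer, so a rule mistake on the edge does not turn the resolver into an open one. Verify from a host outside the allowed ranges that a query to the WAN address times out rather than answering.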