1y ago

Setup a DNS server on a dynamic public ip

Hello! I want to set up a pi-hole on my home and connect from my parent's. Both setups have a dynamic IP assigned by my isp and are different networks.

I have a couple of questions:

I can get a domain that updates automatically. But how would I resolve it on the client side?
Is there any way to authenticate on the server? By Mac maybe? That can be spoofed right?

Edit: my bad, thanks for correcting me, Mac is another layer completely

Can setting up a VPN solve both (1) and (2)?
Is there any other way?

Thanks!

16 comments

I would get a domain name and use ddns to update your rotating IP. Then I would setup wireguard VPN in split tunnel and have your parents network tunnel back to your piholes for dns resolution.
I use cloudflare API for ddns updates but there are plenty of choices for that. If you're using cloudflare for DNS just keep in mind you can't proxy the DNS entry for the ip for your VPN host as CF only forwards traffic over certain ports and they are not configurable (on free plan anyway not sure about paid).
- Don't you get a short break in connectivity as the ip changes?
  
  yes but most isp's (at least where I live) change the IP in the middle of nobody-should-be-awake-anyway o'clock
  Plus the connection drops only for a minute or two at most unless ypu set a really high ttl on the domain dns record
- You can do DoH over proxied cloudflare I believe
  edit: now I'm wondering, is it possible to proxy headscale??

You can't configure DNS server by name on anything, so you'd need some kind of script/automation to query current IP address of your pihole from google/your ddns provider/someone and update that on your parents router which can be a bit tricky or straight impossible depending on the hardware.
VPN would solve both 1 and 2 from your list as your pihole would be available with static address on both locations. You can't authenticate on DNS server by MAC as you don't receive originating MAC at all. Other solution would be to get a static IP address from some provider and tunnel traffic so that your pihole could be reached trough that static address.

@papelitofeliz
VPN for sure:
Set up both locations with Dynamic DNS providers. DuckDNS is free, but if you’re building infrastructure you may as well buy your own domain and set it up through that (Namecheap is what I use and recommend).
Set up a Wireguard tunnel between both locations. Do not specify an endpoint for either. You could specify endpoints to boost security (barely), but it will cause your system to fail during IP changes, for the duration of the TTL.
- @papelitofeliz
  3. Set up your PiHole on a static private IP.
  Ensure both sites can route across the tunnel. Based on your experience level and scope, dynamic routing is not recommended or necessary, which means static routes. Point a route for each side’s subnet to the Wireguard tunnel IPs so your firewalls know how to reach and respond to each other across the tunnel.
  Configure your devices to use PiHole for their DNS, via DHCP ideally.
  
  I didn't look anything up yet. But can the wireguard tunnel be setup on the router level (I have a cheap Mikrotik) or as a network service? So clients don't have to install custom stuff

DynDNS. That will give you a hostname, but check if your ISP offers a static IP tbh. Client side shouldn't matter overmuch if you're returning requests it's made
- I'll second this recommendation and add a bit more. I'd recommend using DuckDNS's dynamic DNS service. It's free (donate if you can!) and fairly simple to set up. I run it on my router since it supports it but it's easy to run in a docker container too.
  
  I recommend DuckDNS as well, you can run it both sides and set up a daemon to update the domain when there is an IP change automatically.
  And with Wireguard you can set up a tunnel between both locations so you can share anything you need.

If both routers support it: S2S VPN. Also has the advantage of being able to access the stuff from each others side.
Disadvantage: Viruses can traverse the tunnel.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
Fewer Letters More Letters

CF CloudFlare
DNS Domain Name Service/System
IP Internet Protocol
PiHole Network-wide ad-blocker (DNS sinkhole)
VPN Virtual Private Network
[Thread #315 for this sub, first seen 30th Nov 2023, 16:15] [FAQ] [Full list] [Contact] [Source code]

Fewer Letters	More Letters
CF	CloudFlare
DNS	Domain Name Service/System
IP	Internet Protocol
PiHole	Network-wide ad-blocker (DNS sinkhole)
VPN	Virtual Private Network

Is there any other way?
For all intends and purposes, let's assume there isn't. Running a DNS server on the 'open internet' is notoriously difficult if you are not familiar with the intricacies, especially with regards to security. Running it through a VPN is really the best option you have here.

A lot of people are suggesting VPNs
But there's some beauty in DoH/DoT/Quic ports opened
You should check adguard-home for the dns stuff For your questions:
I don't quite get what you mean. But if you say "my domain's dns updates regularly, how would one of the clients of the dns get the new IP", then I would say upstream dns, and maybe pi-hole/adguard have something up their sleeve
In adguard you can have client ids, it can be different things I forgot, but mainly it can be the domain you're using as dns, so john.dns.mysite.com, and you can give 0.0.0.0 response to every client that is not a client. Maybe there are more clever ways to do this
Yes, but for 1 is not so straightforward, you have many options, you either need to update your dns in some way anyway to connect to VPN, or rent a cloud to host(or port forward) the entry point there (or the theoretical option, some selfhosted vpns allow you to do everything without any ports opened)
Adguard-home, using a public dns, route through tor, cloudflare's tunnels, host on a cloud, forward ports to a cloud, and many more
And for dynamic IP, I personally use cloudflare(although I don't trust them) (he-he, I didn't expect previous point to be so long, I wrote this at the beginning)
Ah, and for the VPN I personally use headscale

16 comments