
Create a DNS for just me minus VPN #21

Closed
doodlemania2 opened this issue Jan 23, 2019 · 5 comments

Comments

@doodlemania2

Is there a way to do the pihole bit, expose DNS over the public internet via DNS+TLS or 443 (think cloudflared) and then let only my address range work with it?

@rajannpatel rajannpatel self-assigned this Jan 25, 2019
@rajannpatel
Owner

Yes, this is possible. Do you have a static IP? It is important to do this very carefully, because creating a public DNS resolver is frowned upon: open DNS resolvers can be the targets of cache poisoning attacks.

@doodlemania2
Author

Yes, I'd want to do this and restrict on the server side to only my IP ranges.

@rajannpatel
Owner

This is how you would do it. Follow these portions of the guide:

  • Google Cloud Login and Account Creation
  • Compute Engine Virtual Machine Setup
  • Debian Update & Upgrade
  • Pi-Hole Installation

After completing the Pi-Hole Installation step, go to http://your-external-ip/admin/settings.php?tab=dns and click Settings and navigate to DNS. Under Interface Listening Behavior you want to choose the 3rd radio button: Listen on all interfaces, permit all origins. I want to bring your attention to the warning here:

this option should not be used on devices which are directly connected to the Internet. This option is safe if your Pi-hole is located within your local network, i.e. protected behind your router, and you have not forwarded port 53 to this device. In virtually all other cases you have to make sure that your Pi-hole is properly firewalled.

To ensure everything is properly firewalled:

  1. Log into Google Cloud Console: https://console.cloud.google.com/
  2. Ensure your Project is selected in the blue bar at the top (next to the words "Google Cloud Console"); by default it should be
  3. Click the Hamburger Menu at the top left, click VPC Network and click Firewall Rules
  4. Click default-allow-http in the table
  5. Click Edit at the top of the page
  6. Add the static IP address from the location you plan on accessing Pi-Hole from, this is going to protect your admin panel
  7. Click the Save button
  8. Click the Hamburger Menu at the top left, click VPC Network and click Firewall Rules
  9. Click Create Firewall Rule at the top of the page
  10. Set the Name to allow-dns, set your static IP address from the location you plan on making your DNS queries from under Source filter, and enable both the tcp and udp checkboxes. In the Input field beside tcp: write 53, and in the Input field beside udp: write 53.
  11. Click Save.

You can use "your-external-ip" that Google Compute Engine has assigned to you as your DNS server now. You will not be able to use the Private DNS Server option on Android 9, even if you map a hostname to the Google Compute Engine IP address, because your cellular provider will not give you a static IPv4 address on your mobile phone. You can define the DNS server on WiFi networks, however.

Feel free to close this issue if this answers your question, happy to elaborate further if needed.
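
A way to check the result of steps 1 to 11 above with code rather than by eye, as an added example that is not part of this issue or the guide it refers to. It audits a list of VPC firewall rules and reports any rule that leaves the Pi-hole admin panel (80/tcp) or the resolver (53/tcp, 53/udp) reachable from 0.0.0.0/0, or from any source other than your trusted /32, and it prints the `gcloud` command equivalent to the allow-dns rule. The rule dictionaries are a constructed sample in the shape I assume `gcloud compute firewall-rules list --format=json` produces (keys `name`, `direction`, `sourceRanges`, `allowed[].IPProtocol`, `allowed[].ports`); the IP 203.0.113.10 is a placeholder for your own static address.

```python
"""Audit Google Cloud VPC firewall rules protecting a Pi-hole VM.

Added example (not from the issue or the guide). Rule dicts mirror the
assumed shape of `gcloud compute firewall-rules list --format=json`.
"""
import ipaddress

# Pi-hole services that must only be reachable from the trusted static IP.
SENSITIVE = {
    ("tcp", 53): "DNS (tcp)",
    ("udp", 53): "DNS (udp)",
    ("tcp", 80): "admin panel",
}


def ports_in_spec(specs):
    """Expand gcloud port specs such as ['53', '8000-8010'] into a set of ints.

    gcloud omits the list when a protocol is allowed on every port, so an
    empty/missing list means "all ports" and is returned as None.
    """
    if not specs:
        return None
    ports = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_allows(rule, proto, port):
    """True if the rule's allowed[] entries permit proto:port."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"].lower() in (proto, "all"):
            allowed = ports_in_spec(entry.get("ports"))
            if allowed is None or port in allowed:
                return True
    return False


def world_reachable(rule):
    """True if any source range is the entire Internet (prefix length 0).

    An INGRESS rule without sourceRanges defaults to 0.0.0.0/0 in GCP.
    """
    ranges = rule.get("sourceRanges") or ["0.0.0.0/0"]
    return any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges)


def audit(rules, trusted_ip):
    """Return one finding per (rule, service) that is exposed too widely."""
    trusted = ipaddress.ip_network(f"{trusted_ip}/32")
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        for (proto, port), label in SENSITIVE.items():
            if not rule_allows(rule, proto, port):
                continue
            if world_reachable(rule):
                findings.append(f"{rule['name']}: {label} open to 0.0.0.0/0")
                continue
            extra = [r for r in rule.get("sourceRanges", [])
                     if ipaddress.ip_network(r, strict=False) != trusted]
            if extra:
                findings.append(f"{rule['name']}: {label} reachable from "
                                f"{', '.join(extra)}, not only {trusted}")
    return findings


def dns_rule_command(trusted_ip, network="default"):
    """gcloud equivalent of step 10: allow-dns for 53/tcp and 53/udp from one /32."""
    return (f"gcloud compute firewall-rules create allow-dns --network={network} "
            f"--direction=INGRESS --allow=tcp:53,udp:53 --source-ranges={trusted_ip}/32")


# Constructed sample: 203.0.113.10 stands in for your real static IP.
TRUSTED_IP = "203.0.113.10"
SAMPLE_RULES = [
    # GCP's stock rule before step 6: admin panel reachable from everywhere.
    {"name": "default-allow-http", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    # A DNS rule left open to the world: this turns the VM into an open resolver.
    {"name": "allow-dns-bad", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["53"]},
                 {"IPProtocol": "udp", "ports": ["53"]}]},
    # The rule from step 10, restricted to the trusted /32: no finding.
    {"name": "allow-dns", "direction": "INGRESS",
     "sourceRanges": [f"{TRUSTED_IP}/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["53"]},
                 {"IPProtocol": "udp", "ports": ["53"]}]},
    # SSH is outside the Pi-hole ports checked here, so it produces no finding.
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, TRUSTED_IP):
        print("FINDING:", finding)
    print(dns_rule_command(TRUSTED_IP))
```

Running it against the sample reports three findings (the admin panel and both DNS protocols open to 0.0.0.0/0) and none for the correctly restricted allow-dns rule; feeding it the real output of `gcloud compute firewall-rules list --format=json` lets you confirm steps 6 and 10 took effect before pointing any client at the VM.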

@doodlemania2
Author

Brilliant!

@rajatpatel92

@rajannpatel - First of all thanks for your awesome guide! Superb work!

In addition to what is discussed in this issue, I was just wondering if one can possibly set up an OpenVPN server on a home router and connect the GCP VM with Pi-hole to it using an OpenVPN client & use its IP as the DNS server?

I have just basic networking knowledge so don't know whether this would be a recommended way to do it, though I would really love to have your inputs on this.
