From 139f16594d41ab49991c1307ec7399ec60d09db7 Mon Sep 17 00:00:00 2001 From: Orazio Date: Fri, 24 Jul 2020 14:44:59 +0200 Subject: [PATCH] Allowing queries only from the local subnet is enough for the functionality of PiVPN. From the man page of dnsmasq: --local-service Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options. It is intended to be set as a default on installation, to allow unconfigured installations to be useful but also safe from being used for DNS amplification attacks. --- auto_install/install.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/auto_install/install.sh b/auto_install/install.sh index 0a24d16..3fc82fb 100755 --- a/auto_install/install.sh +++ b/auto_install/install.sh @@ -1475,10 +1475,10 @@ askClientDNS(){ # Then create an empty hosts file or clear if it exists. $SUDO bash -c "> /etc/pivpn/hosts.$VPN" - # Set Pi-hole to "Listen on all interfaces, permit all origins" to allow dnsmasq - # to listen on the VPN interface as well. This setting matches what's suggested - # in the official guide: https://docs.pi-hole.net/guides/vpn/dual-operation - $SUDO pihole -a -i all + # Setting Pi-hole to "Listen on all interfaces" allows dnsmasq to listen on the + # VPN interface while permitting queries only from hosts whose address is on + # the LAN and VPN subnets. + $SUDO pihole -a -i local # Use the Raspberry Pi VPN IP as DNS server. pivpnDNS1="$vpnGw"
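Review bot: the replacement comment above `$SUDO pihole -a -i local` states the "queries only from hosts whose address is on the LAN and VPN subnets" restriction as if it were unconditional, but the man-page text quoted in the commit message says --local-service "only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options"; the comment should carry that precondition so a maintainer does not assume the resolver stays closed if a later `pihole -a -i` change or a custom dnsmasq setting adds one of those options. Consider keeping the link to https://docs.pi-hole.net/guides/vpn/dual-operation that the old comment had, with a sentence noting that this setting is deliberately stricter than the "permit all origins" mode suggested there and why (DNS amplification exposure, as the commit message explains), since the removed link was the only pointer to the rationale for this line.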