After I posted my “Running Pi-hole on AWS EC2” article last night, I decided to enter the amazing internet cesspool called Reddit. I knew there was a subreddit for pihole and I genuinely wanted to provide people with a simple tutorial for running a safe and secure off-prem pihole instance.
I posted my article on r/pihole and within 10 minutes a mod of the subreddit had taken down my post, saying that by using an AWS EC2 instance I was creating an open resolver (which is bad) and that my post went against the guidelines. This is all fine, except for the fact that the article I mentioned shows readers how to create a VPC security group in AWS that only allows traffic from the public IP of their choosing. After I pointed this out and asked the mod to read the article, he deleted his comments, but the post remained inactive (all good, really). In my case (and in the case of everyone who followed my tutorial) ports 22, 53, and 80 only answer requests from my home network's public IP. A request from any other IP never reaches the instance; the security group drops it.
The pihole mods on Reddit do have a valuable point, though. Creating a pihole instance on AWS EC2 and not hardening the security group is extremely bad practice: with port 53 open to 0.0.0.0/0, anyone on the internet can query your resolver, and open resolvers are routinely abused for DNS amplification attacks.
This picture shows what the AWS security group actually does. As you can see, when the request is made from my home network, the request is answered. When a request is made from outside my home network, the request is not answered.
This picture shows an incorrect implementation of pihole running on AWS EC2. The security group here allows access to 22, 53, and 80 from any IP. This is extremely insecure and is not recommended by any means. Some services (like NextDNS) use open resolvers and hope for the best when it comes to who actually hits the IP.
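To make the difference between the two pictures concrete, here is an added example (not code from the original article) that builds the locked-down rule set for a Pi-hole security group and audits an existing rule set for open-resolver exposure. The rules use the IpPermissions shape that boto3's authorize_security_group_ingress() and describe_security_groups() work with, but nothing here talks to AWS, so it runs offline. The home address 203.0.113.7 is a documentation address standing in for your real public IP, and WIDE_OPEN is a constructed copy of the bad security group described above, not one pulled from a real account.

```python
"""Build a locked-down Pi-hole security group and audit rule sets for
open-resolver exposure. Added example; the IpPermissions structure is the
one boto3 uses, but no AWS call is made."""
import ipaddress

# Ports the post exposes: SSH admin, DNS (UDP and TCP), Pi-hole web UI.
PIHOLE_PORTS = (
    ("tcp", 22),
    ("udp", 53),
    ("tcp", 53),
    ("tcp", 80),
)

# Source ranges that mean "the whole internet".
ANYWHERE = {"0.0.0.0/0", "::/0"}


def home_cidr(ip):
    """Single-host CIDR for the home IP: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def pihole_ingress(home_ip):
    """IpPermissions that answer 22/53/80 only from the home IP."""
    cidr = home_cidr(home_ip)
    perms = []
    for proto, port in PIHOLE_PORTS:
        rule = {"IpProtocol": proto, "FromPort": port, "ToPort": port}
        if ":" in cidr:
            rule["Ipv6Ranges"] = [{"CidrIpv6": cidr, "Description": "home"}]
        else:
            rule["IpRanges"] = [{"CidrIp": cidr, "Description": "home"}]
        perms.append(rule)
    return perms


def open_resolver_findings(ip_permissions):
    """Return the (protocol, port) pairs from PIHOLE_PORTS reachable from
    0.0.0.0/0 or ::/0. Handles single ports, port ranges and the
    'all traffic' rule (IpProtocol '-1', which carries no ports)."""
    findings = set()
    for rule in ip_permissions:
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not ANYWHERE.intersection(sources):
            continue  # restricted to specific sources: fine
        proto = rule["IpProtocol"]
        all_ports = proto == "-1" or "FromPort" not in rule
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for p, port in PIHOLE_PORTS:
            if proto in (p, "-1") and (all_ports or lo <= port <= hi):
                findings.add((p, port))
    return sorted(findings)


def is_open_resolver(ip_permissions):
    """True when DNS (port 53) is answerable from the whole internet."""
    return any(port == 53 for _, port in open_resolver_findings(ip_permissions))


# Constructed sample of the incorrect security group from the post:
# 22, 53 and 80 open to any IPv4 address.
WIDE_OPEN = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 53, "ToPort": 53, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    locked = pihole_ingress("203.0.113.7")  # documentation address, assumed home IP
    print("locked-down SG open resolver?", is_open_resolver(locked))
    print("wide-open SG open resolver?", is_open_resolver(WIDE_OPEN),
          open_resolver_findings(WIDE_OPEN))
```

Two things worth knowing before you rely on this. First, the audit only looks at source ranges, so a rule that references another security group or a prefix list as its source is treated as restricted; that is the right default for a single-IP home setup but not a general cloud audit. Second, a residential public IP is rarely static: when it changes, the /32 rule stops matching and the Pi-hole goes silent for you rather than opening up to the world, which is the safe failure mode, but you will need to update the rule. The quick external check is the one the picture shows: run a DNS lookup against the instance's public IP from a network other than your home (a phone on mobile data works) and confirm it times out instead of answering.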
So, long story short: the pihole mods were correct in saying that open resolvers = very bad. They apparently did not read the actual article, however, since I explicitly explained how to not make your pihole an open resolver. Not asking for an apology, just wanted to post this for transparency.
Also, I am officially never entering the r/pihole subreddit ever again. I am also actively looking for alternatives to pihole since there seems to be a certain level of toxicity on their subreddit and sometimes on their forums.
That's all for today,
Joe