Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks


1. Install fail2ban 

sudo apt-get update ; sudo apt-get install fail2ban

2. create jail file

vi /etc/fail2ban/jail.d/pihole-dns.conf

[pihole-dns]
enabled  = true
port     = 53
filter   = pihole-dns
action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath  = /var/log/pihole.log
findtime = 60
maxretry = 5
bantime  = 3600


3. create filter file

vi /etc/fail2ban/filter.d/pihole-dns.conf

# Fail2Ban configuration file
# script from


[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = dnsmasq

# log example from /var/log/pihole.log
#Feb 26 04:41:28 dnsmasq[1887]: query[A] from
#(?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?

failregex = .*query\[A\].*from <HOST>
            .*query\[ANY\].*from <HOST>

ignoreregex =

4. test if the regex works

fail2ban-regex /var/log/pihole.log /etc/fail2ban/filter.d/pihole-dns.conf

You should see results like this:

Running tests

Use   failregex filter file : pihole-dns, basedir: /etc/fail2ban
Use   log file : /var/log/pihole.log
Use   encoding : UTF-8


Failregex: 4127 total
|-  #) [# of hits] regular expression
|   1) [4125] .*query\[A\].*from <HOST>
|   2) [2] .*query\[ANY\].*from <HOST>


Ignoreregex: 0 total

Date template hits:
|- [# of hits] date format
|  [15674] (?:DAY )?MON Day 24hour:Minute:Second(?:\.Microseconds)?(?: Year)?

Lines: 15674 lines, 0 ignored, 4127 matched, 11547 missed
[processed in 1.25 sec]

Missed line(s): too many to print.  Use --print-all-missed to print all 11547 lines

Got hits (shown in red), so the regex works!

5. add your own IP to the ignore list so you do not get blocked yourself

Use your local IP, or your public IP if the Pi-hole is openly reachable (e.g. installed as a relay on a cloud VPS).

vi /etc/fail2ban/jail.conf



# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip =,


6. restart fail2ban service


7. to check if fail2ban works 

fail2ban-client status pihole-dns

Status for the jail: pihole-dns
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     75
|  `- File list:        /var/log/pihole.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     2
   `- Banned IP list:

8. (optional, for CentOS 7)

You can check ipset list directly

ipset list fail2ban-pihole-dns-udp

Name: fail2ban-pihole-dns-udp
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 600
Size in memory: 312
References: 1
Number of entries: 2
Members: timeout 558 timeout 558
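As an added illustration (not code from the original post or from fail2ban itself), the following Python script replays the two failregex lines of the filter over constructed pihole.log entries and applies the jail's findtime/maxretry rule, so you can see which source addresses would be banned and why the ignoreip step matters for a legitimate client that sends more than five A queries in a minute. It assumes the <HOST> values are IP literals; the sample addresses are documentation ranges.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed pihole.log lines (dnsmasq syslog format), invented for this example.
SAMPLE_LOG = """\
Feb 26 04:41:20 dnsmasq[1887]: query[A] printer.lan from 192.0.2.10
Feb 26 04:41:21 dnsmasq[1887]: query[A] example.com from 192.0.2.10
Feb 26 04:41:21 dnsmasq[1887]: forwarded example.com to 1.1.1.1
Feb 26 04:41:22 dnsmasq[1887]: query[A] example.org from 192.0.2.10
Feb 26 04:41:23 dnsmasq[1887]: query[A] example.net from 192.0.2.10
Feb 26 04:41:24 dnsmasq[1887]: query[A] cdn.example from 192.0.2.10
Feb 26 04:41:30 dnsmasq[1887]: query[ANY] isc.org from 198.51.100.7
Feb 26 04:41:31 dnsmasq[1887]: query[ANY] isc.org from 198.51.100.7
Feb 26 04:41:32 dnsmasq[1887]: query[ANY] isc.org from 198.51.100.7
Feb 26 04:41:33 dnsmasq[1887]: query[ANY] isc.org from 198.51.100.7
Feb 26 04:41:34 dnsmasq[1887]: query[ANY] isc.org from 198.51.100.7
Feb 26 04:41:40 dnsmasq[1887]: query[AAAA] example.com from 203.0.113.5
Feb 26 04:42:50 dnsmasq[1887]: query[A] example.com from 203.0.113.5
Feb 26 04:43:55 dnsmasq[1887]: query[A] example.com from 203.0.113.5
"""

# The two failregex lines from the filter above, with <HOST> expanded to a capture group.
FAILREGEX = [re.compile(r".*query\[A\].*from (?P<host>\S+)"),
             re.compile(r".*query\[ANY\].*from (?P<host>\S+)")]

def match_host(line):
    """Return the source host if the line matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            return m.group("host")
    return None  # 'forwarded', 'reply', query[AAAA] ... are not counted as hits

def simulate_jail(log, findtime=60, maxretry=5, ignoreip=()):
    """Hosts the jail would ban: maxretry matching lines within findtime seconds (IP hosts assumed)."""
    ignored = [ip_network(n) for n in ignoreip]
    recent, banned = {}, set()
    for line in log.splitlines():
        host = match_host(line)
        if host is None or any(ip_address(host) in net for net in ignored):
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp, no year
        window = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned
```

Run `simulate_jail(SAMPLE_LOG)` to see the LAN client 192.0.2.10 banned alongside the ANY-query source, then `simulate_jail(SAMPLE_LOG, ignoreip=["192.0.2.0/24"])` to see the effect of step 5.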


based on this


  1. Thanks for the guide! Very useful!

  2. I've set up a pihole that I can access on my mobile externally, the problem is this fail2ban config just bans any outside connection instantaneously.

    Is that its purpose rather than banning amplification attacks?

    1. You can always add ignoreip in failban.conf and add network of your mobile provider.

