Hacker News
by dsissitka 2112 days ago
Are you sure? From https://docs.docker.com/compose/compose-file/:

> Either specify both ports (HOST:CONTAINER), or just the container port (an ephemeral host port is chosen).

It sounds like you get a random publicly accessible port unless you specify a non-publicly-accessible IP. I'm not sure whether having a DNS server listening on a non-standard port would be an issue though.

2 comments
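To check a compose file for exactly the situation the comment above describes (a mapping that binds to every host interface, including the "container port only" form that publishes on an ephemeral host port), here is an added example, not code from this thread or from the Pi-hole or WireGuard projects: a small Python parser for the compose short port syntax, run over a constructed list of mappings. The address 10.8.0.1 is assumed to be the host's WireGuard tunnel address, and the allow-list of 51820/udp mirrors where the thread ends up.

```python
"""Flag docker-compose short-syntax port mappings that bind to all host interfaces.

Added example (not from the thread). Compose short syntax is
[[IP:]HOST_PORT:]CONTAINER_PORT[/PROTO]; when the host part is omitted Docker
publishes on an ephemeral host port, and when the IP is omitted it binds to
0.0.0.0 (and :: when IPv6 is enabled), i.e. every interface on the host.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Addresses that mean "every interface"; omitting the IP has the same effect.
WILDCARD_IPS = {"0.0.0.0", "::"}


@dataclass
class PortMapping:
    spec: str
    host_ip: Optional[str]       # None when no IP was given (binds everywhere)
    host_port: Optional[str]     # None when Docker picks an ephemeral port
    container_port: str
    proto: str

    @property
    def public(self) -> bool:
        """True if the mapping listens on all host interfaces."""
        return self.host_ip is None or self.host_ip in WILDCARD_IPS


def parse_port_spec(spec: str) -> PortMapping:
    """Parse one short-syntax entry from a compose `ports:` list.

    Bracketed IPv6 host addresses ("[::1]:53:53") are handled; unbracketed
    IPv6 is ambiguous in this syntax and is not supported here.
    """
    text = str(spec).strip()
    body, _, proto = text.partition("/")
    proto = (proto or "tcp").lower()      # compose defaults to TCP
    host_ip: Optional[str] = None
    host_port: Optional[str] = None
    if ":" in body:
        rest, _, container_port = body.rpartition(":")
        if ":" in rest:                    # IP:HOST_PORT
            ip, _, host_port = rest.rpartition(":")
            host_ip = ip.strip("[]")
        else:                              # HOST_PORT only
            host_port = rest
    else:                                  # CONTAINER_PORT only -> ephemeral host port
        container_port = body
    return PortMapping(text, host_ip, host_port, container_port, proto)


def find_public(ports: Iterable[str]) -> List[str]:
    """Return every mapping that binds to all host interfaces."""
    return [m.spec for m in map(parse_port_spec, ports) if m.public]


def unexpected_public(ports: Iterable[str], allowed: Set[Tuple[str, str]]) -> List[str]:
    """Public mappings whose (host_port, proto) is not on the allow-list.

    A mapping with an ephemeral host port can never be allow-listed, because
    the port is unknown until the container starts.
    """
    out = []
    for m in map(parse_port_spec, ports):
        if not m.public:
            continue
        if m.host_port is not None and (m.host_port, m.proto) in allowed:
            continue
        out.append(m.spec)
    return out


# Constructed sample `ports:` entries for a Pi-hole + WireGuard compose file.
# 10.8.0.1 is an assumed WireGuard tunnel address, not taken from the thread.
SAMPLE_PORTS = [
    "53:53/udp",             # DNS on every interface: publicly reachable
    "53/tcp",                # container port only: ephemeral host port, still public
    "127.0.0.1:80:80/tcp",   # admin UI on loopback only
    "10.8.0.1:53:53/udp",    # DNS only on the (assumed) WireGuard tunnel address
    "[::1]:53:53/tcp",       # loopback IPv6, bracketed form
    "51820:51820/udp",       # WireGuard itself, intentionally public
]

# Only the WireGuard port is meant to be reachable from the internet.
ALLOWED_PUBLIC = {("51820", "udp")}

if __name__ == "__main__":
    for spec in unexpected_public(SAMPLE_PORTS, ALLOWED_PUBLIC):
        print(f"WARNING: {spec} is published on all host interfaces")
```

One caveat when relying on "close everything else off in your firewall": Docker publishes ports by inserting its own iptables rules (the DOCKER chain, reached from FORWARD), so a host firewall that only filters the INPUT chain, such as a default ufw setup, does not block them. A cloud provider's security group or ingress rules sit outside the host and do apply, and binding each mapping to a specific IP as above removes the dependency on either.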

Sorry! I was wrong, you are correct.

But nonetheless your ingress rules in your cloud provider will not allow anything but that single port, so it's not really a big deal provided you close everything else off in your firewall.

I will make an update to see how I can work around this.

> But nonetheless your ingress rules in your cloud provider will not allow anything but that single port...

That's all that's required for a DNS amplification attack. :)

That's not true. DNS isn't on 51820. That's WireGuard. You cannot hit the DNS unless you're connected to the WireGuard VPN, provided you're using a cloud provider and you haven't configured any additional ingress rules other than port 51820. That I am positive on.
You're right! I thought we were talking about the Pi-hole port. ><
You can try setting up a VPN and no TCP/UDP is necessary. Pi-hole could be accessed over the local network.
Modified it so that only port 51820 is exposed, preventing any unintentional exposure.