More details on hosting public instance #382

Open
Brandon10x15 opened this issue Mar 14, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@Brandon10x15

Hey, how's it going?
I've followed the video for setting up on Windows and I'm pretty technically inclined but was unable to get it working.
What exactly do you need to do in order to use a public IP for friends to use my instance to join?

@Brandon10x15 Brandon10x15 added the enhancement New feature or request label Mar 14, 2023
@Brandon10x15
Author

Could it be because I'm also using port 19132 to host a Geyser Java server?

@Pugmatt
Owner

Pugmatt commented Mar 14, 2023

EDIT: For hosting a public instance, it is recommended to use software like bind (with recursion turned off). See the following guide for how to set this up on a Linux server: https://github.com/Pugmatt/BedrockConnect/wiki/Setting-up-on-Linux

@taoyx

taoyx commented Mar 16, 2024

Just wondering whether this method is still working?

Just now, I tried to change the DNS server to US, German, restarted the Xbox, but I still cannot add a custom server without Game Pass.

@laplongejunior

laplongejunior commented Jul 14, 2024

Sorry to necro this discussion, but I'm a bit concerned that people are discussing making a DNS server public.
As anyone operating a Pi-hole would remember, if you open a DNS server to the literal public, random people can then use your DNS server to conduct some forms of DDoS attacks against third-party targets.

I didn't see any in-depth explanation about security in the documentation; is BedrockConnect built with mitigations against attempts at misuse for DNS amplification?
For that exact reason, some ISPs will block port 53 to prevent open resolvers, so for some/most people it wouldn't work.

(The easiest solution that I know is to set up a VPN server, so that the friends' clients are auth'd before accessing the services hosted in your home... but that's becoming overkill to access a Minecraft server.)

@Xavierhorwood
Contributor

> Sorry to necro this discussion, but I'm a bit concerned that people are discussing making a DNS server public. As anyone operating a Pi-hole would remember, if you open a DNS server to the literal public, random people can then use your DNS server to conduct some forms of DDoS attacks against third-party targets.
>
> I didn't see any in-depth explanation about security in the documentation; is BedrockConnect built with mitigations against attempts at misuse for DNS amplification? For that exact reason, some ISPs will block port 53 to prevent open resolvers, so for some/most people it wouldn't work.
>
> (The easiest solution that I know is to set up a VPN server, so that the friends' clients are auth'd before accessing the services hosted in your home... but that's becoming overkill to access a Minecraft server.)

Some of the public servers may be vulnerable
https://openresolver.com/?ip=45.55.68.52
https://openresolver.com/?ip=185.169.180.190

@Pugmatt
Owner

Pugmatt commented Jul 16, 2024

> Sorry to necro this discussion, but I'm a bit concerned that people are discussing making a DNS server public. As anyone operating a Pi-hole would remember, if you open a DNS server to the literal public, random people can then use your DNS server to conduct some forms of DDoS attacks against third-party targets.
>
> I didn't see any in-depth explanation about security in the documentation; is BedrockConnect built with mitigations against attempts at misuse for DNS amplification? For that exact reason, some ISPs will block port 53 to prevent open resolvers, so for some/most people it wouldn't work.
>
> (The easiest solution that I know is to set up a VPN server, so that the friends' clients are auth'd before accessing the services hosted in your home... but that's becoming overkill to access a Minecraft server.)

Thank you for bringing this up. The BedrockConnect software itself does not supply the DNS connection, it is what a separate DNS server would be directing a hostname to for players on Minecraft to connect to. So there isn't anything built into the software itself per se, as it doesn't touch the DNS step. The DNS connections mentioned in this project would be provided through third-party software.

We do, though, have an install-bind.sh script in the repo for quickly setting up Bind, which is set to disable recursion by default.

That being said, there are some improvements I've been meaning to make to the documentation, along with removing some guides that probably are not the most advisable from a security standpoint. I've removed the guide from my previous reply in this issue (along with the similar wiki page), and instead recommend people to follow the existing "Setting up on Linux" guide in the repo wiki if they really want to host a public instance (which uses the install-bind.sh script previously mentioned). I've also gone in and edited this wiki page to specify that it's recommended that recursion should stay off for public instances.

Inside our README, under "Publicly available BedrockConnect instances", as @Xavierhorwood mentioned, those two IPs may be vulnerable. My main instance, 104.238.130.180, has always had mitigations in place such as having recursion off, but my alternate one, 45.55.68.52, had recursion on (with other mitigations such as rate limiting), as an alternative solution for PS4/PS5 users (as that appeared to be the only way for the DNS to work on PS4/PS5 consoles). I've been meaning, though, to remove this, as again it's still not the most secure, and going forward the alternate solution will instead be to join through a new "Add Friend" method (which has been added now here: https://github.com/Pugmatt/BedrockConnect?tab=readme-ov-file#add-friend-method). 45.55.68.52 has been removed from the public list, and will be sunsetting. (EDIT: I may just look into more ways of securing it, but for now it's been removed from the public listing.)

@hasankayra04 For your DNS instance, do you know if NextDNS has anything in place that mitigates against attacks?

@hasankayra04
Contributor

I don't think so. But I have rate-limiting in place to prevent abuse.
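
A self-check for the open-resolver concern raised in this thread, as an added example that is not part of the thread or the BedrockConnect repo: it builds a recursive query for a name the server has no reason to answer and classifies the reply by its RA flag, RCODE and answer count. The name `example.com`, the function names and the two sample replies are assumptions constructed for illustration.

```python
import socket
import struct

RD, RA = 0x0100, 0x0080  # header flag bits: recursion desired / available

def encode_name(name):
    """Encode a hostname as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234):
    """A-record query with RD set, i.e. a request to recurse."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # A, IN

def classify(response, txid=0x1234):
    """Classify the reply to build_query() for a name outside the server's zones."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or not a response
        return "malformed"
    rcode = flags & 0x000F
    if flags & RA and rcode == 0 and ancount > 0:
        return "open-resolver"          # recursed and answered for a stranger
    if flags & RA:
        return "recursion-available"    # RA advertised: review recursion ACLs
    return "closed"                     # e.g. REFUSED with RA clear

def check_server(ip, name="example.com", timeout=3.0):
    """Query a server you operate, from a host outside its network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            return classify(s.recv(4096))
        except socket.timeout:
            return "no-response"        # also what an ISP port-53 block looks like

# Constructed sample replies (not captured from any real server).
_Q = encode_name("example.com") + struct.pack("!HH", 1, 1)
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q + _ANSWER
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _Q
```

A server set up with recursion off should come back as `closed` when `check_server` is run against it from outside its own network.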
