
Edit: I was wrong and I'm removing it to prevent spreading false information. Please see below.

EDIT 2:

Just provided instructions in the repo for how to configure DDNS: https://github.com/IAmStoxe/wirehole#configuring-for-dynamic...

Also modified it so only port 51820 is exposed, preventing any unintentional exposure.



Are you sure? From https://docs.docker.com/compose/compose-file/:

> Either specify both ports (HOST:CONTAINER), or just the container port (an ephemeral host port is chosen).

It sounds like you get a random publicly accessible port unless you specify a non-publicly-accessible IP. I'm not sure whether having a DNS server listening on a non-standard port would be an issue though.


Sorry! I was wrong, you are correct.

But nonetheless your ingress rules in your cloud provider will not allow anything but that single port, so it's not really a big deal provided you close everything else off in your firewall.

I will make an update to see how I can work around this.


> But nonetheless your ingress rules in your cloud provider will not allow anything but that single port...

That's all that's required for a DNS amplification attack. :)


That's not true. DNS isn't on 51820. That's WireGuard. You cannot hit the DNS unless you're connected to the WireGuard VPN, provided you're using a cloud provider and you haven't configured any additional ingress rules other than port 51820. That I am positive on.


You're right! I thought we were talking about the Pi-hole port. ><


You can try setting up a VPN and no TCP/UDP is necessary. Pi-hole could be accessed over the local network.


Modified it so that only port 51820 is exposed, preventing any unintentional exposure.


Ahh, so as long as I only list single ports and not pairs, it is not exposed to the host, because the other number of a pair is the port to be exposed on the host. And therefore it is not exposed to the public network in this case. Makes sense, thanks for the explanation!


This is false. Not listing the host port will make Docker choose a random one. It is, however, still opened up in the firewall by default.

Source: https://docs.docker.com/compose/compose-file/#ports
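To make the behaviour discussed in this sub-thread concrete, here is an added compose fragment (not from the wirehole repository or the Docker docs) showing each form of the `ports:` short syntax side by side with the setting that does not publish anything. Image names, service names and the 10.6.0.0/24 VPN range are assumptions for illustration; only port 53 (DNS), 80 (Pi-hole admin) and 51820 (WireGuard) are taken from the thread and the projects' defaults.

```yaml
# Added example, not the project's own compose file.
# Each comment states what Docker does with that `ports:` entry.
services:

  # Intended public surface: the VPN endpoint only.
  wireguard:
    image: linuxserver/wireguard       # assumed image
    ports:
      - "51820:51820/udp"              # published on 0.0.0.0:51820 (this is the one
                                       # port that should reach the internet)

  # WEAK: what the original compose file did for the resolver.
  pihole-weak:
    image: pihole/pihole               # assumed image
    ports:
      - "53/udp"                       # container port only -> Docker picks an
                                       # ephemeral HOST port (32768+) and binds it
                                       # on 0.0.0.0, so the resolver IS reachable
                                       # from any address that can reach the host
      - "80/tcp"                       # same for the admin UI, on a random port

  # HARDENED: nothing published; VPN clients resolve via the
  # container's address on the shared Docker network (assumed 10.2.0.100
  # style addressing in wirehole; here left to Docker's default network).
  pihole:
    image: pihole/pihole               # assumed image
    expose:
      - "53/udp"                       # visible to other containers only,
      - "80/tcp"                       # no host binding, no iptables DNAT rule
    # If a host binding is genuinely needed, pin it to a non-public address:
    # ports:
    #   - "127.0.0.1:53:53/udp"        # loopback only
    #   - "10.6.0.1:53:53/udp"         # assumed WireGuard-side host address
```

To check what is actually published after `docker compose up -d`, run `docker compose ps` or `docker port <container>`; an entry like `0.0.0.0:32768->53/udp` means the "container port only" form has bound a random host port on every interface. This matters because Docker publishes ports by inserting its own iptables rules, so a host firewall such as ufw that "denies incoming" does not block them; only a cloud security group in front of the instance, or not publishing the port at all, keeps the resolver off the internet.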



That’s what he said



