Blue Dot: Starlink connected to ubiquiti dream station, that we want
Green Dot: Xfinity connected to ubiquiti dream station.
We want to discontinue Comcast’s service at Green Dot so that Blue Dot can provide internet to Green Dot instead.
He is considering setting up a wireless bridge between the two rooftops, but he needs my assistance to establish a connection from Blue Dot’s Ubiquiti (connected via Starlink) to Green Dot’s Ubiquiti. This would allow him to cancel the Xfinity plans.
I successfully installed new wiring, which required me to access the attic for the first time. The project involved drilling to run two Cat6 cables for a client’s access point and a NanoBeam 5AC Gen 2 in a cottage house. Altogether, I installed ten Cat6 cables to support both the cottage and the hotel laundry building.
I have successfully reached the owner and assured him that it is safe to cancel his Comcast Business service. He can now transition to Starlink and take advantage of their new advanced protocols.
Laundry Hotel, i did install it there and set It up as Main Internet, then cottage i did set AP bridge, and now it is working Added 2 new wires for NBE-5AC-Gen2 and UAP-AC-LTEThat is where I plan to put Mount AP on there.NanoBeam 5AC Gen 2 Cottage house (client router) Zip tie all blue cable and power. Yellow cat 5e already removed. So it all nice and clean.100 download and 100 upload good speed between Hotel to cottages.. 2 miles away not badHotel wifi access point to cottage house
What a wild ride! As someone who cares deeply about keeping ads and trackers away, I run not one, not two, but threeAdguard Home DNS servers for my network and my work and a few trusted friends. Things were smooth…until today’s wake-up call.
When 3 DNS Servers All Go Down
Early this morning, my phone lit up with monitoring alerts: All three Adguard Home DNS servers were timing out. At first, I figured it was typical network flakiness, but when I logged in and checked the stats—yikes! Each DNS server was being bombarded with requests. Log entries were flying by like a slot machine, and CPU loads were through the roof.
I quickly realized: this was a full-blown DDoS attack. Someone (or something) had decided today was the day to flood all my DNS instances and bring them to their knees.
Port 53 is Love, Port 53 is Pain
If you run a DNS server, you know traffic flows through port 53. It’s the default, it’s widely known, and unfortunately, it makes you a target. Even with basic security and firewall rules, a determined attacker can throw a gigantic amount of junk queries your way. The more public your DNS, the more likely it is to end up on a botnet’s hit list.
I tried to mitigate: blocking IPs, tweaking Adguard’s query limits, but the traffic just kept coming—botnets can scale, after all.
The Fix: Hello, DNS-over-TLS (853)!
Desperate for relief, I remembered what sets modern DNS apart: encryption. Both DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) remove reliance on the open port 53, using encrypted connections to a different port.
DoT uses port 853.
So, I did something radical (for my setup):
I closed public access to port 53 on all three servers.
I configured Adguard Home to only accept DNS-over-TLS traffic on port 853.
I made sure my clients (phones, computers, routers) were using DoT (port 853) instead of plain DNS.
Like flipping a switch, the attack ended. No more flood, no more timeouts—just blissfully fast, secure DNS again.
Why This Works
Open port 53 is universally scanned—by researchers and attackers—for DNS servers to abuse. By limiting access and switching to encrypted DNS-over-TLS, you:
Hide your DNS from general internet scanning.
Require authentication (sort of; at least a valid TLS handshake).
Dramatically reduce DDoS exposure, since randomized bot attacks target port 53 by default.
Lessons Learned
Don’t run a public port 53 DNS unless you must. Always lock it down or require VPN/TLS/DNSCrypt.
Encourage clients to use DoT or DoH—they get privacy AND you get peace of mind.
Know your tools: Adguard Home makes it surprisingly easy to deploy DNS-over-TLS.
If you rely on DNS, have a mitigation plan—DDoS can strike anyone, anytime.
Next steps? I’ll keep a close eye on logs, make sure clients are all set up with DoT, and might even look into DNS-over-HTTPS as a backup.
How about you? Have you had to defend your home DNS from attacks? Share your story below!
Stay safe, and happy (private) browsing!
The initial offensive commences on May 25, 2024. Additionally, the internet will experience a gradual slowdown to 2 Mbps and 3 Mbps during uploads; this is how people tell us they did the DDoS attacks on us.This is after and much better
My DNS query results confirm that all our DNS servers are secured with DNS over TLS encryption.
We have replaced our old 51-inch TVs with new 55-inch models, enhancing both display size and quality. These upgraded TVs are now powered by YoDeck digital signage software—a cost-effective solution that eliminates the need for pricier alternatives. To date, YoDeck has been successfully deployed on 25 TVs across all our Anthem locations.
Old TV, 51 inch Today 2024, New TV 55 inch and differnet TV Mount.
