That feels weird somehow. I highly doubt PiHole is the culprit. If you're only using it internal to your LAN for DNS there is no way someone from outside can touch it. You most likely have other, bigger problems with your network (perhaps the WiFi password was discovered by someone, or you're exposing other vulnerable services to the web directly).

Accually there's several ways, XSS for example.

But I agree that there's something other that's not ok. Compromised client (probably a computer) or a compromised router is my guesses.

Agreed, I managed to achieve this by port forwarding port 53 in my router settings. This allows hackers to enlist you in their DNS amplification attacks so please never do this.

Yikes. As much as I want to look into PiVPN, things like this give me pause.

Wireguard is the only service that I bother to expose.

It's stealth and has mitigations for DOS attacks.

Do you have a good guide for this? I sort of grok that the Pi (server) setup is different from the devices (clients) that will use it, but it’s always good to check assumptions.

I already run PiHole, but I might run this on a different box just to keep things simple.

Also, last I checked - port 51820 is reasonably well known, is it safe to use this default when forwarding traffic?