IP blocklists/allowlists and domain blocklists in DNS access settings

[DandelionSprout]

Prerequisites

• [x] I am running the latest version (v0.98.1)
• [x] I checked the documentation and found no answer
• [x] I checked to make sure that this issue has not already been filed

Problem Description

In DNS Settings → Disallowed Clients, it may feel a bit inconvenient to have to add IP addresses one at a time manually. Could it be a possibility to make it possible to use IP blacklists (e.g. FireHOL Level 1) to keep the list of disallowed clients updated and large?

Note that this is not to be confused with the theorethical use of IP blacklists as filterlists to block web connections.

Proposed Solution

Add a setting/menu dedicated to IP blacklists, which are then used to disallow DNS requests from those IPs. They should also be updated in much the same way as adblock/domain/hosts filterlists are, although not as often; and the use of multiple IP blacklists should also be permitted.

Alternatives Considered

Expanding on the Disallowed Clients or Filters settings to allow pasting IP blacklist URLs into them, is also a possibility.

Additional Information

I'll confess that this is a part of how I use my AdGuard Home as a straightforward unencrypted public DNS server (although I intend to be the only user of it) by opening port 53 to it, and that I was hoping to be able to use IP blocklists, as a preferable alternative to setting up an entire firewall program and undoubtedly struggling with it. More details about my intentions are at https://hub.filterlists.com/t/remote-access-to-agh-pi-hole-dns-servers-the-do-s-and-dont-s/57

[nyancrimew]

I have the same issue, I am running a publicly hosted AdGuard home server (for me and some friends) and over the last few days I have started getting more and more requests from known Dns Scanners. I am currently just manually blocking the netblocks these often originate from but that cannot be the permanent solution.

[ghost]

I'm looking for something like this but...

I'd like to put forward an alternative solution to solve a similar problem. What if we queried a free geoip service and created something called a "geoip rule"? For example we could use the free service "https://ipstack.com" (For reference ipstack.com is currently filtered for what ever reason by AdGuard Simplified Domain Names filter)

Under Settings -> DNS Settings -> Access Settings, have a setting named "enable geoip lookup and rules. If we need an api key then allow user to pop one in below.

Finally place "geoip rules" in "Allowed clients" or "Disallowed clients" under Settings -> DNS Settings -> Access Settings. Of course the user could still use previous methods like ip addresses or CIDR or a mix.

Here's what a "geoip rule" could be written as...

ALLOW a continent

geoip continent_name="africa"

DISALLOW a country

geoip continent_name="north america" country_name="united states"

DISALLOW a zip code if you want to be that specific.

geoip continent_name="north america" country_name="united states" region_name="california" city="alameda" zip=94502

Something to think about, if no geoip data is received, do we deny, accept or let the user decide the requests fate with a setting...

This wouldn't be excessive for the end API either. As soon as we identify a request from a new ip, query the API, if ip matches a geoip rule, have adguard allow or disallow ip for a period of time.

[ghost]

@apathyNot similar geo topic https://github.com/AdguardTeam/AdGuardHome/issues/1137

[ghost]

@ArchiveBase I kinda wish I never saw that topic, @ameshkov doesn't like geo blocking ;)

I realize that I have made this issue two separate issues now. An issue for those who would like a convenient automated way of adding and updating lists of IPs they wish AdGuard would not communicate with, and those who would like to limit AdGuard responding to queries based on ip geolocations they could care less to ever see a request from. I think both issues discussed here, used in conjunction, could offer greater security and be a good component to helping solve DNS amplification attacks.

[ameshkov]

Well, I don't like geo-blocking simply because I find this approach ineffective and easy to misuse.

There are better approaches to this:

1. Smarter rate limiter
2. DNS cookies

[DandelionSprout]

Given how my client-block-specific IP list has now reached ~550 entries and has had to be categorised into company paragraphs with ! comments (which 'Client settings' can't easily deal with), I'm giving this issue report a very rare bump from me, which is something I only do in outstanding cases.

[ameshkov]

@DandelionSprout there's actually more to this issue. It seems that blocking domains may be much easier and more productive than creating huge IP blocklists: https://github.com/AdguardTeam/AdGuardHome/issues/1469

[DandelionSprout]

A possibly even better thing that could've been implemented in addition to you guys' domain blocking plans, could be to block clients based on their servers' AS numbers.

So that e.g. CARInet could be blocked through AS10439 instead of a considerable amount of occasionally-changing CIDR address ranges.

[ameshkov]

Yeah, blocking by AS numbers makes perfect sense. Could you please file another feature request for that?

[ameshkov]

Merging https://github.com/AdguardTeam/AdGuardHome/issues/2461 here

"Domains" lists should also be a part of this FR.