New security features

[lordraiden]

NextDNS has the following security features, why the same can't be develop for adguard home?

• DNS Rebinding Protection
• IDN Homograph Attacks Protection
• Typosquatting Protection
• Domain Generation Algorithms (DGAs) Protection
• Block Newly Registered Domains (NRDs)
• Block Parked Domains
• Top-Level Domains (TLDs) Blocking
• Block Bypass Methods

[ameshkov]

Those who will upvote this feature request, please add a comment about what exact feature from this list you need more, and why

[lordraiden]

My particular ranking, based on the security they provide

1. Block Newly Registered Domains (NRDs) https://whoisds.com/newly-registered-domains 15-30 days or so should be fine

This could be done for the most popular sites (amazon, google, microsoft, etc.)

---

2. Typosquatting Protection https://github.com/elceef/dnstwist
3. Domain Generation Algorithms (DGAs) Protection https://github.com/matthoffman/degas
4. IDN Homograph Attacks Protection https://github.com/topics/idn-homograph-attack

   ---

5. DNS Rebinding Protection
6. Block Bypass Methods
7. Block Parked Domains
8. Top-Level Domains (TLDs) Blocking and SLD https://www.icann.org/resources/pages/tlds-2012-02-25-en https://www.spamhaus.org/statistics/tlds/

I forgot to mention: Google Safe Browsing (NextDNS) Block malware and phishing domains using Google Safe Browsing—a technology that examines billions of URLs per day looking for unsafe websites. Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.

[ghost]

I too would like to block NRDs. The problem is using the list from whoisds in my experience leads to blocking legitimate domains. If any domain creates a new subdomain, that is to be considered a NRD but when whoisds publishes list of NRDs only the domain is listed.

For example on Tuesday Google created subdomain servemoreads.google.com. Wednesday whoisds publishes list saying google.com is NRD

Friday Google created subdomain adsgalore.google.com and now on the list for Saturday that whoisds publishes once again google.com is shown as a NRD.

Yes we could whitelist google.com but we would also be whitelisting many more domains depending on your needs to the point where its not feasible to spend that much time on whitelisting.

The only way I could see this working is to create a list of every unique domain listed. If any future lists contain a domain we have seen before then it should be excluded from blocking at any point in the future past the retention period for how long we block a NRD.

In other words. If we see google.com listed as an NRD, assume its actually new. The second time google.com becomes lists as an NRD, we can safely assume the only reason is because google.com has a new subdomain and we should no longer include google.com in any future NRD lists.

But then again this creates problems for domains that are re-registered years later but already contained in an exclusion list, we would end up not blocking this domain.

[DandelionSprout]

TLD blocking is already fully possible through e.g. ||*.tk^, so that's 1 down, 7 or 8 to go.

Of the other 7, typosquatting protection is the only one I myself would have actively used, as it'd be an easier way to block counterfeit domains than to have filterlists with e.g. 3,000 different misspellings of ebay.com.

[ammnt]

I would really like to see all of these functions also in AdGuard DNS.

[ghost]

For IDN Homograph Attacks Protection a quick and dirty solution would be to simply block all punycode. I do this with a custom filter regex that looks like this "/.*?xn--.*/". Of course some users may not want to block all punycode. So maybe you could make this an option with a toggle switch like you guys already do with one click facebook, whats app or instagram blocking.

[DandelionSprout]

Regarding @HopHop20's hotfix and concerns: A method to avoid homograph attacks, while not blocking legitimate non-Latin-TLD domains, would be something like /.*?xn--.*\.[a-z][a-z][a-z]?\.?[a-z]?[a-z]?[a-z]?/, which blocks løkballær.no (which is a completely random test phrase), but not яндекс.рф.

[DandelionSprout]

I've now created https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtectionTotal.txt and https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtection-USLatinTLDsOnly.txt, to attempt to ensure a list that prevents homograph attacks.

@ameshkov Do these two new lists mean that the goal of "IDN Homograph Attacks Protection" has been accomplished and can be checked off the list, or not?

[lordraiden]

This is what nextdns offers

[DandelionSprout]

For those who're really keen on typosquatting protection in the lieu of an official AdGuard solution, I can currently recommend AntiSocial Engineer BlackList.

Note that among its 34,000 entries, there's also 7 false positives for Google, the most severe one being google.org. I've sent them an E-mail now about it and a handful of other ones.

[ghost]

For those who're really keen on typosquatting protection in the lieu of an official AdGuard solution, I can currently recommend AntiSocial Engineer BlackList.

Note that among its 34,000 entries, there's also 7 false positives for Google, the most severe one being google.org. I've sent them an E-mail now about it and a handful of other ones.

It's a UK centric blocklist so I wouldn't expect many if any of those entries reported to be removed. I totally ignored this fact and here is the response I got from the maintainer about T-Mobile.com ...

"...blacklist is UK centric where T-Mobile now trade as EE. So customers and people that use the list have no need for T-mobile domains..."

[DandelionSprout]

Oh.

That's admittedly a big, BIG minus-point for that list. Big enough that I'll even remove it from my curated lists in the OP of https://github.com/AdguardTeam/AdGuardHome/issues/1325#issue-544430478. Thanks so much for the heads-up.

[GyokuroT]

Please add "DNS Rebinding Protection". Thank you :-)

[emlimap]

Another vote for DNS Rebinding Protection.

It would be good to have an option to exclude certain domains from Rebinding protection. The use case for it will be if you are self hosting and have a DNS record that points to an internal IP.

These are the options dnsmasq offers when it comes to DNS rebind protection.

--stop-dns-rebind
    Reject (and log) addresses from upstream nameservers which are in the private ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network. For IPv6, the private range covers the IPv4-mapped addresses in private space plus all link-local (LL) and site-local (ULA) addresses. 
--rebind-localhost-ok
    Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services. 
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/] 

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

[ghost]

Here's what I do to block DNS rebinding attacks currently. You can add the regular expressions to custom filter rules.

192.0.0.0/24

/^192.0.0(.[0-9]{1,3}){1}$/

192.0.2.0/24

/^192.0.2(.[0-9]{1,3}){1}$/

198.51.100.0/24

/^198.51.100(.[0-9]{1,3}){1}$/

203.0.113.0/24

/^203.0.113(.[0-9]{1,3}){1}$/

192.168.0.0/16

/^192.168(.[0-9]{1,3}){2}$/

169.254.0.0/16

/^169.254(.[0-9]{1,3}){2}$/

10.0.0.0/8

/^10(.[0-9]{1,3}){3}$/

127.0.0.0/8

/^127(.[0-9]{1,3}){3}$/

10.0.0.0/8

/^0(.[0-9]{1,3}){3}$/

100.64.0.0/10

/^100.(6[4-9]|[7-9][0-9]{1}|1[0-1][0-9]|12[0-7])(.[0-9]{1,3}){2}$/

224.0.0.0/4

/^(22[4-9]|23[0-9])(.[0-9]{1,3}){3}$/

240.0.0.0/4

/^(24[0-9]|25[0-5])(.[0-9]{1,3}){3}$/

172.16.0.0/12

/^172.(1[6-9]|2[0-9]|30-9{2}$/

198.18.0.0/15

/^198.(1[8-9])(.[0-9]{1,3}){2}$/

If you need to whitelist an IP then add a whitelist rule. For example example.com resolved to 192.168.0.1 then add below to custom filter

@@|192.168.0.1^

Edit

fixed: 100.64.0.0/10 regex

[DandelionSprout]

Feel free to correct me if I'm wrong, but wouldn't DNS rebinding protection prevent local LAN addresses from being accessed, or perhaps even from using AGH as clients? Since AGH seems to be first and foremost designed for use on local LANs, I'd be surprised if this became an officially supported function in AGH outside of 3rd-party filterlists.

https://github.com/InnoScorpio/Public_Adblock_Filters/tree/master/LOCALNET-EX seem to attempt to make an anti-localhost list, although none of the 3 formats are supported by AGH.

[emlimap]

@HopHop20 Thank you for the regex filters. They work as intended.

I wonder if there is a performance impact with AGH when you use regex filters. For example, Pi-Hole developers used to advise against regex rules as pihole-FTL/dnsmasq had to evaluate each and every regex rule compared to a blocklist where it stops at first match. More the regex rules you had, the longer it took to process dns queries. Not sure if the situation has changed with their new v5 beta. Haven't tested it yet.

There were some IP's that I wasn't aware of like 192.0.0.0/24, 192.168.0.2.0/24, 198.51.100.0/24. Did you have to go through IETF RFC's to find them?

In terms of whitelist, whitelisting the sub/root domain also does work. For example, if webserver.example.org points to 192.168.1.20, then @@||webserver.example.org^ does the trick. Works better for me as I could just add @@||home.mylocadomain.tld^ as whitelist instead of invidual IP addresses.

@DandelionSprout Any domain name that responds with a private address (full list - https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses) will get blocked. HopHop20's regex filters above covers a lot more than that. You can still access them directly by their IP address.

This is why both dnsmasq and unbound don't enable it by default. It has to be enabled by the user along with the option to exclude certain domains. In Openwrt with dnsmasq, if you enable DNS rebinding protection, local domain isn't affected but others returning private IP addresses will be dropped.

This article does go into detail how DNS rebinding attack works and how it can be exploited in real world - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

[ghost]

@emlimap I should have been a bit more clear. The regexes are for ipv4 bogons, taking from https://www.team-cymru.com/bogon-bit-notation.html You can learn more about bogons at https://www.team-cymru.com/bogon-reference-http.html They are basically private ranges and reserved ranges or ranges that you should never see out in the internet. They also have an ipv6 list of bogons but I don't have regex filters yet, mostly because my isp doesn't support ipv6.

As for performance issues, I haven't noticed much of a decline using the small set of regexes I have including the ones I posted here. Ideally don't use them or don't use to many but again it hasn't been so slow for me to even care...

You could turn the above regexes into rules and abandoned regex all together if one is that concerned about performance. However you might also run into more of a performance issue. For instance if you wanted to blocked all of 127.0.0.0/8 you would need to create a rule for each ip in 127.0.0.0/8 and that would be a total of 16,777,216 rules. For all the bogon ranges I posted above, that would turn into 592,708,608 individual rules. This gets a lot worse with ipv6... Anyways seems like a lot of rules for AdGuardHome to handle without a degrade in performance although I've never tested this theory. You could shorten the rules by writing something like |127. but then that would block 127.example.com and 127example.com or anything that begins with 127

[ameshkov]

I wonder if there is a performance impact with AGH when you use regex filters

If there are many thousands -- there is. But a small number of regexes won't hurt.

[emlimap]

@HopHop20 Thanks for that link. I think that list is better off to be used with router/firewall rather than regex, especially the IPv6 one as it is quite large and you have to constantly keep your regex updated as IPv6 allocations are made.

RIPE has a good guide on some IPv6 equivalents of IPv4 Private IP ranges - https://www.ripe.net/manage-ips-and-asns/ipv6/ipv6-address-types

Since DNS rebinding is purely about private IP range to stop websites from scanning user's local network, I would say we just need rules for fc00::/7 and fe80::/10. These are the ranges dnsmasq also seems to cover.

I had a stab at this but it doesn't cover the full /10 CIDR but all devices on my local network are only picking up an IP from fe80 range. /^fe80:(:[0-9a-fA-F]{0,4}){0,4}$/

Query for test. Useful service to testing - https://ip6.name/

dig AAAA "fe80.x.200.5aee.feaa.20a2.ip6.name"

If you would like to play with IPv6, you can give HE's Tunnel broker service a try https://tunnelbroker.net. Used to use it until I moved to an ISP that provided native IPv6 support.

Bear in mind Netflix will stop working unless you either block Netflix IPv6 range on your router or block AAAA records for netflix. For second one, it is planned to be addressed on the release after next, https://github.com/AdguardTeam/AdGuardHome/issues/1547#issuecomment-612887232

@ameshkov That is good to know, Thanks.

[HorayNarea]

I've now created https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtectionTotal.txt and https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtection-USLatinTLDsOnly.txt, to attempt to ensure a list that prevents homograph attacks.

@ameshkov Do these two new lists mean that the goal of "IDN Homograph Attacks Protection" has been accomplished and can be checked off the list, or not?

This also blocks legit domains such as thüringen.de so probably no. :D

[DandelionSprout]

I believe that's 100% exactly how IDN homograph protection works like, if I understood the concept behind it correctly.

That being said, I have considered adding a whitelist to let sites like elkjøp.no through, but I couldn't find any major websites that had Unicode domains that weren't just instant redirects, which thüringen.de also is (Gets turned into thueringen.de).

[HorayNarea]

I believe that's 100% exactly how IDN homograph protection works like, if I understood the concept behind it correctly.

in real-world attacks it's more abusing characters from different alphabets that look exactly like your target alphabet… for example the cyrilic character В that looks (depending on the font) like the latin B or an even better example: о vs. o

(to see that these are really different characters, copy-paste them in to google and see the results)

[davidmerrique]

Looks like NextDNS has a new feature Native Tracking Protection https://headwayapp.co/nextdns-changelog/new-feature-native-tracking-protection-149447

Block wide spectrum trackers—often operating at the operating system level—that track your activity on a device. This could include all the websites you visit, everything you type or your location at all times.

I’m not even 100% sure what that means from the description.

[ameshkov]

Sounds like a nice name for a blocklist, this is not a security feature.

[ai-utt]

Google Safe Browsing

yes!! please.

[Aikatsui]

Google Safe Browsing

yes!! please.

Not sure. AdGuardHome has a one built-in otherwise you can use Yandex safe DNS, Cloudflare malware blocking DNS or else.

[ai-utt]

Not sure. AdGuardHome has a one built-in otherwise you can use Yandex safe DNS, Cloudflare malware blocking DNS or else.

i know but it doesn't use google safe browsing, sadly Cloudflare malware blocking, quad9 and many other “malware, phishing etc...” blocking DNSs are blocked in my country.

[Aikatsui]

i know but it doesn't use google safe browsing, sadly Cloudflare malware blocking, quad9 and many other “malware, phishing etc...” blocking DNSs are blocked in my country.

https://github.com/AdguardTeam/AdGuardHome/issues/1834#issuecomment-650697074

[thewan056]

Why not use NextDNS in the Upstream DNS Servers for AdGuardHome instead to get the best of both worlds?

[iceman73]

Would really like Typosquatting Protection https://github.com/elceef/dnstwist, for when they dont make the lists quick enough

[ammnt]

We really need a separate function "DNS rebind protection" to block domains associated with localhost and loopback addresses (127.0.0.1,:: 1 etc)🤩

[Aikatsui]

Block Parked Domains https://github.com/AdguardTeam/AdGuardHome/issues/1446#issue-574168506

It isn't a security feature then goes to https://github.com/AdguardTeam/AdGuardHome/issues/2230 (solution to block worldwide services)

Top-Level Domains (TLDs) Blocking https://github.com/AdguardTeam/AdGuardHome/issues/1446#issue-574168506

@DandelionSprout TLD blocking is already fully possible through e.g. ||*.tk^, so that's 1 down, 7 or 8 to go.

And related enhancement https://github.com/AdguardTeam/AdGuardHome/issues/1733 (rules support for TLD and SLD). Since necessary rules exist then it's not necessary for add to UI

[ghost]

Block Newly Registered Domains (NRDs)

I have experience working in a AV company, and can't stress enough how important this feature is. Huge majority of malicious campaigns use newly registered domains as their initial stage or the second one

[ghost]

The one i would be interested is CSAM in my case (and in the case of those who let other people use their DNS)

[ghost]

@lordraiden for the bypass all you have to do is add their blocklist of bypass domain.

https://raw.githubusercontent.com/nextdns/metadata/master/parentalcontrol/bypass-methods

[ghost]

Here's what I do to block DNS rebinding attacks currently. You can add the regular expressions to custom filter rules.

192.0.0.0/24

/^192.0.0(.[0-9]{1,3}){1}$/

192.0.2.0/24

/^192.0.2(.[0-9]{1,3}){1}$/

198.51.100.0/24

/^198.51.100(.[0-9]{1,3}){1}$/

203.0.113.0/24

/^203.0.113(.[0-9]{1,3}){1}$/

192.168.0.0/16

/^192.168(.[0-9]{1,3}){2}$/

169.254.0.0/16

/^169.254(.[0-9]{1,3}){2}$/

10.0.0.0/8

/^10(.[0-9]{1,3}){3}$/

127.0.0.0/8

/^127(.[0-9]{1,3}){3}$/

10.0.0.0/8

/^0(.[0-9]{1,3}){3}$/

100.64.0.0/10

/^100.(6[4-9]|[7-9][0-9]{1}|1[0-1][0-9]|12[0-7])(.[0-9]{1,3}){2}$/

224.0.0.0/4

/^(22[4-9]|23[0-9])(.[0-9]{1,3}){3}$/

240.0.0.0/4

/^(24[0-9]|25[0-5])(.[0-9]{1,3}){3}$/

172.16.0.0/12

/^172.(1[6-9]|2[0-9]|30-9{2}$/

198.18.0.0/15

/^198.(1[8-9])(.[0-9]{1,3}){2}$/

If you need to whitelist an IP then add a whitelist rule. For example example.com resolved to 192.168.0.1 then add below to custom filter

@@|192.168.0.1^

Edit

fixed: 100.64.0.0/10 regex

Can you be kind enough to do the same with ipv6 ? I ask because i'm not good with regexp

[jvoisin]

Is there a reliable way to programmatically tell the age of a particular domain name?

[ameshkov]

@jvoisin yep, whois shows this info

[jvoisin]

Won't a whois request per DNS resolution slow the resolution significantly, or is this slowdown acceptable?

[ameshkov]

Not just that, whois services usually have a strict rate limit so it simply not possible to synchronously query it for each domain.

[HorayNarea]

@jvoisin yep, whois shows this info

not for .de domains and I think a few others too… because "something something privacy" :roll_eyes:

[jenabaivab]

@ameshkov Any update please on which features are planned to come in upcoming versions or if none of them are passed? Pretty long list, but useful for sure.

[ghost]

@ameshkov Any update please on which features are planned to come in upcoming versions or if none of them are passed? Pretty long list, but useful for sure.

you can found what's is shipped on witch version here, i just hope to see one day an aproximate date of release in beta

[jenabaivab]

you can found what's is shipped on witch version here, i just hope to see one day an aproximate date of release in beta

Don't see a lot of things except cname flattening support :( was looking for mostly typosquatting, cryptojacking, intelligence feeds and rebinding. Hopefully someday we can get those things in AG home.

[ammnt]

Guys, see what other interested security features are implemented on the applied-privacy.net:

• QNAME minimisation (RFC7816) is enabled to reduce query disclosure to 3rd parties
• Aggressive Use of DNSSEC-Validated Cache (RFC8198)
• prefetching is enabled to reduce latency and make correlation of inbound and outbound connections harder.
• TLS session resumption
• EDNS0 TCP keepalive Option (RFC7828)
• TLSA records for our DNS endpoints (CA Constraint)
• TCP Fast Open (RFC7413) is available on the DoH service
• EDNS0 Padding Option (RFC7830, RFC8467)
• TLS False Start (RFC7918)
• "Recommendations for DNS Privacy Service Operators" (active Internet Draft) etc.

@ameshkov, anything interesting for us?🤨

[gregtwallace]

+1 for DNS Rebinding Protection (I implemented the RegEx, but something more user friendly like a couple of checkboxes ("Block private networks and loopback addresses" & "Block bogon networks") and a whitelist / define local domains setting would be fantastic.

edit: I see someone submitted a pull request to add this feature.

[gregtwallace]

Here's what I do to block DNS rebinding attacks currently. You can add the regular expressions to custom filter rules.

172.16.0.0/12

/^172.(1[6-9]|2[0-9]|30-9{2}$/

You're missing a bracket; should be: 172.16.0.0/12 /^172.(1[6-9]|2[0-9]|3[0-1])(.[0-9]{1,3}){2}$/

[ammnt]

@Macqael, these ugly rules works for me, but i still test it:

/^(::1)$/
/^(fe80::)/
/^(fec0::)/
/^(febf::)/
/^(feff::)/
/^(fc00::)/
/^(ff00::)/
/^(::ffff:)/

[xenstar]

We love AdguardHome, so that's why we requested those features from NextDNS. I just search those features, then google brought me here. Hopefully, you will keep adding these security features in AdguardHome, in the coming days. All the best to ADH Team.