AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

DoH requests from configured clients only #2861

Open AlexHighTower opened 3 years ago

AlexHighTower commented 3 years ago

Hello,

It would be nice to limit access to DoH to configured clients only. My server was somehow found and now I see queries from unknown clients in the log.

cuiver commented 3 years ago

Are you talking about limiting to custom DoH addresses, like allowing "https://yourdomain.something/dns-query/[customsequence]" and refusing requests made to the apex "/dns-query"?

Nonetheless, be sure that you don't have port 53 open to everyone. You can always configure the firewall of your VPS to only allow requests on port 443 (53 for plain DNS, 853 for DoT) made from an IP that matches your ISP's CIDR range (useful if your IP is dynamic), or in AdGuard Home - DNS - Access settings - Allowed clients. Another option is to use a VPN between you and the VPS so that you authenticate yourself.

AlexHighTower commented 3 years ago

Yes, I'm talking about allowing "https://yourdomain.something/dns-query/[customsequence]" and refusing requests made to the apex "/dns-query", with "customsequence" configured as a "client" only. Configuring the firewall to pass requests only from allowed IPs is not acceptable because I use the DoH settings on my mobile and the IP is different all the time.

A related problem, if "https://yourdomain.something/" is worldwide accessible, is how "https://yourdomain.something/login.html" will handle brute-force attacks...

cuiver commented 3 years ago

If you want to use it in a mobile setting, the best choice is to configure WireGuard (most resource-efficient) on your VPS and establish a connection to it from your device. Provided that you are really set on discarding the VPN option, if your mobile ISP uses a specific CIDR/range of IPs, you can narrow the access even if your IP is dynamic (just don't access public WiFi/hotspots).

Regarding the apex domain, you can always define a custom subdomain/A record, like "https://**maybedns**.yourdomain.something" and point it to the VPS public IP. It may still be crawled and found but it is not common. Also, if you block port 80 in the VPS egress traffic, some crawlers may stop since the http form of your domain is not giving a response and not redirecting to the https form (the redirect to https option in AdGuard will be ignored).

AlexHighTower commented 3 years ago

For now I solved my problem with nginx in front of AGH for /dns-query like this:

location = /dns-query {
    # Refuse the bare endpoint; only the per-client paths below are served.
    return 404;
}

location ~ ^/dns-query/([a-zA-Z0-9]+)$ {
    set $user $1;
    # Anchor the pattern: an unanchored "(user1|user2|user3)" would also accept
    # "user1xyz", because nginx regex matching is a substring match.
    if ($user !~* "^(user1|user2|user3)$") {
        return 404;
    }
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # AGH's DoH listener; the full /dns-query/<user> path is forwarded unchanged.
    proxy_pass https://127.0.0.1:8443;
}

Ryckie commented 1 month ago

> For now I solved my problem with nginx in front of AGH for /dns-query like this:
>
> location = /dns-query {
>     # Refuse the bare endpoint; only the per-client paths below are served.
>     return 404;
> }
>
> location ~ ^/dns-query/([a-zA-Z0-9]+)$ {
>     set $user $1;
>     # Anchor the pattern: an unanchored "(user1|user2|user3)" would also accept
>     # "user1xyz", because nginx regex matching is a substring match.
>     if ($user !~* "^(user1|user2|user3)$") {
>         return 404;
>     }
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     # AGH's DoH listener; the full /dns-query/<user> path is forwarded unchanged.
>     proxy_pass https://127.0.0.1:8443;
> }

I have tried this; I'm using nginx proxy manager. For me it seems that it does give a 404 for /dns-query/test, but not for /dns-query/test- or anything else with a - at the end. It also doesn't give a 404 error for /dns-query itself without a /user behind it. Any idea on how to fix that?

I managed to solve /dns-query not being blocked by adding a 404 host for domain/dns-query. Still not sure why the config above doesn't block it. But anything with a - at the end still passes.
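The two gaps reported above have the same cause: a path such as /dns-query/test- matches neither the exact location for /dns-query nor the token regex, so it falls through to whatever generic location proxies the rest of the site, and AdGuard Home answers it (AGH accepts a client ID as a path suffix after /dns-query, which is also why the token can double as the configured client). The following is an added example, not code from this thread or from the AdGuard Home project: a complete server block that puts the allow-list in the location pattern itself, adds a catch-all that refuses everything else under /dns-query, and rate-limits the web UI login that the earlier comment worried about. The hostname dns.example.com, the certificate paths, the AGH listeners (DoH on https://127.0.0.1:8443, web UI on http://127.0.0.1:3000), the admin VPN range 10.8.0.0/24 and the two tokens are all assumed placeholders.

```nginx
# Added example (not from the thread or the AdGuard Home project). Assumed
# values: host dns.example.com, cert paths, AGH DoH on https://127.0.0.1:8443,
# AGH web UI on http://127.0.0.1:3000, VPN/admin range 10.8.0.0/24, and the
# two tokens, which must be replaced by long random strings of your own.

# http context: at most 5 login attempts per minute per source address.
limit_req_zone $binary_remote_addr zone=agh_login:10m rate=5r/m;

server {
    listen 443 ssl http2;                 # DoH clients generally expect HTTP/2
    server_name dns.example.com;
    ssl_certificate     /etc/letsencrypt/live/dns.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dns.example.com/privkey.pem;

    # Regex locations are tried in order of appearance and the first match
    # wins, so the allow-list comes first and the catch-all second. The tokens
    # sit in the location pattern, anchored with ^ and $, so "token-" or
    # "tokenxyz" neither matches here nor falls through to "location /".
    # Regex locations match $uri only, so a GET ?dns=... query string is fine.
    location ~ "^/dns-query/(kq9X7mT2pZv4bWc8Lr3Ns6|Hf4dR8wQ1yTn5Bm2Vx9Pz0)$" {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # No URI on proxy_pass: the full /dns-query/<token> path is forwarded,
        # so AGH can treat the token as the client ID of a configured client.
        proxy_pass https://127.0.0.1:8443;
    }

    # Bare endpoint, trailing "-", unknown tokens, anything else under
    # /dns-query: refused here instead of reaching AGH.
    location ~ ^/dns-query {
        return 404;
    }

    # Web UI login API: VPN-only and throttled against password guessing.
    location = /control/login {
        allow 10.8.0.0/24;
        deny all;
        limit_req zone=agh_login burst=5 nodelay;
        limit_req_status 429;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:3000;
    }

    # Everything else is the admin UI: reachable only from the VPN range.
    location / {
        allow 10.8.0.0/24;
        deny all;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:3000;
    }
}
```

Two caveats a practitioner should keep in mind. The token is a bearer secret: it appears in the request path, so it lands in nginx's access log and in any upstream log that records the URI; mask or restrict those logs and rotate the token when a device is lost. And nginx only gates what passes through it, so 8443 (and 853/53 if enabled) must be firewalled to localhost or to the VPN, otherwise AGH's own listener still answers everyone.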