AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0
25.57k stars, 1.84k forks

Restrict hosting of public dns resolver #6394

Status: Open. snapsl opened this issue 1 year ago

snapsl commented 1 year ago

The problem

Many issues and discussions are about hosting a public DNS resolver, which is in general not a good idea.

Proposed solution

Adguard Home should restrict the hosting of public DNS servers or at least warn the user about possible consequences.

Alternatives considered and additional information

No response

agneevX commented 1 year ago

This is not a valid issue as it's up to users how they want to deploy AGH.

snapsl commented 1 year ago

> This is not a valid issue as it's up to users how they want to deploy AGH.

Software should be secure by default. Of course, in the end the user can decide how to deploy AGH, but the default should not allow the creation of a publicly open DNS resolver without a warning.

snapsl commented 1 year ago

In comparison, the default configuration of Pi-hole only serves DNS requests from local devices and warns if the user wants to create an open DNS server. This would be easy to implement. Any other suggestions?

Aesir commented 10 months ago

Mostly what's needed is better logging. Then the user can use available mitigation tools (e.g. Fail2Ban, Crowdsec) to handle threat mitigation as we do for any other publicly available service. A trusted DNS server is something you want always up and available no matter where you are, so making it [semi-]publicly available is a very worthwhile use case but right now we just don't have the tools to accomplish it in a reasonably safe way.

snapsl commented 10 months ago

Improved logging would facilitate integration into existing security solutions, integrations that to my knowledge do not exist for AdguardHome.

@Aesir If you really want to operate a public DNS server, I recommend using well-established software (e.g. bind, unbound, coredns) where security and monitoring solutions and their integrations already exist. These also support blocklists. I think that AdguardHome, as the name suggests, should run at home.
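The two behaviours discussed in this thread, a local-only default allow-list with a startup warning when the config opens the resolver to everyone (snapsl's Pi-hole comparison) and a fixed-shape refusal log line that a tool such as Fail2Ban can match (Aesir's logging point), sketched as an added example. This is illustrative code written for this page, not AdGuardHome's own access-control or query-log implementation; the policy class, the allow-list and the log format are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical secure-by-default allow-list: loopback, RFC 1918, IPv6 ULA and link-local.
LOCAL_ONLY = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "::1/128", "fc00::/7", "fe80::/10"]

@dataclass
class ResolverPolicy:
    """Which client addresses the resolver answers; every other source is refused."""
    allowed: list

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(c, strict=False) for c in self.allowed]

    def is_open(self) -> bool:
        # A zero-length prefix (0.0.0.0/0 or ::/0) admits the whole internet.
        return any(n.prefixlen == 0 for n in self.nets)

    def permits(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        # Membership across address families is simply False, so mixed lists are safe.
        return any(ip in n for n in self.nets)

def startup_warnings(policy: ResolverPolicy) -> list:
    """The warning the issue asks for: flag an open-resolver config before serving."""
    warnings = []
    if policy.is_open():
        warnings.append("WARNING: allow-list admits any source address; this is an open "
                        "resolver and will attract reflection/amplification abuse")
    return warnings

def handle_queries(policy: ResolverPolicy, queries: list) -> tuple:
    """queries are (client_ip, qname) pairs; returns (answered, refused_log_lines).
    Refusals use one fixed line shape so an external tool can match and ban sources."""
    answered, refused = [], []
    for client_ip, qname in queries:
        if policy.permits(client_ip):
            answered.append((client_ip, qname))
        else:
            refused.append(f"REFUSED client={client_ip} qname={qname} reason=not-in-allow-list")
    return answered, refused

# Constructed sample: one LAN client and one internet source (203.0.113.0/24 is TEST-NET-3).
SAMPLE_QUERIES = [("192.168.1.20", "example.com"), ("203.0.113.7", "example.com")]

if __name__ == "__main__":
    for line in startup_warnings(ResolverPolicy(["0.0.0.0/0"])):
        print(line)
    ok, bad = handle_queries(ResolverPolicy(LOCAL_ONLY), SAMPLE_QUERIES)
    print(ok, bad, sep="\n")
```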