Restrict hosting of public dns resolver

[snapsl]

Prerequisites

• [X] I have checked the Wiki and Discussions and found no answer

• [X] I have searched other issues and found no duplicates

• [X] I want to request a feature or enhancement and not ask a question

The problem

Many issues and discussion are about hosting a public dns resolver which is in general not a good idea.

Proposed solution

Adguard Home should restrict the hosting of public DNS servers or at least warn the user about possible consequences.

Alternatives considered and additional information

No response

[agneevX]

This is not a valid issue as it's up to users how they want to deploy AGH.

[snapsl]

This is not a valid issue as it's up to users how they want to deploy AGH.

Software should be secure by default. Of course, in the end the user can decide how to deploy AGH, but the default should not allow the creation of a publicly open dns resolver without warning.

[snapsl]

In comparison, the default configuration of Pi-hole only serves dns requests from local devices and warns if the user wants to create an open dns server. link This would be easy to implement. Any other suggestions?

[Aesir]

Mostly what's needed is better logging. Then the user can use available mitigation tools (e.g. Fail2Ban, Crowdsec) to handle threat mitigation as we do for any other publicly available service. A trusted DNS server is something you want always up and available no matter where you are, so making it [semi-]publicly available is a very worthwhile use case but right now we just don't have the tools to accomplish it in a reasonably safe way.

[snapsl]

Improved logging would facilitate integration into existing security solutions. Integrations that to my knowledge do not exist for AdguardHome.

@Aesir If you really want to operate a public DNS server, I recommend using well-established software (e.g. bind, unbound, coredns) where security and monitoring solutions and their integrations already exist. These also support blocklists. I think that AdguardHome, as the name suggests, should run at home.