Closed tescophil closed 6 months ago
Hi @tescophil, thanks for the report. I'm unable to reproduce this on my setup. Could you please tell me more about how you have AdGuard Home set up? Seeing a screenshot of your Access settings in Settings > DNS settings, and a copy of your yaml, could help too. Reproducing the issue with verbose logs enabled may also show us more of the picture.
Hi,
So I've already given you my authorised clients settings, so I don't really see how a screenshot will help, but...
I'm set up on a standalone Intel machine (not a VM) and have had the same setup for years. I provide an external (public) DNS-over-TLS for personal Android and iOS devices via port 853, all of which have an individual ClientID to control access (which is now broken).
The unauthorised clients are coloured red in the client list; however, it's not clear what this actually means, and looking in the log, all these queries are answered and not blocked/ignored as they should be.
I can get you my yaml settings, but I'm currently on a bus in Malta, so it will have to be later on this evening.
I have the same problem as @tescophil. This was definitely not the case before the update.
OK here is my yaml config (think I've removed all personal info from this..)
```yaml
http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:81
  session_ttl: 720h
users:
  - name: myname
    password: <password removed>
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '# DoH Resolvers'
    - https://cloudflare-dns.com/dns-query
    - https://dns.google/dns-query
    - https://doh.opendns.com/dns-query
    - https://dns.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 192.168.0.1
  fallback_dns: []
  upstream_mode: parallel
  fastest_timeout: 1s
  allowed_clients:
    - 127.0.0.1
    - 10.8.1.0/24
    - 192.168.0.0/24
    - 192.168.10.0/24
    - 192.168.20.0/24
    - 192.168.30.0/24
    - 192.168.40.0/24
    - clientone
    - clienttwo
    - clientthree
    - clientfour
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
    - '||coopersedge.internal^'
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 16777216
  cache_ttl_min: 3600
  cache_ttl_max: 86400
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: false
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: true
  server_name: myownhostname.duckdns.org
  force_https: false
  port_https: 8443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/letsencrypt/live/myownhostname.duckdns.org/fullchain.pem
  private_key_path: /etc/letsencrypt/live/myownhostname.duckdns.org/privkey.pem
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 24h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
    name: DoH 1
    id: 1612043645
  - enabled: true
    url: https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
    name: DoH 2
    id: 1612043646
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 1621502401
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1621502402
  - enabled: true
    url: https://someonewhocares.org/hosts/zero/hosts
    name: Dan Pollock's List
    id: 1621502403
  - enabled: true
    url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1621502404
  - enabled: true
    url: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt
    name: Game Console Adblock List
    id: 1621502405
  - enabled: true
    url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
    name: Peter Lowe's List
    id: 1621502406
  - enabled: true
    url: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1621502407
  - enabled: true
    url: https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
    name: NoCoin Filter List
    id: 1621502408
  - enabled: true
    url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
    name: Scam Blocklist by DurableNapkin
    id: 1621502409
  - enabled: true
    url: https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
    name: Spam404
    id: 1621502410
  - enabled: true
    url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts
    name: The Big List of Hacked Malware Web Sites
    id: 1621502411
  - enabled: true
    url: https://curben.gitlab.io/malware-filter/urlhaus-filter-agh-online.txt
    name: Online Malicious URL Blocklist
    id: 1621502412
  - enabled: true
    url: https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt
    name: BarbBlock
    id: 1621502413
  - enabled: true
    url: https://raw.githubusercontent.com/Zelo72/adguard/main/doh-vpn-proxy-bypass.adblock
    name: DoH 3
    id: 1634383267
  - enabled: true
    url: https://abp.oisd.nl/basic/
    name: OISD Blocklist Basic
    id: 1640125739
  - enabled: true
    url: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareAdGuardHome.txt
    name: Dandelion Sprout's Anti-Malware List
    id: 1640125740
  - enabled: true
    url: https://raw.githubusercontent.com/notracking/hosts-blocklists/master/adblock/adblock.txt
    name: No Tracking Hosts
    id: 1643128929
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
    name: 1Hosts (Lite)
    id: 1699928146
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_38.txt
    name: 1Hosts (mini)
    id: 1699928147
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1699928148
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 1699928149
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt
    name: Dan Pollock's List
    id: 1699928150
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt
    name: HaGeZi Multi NORMAL
    id: 1699928151
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt
    name: HaGeZi's Pro Blocklist
    id: 1699928152
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_51.txt
    name: HaGeZi's Pro++ Blocklist
    id: 1699928153
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt
    name: HaGeZi's Ultimate Blocklist
    id: 1699928154
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
    name: OISD Blocklist Small
    id: 1699928155
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Big
    id: 1699928156
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
    name: Peter Lowe's Blocklist
    id: 1699928157
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt
    name: Steven Black's List
    id: 1699928158
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_39.txt
    name: Dandelion Sprout's Anti Push Notifications
    id: 1699928159
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt
    name: Dandelion Sprout's Game Console Adblock List
    id: 1699928160
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_46.txt
    name: HaGeZi's Anti-Piracy Blocklist
    id: 1699928162
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt
    name: HaGeZi's Gambling Blocklist
    id: 1699928163
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1699928164
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1699928165
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt
    name: Phishing URL Blocklist (PhishTank and OpenPhish)
    id: 1699928166
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
    name: Dandelion Sprout's Anti-Malware List
    id: 1699928167
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_44.txt
    name: HaGeZi's Threat Intelligence Feeds
    id: 1699928168
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt
    name: NoCoin Filter List
    id: 1699928169
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt
    name: Phishing Army
    id: 1699928170
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt
    name: Scam Blocklist by DurableNapkin
    id: 1699928171
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_42.txt
    name: ShadowWhisperer's Malware List
    id: 1699928172
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt
    name: Stalkerware Indicators List
    id: 1699928173
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt
    name: The Big List of Hacked Malware Web Sites
    id: 1699928174
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_50.txt
    name: uBlock₀ filters – Badware risks
    id: 1699928175
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt
    name: Malicious URL Blocklist (URLHaus)
    id: 1699928176
whitelist_filters: []
user_rules:
  - '##################### Blocked Sites #####################'
  - '#'
  - '# Block local domain hostnames (not in /etc/hosts and not in the allow list)'
  - /^.+\.myownhostname.duckdns.org/$dnsrewrite=NXDOMAIN;;
  - '#'
  - '# Block single local hostnames (not in /etc/hosts)'
  - /^[A-Za-z0-9_-]*$/$dnsrewrite=NXDOMAIN;;
  - '#'
  - '# Block Bonjour discovery that never discovers anything'
  - /^[l]?b\._dns-sd\._udp.*/$important
  - '#'
  - '##################### Rewritten Sites #####################'
  - '#'
  - '# Tapo Camera Relays'
  - /^euw1-relay-i-[a-z0-9]*.dcipc.i.tplinknbu.com/$dnsrewrite=euw1-relay-dcipc.i.tplinknbu.com
  - /^use1-relay-i-[a-z0-9]*.dcipc.i.tplinknbu.com/$dnsrewrite=use1-relay-dcipc.i.tplinknbu.com
  - '#'
  - '# Hue diagnostic AAAA requests'
  - '||diag.meethue.com^$dnstype=AAAA,dnsrewrite=NOERROR;AAAA;1::'
  - '#'
  - '##################### Globally Allowed Sites #####################'
  - '#'
  - '# Allow some torrent sites'
  - '@@thepiratebay.org^$important'
  - '@@||snowfl.com^$important'
  - '#'
  - '# Allow Minecraft services'
  - '@@vortex.data.microsoft.com^$important'
  - '#'
  - '# Allow for streaming movies on Plex'
  - '@@||manifest.prod.boltdns.net^$important'
  - '@@||rarbg.to^$important'
  - '@@||stream-us-east-1.getpublica.com^$important'
  - '#'
  - '##################### Per Client Allowed Sites #####################'
  - '#'
  - '# Allow for Fire TV to work'
  - '@@||msh.amazon.co.uk^$client=''192.168.10.252'''
  - '#'
  - '# Tor Project, Phil''s Desktop'
  - '@@||www.torproject.org^$client=''192.168.10.65'''
  - '@@||dist.torproject.org^$client=''192.168.10.65'''
  - '@@||aus1.torproject.org^$client=''192.168.10.65'''
  - ""
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids:
      - icloud_private_relay
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 3600
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: false
    dhcp: true
    hosts: true
  persistent:
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client1
      ids:
        - 192.168.10.179
        - clientone
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: false
        duckduckgo: false
        google: false
        pixabay: false
        yandex: false
        youtube: false
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client2
      ids:
        - 192.168.10.128
        - clienttwo
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: false
        duckduckgo: false
        google: false
        pixabay: false
        yandex: false
        youtube: false
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client3
      ids:
        - 192.168.10.51
        - phonethree
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: false
        duckduckgo: false
        google: false
        pixabay: false
        yandex: false
        youtube: false
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client4
      ids:
        - 192.168.10.52
        - clientfour
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 28
```
I can reproduce. Seems to only affect encrypted protos. Will fix today.
I have the same problem - with all protocols..
Can confirm with latest stable, using encrypted DNS only.
> - enabled: true
>   url: https://curben.gitlab.io/malware-filter/urlhaus-filter-agh-online.txt
>   name: Online Malicious URL Blocklist
>   id: 1621502412

List is 404. Use https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-agh.txt instead.
@tescophil, @kashikoy, @rs-com, we've just published v0.107.48, which should fix this. Can you please update and recheck?
Looks good to me 👍
Yes it works, thank you !
These both below are the same:
> filters:
>   - enabled: true
>     url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
>     name: AdGuard DNS filter
>
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
>     name: AdGuard DNS filter
If you have the Lite version, you don't need the mini.
If Lite is too harsh for your taste, downgrade to mini. If Lite doesn't block enough, upgrade to Pro. Pro still not enough? Xtra is the way to go.
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
>     name: 1Hosts (Lite)
>
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_38.txt
>     name: 1Hosts (mini)
Same thing down here. If you have HaGeZi's Ultimate Blocklist enabled, you don't need the Pro++, Pro, Multi...
Everything from Multi is inside the Pro version. Everything from Pro is inside the Pro++ version. Everything from Pro++ is inside the Ultimate version.
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt
>     name: HaGeZi Multi NORMAL
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt
>     name: HaGeZi's Pro Blocklist
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_51.txt
>     name: HaGeZi's Pro++ Blocklist
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt
>     name: HaGeZi's Ultimate Blocklist
Is it possible to list allowed clients by hostname?!
For example, when clients come from telekom.de, they have hostnames like D31GEA.telekom.com, so I would like to allow telekom.de clients as a wildcard.
How could this be done?
It's simpler to add the ASN, but it's only available on adguard-dns.io, unfortunately...
Get the IPs from the ASN of Telekom Deutschland and add them to the access list:
https://www.peeringdb.com/asn/3320
and the IP list: https://hackertarget.com/as-ip-lookup/ (put in 3320).
Prerequisites
[X] I have checked the Wiki and Discussions and found no answer
[X] I have searched other issues and found no duplicates
[X] I want to report a bug and not ask a question or ask for help
[X] I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
Linux, AMD64 (aka x86_64)
Installation
GitHub releases or script from README
Setup
On one machine
AdGuard Home version
v0.107.47
Action
Since installing this latest version I see DNS-over-TLS queries from unauthorised clients being answered.
I have defined a list of authorised clients which includes local private IP ranges for my local network and a number of client tags/labels (ClientIDs) for remote clients.
All the answered 'unauthorised' queries were from IP ranges outside the ones defined in the authorised clients list, and none of the requests used ClientID tag URLs.
This is the list of authorised IP ranges:
127.0.0.1
10.8.1.0/24
192.168.0.0/24
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24
plus several ClientIDs.
Expected result
I don't expect to see any DNS-over-TLS queries answered for unauthorised clients.
Actual result
External queries from unauthorised clients are being answered when they should be dropped.
I see this as a BIG security problem....
Additional information and/or screenshots
No response
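An added example, not code from the thread or from AdGuard Home itself, of the access-list semantics this report relies on: one list mixing IPs, CIDRs and ClientIDs, the ClientID taken from the leftmost SNI label of a DoT/DoQ connection (`<clientid>.<server_name>`), and an audit that flags answered queries matching neither. The record field names and `SAMPLE_RECORDS` are constructed for illustration and are not the querylog.json format; the allow list and server name are the ones posted above.

```python
import ipaddress

# Access list as posted in this thread; SERVER_NAME is the tls.server_name from the yaml.
SERVER_NAME = "myownhostname.duckdns.org"
ALLOWED_CLIENTS = [
    "127.0.0.1", "10.8.1.0/24", "192.168.0.0/24", "192.168.10.0/24",
    "192.168.20.0/24", "192.168.30.0/24", "192.168.40.0/24",
    "clientone", "clienttwo", "clientthree", "clientfour",
]

def parse_access_list(entries):
    """Split an allowed_clients list into IP networks and ClientIDs."""
    nets, ids = [], set()
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # "127.0.0.1" becomes a /32
        except ValueError:
            ids.add(entry.lower())  # anything that is not an address or CIDR is a ClientID
    return nets, ids

def client_id_from_sni(sni, server_name):
    """Return the ClientID carried as the leftmost label of a DoT/DoQ SNI, or None."""
    sni = sni.lower().rstrip(".")
    suffix = "." + server_name.lower()
    if not sni.endswith(suffix):
        return None
    label = sni[: -len(suffix)]
    # exactly one extra label: "clientone.<server_name>", not "a.b.<server_name>"
    return label if label and "." not in label else None

def is_allowed(src_ip, client_id, nets, ids):
    """Allow-list semantics: when the list is non-empty, only listed clients are served."""
    if not nets and not ids:
        return True
    if client_id is not None and client_id in ids:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nets)  # IPv6 addr in IPv4 net is simply False

# Constructed records (hypothetical fields): source IP, TLS SNI ("" for plain DNS), answered?
SAMPLE_RECORDS = [
    {"ip": "192.168.10.5", "sni": "", "answered": True},                                    # LAN, plain DNS
    {"ip": "198.51.100.9", "sni": "clientone.myownhostname.duckdns.org", "answered": True},  # remote, ClientID
    {"ip": "203.0.113.7", "sni": "myownhostname.duckdns.org", "answered": True},            # remote, no ClientID
    {"ip": "203.0.113.8", "sni": "", "answered": False},                                    # remote, refused
]

def audit(records, allowed, server_name=SERVER_NAME):
    """Return records that were answered although they match neither an IP range nor a ClientID."""
    nets, ids = parse_access_list(allowed)
    leaks = []
    for rec in records:
        cid = client_id_from_sni(rec["sni"], server_name) if rec["sni"] else None
        if rec["answered"] and not is_allowed(rec["ip"], cid, nets, ids):
            leaks.append(rec)
    return leaks

if __name__ == "__main__":
    for rec in audit(SAMPLE_RECORDS, ALLOWED_CLIENTS):
        print("answered without authorisation:", rec["ip"], rec["sni"] or "(plain DNS)")
```

Run over the constructed records, only the 203.0.113.7 query (DoT with no ClientID label, from outside every listed range) is reported, which is the pattern the report describes seeing in the real query log.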