AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Authenticated DNS-over-HTTPS Requests/Clients #6938

Open bioluks opened 3 months ago

bioluks commented 3 months ago

Prerequisites

The problem

When exposing DoT or DoH publicly, many people reported just what I experienced myself multiple times: botnet pings and malicious clients connecting from all over the world. Since standard DNS implementations and clients don't support authentication for the DNS request to succeed, I looked for hacky ways to achieve just that.

Proposed solution

Apparently AdGuard DNS (afaik your paid DNS service) just added this feature 2 days ago!

Alternatives considered and additional information

Alternative solutions one can use for now:

This works well, but many use different reverse proxies in front of AdGuardHome, configuring some of them will be hard, especially having to configure level-2 subdomains (ones like client-name.adguardhome.example.org - a certificate would be needed for *.adguardhome.example.org).
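One way to build the per-client-hostname setup described above with a reverse proxy in front of AdGuard Home, as an added example that is not from this issue or from the AdGuard Home project. It assumes nginx, a wildcard certificate for *.adguardhome.example.org already issued, AdGuard Home serving plain-HTTP DoH on 127.0.0.1:3000 behind the proxy, and constructed client hostnames (laptop, phone); the paths and ports are placeholders.

```nginx
# Assumptions (not from the issue): AdGuard Home answers unencrypted DoH on
# 127.0.0.1:3000 behind this proxy, the wildcard cert is already in place,
# and each known client gets its own constructed hostname.
map $host $doh_client {
    default                         "";
    laptop.adguardhome.example.org  "laptop";
    phone.adguardhome.example.org   "phone";
}

# Catch-all: anything that does not present a known client hostname (raw IP,
# random SNI, scanners) is dropped without a response, so nothing is revealed.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/adguardhome/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/adguardhome/privkey.pem;    # placeholder path
    return 444;
}

server {
    listen 443 ssl;
    server_name *.adguardhome.example.org;
    ssl_certificate     /etc/ssl/adguardhome/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/adguardhome/privkey.pem;    # placeholder path

    # Only the DoH path is reachable, and only under a hostname from the map.
    location = /dns-query {
        if ($doh_client = "") { return 444; }

        # Second factor: HTTP basic auth for DoH clients that accept
        # user:pass in the resolver URL (assumption: not every client does).
        auth_basic           "DoH";
        auth_basic_user_file /etc/nginx/doh.htpasswd;  # placeholder path

        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;  # real client address for AdGuard Home logs
        proxy_http_version 1.1;

        # Separate access log so failed/unknown hostname attempts are easy to review.
        access_log /var/log/nginx/doh-access.log combined;  # placeholder path
    }

    # Everything else on the client hostnames (web UI, probes) is rejected.
    location / { return 444; }
}
```

Unknown hostnames and unauthenticated requests never reach AdGuard Home, which is the point of the hack: the wildcard certificate keeps the hostname scheme private, and the 444 default server makes the IP look dead to scanners.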

ghost commented 3 months ago

This can also be done with Pomerium, and they've set up a [guide](https://www.pomerium.com/docs/guides/ad-guard) to do just that.

bioluks commented 3 months ago

Thanks for the link. That's good to know; the guide you provided is for the web interface, and Pomerium is also another reverse proxy to my knowledge... Maybe it works this way; I have to test it. Eventually every modern reverse proxy should be able to do this, but it could be complicated to combine this with other reverse proxies or to switch to it. An implementation natively supported by AdGuardHome looks more beneficial and can be secured more easily.