Freekers / ansible-adguard

Ansible playbook to setup AdGuard Home with Unbound, including DoH, DoT & Let's Encrypt, based on Docker
GNU Affero General Public License v3.0

Update docker-compose.yml #8

Closed 0xb33 closed 1 year ago

0xb33 commented 3 years ago

Changed the unbound container to listen only locally, so that only the adguard container, after filtering, passes queries to this recursive DNS server, and public access to this recursive DNS server is blocked.

e.g.

```
dig socks.like.video @de.adhole.org -p 53
```

passes from Adguard, successfully blocks this domain as per OISD rules filter.

```
; <<>> DiG 9.16.1-Ubuntu <<>> socks.like.video @de.adhole.org -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38989
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;socks.like.video.              IN      A

;; ANSWER SECTION:
socks.like.video.       10      IN      A       0.0.0.0

;; Query time: 144 msec
;; SERVER: 46.4.165.226#53(46.4.165.226)
;; MSG SIZE  rcvd: 50
```

Whereas, because your recursive DNS server is publicly accessible on port 5353, you can simply bypass the filters by sending requests directly to your recursive DNS server, which I think should be blocked.

e.g.

```
dig socks.like.video @de.adhole.org -p 5353
```

```
; <<>> DiG 9.16.1-Ubuntu <<>> socks.like.video @de.adhole.org -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43395
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;socks.like.video.              IN      A

;; ANSWER SECTION:
socks.like.video.       293     IN      CNAME   socks.live.bigo.sg.
socks.live.bigo.sg.     293     IN      CNAME   socks-eu.live.bigo.sg.
socks-eu.live.bigo.sg.  293     IN      A       45.82.240.170
socks-eu.live.bigo.sg.  293     IN      A       45.124.254.61

;; Query time: 16 msec
;; SERVER: 46.4.165.226#5353(46.4.165.226)
;; MSG SIZE  rcvd: 132
```

bruvv commented 3 years ago

Any update on this? Looks good to me

Any idea how we can change this in a running environment ?

Freekers commented 3 years ago

Apologies for the delayed reply. I tried it on my test instance and for me queries no longer load after implementing this change. I think this is because in the adguard config, the WAN IP is used to connect to unbound; i.e. it will try to connect over 'internet' instead of internally to the unbound instance, which will not reply anymore since it's now only listening for connections on localhost. The only way to make this work is to use the hostname of the unbound docker container, as the internal IP address of the unbound container might change after recreation, but I don't know (yet) if adguard supports that.

An alternative approach would be to work with multiple (separate) networks that differentiate between internal and external (internet) traffic, for example like in this (unrelated) docker-compose file: https://github.com/HenryQW/Awesome-TTRSS/blob/main/docker-compose.yml

But yes, you are right. I agree this should be fixed. I will try to look into it in the near future, but I cannot commit to any dates at this time.
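One compose layout that gives the separation discussed in this thread (unbound reachable only from the AdGuard container, with a stable internal address so AdGuard does not have to go through the host's WAN IP) is shown below. This is an added example, not the repository's own docker-compose.yml; the service names, images, volume paths, network name and the 172.28.0.0/24 subnet are all assumptions.

```yaml
# Added example, not the ansible-adguard project's compose file.
# Assumed: service names (unbound, adguard), image tags, volume paths,
# the network name "dns" and the 172.28.0.0/24 subnet.

services:
  unbound:
    image: mvance/unbound:latest        # assumed image
    container_name: unbound
    restart: unless-stopped
    # Deliberately no "ports:" entry: nothing is published on the host, so
    # neither 53 nor 5353 of unbound is reachable from the internet. The
    # container keeps outbound access (NAT via the bridge) for recursion.
    expose:
      - "53/udp"
      - "53/tcp"
    volumes:
      - ./unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf:ro  # assumed path
    networks:
      dns:
        ipv4_address: 172.28.0.2        # fixed address, survives container recreation

  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard
    restart: unless-stopped
    depends_on:
      - unbound
    # Only AdGuard is published; it is the single entry point that applies the filters.
    ports:
      - "53:53/udp"                     # plain DNS for clients
      - "53:53/tcp"
      - "853:853/tcp"                   # DNS-over-TLS
      - "443:443/tcp"                   # DNS-over-HTTPS
    volumes:
      - ./adguard/work:/opt/adguardhome/work
      - ./adguard/conf:/opt/adguardhome/conf
    networks:
      - dns

networks:
  dns:
    driver: bridge
    # Do NOT set "internal: true" here: unbound needs egress to reach the roots.
    ipam:
      config:
        - subnet: 172.28.0.0/24         # assumed; pick a range unused on the host
```

With this layout the AdGuard upstream is set to `172.28.0.2:53` (in the web UI or under `dns.upstream_dns` in AdGuardHome.yaml), which sidesteps the open question above of whether AdGuard accepts the container hostname. As defence in depth, unbound.conf can additionally carry `access-control: 172.28.0.0/24 allow` and `access-control: 0.0.0.0/0 refuse`, so even a mistakenly published port would refuse outside clients. To check the result on the host, `docker compose ps` should show no published port for unbound and `ss -ltnup` should list only AdGuard's ports; a `dig ... -p 5353` from outside, as in the report above, should then time out instead of answering.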

lackoSK commented 2 years ago

Howdy, did you get a chance to take a look?

Freekers commented 2 years ago

> Howdy, did you get a chance to take a look?

After shutting down Adhole.org, I haven't really looked at anything Adguard related anymore to be honest, so no. Doubting what to do with this repo as I'm not using it myself anymore...

bruvv commented 2 years ago

I would not mind forking this repo and continue development where needed.

Freekers commented 2 years ago

> I would not mind forking this repo and continue development where needed.

Shall I add you as maintainer to this repo instead?

bruvv commented 2 years ago

That's fine too :)

Freekers commented 2 years ago

> That's fine too :)

Great, I have invited you :)

bruvv commented 2 years ago

I have started totally clean and redid everything. I created a terraform script that creates a free oracle cloud instance (https://github.com/bruvv/terraform-oracle-cloud-free-adguard); if you run that script it will create everything that is needed. In the instance.tf file you will find the command to run: `ansible-playbook --connection=local --inventory 127.0.0.1, /home/ubuntu/adguard/configure_adguard.yml -e "hostname=adguard.website.com emailaddress=here@email.com"`. I am still testing this so I will not merge it, but when I feel it is ready, @Freekers do you want me to merge it in your repo? (https://github.com/bruvv/ansible-adguard-unbound)

bruvv commented 1 year ago

@Freekers I again made a big change to my ansible script, would you think it will be better to close this one and merge mine?

Freekers commented 1 year ago

You mean archiving my repo?

bruvv commented 1 year ago

No, I meant merging my repo with yours.

Freekers commented 1 year ago

Sounds good. I guess you need to open a new merge request for that? :)

bruvv commented 1 year ago

Well you gave me permission to edit the repo so I can just merge but wanted to pass it by you first :)

Freekers commented 1 year ago

Oh that's right, I forgot. Feel free to go ahead ;)