AdGuardHome
Ability to exclude IPs in bind_hosts
Problem Description
In systems where AdGuardHome is multihomed and listening on multiple interfaces (IPs), the documentation includes options only to implicitly include all addresses (0.0.0.0) or to explicitly define specific addresses.
In relatively static systems such as servers this is a perfectly acceptable solution, but in systems that change often, such as routers or firewalls, this is suboptimal.
Proposed Solution
Add an option to 'bind_hosts' that can define binds to exclude, which can be used in conjunction with the implicit include-all, i.e. include all except.
Alternatives Considered
I had considered suggesting easier GUI-based configs, but to my eye this is a lesser solution to this problem (albeit powerful in itself).
Additional Information
Use case for context. Install AdGuardHome onto a firewall such as OPNsense. Define listen to all interfaces except the WAN internet. Later a new VLAN is added to the firewall which is implicitly included in the 0.0.0.0 and not defined in any exclude and as such automatically serves DNS correctly without reconfiguration.
Real life example discussing this issue (not me).
https://www.reddit.com/r/OPNsenseFirewall/comments/tfvg92/unable_to_access_adguard_dns_from_opnsense_ssh/
@nomandera, hello and sorry for the late response. Currently you may achieve this by simply listing all addresses of the interfaces your system has, excluding the ones you don't need. We're also planning to support multiple addresses for all similar settings in v0.108.0. Has my suggestion worked for you?
@EugeneOne1 thanks for the reply.
For normal servers your suggested solution would be perfect but on firewalls or routers it is problematic.
On firewalls or routers you would likely want to listen to all internal addresses and this list may change very often. The suggested solution above would mean remembering to reconfigure and restart AdGuardHome every time an interface change was made.
As seen in my previous post this is not what people are doing, they are opting to bind to all interfaces via 0.0.0.0 which can result in AdGuardHome being dangerously exposed to the public internet.
Adding an option to "listen to only internal interfaces" or an option to "listen to all interfaces except named interfaces" removes this risk.
Also, I just noticed the documentation only lists IPs to listen to. On a firewall the external IP will likely change often and would need to be defined by interface name and not IP.
Please let me know if I can do a better job of explaining. I can perhaps attach diagrams if it would help.
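Until an exclude option exists, the workaround EugeneOne1 describes (list every interface address except the unwanted ones) can be generated instead of maintained by hand, which also covers the "all internal interfaces except named ones" semantics nomandera asks for. The program below is an added example written for this thread; it is not AdGuardHome code and does not use any AdGuardHome API. It enumerates the host's interfaces with Go's standard library, drops the interfaces named in an exclude list (the names "wan" and "wg0" are placeholders), optionally keeps only private or loopback addresses so a public WAN address can never slip in, renders the result in the shape of the bind_hosts list, and flags entries such as 0.0.0.0 that would expose the resolver on every interface.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Iface is a constructed view of one network interface: its name and the
// IP addresses assigned to it. main() fills it from net.Interfaces();
// the filtering logic itself only needs this plain value.
type Iface struct {
	Name  string
	Addrs []net.IP
}

// BindHosts returns the addresses to put into bind_hosts: every address of
// every interface except those whose name appears in exclude (compared
// case-insensitively). When internalOnly is true, addresses that are not
// private (RFC 1918 / IPv6 ULA) or loopback are dropped as well, so a WAN
// address is kept out even if its interface name changes.
func BindHosts(ifaces []Iface, exclude []string, internalOnly bool) []string {
	skip := make(map[string]bool, len(exclude))
	for _, n := range exclude {
		skip[strings.ToLower(n)] = true
	}
	var out []string
	for _, ifc := range ifaces {
		if skip[strings.ToLower(ifc.Name)] {
			continue
		}
		for _, ip := range ifc.Addrs {
			if internalOnly && !(ip.IsPrivate() || ip.IsLoopback()) {
				continue
			}
			out = append(out, ip.String())
		}
	}
	sort.Strings(out)
	return out
}

// ExposedBindHosts reports the bind_hosts entries that would make the
// listener reachable on every interface (the unspecified address 0.0.0.0
// or ::) or on a public address.
func ExposedBindHosts(bindHosts []string) []string {
	var bad []string
	for _, h := range bindHosts {
		ip := net.ParseIP(h)
		if ip == nil {
			continue
		}
		if ip.IsUnspecified() || !(ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast()) {
			bad = append(bad, h)
		}
	}
	return bad
}

// YAMLBindHosts renders the addresses as a YAML bind_hosts list.
func YAMLBindHosts(hosts []string) string {
	var b strings.Builder
	b.WriteString("bind_hosts:\n")
	for _, h := range hosts {
		fmt.Fprintf(&b, "  - %s\n", h)
	}
	return b.String()
}

// SystemIfaces collects the live interfaces and addresses of this host.
func SystemIfaces() ([]Iface, error) {
	sys, err := net.Interfaces()
	if err != nil {
		return nil, err
	}
	var res []Iface
	for _, s := range sys {
		addrs, err := s.Addrs()
		if err != nil {
			return nil, err
		}
		ifc := Iface{Name: s.Name}
		for _, a := range addrs {
			if ipn, ok := a.(*net.IPNet); ok {
				ifc.Addrs = append(ifc.Addrs, ipn.IP)
			}
		}
		res = append(res, ifc)
	}
	return res, nil
}

func main() {
	ifaces, err := SystemIfaces()
	if err != nil {
		panic(err)
	}
	// "wan" and "wg0" are placeholder names; substitute the interface names
	// your router actually reports.
	hosts := BindHosts(ifaces, []string{"wan", "wg0"}, true)
	fmt.Print(YAMLBindHosts(hosts))
	if bad := ExposedBindHosts(hosts); len(bad) > 0 {
		fmt.Println("# WARNING: exposed entries:", strings.Join(bad, ", "))
	}
}
```

Run it on the router whenever an interface is added and paste the printed list into the config; the warning line is the check that catches the 0.0.0.0 exposure described in the previous post.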
I actually think this is a pretty good idea and can see the use case. Supporting multiple interfaces is great, and I have several VLANs. One of which I do not wish to use Adguard on.
Being able to declare in the config "assign all interfaces EXCEPT ${SPECIFIC_VLAN}" would make life pretty easy in the future when I inevitably add further interfaces.
Could we consider revisiting the priority of this ticket, please?
I was reminded it existed when I noticed that AdGuardHome was also listening on each of my VPN interfaces, which is potentially a large risk.
I would like to see something like this, as my devices have one interface where port 53 is already in use, so I would like to bind to all interfaces except that one. The other interface addresses are subject to change, so a way to exclude a specific interface by name or IP would be ideal.