
Whitelist dynamic IP

Open Cilenco opened this issue 3 years ago • 6 comments

A feature I would like to see is an addition to the whitelisting of clients. I have deployed my AdGuard in the cloud. My FritzBox is sitting behind a DSLite tunnel, but with a MyFritz account I have a dynamic IP which always points to my router. I would like to restrict the access to my AdGuard only to my router, so it would be great if I could whitelist the dynamic IP; otherwise my DNS queries will not get resolved when my IP changes.

I'm willing to work on this feature myself. Just wanted to ask if something like this would be accepted as a pull request.

Cilenco, Jul 28 '22 18:07

The first question that comes to mind is, does your router support an encrypted DNS protocol? Because if so, you could simply add a ClientID for it and only allow it.

If not, how are you going to signal that the IP has changed?

ainar-g, Jul 28 '22 18:07

Good idea, I'll check that!

Currently I have written a script which updates my IP through the AdGuard REST API (pointed my DynDns settings of my router to that script to update the IP via push), but it would be nice to have this functionality directly built into AdGuard.

Cilenco, Jul 28 '22 18:07

I don't feel like this need arises that commonly, to be honest. Especially since encrypted protocols become more and more widely supported by routers (and even when they don't, you can always use something like https://github.com/AdguardTeam/dnsproxy to make them, heh).

I'll leave the issue open to see if more people want this. But it will most probably not be until the v0.109 cycle or later.

ainar-g, Jul 29 '22 09:07

> Does your router support an encrypted DNS protocol

Just to be clear about that, you mean for example DNS over TLS? My router supports this, yes. But how is the ClientID determined? Doesn't it depend on the external IP from my router?

Cilenco, Jul 29 '22 15:07

Yes, DoH, DoQ, and DoT can all use a ClientID.

You set it yourself by creating a persistent client on the Settings → Client settings page.

You can choose which port to use on the Settings → Encryption settings page, although I personally would recommend just leaving the default 853 port.

ainar-g, Jul 29 '22 16:07

Thank you for your help, I got it to work now :)

Again, just to be sure: Everyone with the ClientId could use my AdGuard as a DNS server then, right? So I probably should use a UUID or so as ClientId to make sure no one would guess it?

Cilenco, Jul 30 '22 09:07

Apologies for the long wait. Yes, both of your assessments are correct.

If the issue is resolved for you, I'll close it, if you don't mind.

ainar-g, Aug 19 '22 15:08
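Added example, not part of the original thread and not AdGuard Home's own code: one way to produce the hard-to-guess ClientID discussed above and derive the addresses a client would be configured with. It assumes the ClientID is carried as a subdomain of the server name for DoT and as a path segment after `/dns-query/` for DoH, and must therefore be a valid lowercase DNS label; `dns.example.org`, the `rtr` prefix and all function names are hypothetical.

```python
import re
import secrets

# Assumption: the ClientID becomes a single DNS label in the DoT server name,
# so it is limited to 1-63 characters of lowercase letters, digits and
# hyphens, and may not start or end with a hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_valid_client_id(client_id: str) -> bool:
    """Check that the ID fits the DNS-label constraints assumed above."""
    return _LABEL_RE.fullmatch(client_id) is not None


def new_client_id(prefix: str = "rtr", random_bytes: int = 16) -> str:
    """Return '<prefix>-<hex>' with random_bytes * 8 bits from the OS CSPRNG."""
    if random_bytes < 16:
        raise ValueError("use at least 128 bits of randomness")
    client_id = f"{prefix}-{secrets.token_hex(random_bytes)}"
    if not is_valid_client_id(client_id):
        raise ValueError(f"not usable as a DNS label: {client_id!r}")
    return client_id


def endpoints(client_id: str, server_name: str, dot_port: int = 853) -> dict:
    """Build the client-side addresses that carry the ClientID."""
    if not is_valid_client_id(client_id):
        raise ValueError("invalid ClientID")
    return {
        # DoT: ClientID is the leftmost label of the TLS server name.
        "dot": f"tls://{client_id}.{server_name}:{dot_port}",
        # DoH: ClientID is appended to the query path.
        "doh": f"https://{server_name}/dns-query/{client_id}",
    }


if __name__ == "__main__":
    cid = new_client_id()
    for proto, addr in endpoints(cid, "dns.example.org").items():
        print(proto, addr)
```

With DoT the ID travels in the TLS server name, which is visible to on-path observers unless Encrypted Client Hello is in use, so a random ID protects against guessing rather than against interception.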