
How to protect Adguard Home from Tor exit nodes and other IPs

Open hexclann opened this issue 7 months ago • 4 comments

Prerequisites

  • [X] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to request a feature or enhancement and not ask a question

The problem

I have an AGH instance hosted in a small VM, and I have configured UFW to allow only DoT and DoH. Port 53 is blocked and I'm not using it as a plain open DNS resolver.

The instance is not advertised anywhere and only my devices use AGH, via DoH.

I'm getting a lot of unknown clients from different countries; all of them are either Tor nodes or IPs from a virtual machine (not a residential IP).

I manually copied the IPs from https://github.com/SecOps-Institute/Tor-IP-Addresses and pasted them into the deny list, and most of the clients are gone. It works for a few days and then I get the requests again, as the deny list has to be manually updated every day.

Is it possible to allow requests only from a specific country, or to have the deny list update automatically?

Proposed solution

  1. A configuration that allows/blocks requests based on country of origin.
  2. Add a feature to pull the deny list from a publicly available source (just like the blacklist and whitelist).

Alternatives considered and additional information

None

hexclann avatar Jan 06 '24 05:01 hexclann

Duplicate of https://github.com/AdguardTeam/AdGuardHome/issues/352.

fernvenue avatar Jan 06 '24 14:01 fernvenue

You can also restrict access to devices under the parameters: DNS parameter page, access parameter. I had the same issue and fixed it that way. It works very well.

Flyingfufu avatar Jan 13 '24 10:01 Flyingfufu

@Flyingfufu I've already restricted over 3000 IP addresses, but I get new IPs spamming my AGH instance every day.

I used the Tor IP list from GitHub in the device blacklist, but it's only valid for a few days, as the list gets updated automatically while AGH still has the old data.

hexclann avatar Jan 13 '24 11:01 hexclann

Not sure how many devices you have that need access from the outside, but I guess that list will not change too often. Therefore, rather than blocking some, I've changed to adding only my devices to the authorized client list, rather than updating the list of banned domains or denied clients... So by default everything gets blocked except your devices.

Flyingfufu avatar Jan 13 '24 15:01 Flyingfufu

Presuming your PC is not running a Tor server of its own: I know there was a situation around that time, wherein dubious Brazilian IPs would massively spam TXT requests to e.g. apple.com, to the point of at least my own AGH server sometimes failing to work at all due to the sheer number of requests.

Though that particular problem has long ceased by now, these custom rules should fix most future cases:

|cisco.com|$dnstype=TXT
|cloudflare.com|$dnstype=TXT
|google.com|$dnstype=TXT
|apple.com|$dnstype=TXT

I think I know one way to make an AGH server single-country, which is to pick the country in question at https://github.com/ipverse/rir-ip/tree/master/country, and paste its IPs into "Settings" → "DNS settings" → "Allowed clients". Just make sure to add 192.168.0.0/14 to "Allowed clients" too, or else you wouldn't be able to use most of your home devices with the server.

DandelionSprout avatar Mar 25 '24 07:03 DandelionSprout
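Both approaches in this thread (pasting a published Tor exit list into "Disallowed clients", or pasting a country's ranges into "Allowed clients") boil down to turning a downloaded one-entry-per-line IP list into a clean client access list without locking the LAN out. The script below is an added example, not AdGuard Home project code and not something posted by anyone in the thread. It assumes the list is plain text with one IP or CIDR per line (the format of the GitHub lists linked above), uses a constructed sample instead of a real download, and assumes the resulting JSON is what the `/control/access/set` endpoint of the AdGuard Home API expects; that endpoint name and payload shape are an assumption to be checked against your AGH version's OpenAPI spec.

```python
"""Turn a downloaded IP/CIDR list into an AdGuard Home client access list.

Added example, not AdGuard Home code. It validates every line, collapses
duplicates and overlapping ranges, and in "allow" mode always keeps the
RFC 1918 / ULA ranges so home devices are never cut off. The output shape
(allowed_clients / disallowed_clients / blocked_hosts) is an assumption
about the /control/access/set endpoint.
"""
import ipaddress
import json

# Constructed sample standing in for a downloaded list: duplicates, an
# address already covered by a CIDR, comments, and one malformed line.
SAMPLE_LIST = """\
# constructed sample in the one-entry-per-line format of the GitHub lists
203.0.113.5
203.0.113.5
203.0.113.0/24
198.51.100.17   # trailing comment
2001:db8::1
2001:db8:1::/48
not-an-ip
"""

# Private ranges that must stay reachable when switching to allow-list mode.
LAN_RANGES = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "fd00::/8")


def parse_ip_list(text):
    """Return (networks, rejected_lines); bare hosts become /32 or /128."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(raw.strip())  # keep for review, never silently drop
    return nets, rejected


def collapse(nets):
    """Merge duplicates and subsumed networks; v4 and v6 must be collapsed apart."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def as_entry(net):
    """AGH accepts a bare address or a CIDR; emit the bare form for single hosts."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def build_access_payload(list_text, mode):
    """mode 'deny': list goes to disallowed_clients (Tor exit blocking).
    mode 'allow': list plus LAN ranges go to allowed_clients (single-country)."""
    nets, rejected = parse_ip_list(list_text)
    if mode == "allow":
        nets += [ipaddress.ip_network(r) for r in LAN_RANGES]
    elif mode != "deny":
        raise ValueError("mode must be 'deny' or 'allow'")
    entries = [as_entry(n) for n in collapse(nets)]
    payload = {"allowed_clients": [], "disallowed_clients": [], "blocked_hosts": []}
    payload["disallowed_clients" if mode == "deny" else "allowed_clients"] = entries
    return payload, rejected


if __name__ == "__main__":
    for mode in ("deny", "allow"):
        payload, rejected = build_access_payload(SAMPLE_LIST, mode)
        print(f"--- {mode} mode, rejected lines: {rejected}")
        print(json.dumps(payload, indent=2))
```

Run on a freshly downloaded list from a cron job and post the printed JSON to your instance (with the admin credentials the AGH web UI uses), and the deny list stays current without hand-pasting. The `rejected` list is worth logging: a sudden jump in malformed lines usually means the upstream file changed format, and blindly applying a half-parsed allow list is how you lock yourself out.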