
Update docker-compose.yml

Open 0xb33 opened this issue 3 years ago • 9 comments

Changed the unbound container to listen only locally, so that only the adguard container, after filtering, passes queries to this recursive DNS server, and public access to this recursive DNS server is blocked.

e.g.

dig socks.like.video @de.adhole.org -p 53

This passes through Adguard, which successfully blocks this domain as per the OISD filter rules.

; <<>> DiG 9.16.1-Ubuntu <<>> socks.like.video @de.adhole.org -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38989
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;socks.like.video.              IN      A

;; ANSWER SECTION:
socks.like.video.       10      IN      A       0.0.0.0

;; Query time: 144 msec
;; SERVER: 46.4.165.226#53(46.4.165.226)
;; MSG SIZE  rcvd: 50

Whereas, because your recursive DNS server is publicly accessible on port 5353, you can simply bypass the filters by sending requests directly to your recursive DNS server, which I think should be blocked.

e.g.

dig socks.like.video @de.adhole.org -p 5353

; <<>> DiG 9.16.1-Ubuntu <<>> socks.like.video @de.adhole.org -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43395
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;socks.like.video.              IN      A

;; ANSWER SECTION:
socks.like.video.       293     IN      CNAME   socks.live.bigo.sg.
socks.live.bigo.sg.     293     IN      CNAME   socks-eu.live.bigo.sg.
socks-eu.live.bigo.sg.  293     IN      A       45.82.240.170
socks-eu.live.bigo.sg.  293     IN      A       45.124.254.61

;; Query time: 16 msec
;; SERVER: 46.4.165.226#5353(46.4.165.226)
;; MSG SIZE  rcvd: 132

0xb33, Feb 16 '21 19:02

Any update on this? Looks good to me

Any idea how we can change this in a running environment?

bruvv, Apr 12 '21 13:04

Apologies for the delayed reply. I tried it on my test instance and for me queries no longer load after implementing this change. I think this is because in the adguard config, the WAN IP is used to connect to unbound; i.e. it will try to connect over the 'internet' instead of internally to the unbound instance, which will not reply anymore since it's now only listening for connections on localhost. The only way to make this work is to use the hostname of the unbound docker container, as the internal IP address of the unbound container might change after recreation, but I don't know (yet) if adguard supports that.

An alternative approach would be to work with multiple (separate) networks that differentiate between internal and external (internet) traffic, for example like in this (unrelated) docker-compose file: https://github.com/HenryQW/Awesome-TTRSS/blob/main/docker-compose.yml

But yes, you are right. I agree this should be fixed. I will try to look into it in the near future, but I cannot commit to any dates at this time.

Freekers, Apr 25 '21 21:04
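One way to keep unbound unreachable from the internet while still giving AdGuard a stable address for it, as an added example that is not from this repository or from any of the commenters: a compose file with a private network and a fixed container IP for unbound, so the upstream no longer depends on the WAN IP or on an address that changes after recreation. The image names, the subnet, the volume paths and the assumption that unbound listens on port 53 inside its container are all assumptions.

```yaml
# Added example (not the project's own docker-compose.yml).
# unbound publishes no host port, so the former public 5353 is gone;
# AdGuard reaches it over the private compose network instead.
version: "3.8"

services:
  unbound:
    image: mvance/unbound:latest        # assumed image
    restart: unless-stopped
    # No "ports:" entry: nothing is published on the host, so the
    # resolver is only reachable from containers on dns_internal.
    # The bridge network still gives it outbound access for recursion.
    networks:
      dns_internal:
        ipv4_address: 172.30.0.10       # fixed address survives recreation

  adguard:
    image: adguard/adguardhome:latest
    restart: unless-stopped
    depends_on:
      - unbound
    ports:
      - "53:53/tcp"                     # the only DNS port exposed to clients
      - "53:53/udp"
      - "3000:3000/tcp"                 # web UI / first-run wizard
    volumes:
      - ./adguard/work:/opt/adguardhome/work   # assumed paths
      - ./adguard/conf:/opt/adguardhome/conf
    networks:
      dns_internal:
        ipv4_address: 172.30.0.2

networks:
  dns_internal:
    driver: bridge
    ipam:
      config:
        - subnet: 172.30.0.0/24         # assumed private subnet
```

In AdGuardHome.yaml the upstream then becomes `172.30.0.10:53` (the container's internal port, assumed to be 53) instead of the WAN IP; after the change, the `dig ... -p 5353` query from the original post should time out from outside while `-p 53` still returns the filtered answer.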

Howdy, did you get a chance to take a look?

lackoSK, Mar 14 '22 18:03

> Howdy, did you get a chance to take a look?

After shutting down Adhole.org, I haven't really looked at anything Adguard related anymore, to be honest, so no. Doubting what to do with this repo as I'm not using it myself anymore...

Freekers, Mar 15 '22 08:03

I would not mind forking this repo and continuing development where needed.

bruvv, Mar 15 '22 08:03

> I would not mind forking this repo and continuing development where needed.

Shall I add you as maintainer to this repo instead?

Freekers, Mar 18 '22 10:03

That's fine too :)

bruvv, Mar 18 '22 13:03

> That's fine too :)

Great, I have invited you :)

Freekers, Mar 20 '22 12:03

I have started totally clean and redid everything. I created a Terraform script that creates a free Oracle Cloud instance (https://github.com/bruvv/terraform-oracle-cloud-free-adguard); if you run that script it will create everything that is needed. In the instance.tf file you will find the command to run: "ansible-playbook --connection=local --inventory 127.0.0.1, /home/ubuntu/adguard/configure_adguard.yml -e "hostname=adguard.website.com [email protected]"". I am still testing this, so I will not merge it, but when I feel it is ready, @Freekers, do you want me to merge it into your repo? (https://github.com/bruvv/ansible-adguard-unbound)

bruvv, Oct 20 '22 22:10