Ability to completely disable plain DNS #1660
Comments
@ammnt @ameshkov, IMO, disabling or changing default DNS ports should have a very explicit warning, but be allowed in the config. What do you think?
@devinslick, I like it 🤟
Changing the default DNS port is already possible, but you need to do it when you go through the initial AG Home setup screens; there's no option to do it after that. Alternatively, you can do it later by editing
@ammnt, you could use a firewall rule or just stop exposing port 53 to AGH and just expose the ports you need. v102 introduced rate limiting. Doesn't that address your concern about DDoS?
@ainar-g, FYI:
@ammnt, just to be clear, what do you mean by “disable incoming queries via port 53”? Do you mean serving plain DNS on a different port—which is already available—or completely disabling plain DNS on any port?
@ainar-g, I want AGH to stop processing unencrypted queries through port 53 (serving plain DNS, yeah), stop listening on port 53 completely, and free up port 53 for other applications. To solve this problem, I suggest adding the variable
If you only need to free up port 53, why not just move AGH to another port, say 5353? We'll introduce the ability to completely disable plain DNS eventually, but why not use this workaround until then? |
I do not need unencrypted plain DNS, and I have already done this by specifying a zero port. I just want users to be able to manage this, and there was no zero port in this case 😅
Ah, I see, thanks. We'll probably be able to do this either during or after the API refactoring, so approximately v0.108 or early v0.109 cycles. |
Before looking for the issue, I just guessed and tried to put "0" instead of "53", and it somehow works, but in a slightly unexpected way: it sets a high random port on every restart, like 34555 or 36788. But a complete disable would be better.
Updates #1660. Squashed commit of the following:

commit ed49233
Merge: 85e8252 388583c
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 16:00:13 2023 +0300

    Merge branch 'master' into 1660-refactor-dns

commit 85e8252
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 14:55:11 2023 +0300

    home: imp dns conf

commit bd255a7
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 14:30:50 2023 +0300

    all: imp dns conf

Updates #1660. Squashed commit of the following:

commit d928a00
Merge: 38e401d 0f5e8ca
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Wed Nov 22 13:39:34 2023 +0300

    Merge branch 'master' into 1660-disable-plain

commit 38e401d
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Nov 21 20:17:53 2023 +0300

    dnsforward: imp validation

commit f9e99ce
Merge: cb75296 c8f1112
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Mon Nov 20 16:02:31 2023 +0300

    Merge branch 'master' into 1660-disable-plain

commit cb75296
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Fri Nov 17 14:20:02 2023 +0300

    all: add serve_plain_dns
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [adguard/adguardhome](https://adguard.com/en/adguard-home/overview.html) ([source](https://github.com/AdguardTeam/AdGuardHome)) | patch | `v0.107.43` -> `v0.107.44` |
| [fireflyiii/core](https://github.com/firefly-iii/docker) ([source](https://dev.azure.com/Firefly-III/_git/MainImage)) | patch | `version-6.1.8` -> `version-6.1.9` |
| [fireflyiii/data-importer](https://github.com/firefly-iii/docker) ([source](https://dev.azure.com/Firefly-III/_git/ImportToolImage)) | patch | `version-1.4.3` -> `version-1.4.4` |
| postgres | minor | `16.1` -> `16.2` |
| [traefik](https://github.com/containous/traefik) | minor | `v2.10.7` -> `v2.11.0` |

---

### Release Notes

<details>
<summary>AdguardTeam/AdGuardHome (adguard/adguardhome)</summary>

### [`v0.107.44`](https://github.com/AdguardTeam/AdGuardHome/blob/HEAD/CHANGELOG.md#v010744---2024-02-06)

[Compare Source](AdguardTeam/AdGuardHome@v0.107.43...v0.107.44)

See also the [v0.107.44 GitHub milestone][ms-v0.107.44].

##### Added

- Timezones in the Etc/ area to the timezone list ([#6568](AdguardTeam/AdGuardHome#6568)).
- The schema version of the configuration file to the output of running `AdGuardHome` (or `AdGuardHome.exe`) with the `-v --version` command-line options ([#6545](AdguardTeam/AdGuardHome#6545)).
- Ability to disable plain-DNS serving via UI if an encrypted protocol is already used ([#1660](AdguardTeam/AdGuardHome#1660)).

##### Changed

- The bootstrapped upstream addresses are now updated according to the TTL of the bootstrap DNS response ([#6321](AdguardTeam/AdGuardHome#6321)).
- Logging level of timeout errors is now `error` instead of `debug` ([#6574](AdguardTeam/AdGuardHome#6574)).
- The field `"upstream_mode"` in the `POST /control/dns_config` and `GET /control/dns_info` HTTP APIs now accepts the `load_balance` value. Check `openapi/CHANGELOG.md` for more details.

##### Configuration changes

In this release, the schema version has changed from 27 to 28.

- The new property `clients.persistent.*.uid`, which is a unique identifier of the persistent client.
- The properties `dns.all_servers` and `dns.fastest_addr` were removed; their values were migrated to the newly added field `dns.upstream_mode`, which describes the logic through which upstreams will be used.

See also the [Wiki page][wiki-config].

</details>

<details>
<summary>containous/traefik (traefik)</summary>

### [`v2.11.0`](https://github.com/containous/traefik/blob/HEAD/CHANGELOG.md#v2110-rc2-2024-01-24)

[Compare Source](traefik/traefik@v2.11.0...v2.11.0) [All Commits](traefik/traefik@v2.11.0-rc1...v2.11.0-rc2)

**Bug ...
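To make the rule from that changelog entry concrete, here is an added Go example (not AdGuard Home's own code): a constructed `DNSConfig` type whose validator only allows `serve_plain_dns: false` when an encrypted protocol is already configured, plus a check of what the "port 0" workaround from the thread really does. The `DNSConfig` type and its `Encrypted` field are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// DNSConfig is a constructed, simplified model of the settings discussed
// in this issue; it is not AdGuard Home's own configuration type.
type DNSConfig struct {
	ServePlainDNS bool // the serve_plain_dns option from the changelog
	Port          int  // plain-DNS listening port, 53 by default
	Encrypted     bool // DoT/DoH/DoQ already configured (assumed field)
}

// Validate applies the rule from the changelog: plain DNS may only be
// disabled once an encrypted protocol is in use, so the resolver never
// ends up accepting no queries at all. It also rejects port 0, which is
// not a disable switch (see EphemeralPort).
func (c DNSConfig) Validate() error {
	if !c.ServePlainDNS && !c.Encrypted {
		return errors.New("serve_plain_dns: false requires an encrypted protocol to be enabled")
	}
	if c.ServePlainDNS && (c.Port < 1 || c.Port > 65535) {
		return fmt.Errorf("plain-DNS port %d is invalid: must be 1-65535", c.Port)
	}
	return nil
}

// EphemeralPort shows what binding port 0 really does: the OS assigns a
// random high UDP port, so the plain listener is still reachable, just on
// a port that changes on every restart.
func EphemeralPort() (int, error) {
	conn, err := net.ListenPacket("udp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.LocalAddr().(*net.UDPAddr).Port, nil
}

func main() {
	fmt.Println("disabled, no encryption:", (DNSConfig{Port: 53}).Validate())
	fmt.Println("disabled, DoT enabled:  ", (DNSConfig{Port: 53, Encrypted: true}).Validate())
	fmt.Println("port 0:                 ", (DNSConfig{ServePlainDNS: true, Port: 0}).Validate())
	p, err := EphemeralPort()
	fmt.Println("port 0 actually bound to:", p, err)
}
```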
Updates AdguardTeam/AdGuardHome#1660. Squashed commit of the following:

commit 843758066634b9900324a262cdb0b2743780537a
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date:   Tue Nov 21 20:40:49 2023 +0300

    Configuration: add serve_plain_dns
Hello,
please add an option to completely disable incoming queries via port 53 to prevent DDoS attacks. For example:
https://forum.adguard.com/index.php?threads/spam-pizzaseo-com.38335/
I know it can be done with a firewall, and that's what I did, but it seems reasonable to me if there is a separate function in AGH itself for that.
Thank you.
Cheers!