
New security features #1446

Open
lordraiden opened this issue Mar 2, 2020 · 73 comments

Comments

@lordraiden

lordraiden commented Mar 2, 2020

NextDNS has the following security features; why can't the same be developed for AdGuard Home?

  • DNS Rebinding Protection
  • IDN Homograph Attacks Protection
  • Typosquatting Protection
  • Domain Generation Algorithms (DGAs) Protection
  • Block Newly Registered Domains (NRDs)
  • Block Parked Domains
  • Top-Level Domains (TLDs) Blocking
  • Block Bypass Methods
@ameshkov
Member

ameshkov commented Mar 2, 2020

Those who upvote this feature request, please add a comment about which exact feature from this list you need most, and why.

@lordraiden
Author

lordraiden commented Mar 2, 2020

My particular ranking, based on the security they provide

  1. Block Newly Registered Domains (NRDs) https://whoisds.com/newly-registered-domains
    15-30 days or so should be fine

This could be done for the most popular sites (amazon, google, microsoft, etc.)


  1. Typosquatting Protection https://github.com/elceef/dnstwist
  2. Domain Generation Algorithms (DGAs) Protection https://github.com/matthoffman/degas
  3. IDN Homograph Attacks Protection https://github.com/topics/idn-homograph-attack

  1. DNS Rebinding Protection
  2. Block Bypass Methods
  3. Block Parked Domains
  4. Top-Level Domains (TLDs) Blocking and SLD
    https://www.icann.org/resources/pages/tlds-2012-02-25-en
    https://www.spamhaus.org/statistics/tlds/

I forgot to mention:
Google Safe Browsing (NextDNS)
Block malware and phishing domains using Google Safe Browsing—a technology that examines billions of URLs per day looking for unsafe websites. Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.

@ghost

ghost commented Mar 3, 2020

I too would like to block NRDs. The problem is that using the list from whoisds, in my experience, leads to blocking legitimate domains. If any domain creates a new subdomain, that is considered an NRD, but when whoisds publishes its list of NRDs only the domain is listed.

For example, on Tuesday Google creates the subdomain servemoreads.google.com. On Wednesday whoisds publishes a list saying google.com is an NRD.

On Friday Google creates the subdomain adsgalore.google.com, and on the list that whoisds publishes for Saturday, google.com is once again shown as an NRD.

Yes, we could whitelist google.com, but we would also be whitelisting many more domains, depending on your needs, to the point where it's not feasible to spend that much time on whitelisting.

The only way I could see this working is to create a list of every unique domain listed. If any future list contains a domain we have seen before, then it should be excluded from blocking at any point in the future past the retention period for how long we block an NRD.

In other words: if we see google.com listed as an NRD, assume it's actually new. The second time google.com becomes listed as an NRD, we can safely assume the only reason is that google.com has a new subdomain, and we should no longer include google.com in any future NRD lists.

But then again, this creates problems for domains that are re-registered years later but are already contained in an exclusion list; we would end up not blocking those domains.
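The "seen twice means not new" rule described in the comment above, as an added example (not AdGuard Home or whoisds code): a tracker that blocks a domain for a retention window on its first sighting and permanently excludes it on a second sighting on a later day. The daily feeds are constructed, the one-domain-per-line format and the 30-day retention are assumptions, and the last value in the result shows the re-registration caveat the comment raises.

```python
"""Newly-registered-domain (NRD) tracker implementing the "seen twice means not
new" rule from the comment above.  Added example, not AdGuard Home or whoisds
code: the daily feeds below are constructed (one domain per line, as whoisds
publishes), and the 30-day retention is an assumed default."""
from datetime import date, timedelta


class NrdTracker:
    """First sighting of a domain: treat it as new and block it for `retention`.
    Second sighting on a later day: the feed re-listed an existing domain
    (a new subdomain was created), so exclude it permanently."""

    def __init__(self, retention_days: int = 30):
        self.retention = timedelta(days=retention_days)
        self.first_seen: dict[str, date] = {}   # domain -> day of first appearance
        self.excluded: set[str] = set()          # domains seen on two different days

    def ingest(self, feed_day: date, feed_lines: str) -> set[str]:
        """Process one daily feed; returns the domains this feed moved to the exclusion list."""
        newly_excluded = set()
        for line in feed_lines.splitlines():
            domain = line.strip().lower().rstrip(".")
            if not domain or domain.startswith("#") or domain in self.excluded:
                continue
            if domain in self.first_seen and self.first_seen[domain] < feed_day:
                self.excluded.add(domain)
                newly_excluded.add(domain)
            else:
                self.first_seen.setdefault(domain, feed_day)   # same-day repeats are harmless
        return newly_excluded

    def blocked(self, today: date) -> list[str]:
        """Domains still inside the retention window and not excluded."""
        return sorted(d for d, seen in self.first_seen.items()
                      if d not in self.excluded and today - seen < self.retention)

    def adguard_rules(self, today: date) -> list[str]:
        """The current blocklist as AdGuard Home filter rules."""
        return [f"||{d}^" for d in self.blocked(today)]


def demo() -> dict:
    """Replay the google.com scenario from the comment with constructed feeds."""
    tracker = NrdTracker(retention_days=30)
    wednesday, saturday = date(2020, 3, 4), date(2020, 3, 7)
    # Wednesday: google.com is listed only because a subdomain was created.
    tracker.ingest(wednesday, "google.com\nfreshly-made-shop.test\n")
    # Saturday: google.com is listed again, which is the signal that it is not new.
    excluded = tracker.ingest(saturday, "google.com\nanother-new-site.test\n")
    result = {
        "excluded_after_saturday": excluded,
        "blocked_after_saturday": tracker.blocked(saturday),
        "rules_after_saturday": tracker.adguard_rules(saturday),
        "blocked_after_60_days": tracker.blocked(saturday + timedelta(days=60)),
    }
    # Caveat raised in the comment: a domain excluded once is never blocked again,
    # even if it is genuinely re-registered years later.
    later = date(2023, 1, 1)
    tracker.ingest(later, "google.com\n")
    result["re_registered_blocked"] = "google.com" in tracker.blocked(later)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```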

@DandelionSprout
Member

DandelionSprout commented Mar 5, 2020

TLD blocking is already fully possible through e.g. ||*.tk^, so that's 1 down, 7 or 8 to go.

Of the other 7, typosquatting protection is the only one I myself would have actively used, as it'd be an easier way to block counterfeit domains than to have filterlists with e.g. 3,000 different misspellings of ebay.com.

@ammnt

ammnt commented Mar 6, 2020

I would really like to see all of these functions also in AdGuard DNS.

@ghost

ghost commented Mar 7, 2020

For IDN Homograph Attacks Protection, a quick and dirty solution would be to simply block all punycode. I do this with a custom filter regex that looks like this: "/.*?xn--.*/". Of course some users may not want to block all punycode, so maybe you could make this an option with a toggle switch, like you guys already do with one-click Facebook, WhatsApp or Instagram blocking.

@DandelionSprout
Member

Regarding @HopHop20's hotfix and concerns: A method to avoid homograph attacks, while not blocking legitimate non-Latin-TLD domains, would be something like /.*?xn--.*\.[a-z][a-z][a-z]?\.?[a-z]?[a-z]?[a-z]?/, which blocks løkballær.no (which is a completely random test phrase), but not яндекс.рф.

@DandelionSprout
Member

I've now created https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtectionTotal.txt and https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtection-USLatinTLDsOnly.txt, to attempt to ensure a list that prevents homograph attacks.

@ameshkov Do these two new lists mean that the goal of "IDN Homograph Attacks Protection" has been accomplished and can be checked off the list, or not?

@lordraiden
Author

lordraiden commented Mar 14, 2020

This is what NextDNS offers:

[two screenshots]

@DandelionSprout
Member

DandelionSprout commented Mar 14, 2020

For those who're really keen on typosquatting protection in lieu of an official AdGuard solution, I can currently recommend AntiSocial Engineer BlackList.

Note that among its 34,000 entries, there are also 7 false positives for Google, the most severe one being google.org. I've sent them an E-mail now about it and a handful of other ones.

@ghost

ghost commented Mar 14, 2020

For those who're really keen on typosquatting protection in lieu of an official AdGuard solution, I can currently recommend AntiSocial Engineer BlackList.

Note that among its 34,000 entries, there are also 7 false positives for Google, the most severe one being google.org. I've sent them an E-mail now about it and a handful of other ones.

It's a UK-centric blocklist, so I wouldn't expect many, if any, of those reported entries to be removed. I totally ignored this fact and here is the response I got from the maintainer about T-Mobile.com ...

"...blacklist is UK centric where T-Mobile now trade as EE. So customers and people that use the list have no need for T-mobile domains..."

@DandelionSprout
Member

Oh.

That's admittedly a big, BIG minus-point for that list. Big enough that I'll even remove it from my curated lists in the OP of #1325 (comment). Thanks so much for the heads-up.

@GyokuroT

Please add "DNS Rebinding Protection". Thank you :-)

@emlimap

emlimap commented Apr 24, 2020

Another vote for DNS Rebinding Protection.

It would be good to have an option to exclude certain domains from Rebinding protection. The use case for it will be if you are self hosting and have a DNS record that points to an internal IP.

These are the options dnsmasq offers when it comes to DNS rebind protection.

--stop-dns-rebind
    Reject (and log) addresses from upstream nameservers which are in the private ranges. This blocks an attack where a browser behind a firewall is used to probe machines on the local network. For IPv6, the private range covers the IPv4-mapped addresses in private space plus all link-local (LL) and site-local (ULA) addresses. 
--rebind-localhost-ok
    Exempt 127.0.0.0/8 and ::1 from rebinding checks. This address range is returned by realtime black hole servers, so blocking it may disable these services. 
--rebind-domain-ok=[<domain>]|[[/<domain>/[<domain>/] 

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

@ghost

ghost commented Apr 24, 2020

Here's what I do to block DNS rebinding attacks currently. You can add the regular expressions to custom filter rules.

192.0.0.0/24

/^192.0.0(.[0-9]{1,3}){1}$/

192.0.2.0/24

/^192.0.2(.[0-9]{1,3}){1}$/

198.51.100.0/24

/^198.51.100(.[0-9]{1,3}){1}$/

203.0.113.0/24

/^203.0.113(.[0-9]{1,3}){1}$/

192.168.0.0/16

/^192.168(.[0-9]{1,3}){2}$/

169.254.0.0/16

/^169.254(.[0-9]{1,3}){2}$/

10.0.0.0/8

/^10(.[0-9]{1,3}){3}$/

127.0.0.0/8

/^127(.[0-9]{1,3}){3}$/

10.0.0.0/8

/^0(.[0-9]{1,3}){3}$/

100.64.0.0/10

/^100.(6[4-9]|[7-9][0-9]{1}|1[0-1][0-9]|12[0-7])(.[0-9]{1,3}){2}$/

224.0.0.0/4

/^(22[4-9]|23[0-9])(.[0-9]{1,3}){3}$/

240.0.0.0/4

/^(24[0-9]|25[0-5])(.[0-9]{1,3}){3}$/

172.16.0.0/12

/^172.(1[6-9]|2[0-9]|3[0-1)(.[0-9]{1,3}){2}$/

198.18.0.0/15

/^198.(1[8-9])(.[0-9]{1,3}){2}$/

If you need to whitelist an IP, then add a whitelist rule. For example, if example.com resolves to 192.168.0.1, then add the line below to the custom filter:

@@|192.168.0.1^

Edit

fixed: 100.64.0.0/10 regex

@DandelionSprout
Member

DandelionSprout commented Apr 24, 2020

Feel free to correct me if I'm wrong, but wouldn't DNS rebinding protection prevent local LAN addresses from being accessed, or perhaps even from using AGH as clients? Since AGH seems to be first and foremost designed for use on local LANs, I'd be surprised if this became an officially supported function in AGH outside of 3rd-party filterlists.

https://github.com/InnoScorpio/Public_Adblock_Filters/tree/master/LOCALNET-EX seems to attempt to make an anti-localhost list, although none of the 3 formats are supported by AGH.

@emlimap

emlimap commented Apr 25, 2020

@HopHop20 Thank you for the regex filters. They work as intended.

I wonder if there is a performance impact with AGH when you use regex filters. For example, Pi-hole developers used to advise against regex rules, as pihole-FTL/dnsmasq had to evaluate each and every regex rule, compared to a blocklist where it stops at the first match. The more regex rules you had, the longer it took to process DNS queries. Not sure if the situation has changed with their new v5 beta. Haven't tested it yet.

There were some IPs that I wasn't aware of, like 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24. Did you have to go through IETF RFCs to find them?

In terms of whitelisting, whitelisting the sub/root domain also works. For example, if webserver.example.org points to 192.168.1.20, then @@||webserver.example.org^ does the trick. Works better for me, as I could just add @@||home.mylocadomain.tld^ as a whitelist instead of individual IP addresses.

@DandelionSprout Any domain name that responds with a private address (full list - https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses) will get blocked. HopHop20's regex filters above cover a lot more than that. You can still access them directly by their IP address.

This is why both dnsmasq and unbound don't enable it by default. It has to be enabled by the user, along with the option to exclude certain domains. In OpenWrt with dnsmasq, if you enable DNS rebinding protection, the local domain isn't affected but others returning private IP addresses will be dropped.

This article goes into detail on how a DNS rebinding attack works and how it can be exploited in the real world - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325

@ghost

ghost commented Apr 25, 2020

@emlimap I should have been a bit more clear. The regexes are for IPv4 bogons, taken from https://www.team-cymru.com/bogon-bit-notation.html. You can learn more about bogons at https://www.team-cymru.com/bogon-reference-http.html. They are basically private ranges and reserved ranges, or ranges that you should never see out on the internet. They also have an IPv6 list of bogons, but I don't have regex filters yet, mostly because my ISP doesn't support IPv6.

As for performance issues, I haven't noticed much of a decline using the small set of regexes I have, including the ones I posted here. Ideally don't use them, or don't use too many, but again it hasn't been slow enough for me to even care...

You could turn the above regexes into rules and abandon regex altogether if one is that concerned about performance. However, you might also run into more of a performance issue. For instance, if you wanted to block all of 127.0.0.0/8 you would need to create a rule for each IP in 127.0.0.0/8, and that would be a total of 16,777,216 rules. For all the bogon ranges I posted above, that would turn into 592,708,608 individual rules. This gets a lot worse with IPv6... Anyway, it seems like a lot of rules for AdGuard Home to handle without a degradation in performance, although I've never tested this theory. You could shorten the rules by writing something like |127. but then that would block 127.example.com and 127example.com, or anything that begins with 127.

@ameshkov
Member

I wonder if there is a performance impact with AGH when you use regex filters

If there are many thousands -- there is. But a small number of regexes won't hurt.

@emlimap

emlimap commented Apr 27, 2020

@HopHop20 Thanks for that link. I think that list is better off being used with a router/firewall rather than regex, especially the IPv6 one, as it is quite large and you have to constantly keep your regex updated as IPv6 allocations are made.

RIPE has a good guide on some IPv6 equivalents of IPv4 private IP ranges - https://www.ripe.net/manage-ips-and-asns/ipv6/ipv6-address-types

Since DNS rebinding is purely about private IP ranges, to stop websites from scanning the user's local network, I would say we just need rules for fc00::/7 and fe80::/10. These are the ranges dnsmasq also seems to cover.

I had a stab at this, but it doesn't cover the full /10 CIDR; all devices on my local network are only picking up an IP from the fe80 range, though.
/^fe80:(:[0-9a-fA-F]{0,4}){0,4}$/

Query for a test. Useful service for testing - https://ip6.name/

dig AAAA "fe80.x.200.5aee.feaa.20a2.ip6.name"

If you would like to play with IPv6, you can give HE's Tunnel Broker service a try: https://tunnelbroker.net. I used to use it until I moved to an ISP that provided native IPv6 support.

Bear in mind Netflix will stop working unless you either block the Netflix IPv6 range on your router or block AAAA records for Netflix. The second one is planned to be addressed in the release after next, #1547 (comment)

@ameshkov That is good to know, thanks.

@HorayNarea

I've now created https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtectionTotal.txt and https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Special%20security%20lists/IDNHomographProtection-USLatinTLDsOnly.txt, to attempt to ensure a list that prevents homograph attacks.

@ameshkov Do these two new lists mean that the goal of "IDN Homograph Attacks Protection" has been accomplished and can be checked off the list, or not?

This also blocks legit domains such as thüringen.de so probably no. :D

@DandelionSprout
Member

I believe that's 100% exactly how IDN homograph protection works, if I understood the concept behind it correctly.

That being said, I have considered adding a whitelist to let sites like elkjøp.no through, but I couldn't find any major websites that had Unicode domains that weren't just instant redirects, which thüringen.de also is (Gets turned into thueringen.de).

@HorayNarea

HorayNarea commented Apr 30, 2020

I believe that's 100% exactly how IDN homograph protection works, if I understood the concept behind it correctly.

In real-world attacks it's more about abusing characters from different alphabets that look exactly like your target alphabet…
For example the Cyrillic character В, which looks (depending on the font) like the Latin B, or an even better example: о vs. o

(To see that these are really different characters, copy-paste them into Google and see the results.)
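The distinction drawn in the comment above, as an added example (not AdGuard Home code and not the filter lists linked earlier in the thread): the two punycode heuristics discussed here beside a mixed-script check, run over constructed sample names including the legitimate IDNs mentioned (thüringen.de, яндекс.рф) and a look-alike with Cyrillic о in place of Latin o. Script detection via the first word of the Unicode character name is a deliberate simplification.

```python
"""Three IDN homograph heuristics from this thread, side by side.  Added
example, not AdGuard Home code or the linked filter lists:
  1. block every punycode (xn--) label, as the /.*?xn--.*/ rule does;
  2. block punycode only when the TLD itself is plain ASCII, so яндекс.рф passes;
  3. flag a label that mixes scripts (a Cyrillic "о" inside a Latin name),
     which is what real homograph attacks do and what heuristics 1 and 2 miss.
Script detection here is the first word of the Unicode character name; a
production check should use the Unicode Script property and UTS #39 rules."""
import unicodedata


def to_punycode(hostname: str) -> str:
    """The A-label (xn--) form, i.e. what actually appears in the DNS query."""
    return hostname.rstrip(".").lower().encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels back to Unicode; Unicode input is just normalised."""
    host = hostname.rstrip(".").lower()
    return host.encode("ascii").decode("idna") if host.isascii() else host


def scripts_in(label: str) -> set[str]:
    """Scripts used by the letters of one label; digits and '-' are neutral."""
    found = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                found.add("LATIN")
        else:
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def blocks_all_punycode(hostname: str) -> bool:
    """Heuristic 1: any xn-- label anywhere in the name."""
    return any(label.startswith("xn--") for label in to_punycode(hostname).split("."))


def blocks_punycode_under_ascii_tld(hostname: str) -> bool:
    """Heuristic 2: xn-- labels are blocked only when the TLD is not itself an IDN."""
    labels = to_punycode(hostname).split(".")
    return (any(label.startswith("xn--") for label in labels[:-1])
            and not labels[-1].startswith("xn--"))


def is_mixed_script(hostname: str) -> bool:
    """Heuristic 3: some label combines letters from more than one script."""
    return any(len(scripts_in(label)) > 1 for label in to_unicode(hostname).split("."))


def verdicts(hostname: str) -> tuple[bool, bool, bool]:
    """(blocked by heuristic 1, blocked by heuristic 2, flagged by heuristic 3)."""
    return (blocks_all_punycode(hostname),
            blocks_punycode_under_ascii_tld(hostname),
            is_mixed_script(hostname))


# Constructed sample names: a plain ASCII name, the two legitimate IDNs mentioned
# above, and a look-alike with two Cyrillic "о" (U+043E) replacing Latin "o".
SAMPLES = ["google.com", "thüringen.de", "яндекс.рф", "g\u043e\u043egle.com"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:<14} {to_punycode(name):<28} all/ascii-tld/mixed = {verdicts(name)}")
```

Heuristic 1 is the only one that blocks thüringen.de, matching the observation earlier in the thread; heuristic 3 is the only one that flags the look-alike while letting both legitimate IDNs through.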

@davidmerrique

Looks like NextDNS has a new feature, Native Tracking Protection: https://headwayapp.co/nextdns-changelog/new-feature-native-tracking-protection-149447

Block wide spectrum trackers—often operating at the operating system level—that track your activity on a device. This could include all the websites you visit, everything you type or your location at all times.

I’m not even 100% sure what that means from the description.

@ameshkov
Member

ameshkov commented May 8, 2020

Sounds like a nice name for a blocklist, this is not a security feature.

@jenabaivab

You can find what is shipped in which version here; I just hope to see one day an approximate date of release in beta.

I don't see a lot of things except CNAME flattening support :( I was looking mostly for typosquatting, cryptojacking, intelligence feeds and rebinding. Hopefully someday we can get those things in AG Home.

@ammnt

ammnt commented Apr 19, 2021

Guys, see what other interesting security features are implemented on applied-privacy.net:

  • QNAME minimisation (RFC7816) is enabled to reduce query disclosure to 3rd parties
  • Aggressive Use of DNSSEC-Validated Cache (RFC8198)
  • prefetching is enabled to reduce latency and make correlation of inbound and outbound connections harder.
  • TLS session resumption
  • EDNS0 TCP keepalive Option (RFC7828)
  • TLSA records for our DNS endpoints (CA Constraint)
  • TCP Fast Open (RFC7413) is available on the DoH service
  • EDNS0 Padding Option (RFC7830, RFC8467)
  • TLS False Start (RFC7918)
  • "Recommendations for DNS Privacy Service Operators" (active Internet Draft)
    etc.

@ameshkov, anything interesting for us?🤨

@gregtwallace

gregtwallace commented Jun 4, 2021

+1 for DNS Rebinding Protection (I implemented the RegEx, but something more user-friendly, like a couple of checkboxes ("Block private networks and loopback addresses" & "Block bogon networks") and a whitelist / define local domains setting, would be fantastic).

edit: I see someone submitted a pull request to add this feature.

@gregtwallace

gregtwallace commented Jun 25, 2021

Here's what I do to block DNS rebinding attacks currently. You can add the regular expressions to custom filter rules.

172.16.0.0/12

/^172.(1[6-9]|2[0-9]|3[0-1)(.[0-9]{1,3}){2}$/

You're missing a bracket; should be:
172.16.0.0/12
/^172.(1[6-9]|2[0-9]|3[0-1])(.[0-9]{1,3}){2}$/
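The bogon regexes posted earlier in the thread and the bracket fix just above, checked mechanically. This is an added example, not AdGuard Home code: it derives each anchored regex from the CIDR with Python's ipaddress module and verifies it against the block boundaries; BOGONS_V4 is the IPv4 list from the thread, POSTED_172 and FIXED_172 are the two versions of the 172.16.0.0/12 rule, and the non-address string used to show the unescaped-dot problem is constructed.

```python
"""Build and verify anchored IPv4 regex rules for the bogon ranges posted in
this thread.  Added example, not AdGuard Home code: each regex is derived from
the CIDR with the ipaddress module, so octet bounds cannot be mistyped, and is
checked against the block boundaries, which catches both the missing "]" in
the originally posted 172.16.0.0/12 rule and the unescaped dots."""
import ipaddress
import re
import warnings

# IPv4 bogon ranges as listed earlier in the thread (Team Cymru's bogon list).
BOGONS_V4 = [
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
]
# One octet 0-255 without leading zeros; tighter than the [0-9]{1,3} used above.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
# The 172.16.0.0/12 rule as first posted (missing "]") and as corrected above.
POSTED_172 = r"^172.(1[6-9]|2[0-9]|3[0-1)(.[0-9]{1,3}){2}$"
FIXED_172 = r"^172.(1[6-9]|2[0-9]|3[0-1])(.[0-9]{1,3}){2}$"


def _group(expr: str) -> str:
    return f"(?:{expr})" if "|" in expr else expr


def _same_len(lo: str, hi: str) -> str:
    """Regex for the decimal strings lo..hi, both of equal length, lo <= hi."""
    if lo == hi:
        return lo
    if len(lo) == 1:
        return f"[{lo}-{hi}]"
    if lo[0] == hi[0]:
        return lo[0] + _group(_same_len(lo[1:], hi[1:]))
    rest = len(lo) - 1
    parts = [_same_len(lo, lo[0] + "9" * rest)]            # lo .. d99..9
    a, b = int(lo[0]) + 1, int(hi[0]) - 1
    if a <= b:                                             # leading digits fully in range
        parts.append((str(a) if a == b else f"[{a}-{b}]") + "[0-9]" * rest)
    parts.append(_same_len(hi[0] + "0" * rest, hi))        # d00..0 .. hi
    return "|".join(parts)


def octet_regex(lo: int, hi: int) -> str:
    """Regex matching the integers lo..hi, e.g. 64..127 for the 2nd octet of 100.64.0.0/10."""
    if (lo, hi) == (0, 255):
        return OCTET
    parts = []
    for digits in range(len(str(lo)), len(str(hi)) + 1):   # one piece per digit count
        a = max(lo, 10 ** (digits - 1) if digits > 1 else 0)
        b = min(hi, 10 ** digits - 1)
        parts.append(_same_len(str(a), str(b)))
    return _group("|".join(parts))


def cidr_to_regex(cidr: str) -> str:
    """Anchored regex matching exactly the addresses of an IPv4 CIDR block."""
    net = ipaddress.IPv4Network(cidr)
    first, last = net.network_address.packed, net.broadcast_address.packed
    octets = [str(lo) if lo == hi else octet_regex(lo, hi) for lo, hi in zip(first, last)]
    return "^" + r"\.".join(octets) + "$"    # wrap as /.../ for an AdGuard Home custom rule


def matches(pattern: str, text: str) -> bool:
    """Full-string match; a rule that does not compile blocks nothing, so it counts as no match."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")   # POSTED_172 triggers a "possible nested set" FutureWarning
            return re.fullmatch(pattern, text) is not None
    except re.error:
        return False


def verify_regex(cidr: str, pattern: str = "") -> bool:
    """First, middle and last address of the block must match; the addresses
    just outside it must not.  Uses the generated regex unless one is given."""
    net = ipaddress.IPv4Network(cidr)
    pattern = pattern or cidr_to_regex(cidr)
    inside = [net.network_address, net[net.num_addresses // 2], net.broadcast_address]
    outside = []
    if int(net.network_address) > 0:
        outside.append(net.network_address - 1)
    if int(net.broadcast_address) < 2 ** 32 - 1:
        outside.append(net.broadcast_address + 1)
    return (all(matches(pattern, str(ip)) for ip in inside)
            and not any(matches(pattern, str(ip)) for ip in outside))


if __name__ == "__main__":
    for cidr in BOGONS_V4:
        print(f"{cidr:<16} {'ok ' if verify_regex(cidr) else 'BAD'} /{cidr_to_regex(cidr)}/")
    # The posted rule compiles but never matches a real address; the fixed rule
    # passes the boundary check, but its unescaped dots also match non-addresses.
    print("posted 172 rule matches 172.16.1.1:", matches(POSTED_172, "172.16.1.1"))
    print("fixed 172 rule passes boundaries:  ", verify_regex("172.16.0.0/12", FIXED_172))
    print("fixed 172 rule matches 172x16y1z2: ", matches(FIXED_172, "172x16y1z2"))
```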

@ammnt

ammnt commented Jun 25, 2021

@Macqael, these ugly rules work for me, but I'm still testing them:

/^(::1)$/
/^(fe80::)/
/^(fec0::)/
/^(febf::)/
/^(feff::)/
/^(fc00::)/
/^(ff00::)/
/^(::ffff:)/

@xenstar

xenstar commented Jul 5, 2021

We love AdGuard Home, so that's why we requested those features from NextDNS. I just searched for those features, and Google brought me here. Hopefully you will keep adding these security features to AdGuard Home in the coming days. All the best to the ADH team.

@timkgh

timkgh commented Sep 13, 2021

+1 for DNS Rebinding Protection but it needs to allow internal DNS servers to return private IP addresses.

Just copy all the other features from NextDNS :)

@kevindd992002

+1 for DNS Rebinding Protection as well. Unbound and dnsmasq have this as a standard feature.

@DandelionSprout
Member

If I'm understanding https://en.wikipedia.org/wiki/DNS_rebinding correctly, it would be possible for me to make an adblock list for that, loosely based on https://raw.githubusercontent.com/gwarser/filter-lists/master/lan-block.txt. Give me 30min.

@DandelionSprout
Member

DandelionSprout commented Nov 2, 2021

Okay, so here's how to (hopefully) do DNS rebinding protection in AdGuard Home:

Make sure that Enable reverse resolving of clients' IP addresses is turned on, set Override minimum TTL to 100 or higher (Preferably higher), and add these three entries:

://192.168.$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1
/^172.(1[6-9]|2[0-9]|3[01])\./$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1
://10.$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1

Though the entries are very untested, these three approaches combined will mitigate perhaps 98% of rebinding attacks. However, the chance of false positives is considerable, especially for connecting to home media servers.

@kevindd992002

Okay, so here's how to (hopefully) do DNS rebinding protection in AdGuard Home:

Make sure that Enable reverse resolving of clients' IP addresses is turned on, set Override minimum TTL to 100 or higher (Preferably higher), and add these three entries:

://192.168.$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1
/^172.(1[6-9]|2[0-9]|3[01])\./$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1
://10.$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1

Though the entries are very untested, these three approaches combined will mitigate perhaps 98% of rebinding attacks. However, the chance of false positives is considerable, especially for connecting to home media servers.

Thanks for this. I wonder what kind of listing both pfSense and Pi-hole use. I would also add "plex.tv" to the exceptions for DNS rebinding attacks.

@xenstar

xenstar commented Nov 2, 2021

Okay, so here's how to (hopefully) do DNS rebinding protection in AdGuard Home:

Make sure that Enable reverse resolving of clients' IP addresses is turned on, set Override minimum TTL to 100 or higher (Preferably higher), and add these three entries:

://192.168.$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1
/^172.(1[6-9]|2[0-9]|3[01])\./$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1
://10.$dnstype=CNAME,denyallow=airbox.home|airport|arcor.easybox|aterm.me|bthub.home|bthomehub.home|congstar.box|connect.box|easy.box|etxr|fritz.box|fritz.nas|fritz.repeater|giga.cube|hi.link|hitronhub.home|homerouter.cpe|huaweimobilewifi.com|myfritz.box|ntt.setup|pi.hole|repeater.asus.com|router.asus.com|routerlogin.com|routerlogin.net|samsung.router|speedport.ip|tplinkwifi.net|web.setup|web.setup.home|home.arpa|local|localhost|127.0.0.1

Though the entries are very untested, these three approaches combined will mitigate perhaps 98% of rebinding attacks. However, the chance of false positives is considerable, especially for connecting to home media servers.

Where to add these values? In custom block list?

@DandelionSprout
Member

(Top row) → Filters → Custom filtering rules.

@timkgh

timkgh commented Nov 2, 2021

Maybe this is not the place to discuss how to implement some of these features, but just pointing out the filters suggested above might have problems with domains such as 10.mail.example.com.
Also, I am not sure AGH understands :// because it works at the DNS/domain/IP level not URL.

I've kept mine very simple because this is all I care to block on my VLANs and I don't care about netgear/asus/etc routers and their DNS hacks or 172.*:
Block via (a not so perfect) regex:
/^(127\.[0-9]+|192\.168|10\.[0-9]+)\.[0-9]+\.[0-9]+$/
Unblock my internal and public domains:
@@|*.myinternaldomain^$important
@@||mypublicdomain.com^$important
This is important if you use Plex also:
@@||plex.direct^$important

@DandelionSprout
Member

:// is normally supposed to be a synonym for an initial single | in AdGuard Home, though I can't entirely rule out any potential bugs regarding either of those syntaxes when used with IP addresses.

@SiNONiMiTY

DNS Rebinding Protection, why is this not available by default? Even in disabled state.

I can see that there are regex workarounds, but this feature is a must have.

@kevindd992002

DNS Rebinding Protection, why is this not available by default? Even in disabled state.

I can see that there are regex workarounds, but this feature is a must have.

My exact sentiments here.

@emlimap

emlimap commented Dec 31, 2021

@SiNONiMiTY @kevindd992002 There is an open PR for DNS rebinding protection feature, and it is pencilled in for 0.108 release #2397

@vaskozl

vaskozl commented Jan 9, 2022

I personally run dnsmasq in front of AdGuard Home for DNS rebinding protection (among other reasons).

A minimal dnsmasq config where AdGuard Home runs on port 1753:

bogus-priv
stop-dns-rebind
no-resolv
# forward everything to AdGuard Home; dnsmasq separates address and port with "#"
server=127.0.0.1#1753

@gregtwallace

I personally run dnsmasq in front of AdGuard Home for DNS rebinding protection (among other reasons).

Why? You're adding another potential point of failure and probably introducing latency.

@vaskozl

vaskozl commented Jan 9, 2022

I personally run dnsmasq in front of AdGuard Home for DNS rebinding protection (among other reasons).

Why? You're adding another potential point of failure and probably introducing latency.

I've been using dnsmasq for a long time and rely on some of its features like changing the domain, acting as an authoritative server, DHCP options such as setting search domains, various /etc/hosts options and DNS rebinding protection with selective exclusion.

Latency is tiny via the loopback, and availability-wise it lets me set a fallback for when Docker decides to pull a new :latest on restart. Definitely nothing wrong with AdGuard; it's perfect for adding DoT and fast blocking, this is just my setup.

@lordraiden
Author

Any update on this?

NextDNS has the following security features; why can't the same be developed for AdGuard Home?

* DNS Rebinding Protection
* IDN Homograph Attacks Protection
* Typosquatting Protection
* Domain Generation Algorithms (DGAs) Protection
* Block Newly Registered Domains (NRDs)
* Block Parked Domains
* Top-Level Domains (TLDs) Blocking
* Block Bypass Methods

@xenstar

xenstar commented Mar 4, 2022

NextDNS has the following security features; why can't the same be developed for AdGuard Home?

I think because all companies need money to survive. So AdGuard is developing another product, AdGuard DNS, which is similar to NextDNS, so I am hoping those features will be there.

But if the team adds it to the AdGuard Home free version, that would be so generous of them.

Whatever they will do, I will support them, because their product is already doing an excellent job.

@vaskozl

vaskozl commented Mar 4, 2022

As mentioned, you can already use their bypass block list. Most of the others, other than DNS rebinding, can be quite disruptive and are not much more than marketing, as what they really do is hazy. DNS-based protection can only do so much for security.

@tiny-pangolin

tiny-pangolin commented Mar 26, 2022

I understand I can add blocklists or make rules for these, but I think it would be cool to have the following as features in the UI:

  • IDN Homograph Attacks Protection (could be added via blocklists)
  • Typosquatting Protection (could be added via blocklists)
  • Top-Level Domains (TLDs) Blocking (could be added by populating custom rules or having a sketchy-TLD list)

@finzzz

finzzz commented Jun 11, 2022

Is there any plan for these features? I think blocking NRDs is a must-have feature.

@Haraguroicha

I think NRDs might be the most wanted of these features, since 4 years have passed; here are some ideas I suggest for NRDs:

  1. Allow blocking domains registered recently, from 1 day up to ~2 years ago
  2. Allow adding some exceptions to exclude from NRDs (a.k.a. Trusted Domains)
  3. Statistics for blocked NRDs

@ados8

ados8 commented May 30, 2024

With 4 years under the belt, this might not happen for AdGuard Home.
However, for those wanting an NRD list: newly-registered-domains
I verified with a few domains that they are new.
This list is apparently free from competitor PiHole.

