Unauthorized clients accessing DNS-overTLS #6890

Closed
4 tasks done
tescophil opened this issue Apr 5, 2024 · 14 comments

@tescophil

tescophil commented Apr 5, 2024

Prerequisites

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.107.47

Action

Since installing this latest version I see DNS-over-TLS queries from unauthorised clients being answered.

[Screenshot]

[Screenshot]

I have defined a list of authorised clients which include local private IP ranges for my local network and a number of client tags/labels for remote clients.

All the answered 'unauthorised' queries were from IP ranges outside the ones defined in the authorised clients list and none of the requests used ID tag URLs.

This is the list of authorised IP ranges

127.0.0.1
10.8.1.0/24
192.168.0.0/24
192.168.10.0/24
192.168.20.0/24
192.168.30.0/24
192.168.40.0/24

plus several ClientIDs

Expected result

I don't expect to see any DNS-over-TLS queries answered for unauthorised clients.

Actual result

External queries from unauthorised clients are being answered when they should be dropped.

I see this as a BIG security problem....

Additional information and/or screenshots

No response

@ghost

ghost commented Apr 5, 2024

Hi @tescophil, thanks for the report.
I'm unable to reproduce this on my setup.

Could you please tell me more about how you have AdGuard Home set up?
Seeing a screenshot of your Access settings in Settings > DNS settings, and a copy of your yaml could help too.

[Screenshot]

Reproducing the issue with verbose logs enabled may also show us more of the picture.

ghost added the "waiting for data" label Apr 5, 2024
@tescophil
Author

tescophil commented Apr 5, 2024

Hi,

So I've already given you my authorised clients settings so I don't really see how a screenshot will help, but...

[Screenshot]

I'm set up on a standalone Intel machine (not a VM) and have had the same setup for years. I provide an external (public) DNS-over-TLS for personal Android and iOS devices via port 853, all of which have individual ClientID to control access (which is now broken).

The unauthorised clients are colored red in the client list, however it's not clear what this actually means and looking in the log all these queries are answered and not blocked/ignored as they should be.

I can get you my yaml settings, but I'm currently on a bus in Malta, so it will have to be later on this evening.

@rs-com

rs-com commented Apr 5, 2024

I have the same problem as @tescophil.
This was definitely not the case before the update.

@tescophil
Author

OK here is my yaml config (think I've removed all personal info from this..)

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:81
  session_ttl: 720h
users:
  - name: myname
    password: <password removed>
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - '# DoH Resolvers'
    - https://cloudflare-dns.com/dns-query
    - https://dns.google/dns-query
    - https://doh.opendns.com/dns-query
    - https://dns.quad9.net/dns-query
  upstream_dns_file: ""
  bootstrap_dns:
    - 192.168.0.1
  fallback_dns: []
  upstream_mode: parallel
  fastest_timeout: 1s
  allowed_clients:
    - 127.0.0.1
    - 10.8.1.0/24
    - 192.168.0.0/24
    - 192.168.10.0/24
    - 192.168.20.0/24
    - 192.168.30.0/24
    - 192.168.40.0/24
    - clientone
    - clienttwo
    - clientthree
    - clientfour
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
    - '||coopersedge.internal^'
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 16777216
  cache_ttl_min: 3600
  cache_ttl_max: 86400
  cache_optimistic: true
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: true
  edns_client_subnet:
    custom_ip: ""
    enabled: true
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: false
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
  hostsfile_enabled: true
tls:
  enabled: true
  server_name: myownhostname.duckdns.org
  force_https: false
  port_https: 8443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/letsencrypt/live/myownhostname.duckdns.org/fullchain.pem
  private_key_path: /etc/letsencrypt/live/myownhostname.duckdns.org/privkey.pem
  strict_sni_check: false
querylog:
  dir_path: ""
  ignored: []
  interval: 24h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  dir_path: ""
  ignored: []
  interval: 24h
  enabled: true
filters:
  - enabled: true
    url: https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
    name: DoH 1
    id: 1612043645
  - enabled: true
    url: https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
    name: DoH 2
    id: 1612043646
  - enabled: true
    url: https://adaway.org/hosts.txt
    name: AdAway Default Blocklist
    id: 1621502401
  - enabled: true
    url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
    name: AdGuard DNS filter
    id: 1621502402
  - enabled: true
    url: https://someonewhocares.org/hosts/zero/hosts
    name: Dan Pollock's List
    id: 1621502403
  - enabled: true
    url: https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV-AGH.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1621502404
  - enabled: true
    url: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/GameConsoleAdblockList.txt
    name: Game Console Adblock List
    id: 1621502405
  - enabled: true
    url: https://pgl.yoyo.org/adservers/serverlist.php?hostformat=adblockplus&showintro=1&mimetype=plaintext
    name: Peter Lowe's List
    id: 1621502406
  - enabled: true
    url: https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1621502407
  - enabled: true
    url: https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
    name: NoCoin Filter List
    id: 1621502408
  - enabled: true
    url: https://raw.githubusercontent.com/durablenapkin/scamblocklist/master/adguard.txt
    name: Scam Blocklist by DurableNapkin
    id: 1621502409
  - enabled: true
    url: https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
    name: Spam404
    id: 1621502410
  - enabled: true
    url: https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hosts
    name: The Big List of Hacked Malware Web Sites
    id: 1621502411
  - enabled: true
    url: https://curben.gitlab.io/malware-filter/urlhaus-filter-agh-online.txt
    name: Online Malicious URL Blocklist
    id: 1621502412
  - enabled: true
    url: https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt
    name: BarbBlock
    id: 1621502413
  - enabled: true
    url: https://raw.githubusercontent.com/Zelo72/adguard/main/doh-vpn-proxy-bypass.adblock
    name: DoH 3
    id: 1634383267
  - enabled: true
    url: https://abp.oisd.nl/basic/
    name: OISD Blocklist Basic
    id: 1640125739
  - enabled: true
    url: https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareAdGuardHome.txt
    name: Dandelion Sprout's Anti-Malware List
    id: 1640125740
  - enabled: true
    url: https://raw.githubusercontent.com/notracking/hosts-blocklists/master/adblock/adblock.txt
    name: No Tracking Hosts
    id: 1643128929
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
    name: 1Hosts (Lite)
    id: 1699928146
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_38.txt
    name: 1Hosts (mini)
    id: 1699928147
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1699928148
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 1699928149
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_4.txt
    name: Dan Pollock's List
    id: 1699928150
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt
    name: HaGeZi Multi NORMAL
    id: 1699928151
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt
    name: HaGeZi's Pro Blocklist
    id: 1699928152
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_51.txt
    name: HaGeZi's Pro++ Blocklist
    id: 1699928153
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt
    name: HaGeZi's Ultimate Blocklist
    id: 1699928154
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_5.txt
    name: OISD Blocklist Small
    id: 1699928155
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_27.txt
    name: OISD Blocklist Big
    id: 1699928156
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_3.txt
    name: Peter Lowe's Blocklist
    id: 1699928157
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_33.txt
    name: Steven Black's List
    id: 1699928158
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_39.txt
    name: Dandelion Sprout's Anti Push Notifications
    id: 1699928159
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_6.txt
    name: Dandelion Sprout's Game Console Adblock List
    id: 1699928160
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_46.txt
    name: HaGeZi's Anti-Piracy Blocklist
    id: 1699928162
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_47.txt
    name: HaGeZi's Gambling Blocklist
    id: 1699928163
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_7.txt
    name: Perflyst and Dandelion Sprout's Smart-TV Blocklist
    id: 1699928164
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_23.txt
    name: WindowsSpyBlocker - Hosts spy rules
    id: 1699928165
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_30.txt
    name: Phishing URL Blocklist (PhishTank and OpenPhish)
    id: 1699928166
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_12.txt
    name: Dandelion Sprout's Anti-Malware List
    id: 1699928167
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_44.txt
    name: HaGeZi's Threat Intelligence Feeds
    id: 1699928168
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_8.txt
    name: NoCoin Filter List
    id: 1699928169
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_18.txt
    name: Phishing Army
    id: 1699928170
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_10.txt
    name: Scam Blocklist by DurableNapkin
    id: 1699928171
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_42.txt
    name: ShadowWhisperer's Malware List
    id: 1699928172
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_31.txt
    name: Stalkerware Indicators List
    id: 1699928173
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt
    name: The Big List of Hacked Malware Web Sites
    id: 1699928174
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_50.txt
    name: uBlock₀ filters – Badware risks
    id: 1699928175
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt
    name: Malicious URL Blocklist (URLHaus)
    id: 1699928176
whitelist_filters: []
user_rules:
  - '##################### Blocked Sites #####################'
  - '#'
  - '# Block local domain hostnames (not in /etc/hosts and not in the allow list)'
  - /^.+\.myownhostname.duckdns.org/$dnsrewrite=NXDOMAIN;;
  - '#'
  - '# Block single local hostnames (not in /etc/hosts)'
  - /^[A-Za-z0-9_-]*$/$dnsrewrite=NXDOMAIN;;
  - '#'
  - '# Block Bonjour discovery that never discovers anything'
  - /^[l]?b\._dns-sd\._udp.*/$important
  - '#'
  - '##################### Rewritten Sites #####################'
  - '#'
  - '# Tapo Camera Relays'
  - /^euw1-relay-i-[a-z0-9]*.dcipc.i.tplinknbu.com/$dnsrewrite=euw1-relay-dcipc.i.tplinknbu.com
  - /^use1-relay-i-[a-z0-9]*.dcipc.i.tplinknbu.com/$dnsrewrite=use1-relay-dcipc.i.tplinknbu.com
  - '#'
  - '# Hue diagnostic AAAA requests'
  - '||diag.meethue.com^$dnstype=AAAA,dnsrewrite=NOERROR;AAAA;1::'
  - '#'
  - '##################### Globally Allowed Sites #####################'
  - '#'
  - '# Allow some torrent sites'
  - '@@thepiratebay.org^$important'
  - '@@||snowfl.com^$important'
  - '#'
  - '# Allow Minecraft services'
  - '@@vortex.data.microsoft.com^$important'
  - '#'
  - '# Allow for streaming movies on Plex'
  - '@@||manifest.prod.boltdns.net^$important'
  - '@@||rarbg.to^$important'
  - '@@||stream-us-east-1.getpublica.com^$important'
  - '#'
  - '##################### Per Client Allowed Sites #####################'
  - '#'
  - '# Allow for Fire TV to work'
  - '@@||msh.amazon.co.uk^$client=''192.168.10.252'''
  - '#'
  - '# Tor Project, Phil''s Desktop'
  - '@@||www.torproject.org^$client=''192.168.10.65'''
  - '@@||dist.torproject.org^$client=''192.168.10.65'''
  - '@@||aus1.torproject.org^$client=''192.168.10.65'''
  - ""
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids:
      - icloud_private_relay
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 3600
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: false
    dhcp: true
    hosts: true
  persistent:
    - safe_search:
        enabled: false
        bing: true
        duckduckgo: true
        google: true
        pixabay: true
        yandex: true
        youtube: true
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client1
      ids:
        - 192.168.10.179
        - clientone
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: false
        duckduckgo: false
        google: false
        pixabay: false
        yandex: false
        youtube: false
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client2
      ids:
        - 192.168.10.128
        - clienttwo
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: false
        duckduckgo: false
        google: false
        pixabay: false
        yandex: false
        youtube: false
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client3
      ids:
        - 192.168.10.51
        - phonethree
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
    - safe_search:
        enabled: false
        bing: false
        duckduckgo: false
        google: false
        pixabay: false
        yandex: false
        youtube: false
      blocked_services:
        schedule:
          time_zone: Local
        ids: []
      name: client4
      ids:
        - 192.168.10.52
        - clientfour
      tags: []
      upstreams: []
      uid: <UID Removed>
      upstreams_cache_size: 0
      upstreams_cache_enabled: false
      use_global_settings: true
      filtering_enabled: false
      parental_enabled: false
      safebrowsing_enabled: false
      use_global_blocked_services: true
      ignore_querylog: false
      ignore_statistics: false
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 28
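
The check this report performs by eye, as an added example (not AdGuard Home's code and not from any participant in this thread): flag answered DoT queries whose source IP and ClientID both miss the `allowed_clients` list. It assumes the ClientID is the single leftmost label of the TLS server name in front of `server_name` and that an empty list admits everyone; the `Record` type and the sample records are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Allowed reports whether a client matches a list of IPs, CIDRs and ClientIDs.
func Allowed(entries []string, ip, clientID string) bool {
	addr, ipErr := netip.ParseAddr(ip)
	addr = addr.Unmap()
	for _, e := range entries {
		if p, err := netip.ParsePrefix(e); err == nil {
			if ipErr == nil && p.Masked().Contains(addr) {
				return true
			}
		} else if a, err := netip.ParseAddr(e); err == nil {
			if ipErr == nil && a == addr {
				return true
			}
		} else if clientID != "" && strings.EqualFold(e, clientID) {
			return true
		}
	}
	return len(entries) == 0 // assumption: an empty list admits every client
}

// ClientIDFromSNI returns the single label in front of serverName, or "".
func ClientIDFromSNI(sni, serverName string) string {
	sni = strings.ToLower(sni)
	id := strings.TrimSuffix(sni, "."+strings.ToLower(serverName))
	if id == sni || id == "" || strings.Contains(id, ".") {
		return ""
	}
	return id
}

// Record is a constructed, simplified DoT query record, not AdGuard Home's log schema.
type Record struct {
	IP, SNI  string
	Answered bool
}

// Violations returns the indexes of answered queries from clients not on the list.
func Violations(entries []string, serverName string, recs []Record) []int {
	var out []int
	for i, r := range recs {
		if r.Answered && !Allowed(entries, r.IP, ClientIDFromSNI(r.SNI, serverName)) {
			out = append(out, i)
		}
	}
	return out
}

// Entries come from the config above; the records are constructed for the example.
var sampleAllowed = []string{"127.0.0.1", "192.168.10.0/24", "clientone", "clienttwo"}
var sampleRecords = []Record{
	{"192.168.10.65", "myownhostname.duckdns.org", true},
	{"203.0.113.7", "clientone.myownhostname.duckdns.org", true},
	{"198.51.100.20", "myownhostname.duckdns.org", true},
	{"203.0.113.9", "clientfive.myownhostname.duckdns.org", true},
	{"198.51.100.21", "", false},
}

func main() {
	fmt.Println(Violations(sampleAllowed, "myownhostname.duckdns.org", sampleRecords))
}
```

Any index it returns is a query that was answered for a client the list should have refused, which is the symptom reported here.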

ainar-g self-assigned this Apr 5, 2024
ainar-g added the "bug" and "P1: Critical" labels and removed the "waiting for data" label Apr 5, 2024
ainar-g added this to the v0.107.48 milestone Apr 5, 2024
@ainar-g
Contributor

ainar-g commented Apr 5, 2024

I can reproduce. Seems to only affect encrypted protos. Will fix today.

ainar-g pinned this issue Apr 5, 2024
@Eyeborgs

Eyeborgs commented Apr 5, 2024

I have the same problem - with all protocols..

[Image]

@xRuffKez

xRuffKez commented Apr 5, 2024

Can confirm with latest stable, using encrypted DNS only.

@xRuffKez

xRuffKez commented Apr 5, 2024

List is 404.
Use https://malware-filter.gitlab.io/malware-filter/urlhaus-filter-agh.txt instead.
@tescophil

ainar-g modified the milestones: v0.107.49, v0.107.48 Apr 5, 2024
@ainar-g
Contributor

ainar-g commented Apr 5, 2024

@tescophil, @kashikoy, @rs-com, we've just published v0.107.48, which should fix this. Can you please update and recheck?

@tescophil
Author

Looks good to me 👍

@kashikoy

kashikoy commented Apr 5, 2024

Yes it works, thank you !

ainar-g closed this as completed Apr 5, 2024
@renatoyamane

Both of these below are the same:

> filters:
>   - enabled: true
>     url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
>     name: AdGuard DNS filter
>
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
>     name: AdGuard DNS filter

If you have the Lite version, you don't need the mini.

If Lite is too harsh for your taste, downgrade to mini.
If Lite doesn't block enough, upgrade to Pro.
Pro still not enough? Xtra is the way to go.

>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_24.txt
>     name: 1Hosts (Lite)
>
>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_38.txt
>     name: 1Hosts (mini)

Same thing down here.
If you have HaGeZi's Ultimate Blocklist enabled, you don't need the Pro++, Pro, Multi...

Everything from Multi is inside the Pro version.
Everything from Pro is inside Pro++ version.
Everything from Pro++ is inside the Ultimate version.

>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_34.txt
>     name: HaGeZi Multi NORMAL

>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_48.txt
>     name: HaGeZi's Pro Blocklist

>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_51.txt
>     name: HaGeZi's Pro++ Blocklist

>   - enabled: true
>     url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_49.txt
>     name: HaGeZi's Ultimate Blocklist

@yaneony

yaneony commented Apr 17, 2024

Is it possible to list allowed clients by hostname?!

For example, when a client comes from telekom.de, they have a hostname like D31GEA.telekom.com, so I would like to allow telekom.de clients as a wildcard.

How could this be done?

@xRuffKez

xRuffKez commented Apr 18, 2024

> Is it possible to list allowed clients by hostname?!
>
> For example, when a client comes from telekom.de, they have a hostname like D31GEA.telekom.com, so I would like to allow telekom.de clients as a wildcard.
>
> How could this be done?

It's simpler to add the ASN, but it's only available on adguard-dns.io unfortunately...

Get the IPs from ASN of Telekom Deutschland and add it to the access list.

https://www.peeringdb.com/asn/3320

and the IP List:
https://hackertarget.com/as-ip-lookup/

Put in 3320
