AdGuard Home secure to open to public? #769

Closed
davidsarkany opened this issue May 19, 2019 · 3 comments

@davidsarkany

Hi!
Is AdGuard Home safe on the public internet?
I want to use it without a VPN, but I'm worried about DNS amplification and other vulnerabilities.
Do I have a reason to be worried, or is AdGuard Home safe on the public internet?

@ameshkov
Member

Yeah, you should be worried about DNS amplification. Any public DNS server eventually becomes a target for such an attack.

AdGuard Home has a default rate limit set to 20 rps, which is generally enough, but in my experience DDoSers still try to exploit public DNS servers even when the rate limit is low.

You will need to monitor the situation and block their IP addresses from time to time. For now, the only way to block an IP address is to use iptables on the server. In future versions of AGH, we'll add a configurable blacklist to the settings.
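
The monitor-and-block routine described in the comment above, as an added example that is not part of the original thread or of AdGuard Home: it scans a query log for clients whose peak rate exceeds the 20 rps limit and renders (without executing) iptables DROP rules for port 53. The log format, sample data and function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

RATE_LIMIT_RPS = 20  # default rate limit quoted in the thread

# Constructed sample, "<epoch_seconds> <client_ip> <qname>" per line. This is a
# hypothetical format, not AdGuard Home's query log. Lines are in time order.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i / 60:.3f} 203.0.113.7 example.org" for i in range(60)]
    + [f"{1000 + i:.3f} 198.51.100.4 example.net" for i in range(10)]
)

def find_offenders(log_text, limit=RATE_LIMIT_RPS, window=1.0):
    """Return {client_ip: peak query count in any `window`-second span}
    for clients whose peak exceeds `limit`. Assumes time-ordered input;
    malformed lines are skipped."""
    recent = defaultdict(deque)  # per-client timestamps still inside the window
    peak = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, ip = float(parts[0]), parts[1]
        except (ValueError, IndexError):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:  # drop timestamps that left the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > limit}

def iptables_rules(offenders):
    """Render DROP rules for plain DNS (UDP and TCP port 53) as strings."""
    rules = []
    for ip in sorted(offenders):
        ipaddress.IPv4Address(ip)  # ValueError unless a literal IPv4 address
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -I INPUT -s {ip} -p {proto} --dport 53 -j DROP")
    return rules

if __name__ == "__main__":
    for rule in iptables_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

Because amplification traffic carries the victim's address as its source, a rule like this stops the server reflecting to that address; it does not identify the sender.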

@alexzeitgeist
Contributor

I believe DNS-over-TLS and/or DNS over HTTPS mitigate spoofing and amplification for DoS. If you adjusted your clients to use only one of these, you could drop incoming port 53 on the server.

@davidsarkany
Author

I am currently using this solution.
Works well.
