Skip to content
/ guarde Public

A TCP and UDP reverse proxy for AdGuard Home and other self-hostable DNS servers.

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ShindouMihou/guarde

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
cmd
cmd
 
 
internal
internal
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

Guarde

Guarde is a TCP and UDP reverse proxy written in Golang. It was created in an attempt to mitigate the potential of a DNS amplification attack by limiting the IPs to those that has specific WHOIS properties, this was created more towards protecting my local AdGuard Home instance.

How does this protect Home DNS servers?

The philosophy behind Guarde is that we only allow addresses that come specifically those that you know such as ISPs that shouldn't be used by an enterprise (e.g. PLDT ISP for PH). It is designed this way due to the fact that most home routers and devices do not have a static IP address (or so is the case in the Philippines).

How to configure Guarde

Guarde has a very simple configuration:

  • proxy: contains all the proxy configurations
    • udp: contains all the udp configuration details
    • tcp: contains all the tcp configuration details
      • [udp/tcp].forward: forwards all requests to the given port to this address.
      • [udp/tcp].port: the port that Guarde should listen on.
      • [udp/tcp].fallback: additional configuration for when Guarde fails to request from initial forward.
        • addresses: an array containing all the fallback addresses, this will be requested in synchronous until one replies.
    • ruleset: contains all the WHOIS rulesets that matter, please refer to Rulesets.
    • verbose: whether to show all the request body and response body.
    • allow: configures the flexibility of the rulesets
      • property_not_found: whether to allow when the ruleset cannot be found, default: false
    • options: additional options that you can reconfigure especially if you find the defaults lacking.
      • read_deadline: configures the maximum amount of time a read operation (from Guarde to forward/fallback) should take. default: 1280.
      • buffer_size: configures the initial buffer size of each read operation. default: 1024.
    • healthcheck: enables the healthcheck module (includes in-memory metrics), viewer available at guarde-health.
      • port: the port the healthcheck should listen to.

An example of this configuration would be:

proxy:
  udp:
    forward: 172.17.0.1:1053
    fallback:
      addresses: ['1.1.1.1:53']
    port: 53
  tcp:
    forward: 172.17.0.1:1053
    fallback:
      addresses: ['1.1.1.1:53']
    port: 53
ruleset:
  - person: '%PLDT'
    e-mail: '%pldt.com.ph'
    country: 'PH'
verbose: true

You have to save the file under the %HOME%/.guarde/config.yml file. If you are using Docker, you can link it to the /root/.guarde/config.yml path since the Dockerfile here uses Alpine Linux.

Rulesets

To know what ruleset properties are available, you can query your IP Address using ARIN Lookup. We recommend using the CLI tool, or using the link we provided since it provides the raw output, for example, to make sure that the organization id matches, you can add this field:

OrgId: 'AT-88-Z'

If you want to make sure that the field contains a specific value, then you can add the % prefix at the value and it will only ensure that the field contains that specific value.

About

A TCP and UDP reverse proxy for AdGuard Home and other self-hostable DNS servers.

Topics

hacktoberfest dns-proxy adguardhome

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages