
Authenticated DNS-over-HTTPS Requests/Clients #6938

Open
3 tasks done
bioluks opened this issue Apr 24, 2024 · 2 comments

Comments

@bioluks

bioluks commented Apr 24, 2024

Prerequisites

  • I have checked the Wiki and Discussions and found no answer

  • I have searched other issues and found no duplicates

  • I want to request a feature or enhancement and not ask a question

The problem

When exposing DoT or DoH publicly, many people have reported just what I experienced myself multiple times: botnet pings and malicious clients connecting from all over the world. Since standard DNS implementations and clients don't support authentication for the DNS request to succeed, I looked for hacky ways to achieve just that.

Proposed solution

Apparently AdGuard DNS (afaik your paid DNS service) just added this feature 2 days ago!

  • https://adguard-dns.io/en/blog/private-adguard-dns-v2-7.html

This way we can easily authenticate users and control who can use our self-hosted instances way better. I believe it would be a gamechanger and many people would be interested in this. It would be great to have authentication for DNS-over-TLS, DNS-over-QUIC and DNSCrypt as well, but since there is already a ready implementation for DoH, that would make it easier for AdGuardHome to support this.

Alternatives considered and additional information

Alternative solutions one can use for now:

  • Under Access Settings > Allowed Clients add your local subnet(s) like 192.168.0.1/24 etc.
  • If you still want to use DoT/DoH, also paste your ClientID on a new line.

This works well, but many use different reverse proxies in front of AdGuardHome, and configuring some of them will be hard, especially having to configure level-2 subdomains (ones like client-name.adguardhome.example.org - a certificate would be needed for *.adguardhome.example.org).
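To make concrete what "authenticated DoH" means on the wire, here is an added example (not AdGuardHome's, AdGuard DNS's, or the issue author's code) of the request a DoH client would send if the operator requires HTTP Basic credentials, and the gate a native implementation or a reverse proxy in front of the resolver would apply before forwarding the query. It assumes Basic auth in the `Authorization` header as the mechanism; the hostname `dns.example.org`, the client name `laptop`, its password, and the queried name are constructed for the example. The DNS body is a standard RFC 8484 `application/dns-message` POST, which is why nothing about the resolver itself has to change.

```python
"""Added example: an HTTP-Basic-authenticated DNS-over-HTTPS request and the
server-side check that gates it. Illustrative only; not AdGuard Home's or
AdGuard DNS's implementation. Credentials, hostname and query name are
constructed for the example."""
import base64
import hashlib
import hmac
import struct

# Constructed per-client credentials. A real deployment keeps these in a
# store (hashed), not in source.
CLIENTS = {"laptop": "correct horse battery staple"}
DOH_HOST = "dns.example.org"  # assumed hostname
DOH_PATH = "/dns-query"       # conventional RFC 8484 path


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal RFC 1035 query (one question, RD=1). RFC 8484 asks
    DoH clients to use a zero transaction ID so responses are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> str:
    """Decode the first question name from a wire-format DNS message.
    The first question cannot contain compression pointers."""
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + "."


def client_request(user: str, password: str, qname: str) -> dict:
    """Assemble the HTTP POST a DoH client sends (RFC 8484 section 4.1),
    plus the Basic credentials the operator requires on top."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "method": "POST",
        "host": DOH_HOST,
        "path": DOH_PATH,
        "headers": {
            "Authorization": f"Basic {token}",
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": build_dns_query(qname),
    }


def _digest(s: str) -> bytes:
    return hashlib.sha256(s.encode()).digest()


def authorize(request: dict) -> tuple:
    """Gate applied by the resolver or a reverse proxy in front of it.
    Returns (HTTP status, reason); only 200 reaches the resolver."""
    scheme, _, token = request["headers"].get("Authorization", "").partition(" ")
    if scheme != "Basic" or not token:
        return 401, "missing credentials"
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except Exception:
        return 400, "malformed Authorization header"
    # Always run the constant-time compare, even for unknown users, so the
    # response time does not reveal which usernames exist.
    expected = CLIENTS.get(user, "")
    valid = hmac.compare_digest(_digest(password), _digest(expected)) and user in CLIENTS
    if not valid:
        return 403, "bad credentials"
    if request["headers"].get("Content-Type") != "application/dns-message":
        return 415, "not a DoH message"
    if request["path"] != DOH_PATH or len(request["body"]) < 12:
        return 404, "not a DoH request"
    return 200, "forward to resolver: " + parse_qname(request["body"])


if __name__ == "__main__":
    good = client_request("laptop", "correct horse battery staple", "example.com")
    print(authorize(good))   # (200, 'forward to resolver: example.com.')
    bad = client_request("laptop", "wrong", "example.com")
    print(authorize(bad))    # (403, 'bad credentials')
    anon = client_request("laptop", "x", "example.com")
    del anon["headers"]["Authorization"]
    print(authorize(anon))   # (401, 'missing credentials')
```

Two points worth noting when putting such a gate in a reverse proxy: unauthenticated requests should be rejected before the body is parsed (so the unwanted scanners the issue describes never reach the resolver), and the credentials only stay private because the channel is TLS, so the proxy must not downgrade or expose the `/dns-query` path over plain HTTP.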

@ghost

ghost commented Apr 25, 2024

This can also be done with Pomerium, and they've set up a guide to do just that: https://www.pomerium.com/docs/guides/ad-guard

@bioluks
Author

bioluks commented Apr 28, 2024

Thanks for the link. That's good to know. The guide you provided is for the web interface, and Pomerium is also another reverse proxy, to my knowledge... Maybe it works this way; I have to test it. Eventually every modern reverse proxy should be able to do this, but it could be complicated to combine this with other reverse proxies or to switch to it.
An implementation natively supported by AdGuardHome looks more beneficial and can be secured more easily.
