Adguardhome: Provide a smarter way to detect & block DNS amplification

Created on 12 May 2020 · 4 comments · Source: AdguardTeam/AdGuardHome

First of all, this feature is important only to those who run AGH as a public DNS server.

Currently, we just ship AGH with a relatively small rate limit value by default. This is enough to guarantee that we don't do much harm, but the server stats are distorted anyway.

It'd be better if AGH could automatically block domain names used for amplification.

I suggest using a rather simple algorithm for now:

  1. If the client is being constantly rate-limited
  2. Most of this client's DNS queries are for the same domain name
  3. We should add this domain name to "Disallowed domains" automatically

Users should be able to disable this behavior.

Add a new setting to "DNS settings -> Access settings":

  • Name: "Smart DNS amplification detection"
  • Description: "Automatically detect and block domain names that are being used for DNS amplification attacks. Please note that this feature makes sense only if you run AdGuard Home on a public server."
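As an added illustration of the three-step rule proposed above (this is example code, not AdGuard Home's own; the thresholds, the `AmpDetector` type and the `Blocked` map standing in for "Disallowed domains" are assumptions):

```go
package main

import "strings"

// Thresholds are assumptions for this example, not AdGuard Home's values.
const (
	minLimited    = 100 // rate-limited queries before a client counts as "constantly" limited
	dominantShare = 0.8 // fraction of those queries that must ask for a single name
)

// clientStats counts, per client IP, rate-limited queries and the names they asked for.
type clientStats struct {
	limited int
	names   map[string]int
}

// AmpDetector applies the issue's three-step rule; Blocked stands in for "Disallowed domains".
type AmpDetector struct {
	enabled bool // the proposed "Smart DNS amplification detection" toggle
	clients map[string]*clientStats
	Blocked map[string]bool
}

func NewAmpDetector(enabled bool) *AmpDetector {
	return &AmpDetector{enabled: enabled, clients: map[string]*clientStats{}, Blocked: map[string]bool{}}
}

// canon normalises a query name so "Example.COM." and "example.com" count as one name.
func canon(qname string) string { return strings.ToLower(strings.TrimSuffix(qname, ".")) }

// ObserveRateLimited records one rate-limited query (ip asked for qname) and
// returns the name it auto-blocked, or "" when the rule did not fire.
func (d *AmpDetector) ObserveRateLimited(ip, qname string) string {
	if !d.enabled {
		return ""
	}
	qname = canon(qname)
	st := d.clients[ip]
	if st == nil {
		st = &clientStats{names: map[string]int{}}
		d.clients[ip] = st
	}
	st.limited++
	st.names[qname]++
	// Steps 1 and 2: constantly limited, and this name dominates the client's queries.
	if st.limited < minLimited || float64(st.names[qname]) < dominantShare*float64(st.limited) || d.Blocked[qname] {
		return ""
	}
	d.Blocked[qname] = true // step 3: add to the disallowed list
	delete(d.clients, ip)   // start counting afresh for this client
	return qname
}

// Allowed reports whether a query for qname should still be answered.
func (d *AmpDetector) Allowed(qname string) bool { return !d.Blocked[canon(qname)] }
```

Because amplification traffic carries spoofed source addresses, the "client" here is the victim's IP; the counters are only meaningful for queries the rate limiter already rejected, which is why the caller feeds in rate-limited queries rather than all traffic.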
Labels: Medium, enhancement

All 4 comments

Waiting for the smarter way... to protect open DNS resolvers.
Thanks

Something similar to what I suggested here: #805.
But I too like what you've suggested.

Actually, many of us use it as "public", because even if we don't spread our URL or IP, if we want to use it outside of our home it becomes "public"; we just hide its URL.
So I hope to see this kind of security soon ^^
