
insecure recursive DNS resolver? #587

Closed
ghoshorn opened this issue Feb 17, 2019 · 10 comments

@ghoshorn

I have set up AdGuard Home on my VPS server, and it worked fine for several minutes. After a while, something happened and the DNS could not be used. The reason is that the VPS provider "has detected an insecure recursive DNS resolver on IP ***(my vps ip), which may result in your server getting involved in DNS Amplification DoS attacks." and blocked port 53.

Then I removed the block rule and reopened AdGuard Home, and it worked fine again. But after a while, the same thing happened again.

In the client area, I can see some normal client IPs as well as 127.0.0.1 and 2a06:e881:5100::1; I don't know if it matters.

Your environment

Version of AdGuard Home server: v0.92-hotfix2
How did you set up DNS configuration: System
Operating system and version: CentOS 6 x86_64 minimal
@mveplus

mveplus commented Feb 17, 2019

@ghoshorn
You have to make sure you do not listen and respond on your public IPv4 & IPv6 addresses on port 53 from AGH!
Only listen and do resolving for the private subnets that you hand out to VPN clients. If I were your VPS provider, I'd do the same!
Set AGH to listen only on 127.0.0.1 and have your VPN server query it as DNS.
AGH may be overkill for a VPN - you could instead use the DNS servers provided by AdGuard for routers. You don't get nice log reports and can't add custom records, but it does the same job.

@ameshkov
Member

I guess your VPS provider is Hetzner, as I recognize this type of notification. They simply do not allow public DNS resolvers, so the only viable solution would be to use another VPS provider (or maybe restrict the IP addresses you allow, as @mveplus has suggested).

AdGuard Home by default takes some anti-DNS-amplification measures:

  • Rate-limiter is set to 20 rps
  • ANY requests are disabled

@ghoshorn
Author

ghoshorn commented Feb 19, 2019

> @ghoshorn
> You have to make sure you do not listen and respond on your public IPv4 & IPv6 addresses on port 53 from AGH!
> Only listen and do resolving for the private subnets that you hand out to VPN clients. If I were your VPS provider, I'd do the same!
> Set AGH to listen only on 127.0.0.1 and have your VPN server query it as DNS.
> AGH may be overkill for a VPN - you could instead use the DNS servers provided by AdGuard for routers. You don't get nice log reports and can't add custom records, but it does the same job.

I tried what you said; in the new round of testing, there are no VPS public IPs (v4 & v6) on 53, only my Mac IP and 127.0.0.1 as clients. But the same problem happened again after a while. So maybe there are some other configs I didn't set right? @mveplus

@ghoshorn
Author

> I guess your VPS provider is Hetzner, as I recognize this type of notification. They simply do not allow public DNS resolvers, so the only viable solution would be to use another VPS provider (or maybe restrict the IP addresses you allow, as @mveplus has suggested).
>
> AdGuard Home by default takes some anti-DNS-amplification measures:
>
>   • Rate-limiter is set to 20 rps
>   • ANY requests are disabled

@ameshkov
The provider is Bandwagon.
Deploying on a VPS makes it faster and more convenient than on my Mac, so maybe I'll make some other attempts to avoid this problem.

@ameshkov
Member

@ghoshorn just in case: I run my own private AG Home instances on Vultr and DigitalOcean, and they never had any issues.

@ghoshorn
Author

@ameshkov Thank you for the extra test on your VPS; sad to hear my VPS does not support it. Maybe I should try to find another way to make it work. Thanks.

@mveplus

mveplus commented Mar 2, 2019

@ghoshorn do you use standard DNS as upstream resolvers? You can try to use tls:// instead of classic DNS and see if it makes any difference. I hear you that you listen only on IPv4 127.0.0.1, but what about IPv6? Make sure you have firewall rules disabling queries on UDP/TCP 53 on both IPv4 and IPv6 public interfaces; check with nmap from outside, without the VPN. Changing the upstream to DoH or DoT may also help mitigate the issue.
If after that it still does not work, then as per @ameshkov's hint you could migrate to another VPS. I use Linode, DigitalOcean and VPS.net; never heard about Bandwagon until now.
Cheers,

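The advice in both of mveplus's comments (listen only on 127.0.0.1 and the VPN subnet; firewall UDP/TCP 53 on the public IPv4 and IPv6 interfaces; verify the result) can be checked from the host itself. The script below is an added example, not AdGuard Home project code and not something anyone in the thread posted. It parses `ss -lnut` output to flag any port-53 listener reachable beyond loopback, and prints (does not apply) iptables/ip6tables rules that allow DNS from loopback and the VPN subnet while dropping it on the public interface. The interface name `eth0` and the VPN subnet `10.8.0.0/24` are assumptions; override them with the `PUBLIC_IF` and `VPN_SUBNET` environment variables.

```shell
#!/bin/sh
# Added example (not AdGuard Home project code): audit which local addresses
# answer on port 53 and emit firewall rules that keep the public interface
# closed while loopback and the VPN subnet keep working.
# PUBLIC_IF and VPN_SUBNET are assumed values; adjust them for your host.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"

# Pull the "Local Address:Port" token out of one line of `ss -lnut` output.
# Only port-53 sockets are of interest; the peer column is "0.0.0.0:*" or
# "[::]:*" for listeners, so it never matches the :53 suffix.
local_addr_of() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:53$/) { print $i; exit } }'
}

# Return 0 when the line shows a port-53 listener reachable beyond loopback
# (0.0.0.0, *, [::], or any specific non-loopback address); 1 otherwise.
is_public_dns_listener() {
  addr=$(local_addr_of "$1")
  [ -n "$addr" ] || return 1               # not a port-53 listener at all
  case "$addr" in
    127.*:53|"[::1]:53") return 1 ;;       # loopback only: the recommended setup
    *) return 0 ;;
  esac
}

# Read `ss -lnut` output on stdin, report every listener that exposes port 53
# beyond loopback, and return non-zero if any was found.
audit_listeners() {
  bad=0
  while IFS= read -r line; do
    if is_public_dns_listener "$line"; then
      echo "EXPOSED: $line"
      bad=1
    fi
  done
  return $bad
}

# Print (not apply) rules: accept DNS from loopback and the VPN subnet, drop
# anything else that arrives on the public interface, for IPv4 and IPv6.
# Review them, then run them as root if they match your setup.
firewall_rules() {
  cat <<EOF
iptables -A INPUT -i lo -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i lo -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -s $VPN_SUBNET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -s $VPN_SUBNET -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $PUBLIC_IF -p udp --dport 53 -j DROP
iptables -A INPUT -i $PUBLIC_IF -p tcp --dport 53 -j DROP
ip6tables -A INPUT -i $PUBLIC_IF -p udp --dport 53 -j DROP
ip6tables -A INPUT -i $PUBLIC_IF -p tcp --dport 53 -j DROP
EOF
}

# Live run when `ss` is available; the audit only reads socket state.
if command -v ss >/dev/null 2>&1; then
  if ss -lnut 2>/dev/null | audit_listeners; then
    echo "OK: no port-53 listener beyond loopback"
  else
    echo "Suggested rules:"
    firewall_rules
  fi
fi
```

Run it on the VPS after changing the AdGuard Home listen address: a clean result means nothing on the public IPv4 or IPv6 address accepts DNS queries locally, which is the condition the provider's scanner is complaining about; the firewall rules are a second layer in case a later config change binds the resolver to 0.0.0.0 or [::] again.
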
@ghoshorn
Author

ghoshorn commented Mar 3, 2019

@mveplus No IPv6 traffic during my test, as seen from the query logs. And upstream_dns is set as:

upstream_dns:
  - tls://1.1.1.1
  - tls://1.0.0.1

So maybe I need to migrate to another VPS. Thank you a lot!

P.S. bandwagon --> https://bandwagonhost.com/index.php

@adrianrudnik

Related to this, Hetzner relayed an email to me today sent by bsi.bund.de (translates to something like Federal Office for Security in Information Technology), which is a government branch. I had set up a small test instance on a Docker machine of mine. Following this lead I did a small check on the official AdGuard Home DNS servers, and they also seem not to be secured against reflection attacks, see:

http://openresolver.com/?ip=176.103.130.130
http://openresolver.com/?ip=176.103.130.132

So basically the official setup could be abused right now?

@ameshkov
Member

Well, almost any public DNS resolver can be abused:
http://openresolver.com/?ip=8.8.8.8

That's why we have strict rate limiting rules, and AGH is even stricter by default (~20 rps as I recall).
