I’ve noticed that documentation on making AdGuard Home servers available from outside one’s actual home is pretty sparse, and that a bunch of security experts (both qualified and unqualified ones) warn against it.
Thing is, I can’t see why it’s a bad thing at all. Especially since doing it is technically as easy as just port forwarding port 53 into the AGH (or Pi-Hole) unit.
Sure, that leaves it open for questionable IPs to try to send requests to it, especially Chinese IPs that are known to port-scan, but there have also been requests from IPs from (what I presume are) more benign Western security groups who just want to keep statistics on the internet. Traditionally such request attempts have been few enough that they feel almost charming to me, but they’ve increased in number after I had to move my AGH configuration earlier today to a different router and IP addresses (both local and public ones).
Turning off public access is not an option I want to consider, and what little I know of DNS-over-HTTPS sounds like it supports pretty much none of my electronic objects.
Long story short: In which ways can someone make it more safe to run a public DNS server through e.g. AdGuard Home or Pi-Hole?
My presumptions are that firewalls are an option (but I have no idea how to set one up), or perhaps fine-tuning whether the TCP and/or UDP ports are opened. I also think I should ask the AGH team to consider making it possible to use IP-address blacklists to deny requests instead of web connections.
Are there also any less obvious/visible dangers that can occur when having a publicly accessible DNS server?
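One concrete form of the firewall idea raised in the post, as an added example that is not part of the original post: it assumes nftables on the host that receives the forwarded port 53 (so forwarded packets still carry their public source address), and the resolver address and permitted prefixes (your own LAN plus any remote networks you actually want served) are hypothetical values to replace. Only listed sources may query; everything else hitting port 53 is counted and dropped, so the resolver is not reachable as an open resolver.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds an nftables ruleset
# that lets only listed source prefixes reach the resolver on port 53 (UDP
# and TCP), caps the accepted query rate, and drops all other port-53 traffic.
# Addresses used in tests are constructed documentation ranges.

# gen_dns_ruleset SERVER_IP PREFIX [PREFIX ...]
# Prints the ruleset to stdout; apply with:  gen_dns_ruleset ... | nft -f -
gen_dns_ruleset() {
    server="$1"; shift
    v4=""
    for p in "$@"; do
        v4="${v4:+$v4, }$p"          # build "a, b, c" for the nft set
    done
    [ -n "$v4" ] || { echo "gen_dns_ruleset: need at least one prefix" >&2; return 1; }
    cat <<EOF
table inet dns_guard {
    set allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { $v4 }
    }
    chain input {
        type filter hook input priority filter; policy accept;
        # DNS from approved prefixes, capped at 50 queries/second in total
        ip saddr @allowed_v4 ip daddr $server udp dport 53 limit rate 50/second accept
        ip saddr @allowed_v4 ip daddr $server tcp dport 53 limit rate 50/second accept
        # anything else aimed at port 53 is counted (visible in 'nft list ruleset') and dropped
        ip daddr $server udp dport 53 counter drop
        ip daddr $server tcp dport 53 counter drop
    }
}
EOF
}

# count_rules RULESET: number of accept/drop rules, for a quick sanity check
count_rules() {
    printf '%s\n' "$1" | grep -cE '^[[:space:]]*ip .* (accept|drop)$'
}
```

The rate limit is aggregate across all allowed sources, not per client; the counters on the drop rules give a cheap view of how much unsolicited port-53 traffic arrives.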