Remote access to AGH/Pi-Hole DNS servers: The dos and don'ts

I’ve noticed that documentation on making AdGuard Home servers available from outside one’s actual home is pretty sparse, and that a bunch of security experts (both qualified and unqualified ones) warn against it.

Thing is, I can’t see why it’s a bad thing at all. Especially since doing it is technically as easy as just port forwarding port 53 into the AGH (or Pi-Hole) unit.

Sure, that leaves it open for questionable IPs to try to send requests to it, especially Chinese IPs that are known to port-scan, but there’ve also been requests from IPs from (what I presume are) more benign Western security groups who just want to keep statistics on the internet. Traditionally such request attempts have been few enough that they feel almost charming to me, but they’ve increased in number after I had to move my AGH configuration earlier today to a different router and IP addresses (both local and public ones).

Turning off public access is not an option I want to consider, and what little I know of DNS-over-HTTPS sounds like it supports pretty much none of my electronic objects.

Long story short: In which ways can someone make it more safe to run a public DNS server through e.g. AdGuard Home or Pi-Hole?

My presumption is that firewalls are an option (but I have no idea how to set one up), or perhaps fine-tuning whether the TCP and/or UDP ports are opened. I also think I should ask the AGH team to consider making it possible to use IP-address blacklists to deny requests instead of web connections.

Are there also any less obvious/visible dangers that can occur when having a publicly accessible DNS server?


The main issue with running a public DNS server is that it will be used for DNS amplification DDoS attacks, and there’s little you can do about it.

AG Home provides “Access settings” where you can decide which IP addresses are allowed or not allowed to make DNS requests. For instance, I am just trying to keep an eye on what unknown clients are trying to use the server, and manually add them to the disallowed list.

Also, AGH comes with a default 20 rps rate limit, and it’s enough to make sure your public resolver won’t do any harm to the DNS amplification target. And if you’re using Pi-Hole, make sure you configure a rate limit as well.

Are there also any less obvious/visible dangers that can occur when having a publicly accessible DNS server?

Not much, just make sure that you’re using a password strong enough, because there will be brute-force attempts.
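The reply above recommends two controls: an allow/deny list of client IPs and a per-client rate limit (20 rps by default) so that the resolver cannot be turned into an amplifier. The script below is an added example, not code from this thread or from the AdGuard Home project, that automates the "keep an eye on unknown clients" part: it reads a query log, reports clients outside an operator-supplied allow list and clients that exceed a queries-per-second budget in any sliding one-second window, and prints a list that can be pasted into the "Disallowed clients" box. It assumes the log is JSON lines with a `"T"` RFC 3339 UTC timestamp and an `"IP"` client field (an assumption about AGH's querylog.json; adjust the field names if yours differ), and the sample lines are constructed, not real traffic.

```python
"""Audit an AdGuard Home style query log for unknown and bursting clients.

Added example, not part of the forum thread or the AdGuard Home project.
Assumed log format: one JSON object per line with at least
  "T"  - RFC 3339 UTC timestamp (Go-style nanosecond fraction tolerated)
  "IP" - client address
Optional "QH" (queried name) and "QT" (query type) are carried along for reporting.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_ts(value: str) -> datetime:
    """Parse '2024-01-01T10:00:00.123456789Z'; assumes UTC ('Z'), trims to microseconds."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6].ljust(6, '0')}"
    else:
        value = value + ".000000"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f")


def parse_log(text: str):
    """Return (timestamp, client_ip, qname, qtype) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append((parse_ts(rec["T"]), rec["IP"], rec.get("QH", ""), rec.get("QT", "")))
    events.sort(key=lambda e: e[0])
    return events


def is_allowed(ip: str, allowed_networks) -> bool:
    """True if the client address falls inside any allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_networks)


def peak_rate(events, window: timedelta = timedelta(seconds=1)):
    """Per client, the largest query count seen in any sliding window (default 1 s)."""
    peaks = defaultdict(int)
    windows = defaultdict(deque)
    for ts, ip, _, _ in events:
        w = windows[ip]
        w.append(ts)
        while ts - w[0] >= window:  # drop timestamps that fell out of the window
            w.popleft()
        peaks[ip] = max(peaks[ip], len(w))
    return dict(peaks)


def audit(log_text: str, allowed_cidrs, limit_rps: int = 20):
    """Classify clients: outside the allow list, or bursting above limit_rps."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    peaks = peak_rate(parse_log(log_text))
    unknown = sorted(ip for ip in peaks if not is_allowed(ip, allowed))
    over_limit = {ip: n for ip, n in peaks.items() if n > limit_rps}
    return {
        "unknown": unknown,
        "over_limit": over_limit,
        "disallow": sorted(set(unknown) | set(over_limit)),
    }


def build_sample_log() -> str:
    """Constructed sample: a LAN client, an unknown outside client, and an
    allow-listed address bursting ANY queries the way a spoofed amplification
    source would look in the log."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    recs = []

    def add(ip, qh, qt, offset_ms):
        ts = t0 + timedelta(milliseconds=offset_ms)
        # Go-style 9-digit fraction, as AGH writes timestamps
        recs.append({"T": ts.strftime("%Y-%m-%dT%H:%M:%S.%f") + "000Z",
                     "QH": qh, "QT": qt, "IP": ip})

    for i in range(3):
        add("192.168.1.20", "example.org", "A", i * 400)      # normal LAN client
    for i in range(2):
        add("198.51.100.7", "example.net", "A", 50 + i * 700)  # not on the allow list
    for i in range(25):
        add("203.0.113.5", "example.com", "ANY", 100 + i * 20)  # 25 queries in ~0.5 s
    return "\n".join(json.dumps(r) for r in recs) + "\n"


if __name__ == "__main__":
    report = audit(build_sample_log(), ["192.168.1.0/24", "203.0.113.5/32"], limit_rps=20)
    print("unknown clients :", report["unknown"])
    print("over rate limit :", report["over_limit"])
    print("suggested 'Disallowed clients':", ", ".join(report["disallow"]))
```

On a real install, point `parse_log` at the query log file (or a `jq`-filtered slice of it) and put your LAN ranges in the allow list; the `over_limit` set is the one to watch, because an allow-listed address that suddenly bursts is what a spoofed-source amplification attempt looks like, and AGH's own rate limit is what actually stops it.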