Adguard - DNS Amplification Issues - HELP (SOS)
deepak_leb
OG
Dear Les-bians,
Greetings, hope everyone is safe and sound and in good shape.
Well, recently I installed AdGuard + WireGuard on a VPS server. To my surprise I am getting new spam clients from China and some other countries.
Especially pizzaseo.com & other clients.
So, kindly say how to stop these, and let me know what I have messed up.
Comments
@Freek may be able to help?
How does it work?
Do they get the email address from the domain's whois?
Not Spam emails but Spam clients.
Client(s) who got the IP address of the new DNS server and started using it for DDoS.
Disable DNS over UDP.
Enable DNS over TLS.
No amplification attack possible.
Accepting submissions for IPv6 less than /64 Hall of Incompetence.
You mean AdGuard Home, right? The below works if you are only using AdGuard Home to serve your VPS and WireGuard clients.
Under Settings | DNS settings, scroll down to the Access Control fields at the bottom. Under allowed clients, enter the IP ranges to whitelist. For example, I have whitelisted my VPS and WireGuard clients in the 10.9.0.0/24 range.
127.0.0.1
10.9.0.0/24
@Freek is the DNS Master
ACL local private IP only
Could you elaborate & PM me?
I need a detailed description, since I am not much into these things.
Will contact him
Thank you. Will get back to him
Let me check on it & PM you.
Thanks for the mention
This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:
refuse_any: true
But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...
LinuxFreek.com
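An added check for the question raised above (whether the resolver is bound to the public IP at all). This is my own example, not code from the thread or from the AdGuard project: it parses the output of `ss -tulnp` and reports every port-53 listener whose local address is not one of the addresses you pass in. The two `ss` samples are constructed, and the tunnel address 10.9.0.1 is an assumption based on the 10.9.0.0/24 range mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: report DNS listeners that are reachable
# from outside the WireGuard tunnel.
# Usage on the VPS: dns_exposed_binds "$(ss -tulnp)" ADDR...

# Constructed sample of `ss -tulnp` output (not captured from the thread).
# The resolver is bound to the wildcard address, so it answers on the public
# NIC as well as on wg0; this is the mistake discussed in the thread.
SS_EXPOSED='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("AdGuardHome",pid=1234,fd=8))
tcp   LISTEN 0      128             [::]:53           [::]:*     users:(("AdGuardHome",pid=1234,fd=9))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=600,fd=5))'

# Constructed sample after the fix: only the tunnel address and loopback.
SS_TUNNEL_ONLY='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0           10.9.0.1:53        0.0.0.0:*     users:(("AdGuardHome",pid=1234,fd=8))
tcp   LISTEN 0      128         10.9.0.1:53        0.0.0.0:*     users:(("AdGuardHome",pid=1234,fd=9))
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*     users:(("AdGuardHome",pid=1234,fd=10))'

# dns_exposed_binds SS_OUTPUT ALLOWED_ADDR...
# Prints one line per port-53 listener whose local address is not in the
# allowed list. Wildcard binds (0.0.0.0, [::], *) are always reported, since
# they accept queries on every interface, the public one included.
dns_exposed_binds() {
    ss_out=$1
    shift
    allowed=" $* "
    printf '%s\n' "$ss_out" | awk -v allowed="$allowed" '
        {
            # The local address is the first field ending in ":<port>" or ":*";
            # this works whether or not ss printed the Netid column.
            addr = ""
            for (i = 1; i <= NF; i++) if ($i ~ /:([0-9]+|\*)$/) { addr = $i; break }
            if (addr == "") next
            match(addr, /:[^:]*$/)
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            sub(/%.*/, "", host)          # drop an interface scope such as %wg0
            if (port != "53") next
            if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") { print host; next }
            if (index(allowed, " " host " ") == 0) print host
        }'
}

# dns_bind_verdict SS_OUTPUT ALLOWED_ADDR...: prints "exposed" or "tunnel-only".
dns_bind_verdict() {
    if [ -n "$(dns_exposed_binds "$@")" ]; then echo exposed; else echo tunnel-only; fi
}

# Demonstration on the constructed samples; 10.9.0.1 is the assumed wg0 address.
echo "before fix: $(dns_bind_verdict "$SS_EXPOSED" 10.9.0.1 127.0.0.1)"
echo "after fix:  $(dns_bind_verdict "$SS_TUNNEL_ONLY" 10.9.0.1 127.0.0.1)"

# On the VPS itself, run it against live output (ss ships with iproute2):
#   dns_exposed_binds "$(ss -tulnp)" 10.9.0.1 127.0.0.1
```

If the check prints 0.0.0.0 or [::], the resolver is reachable from the internet regardless of any client whitelist, which is exactly the state that attracts amplification traffic; fixing the listen interface is the first step, and the access-control list is the second layer.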
Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. I saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.
I only selected the eth0 WireGuard interface.
eth0 should be the NIC and wg0 the WireGuard interface, or whatever name was given to the listening interface.
Any guides, please?
No guide required. Just select wg0 as the listen interface when you set up AdGuard.
Add the domain to disallowed domains and lower the rate limit, for example to 3 per second.
Action and Reaction in history
But I couldn't get wg0. Under interfaces, I am getting only the eth0 and lo interfaces.
What is your WireGuard interface? Select that interface on the AdGuard setup page, listen interface.
Will PM you.
OK.
Or maybe you can stop setting up your own DNS server and use 94.140.14.14 / 94.140.15.15 instead.
Everything has been sorted out. Thanks, all, for your time 🙂
Write a tutorial for the LES blog.
Please share how you solved your issue. Like I told you via PM; a forum is to share knowledge, not to keep it secret in private messages.
LinuxFreek.com
🥺 Nothing special. Before installing WireGuard, I simply installed AdGuard; that's why in the DNS interface I didn't have the WireGuard wg0 interface.
Besides, I followed the NAT VPS guide blindly, though I don't use a NAT VPS.
So I guess OP replicated the setup I use.
1) Have AdGuard/Pi-hole/any DNS server listen exclusively on wg0 (the WireGuard NIC).
2) Use the WireGuard tunnel for all internet traffic and the private wg0 IP as the DNS nameserver value.
The dns bots will move on.
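An added example pulling together the three settings this thread converged on (listen on wg0 only, whitelist the tunnel clients, refuse ANY with a low rate limit), written by me and not taken from the thread or the AdGuard project: a small shell audit of the `dns:` section of AdGuardHome.yaml, run here against two constructed config samples, one in the state the original poster described and one after the advice above. The keys (`bind_hosts`, `allowed_clients`, `refuse_any`, `ratelimit`) are the ones recent AdGuard Home versions write; the 10.9.0.x addresses are assumed from the 10.9.0.0/24 range mentioned earlier, and the file path in the final comment is the default install location.

```shell
#!/bin/sh
# Added example, not from the thread or the AdGuard project: audit the dns:
# section of AdGuardHome.yaml for the settings discussed in this thread.
# The config samples are constructed; the 10.9.0.x addresses are assumed.

# Constructed sample: the state the original poster described (AdGuard set up
# before WireGuard existed, so bound to every interface, with no client ACL).
CFG_OPEN='dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  ratelimit: 20
  refuse_any: false
  allowed_clients: []
  disallowed_clients: []
  upstream_dns:
    - tls://dns.adguard.com
users: []'

# Constructed sample after the thread advice: listen on wg0 only, whitelist
# the tunnel subnet and loopback, refuse ANY, keep the rate limit low.
CFG_HARDENED='dns:
  bind_hosts:
    - 10.9.0.1
  port: 53
  ratelimit: 3
  refuse_any: true
  allowed_clients:
    - 10.9.0.0/24
    - 127.0.0.1
  disallowed_clients: []
  upstream_dns:
    - tls://dns.adguard.com
users: []'

# audit_adguard_dns CONFIG_TEXT: prints one FAIL line per weak setting in the
# dns: section, or OK. Only the flat key/list layout AdGuard Home writes is
# understood; this is not a general YAML parser.
audit_adguard_dns() {
    printf '%s\n' "$1" | awk '
        /^dns:/            { in_dns = 1; next }
        in_dns && /^[^ ]/  { in_dns = 0 }          # left the dns: section
        !in_dns            { next }
        /^  [a-z_]+:/      { key = $1; sub(/:$/, "", key) }
        key == "bind_hosts" && /^    - /      { nbind++; if ($2 == "0.0.0.0" || $2 == "::") wild = 1 }
        key == "allowed_clients" && /^    - / { nallow++ }
        key == "refuse_any" && /^  /          { refuse = $2 }
        key == "ratelimit" && /^  /           { rate = $2 + 0 }
        END {
            bad = 0
            if (wild || nbind == 0) { print "FAIL bind_hosts: wildcard listen address, reachable from the internet"; bad++ }
            if (nallow == 0)        { print "FAIL allowed_clients: empty, so any source address may query"; bad++ }
            if (refuse != "true")   { print "FAIL refuse_any: ANY queries, the classic amplification vector, are answered"; bad++ }
            if (rate == 0)          { print "FAIL ratelimit: disabled"; bad++ }
            if (bad == 0) print "OK"
        }'
}

# Demonstration on the constructed samples.
echo "open config:";     audit_adguard_dns "$CFG_OPEN"
echo "hardened config:"; audit_adguard_dns "$CFG_HARDENED"

# On the VPS (default install path, stop AdGuard Home before editing the file):
#   audit_adguard_dns "$(cat /opt/AdGuardHome/AdGuardHome.yaml)"
```

The audit treats a wildcard `bind_hosts` entry as a failure on its own, because a whitelist in `allowed_clients` only limits who gets answers; the socket on the public address still receives every probe, and the listen interface is what actually makes the bots move on.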
Yep