

Advice on AdGuard and Self-Hosted DNS Protection

nqservices Member
edited September 2023 in General

Hi,

I have a client that has suffered a phishing attack on his company a few weeks ago. One employee has clicked on an email link that went to a phishing website and a lot of problems have occurred from that.

Their antivirus did not work in that situation. So, I suggested that he set up, on their company router, a DNS service that can provide an additional layer of security, like OpenDNS or Quad9.

But the client wants to have its own “private” protection DNS service hosted on a server owned by him to have full control and privacy.

The main objective is to protect its network from phishing, malware and overall “bad links”. He does not care about blocking ads or hiding user browser tracking/history.

So, I’m thinking of installing/using AdGuard. Any other suggestions? Looking for a good open-source solution that can be self-hosted.

Any advice or suggestion is appreciated. Thanks!

Comments

  • bethp Member, Host Rep

    Without sounding rude, but this "client" sounds like the type that you have to convince to do something that is not the way they want, so just make it sound like it is their idea, just better; hard to explain.

    If done correctly, a half-decent hardware firewall can stop most, if not all, attacks from being an issue. I would consider looking into this before even doing anything with DNS; for example, look into pfSense. This seems like it would be a better solution than just inserting a DNS server.

    If you must use a DNS server, use something like Pi-hole and good lists.

  • Adguard home works well.

  • @bethp said:
    Without sounding rude, but this "client" sounds like the type that you have to convince to do something that is not the way they want, so just make it sound like it is their idea, just better; hard to explain.

    If done correctly, a half-decent hardware firewall can stop most, if not all, attacks from being an issue. I would consider looking into this before even doing anything with DNS; for example, look into pfSense. This seems like it would be a better solution than just inserting a DNS server.

    If you must use a DNS server, use something like Pi-hole and good lists.

    Thanks for the advice, but in this case a firewall is not an option. Just a protection DNS service to act as one more layer of security.

    Thanks for the advice. Will look into it. Seems similar to AdGuard.

  • After applying your Pi-hole/AdGuard blocking rules, requests are still (unless cached) forwarded to the upstream DNS server(s) you need to specify, i.e. OpenDNS or Quad9, so I’d question the client’s belief that they’re getting any extra privacy by running AdGuard/Pi-hole.

    If you want everything self-contained, the alternative is to set up something like Unbound and run your own recursive DNS server. But you’re then sending out clear-text DNS queries labeled with your own IP address, so “privacy” is still questionable.

  • @nqservices said: Thanks for the advice. Will look into it. Seems similar to AdGuard.

    Pi-hole is older, and in the beginning Pi-hole was better, but now I kinda like AdGuard Home more; that is in no way disrespecting Pi-hole though.

  • I can vouch for AdGuardHome because I use it myself. The DNS-over-HTTPS/TLS feature is easy to set up, so you can even use it on your employees' phones as a private DNS setting. AdGuardHome also has a wider range of filtering rule syntax.

    If we're talking about a corporate network, it might be a good idea to consider a firewall that can make sure all DNS traffic goes through the AdGuardHome instance (at the very least, redirecting udp/53). Something like pfSense, MikroTik, or Juniper; a dedicated firewall can handle that easily.

  • kepler Member
    edited September 2023

    AdGuard is not an authoritative DNS server. Yes, it can filter some crap, but it's still a recursive server. You gotta pair it with BIND or Unbound that AXFRs the ICANN root zone and acts as authoritative to be 100% self-reliant.

    Or use a DNS server that can act as both recursive and authoritative at the same time, like Technitium. My own setup is using BIND as authoritative, filtering out crap using an RPZ zone blacklist, and nginx as a MITM proxy to serve encrypted DoT and DoH DNS to my devices. BIND itself can act as both authoritative and recursive, but it can't serve DoT and DoH, so I introduced nginx into the mix for my needs.

  • Hizakura Member, Patron Provider

    I use pi-hole

  • edited September 2023

    OpenWRT or pfSense.
    On OpenWRT, dnsmasq will do the job.
    Have some scripts to curl all the databases from the various providers,
    then awk, sed etc. to normalize the captured files with 0.0.0.0 or 127.0.0.1 or another IP pointing to a specific internal web server serving a warning page.
    BeautifulSoup can also help, as this database capture part can be done on any other machine and set up in a shared directory somewhere for scripts on the OpenWRT device to fetch via cron scripts.
    Set your configuration in dnsmasq so all your clients go through the listing.
    If need be, set up DNS hijack on the OpenWRT device to ensure all internal clients go through your box.

    Have your OpenWRT in a VirtualBox or a powerful custom-built mini PC.

  • vsys_host Member, Patron Provider

    If your client's main goal is protecting the network from phishing, malware, bad links, etc., the easiest way is to set up Cloudflare's DNS service (1.1.1.1). It offers automatic blocking of malicious domains,
    and has and maintains its own list of malicious/spammy domains (where they may be known to send massive amounts of spam, host malware, etc.) that the server won't resolve when a connection request matches a domain on this list; if the domain does not resolve, then no connection is made.
    Also, it supports DNS over TLS (DoT) for encrypted connections.

    Phishing, as a rule, does not appear on domain lists instantly, and if there is targeted phishing, then no public DNS lists will protect you.

  • What your client needs is an email security suite like MS Defender for O365 or any other similar solution. DNS surely can block known malicious domains, but what if it’s a freshly registered one not on any lists? Or what if users are accessing mail from their personal devices off the company network?

  • Probably gotta train those average-Joe employees too about the do's and the don'ts. No antivirus, no solution would save oneself from one's own stupidity.

    Like, most if not all phishing links are obvious from miles away. And even if the phishing link is masked behind HTML in the email body, simply hovering or long-clicking the link to double-confirm before visiting goes a long way. The email also, like 99% of the time, has telltales like grammar errors, weird paragraphs, weird spacing, etc. And the 1% of the time they do it right, down to perfection, the email address sending the phish mail itself can't be spoofed without breaking DKIM and triggering DMARC/SPF. Any attachment shouldn't be directly opened without some sort of sandbox.

    But yeah, something like O365 fine-tuned by a proper sysadmin should be good as a first firewall against general human error and stupidity.
