Feature request: stop using a upstream DNS server if it returns REFUSED a few times.

[js-d-coder]

I serve Adguard Home as public DNS server serving plain DNS, DoH, DoT.
Sometimes I have spam request bunch of times every second to my server. The problem with such requests are they query less number of times (per second) than legitimate requests, and they spam for days, so I cannot rate-limit them.
So what happens is the upstream DNS servers blacklist my VPS IP and they refuse every DNS query including legitimate ones.
Since I set many upstream DNS servers in settings, I would this software to stop using the ones who return 'REFUSED' a few times and switch to other from the list.
One solution would be to monitor Dashboard every day and change settings or block someone which is very tedious and not possible for me.
Thanks!

[agneevX]

If you're running a public resolver, getting DDoS'd should be expected and you should not even be using AdGuard Home I'd argue.

[js-d-coder]

If you're running a public resolver, getting DDoS'd should be expected and you should not even be using AdGuard Home I'd argue.

It only serves like few thousand requests a day. I had to keep it public for my friends and my Wifi router which only uses plain DNS.

Btw, @agneevX why do you think it should not be used as public resolver?

[js-d-coder]

Any update/comments you guys?

[ameshkov]

The question is do you really need to keep the plain DNS working on this public server? Wouldn't it be easier to close port 53 and just use encrypted DNS exclusively?

[js-d-coder]

The original question is really about blacklisting an upstream DNS server if it refuses or goes down on-demand. Not a help for the situation I took as an example :)

[ameshkov]

You see, REFUSED is a type of response that some suggest using for blocking resources, we cannot judge the upstream by a couple of responses.

[js-d-coder]

I see your point.