Open DNS server - warning from ISP

[vlig]

Hello! How to restrict the DNS server only to VPN connections to my VPS? How to make it unavailable for the rest of the world?

My VPS hosting had been warned by a local ISP about open DNS server running on my VPS's IP-address as insecure fact for country's networking. So, I got an email asking me to disable it.
Being not too pro with, I've blocked a 53 port temporarily trying to googling the solution, but no luck yet.

I have:

• VPS (OpenBSD 7.4, Netherlands);
• VPN (L2TP IPSec with npppd);
• AGH (default installation).

[ainar-g]

Hello. The most direct response is that you can use the access settings' allowlist to restrict access to only those IPs/subnets/ClientIDs you've selected. A draft of a more expansive guide can be found here. It should show up in our DNS Knowledge Base soon-ish.

[vlig]

Thanks, but for the such always-newbie like me it is still hard to figure out - what certainly and where to type.
Here is ifconfig out:

lo0: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST,LRO> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr ***
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect
        status: active
        inet *** netmask 0xffffffc0 broadcast ***
        inet6 ***%vio0 prefixlen 64 scopeid 0x1
        inet6 *** prefixlen 64
enc0: flags=0<>
        index 2 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 4 priority 0 llprio 3
        groups: pflog
pppx0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1270
        description: user
        index 5 priority 0 llprio 3
        groups: pppx
        inet 10.0.0.1 --> 10.0.0.171 netmask 0xffffffff

Here we can see one user named "user" is connected to the VPN. Should I fill in some field (where?) in AdGuardHome.yaml with a name of some interface? enc? enc0? pppx? pppx0? Or it ought to be a network in some form? 10.0.0.0/24?

Too much of obscurity. I'm looking forward for the mentioned guide.

[ainar-g]

AdGuard Home currently does not bind to network interfaces, only IP addresses. So you need to select a set of IP addresses that are only accessible from the VPN.

[vlig]

Here is my AdGuardHome.yaml file.

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:80
  session_ttl: 720h
users:
  - name: MY_NAME
    password: MY_PASSWORD_HASH
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - MY_VPS_IPV4
  port: 53
  anonymize_client_ip: false
  ratelimit: 20
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - 94.140.14.14
    - 94.140.14.15
  upstream_dns_file: ""
  bootstrap_dns:
    - 9.9.9.10
    - 149.112.112.10
    - 2620:fe::10
    - 2620:fe::fe:10
  fallback_dns: []
  all_servers: false
  fastest_addr: false
  fastest_timeout: 1s
  allowed_clients:
    - MY_VPS_IPV4
    - 10.0.0.0/24
  disallowed_clients: []
  blocked_hosts:
    - version.bind
    - id.server
    - hostname.bind
  trusted_proxies:
    - 127.0.0.0/8
    - ::1/128
  cache_size: 4194304
  cache_ttl_min: 0
  cache_ttl_max: 0
  cache_optimistic: false
  bogus_nxdomain: []
  aaaa_disabled: false
  enable_dnssec: false
  edns_client_subnet:
    custom_ip: ""
    enabled: false
    use_custom: false
  max_goroutines: 300
  handle_ddr: true
  ipset: []
  ipset_file: ""
  bootstrap_prefer_ipv6: false
  upstream_timeout: 10s
  private_networks: []
  use_private_ptr_resolvers: true
  local_ptr_upstreams: []
  use_dns64: false
  dns64_prefixes: []
  serve_http3: false
  use_http3_upstreams: false
  serve_plain_dns: true
tls:
  enabled: false
  server_name: ""
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: false
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
querylog:
  ignored: []
  interval: 2160h
  size_memory: 1000
  enabled: true
  file_enabled: true
statistics:
  ignored: []
  interval: 2160h
  enabled: true
filters:
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_1.txt
    name: AdGuard DNS filter
    id: 1
  - enabled: true
    url: https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
    name: AdAway Default Blocklist
    id: 2
whitelist_filters: []
user_rules: []
dhcp:
  enabled: false
  interface_name: ""
  local_domain_name: lan
  dhcpv4:
    gateway_ip: ""
    subnet_mask: ""
    range_start: ""
    range_end: ""
    lease_duration: 86400
    icmp_timeout_msec: 1000
    options: []
  dhcpv6:
    range_start: ""
    lease_duration: 86400
    ra_slaac_only: false
    ra_allow_slaac: false
filtering:
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_services:
    schedule:
      time_zone: Local
    ids: []
  protection_disabled_until: null
  safe_search:
    enabled: false
    bing: true
    duckduckgo: true
    google: true
    pixabay: true
    yandex: true
    youtube: true
  blocking_mode: default
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  rewrites: []
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  filters_update_interval: 24
  blocked_response_ttl: 10
  filtering_enabled: true
  parental_enabled: false
  safebrowsing_enabled: false
  protection_enabled: true
clients:
  runtime_sources:
    whois: true
    arp: true
    rdns: true
    dhcp: true
    hosts: true
  persistent: []
log:
  file: ""
  max_backups: 0
  max_size: 100
  max_age: 3
  compress: false
  local_time: false
  verbose: false
os:
  group: ""
  user: ""
  rlimit_nofile: 0
schema_version: 27

As you can see, I tried here to limit connections only to MY_VPS_IPV4 and to its VPN LAN: 10.0.0.0/24.

Here is console output from my another country VPS:

$ dig cnn.com @MY_VPS_IPV4
;; communications error to MY_VPS_IPV4#53: timed out
;; communications error to MY_VPS_IPV4#53: timed out
;; communications error to MY_VPS_IPV4#53: timed out

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> cnn.com @MY_VPS_IPV4
;; global options: +cmd
;; no servers could be reached

$ nmap MY_VPS_IPV4
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-03 16:54 UTC
Nmap scan report for *** (MY_VPS_IPV4)
Host is up (0.036s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds

As you can see, port 53 is opened, but not reachable from random IPs.

Now AGH isn't functioning as ad blocker, but its webfig is still reachable.