Adguard - DNS Amplification Issues - HELP ( SOS )

edited May 2021 in Technical

Dear Les-bians,

Greetings, hope everyone is safe and sound and in good shape.

Well, recently I installed AdGuard + WireGuard on a VPS server. To my surprise I am getting new spam clients from China and some other countries.

Especially pizzaseo .com & other clients.

So, kindly say how to stop these, and let me know what I have messed up.


Comments

  • @Freek may be able to help?

    Thanked by (2)deepak_leb Freek
  • How does it work?

    Email address obtained from the domain whois?

    Thanked by (1)deepak_leb
  • @youandri said:
    How does it work?

    Email address obtained from the domain whois?

    Not spam emails but spam clients.
    Client(s) who got the IP address of the new DNS server and started using it for DDoS.

    Thanked by (2)deepak_leb youandri
  • Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    Thanked by (2)_MS_ deepak_leb

    ServerFactory aff best VPS; HostBrr aff best storage.

  • You mean AdGuard home right? The below works if you are only using AdGuard home to serve your VPS and WireGuard clients.

    Under Settings | DNS settings, scroll down to the Access Control fields at the bottom. Under allowed clients, enter in ip ranges to whitelist. For example, I have whitelisted my VPS and wireguard clients in the 10.9.0.0/24 range.
    127.0.0.1
    10.9.0.0/24

    Thanked by (1)deepak_leb
  • @Freek is the DNS Master

    Thanked by (2)deepak_leb Freek
  • edited May 2021

    ACL local private IP only

    Thanked by (2)deepak_leb vimalware
  • MS said:

    @youandri said:
    How does it work?

    Email address obtained from the domain whois?

    Not spam emails but spam clients.
    Client(s) who got the IP address of the new DNS server and started using it for DDoS.

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    Could you elaborate & PM me?

  • @isunbejo said:
    ACL local private IP only

    Need some detailed description, since I am not much into these things.

  • @StuderSolutions said:
    @Freek is the DNS Master

    Will contact him

  • @Mr_Tom said:
    @Freek may be able to help?

    Thank you. Will get back to him

  • @jnraptor said:
    You mean AdGuard home right? The below works if you are only using AdGuard home to serve your VPS and WireGuard clients.

    Under Settings | DNS settings, scroll down to the Access Control fields at the bottom. Under allowed clients, enter in ip ranges to whitelist. For example, I have whitelisted my VPS and wireguard clients in the 10.9.0.0/24 range.
    127.0.0.1
    10.9.0.0/24

    Let me check on it & PM you

  • edited May 2021

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

  • @Freek said:

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

    Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. Saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.

  • @kuduku said:

    @Freek said:

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

    Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. Saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.

    I only selected eth0 Wireguard interface alone

  • @deepak_leb said:

    @kuduku said:

    @Freek said:

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

    Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. Saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.

    I only selected eth0 Wireguard interface alone

    eth0 should be the NIC and wg0 the WireGuard interface, or whatever name was given to the listening interface.

  • @kuduku said:

    @deepak_leb said:

    @kuduku said:

    @Freek said:

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

    Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. Saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.

    I only selected eth0 Wireguard interface alone

    eth0 should be the NIC and wg0 the WireGuard interface, or whatever name was given to the listening interface.

    Any guides please?

  • @deepak_leb said:

    @kuduku said:

    @deepak_leb said:

    @kuduku said:

    @Freek said:

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

    Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. Saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.

    I only selected eth0 Wireguard interface alone

    eth0 should be the NIC and wg0 the WireGuard interface, or whatever name was given to the listening interface.

    Any guides please?

    No guide required. Just select wg0 as the listen interface when you set up AdGuard.

    Thanked by (3)deepak_leb Freek Ouji
  • Add the domain to disallowed domains and set the rate limit, for example 3 per second.

    Action and Reaction in history

  • edited May 2021

    @kuduku said:

    @deepak_leb said:

    @kuduku said:

    @deepak_leb said:

    @kuduku said:

    @Freek said:

    @StuderSolutions said:
    @Freek is the DNS Master

    @Mr_Tom said:
    @Freek may be able to help?

    Thanks for the mention :)

    @yoursunny said:
    Disable DNS over UDP.
    Enable DNS over TLS.
    No amplification attack possible.

    This will indeed fix your problems, @deepak_leb. But if you absolutely must use DNS over UDP, you can try the following:

    But I do wonder; is AdGuard listening on the correct interface? Since it shouldn't be listening on your public IP if you use WireGuard to connect...

    Yes, you might be 100% correct, as probably in the listening interface all interfaces were selected instead of only the WireGuard interface. Saw the same issue when I made this exact mistake. Once the WireGuard interface is selected there are no unknown clients.

    I only selected eth0 Wireguard interface alone

    eth0 should be the NIC and wg0 the WireGuard interface, or whatever name was given to the listening interface.

    Any guides please?

    No guide required. Just select wg0 as the listen interface when you set up AdGuard.

    But I couldn't get wg0. Under interfaces, I am getting only the eth0 and lo interfaces.

  • What is your WireGuard interface? Select that interface on the AdGuard setup page, listen interface.

  • @kuduku said:
    What is your WireGuard interface? Select that interface on the AdGuard setup page, listen interface.

    Will PM you

  • Or maybe you can stop setting up your own DNS server and use 94.140.14.14 / 94.140.15.15 instead

  • Everything has been sorted out. Thank all for your time 🙂

  • @deepak_leb said:
    Everything has been sorted out. Thank all for your time 🙂

    Write a tutorial for LES blog :).

    Thanked by (1)deepak_leb
  • @deepak_leb said:
    Everything has been sorted out. Thank all for your time 🙂

    Please share how you solved your issue. Like I told you via PM; a forum is to share knowledge, not to keep it secret in private messages.

  • @Freek said:

    @deepak_leb said:
    Everything has been sorted out. Thank all for your time 🙂

    Please share how you solved your issue. Like I told you via PM; a forum is to share knowledge, not to keep it secret in private messages.

    🥺 Nothing special. Before installing WireGuard, I simply installed AdGuard, so in the DNS interface I didn't have the WireGuard wg0 interface.

    Besides, I followed the NAT VPS guide blindly, though I don't use that NAT VPS.

  • So I guess OP replicated the setup I use.

    1) have the adguard/pihole/ANY_dnsserver listen exclusively on wg0 (wireguard nic)
    2) use the WireGuard tunnel for all internet traffic and the private wg0 IP for the dns-nameserver value.

    The dns bots will move on.

    Thanked by (2)deepak_leb Freek
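    As an added, defender-side check (example code, not from the thread or from AdGuard Home itself): parse a constructed `ss -lunH` listing to spot a UDP/53 listener bound to all interfaces or a public address instead of the WireGuard range, and evaluate query-log client IPs against the 127.0.0.1 / 10.9.0.0/24 allowlist from jnraptor's post. The ss output, PIDs and client addresses are constructed for the example.

```python
import ipaddress

# Constructed sample of `ss -lunH` output (UDP listeners, no header). Two AdGuard
# Home instances are shown: pid 1234 bound to every interface (the mistake in the
# thread) and pid 5678 bound only to loopback and the WireGuard address 10.9.0.1.
# Addresses, PIDs and file descriptors are made up for this example.
SAMPLE_SS_OUTPUT = """\
UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("AdGuardHome",pid=1234,fd=8))
UNCONN 0 0 [::]:53 [::]:* users:(("AdGuardHome",pid=1234,fd=9))
UNCONN 0 0 10.9.0.1:53 0.0.0.0:* users:(("AdGuardHome",pid=5678,fd=8))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("AdGuardHome",pid=5678,fd=9))
UNCONN 0 0 0.0.0.0:51820 0.0.0.0:* users:(("wireguard",pid=90,fd=3))
"""

# The "Allowed clients" ranges from the thread: loopback and the WireGuard subnet.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.1/32"),
                ipaddress.ip_network("10.9.0.0/24")]

def parse_local(field):
    """Split an ss local-address field such as '[::]:53' or '10.9.0.1:53'."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop brackets and any zone id
    return host, int(port)

def exposed_dns_listeners(ss_text, trusted_nets=TRUSTED_NETS, port=53):
    """Return bind addresses of UDP sockets on `port` that are reachable from
    outside the trusted ranges: wildcard binds (0.0.0.0, ::, *) or public IPs."""
    exposed = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "UNCONN":
            continue
        host, lport = parse_local(fields[3])
        if lport != port:
            continue
        if host == "*":
            exposed.append(host)
            continue
        addr = ipaddress.ip_address(host)
        # an unspecified bind (0.0.0.0 / ::) also covers the public NIC
        if addr.is_unspecified or not any(addr in net for net in trusted_nets):
            exposed.append(host)
    return exposed

def clients_outside_acl(client_ips, allowed_nets=TRUSTED_NETS):
    """Query-log client IPs that an allowlist of 127.0.0.1 and 10.9.0.0/24 rejects."""
    return [ip for ip in client_ips
            if not any(ipaddress.ip_address(ip) in net for net in allowed_nets)]
```

Run `exposed_dns_listeners(SAMPLE_SS_OUTPUT)` to see the wildcard binds flagged, or feed it real `ss -lunH` output; an empty list means the resolver only answers on wg0 and loopback.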
  • @vimalware said:
    So I guess OP replicated the setup I use.

    1) have the adguard/pihole/ANY_dnsserver listen exclusively on wg0 (wireguard nic)
    2) use the WireGuard tunnel for all internet traffic and the private wg0 IP for the dns-nameserver value.

    The dns bots will move on.

    @vimalware said:
    So I guess OP replicated the setup I use.

    1) have the adguard/pihole/ANY_dnsserver listen exclusively on wg0 (wireguard nic)
    2) use the WireGuard tunnel for all internet traffic and the private wg0 IP for the dns-nameserver value.

    The dns bots will move on.

    Yep
