However the setup is pretty simple, go to the DNS Settings in Adguard Home and give some names for your client IDs

When you entered ClientIDs the DNS will not be available anymore for anyone who is NOT in your Client IDs list. If you want to update your non static IP from your internet service provider, you could do that and put in your public IP. In that case your local clients can use the DNS even without having a named Client ID

Then you can use the Tab "Setup Guide" in Adguard Home to get guidance how to get your devices configured.

If you want to configure Chrome, Brave or Firefox for DoH you can then use the URL to your Adguard Home DNS Name with appending your ClientId like this for example:
https://DNS-NAME-TO-YOUR-ADGUARDHOME/dns-query/CLIENTID

Please be aware that you should understand what you do and in case of concerns just don't do it. You will be responsible yourself for anything you do.

Unless there's an auth of some sort, port knocking or VPN access to it.

Let's go Wireguard.

The way things are now, it's very likely that folks misconfigure their DNS server. Part of Cloudron's draw is that users don't have to think so hard about "doing the right thing". The best way to do that would be to not bind only to a VPN interface and support the VPN setting the DNS server as the default.

A setting to "do the wrong thing" could be there for folks that really know what they are doing, but maybe a little more difficult to get to so someone who enables it will also know how to manage their firewalls. Either through their VPS provider or on the machine.

Personally, I host mine at home and access over a VPN.

Upon installation, it could ask you what you would like to do:

1. Block port 53 - allow internal traffic only for AdGuard (recommended)
2. Do not configure firewall.

WDYT?

Playing around with ADGuard today. The inbuilt IP limiter works great and correctly blocks amp attacks.

Do you mean the requests per second limit?
Which setting blocks amp attacks?

Only issue i found was the ability to use DDNS hostnames as a whitelist for dynamic IP nets. CIDR works just aswell i guess...

I had an issue with this too, as I couldn't come up with a CIDR address that would exclude some of the abusing IPs without blocking my own (same network provider).

Only issue i found was the ability to use DDNS hostnames as a whitelist for dynamic IP nets. CIDR works just aswell i guess...

• DNS amplification prevention
• Automatically block IP when it reaches a configurable requests limit
• Provide a smarter way to detect & block DNS amplification- Looks like they might add a setting for this
• Allow the use of IP blocklists to reject DNS requests from the listed IPs

What I am suggesting is to limit it to an actual interface not an IP. Anything flowing through a VPN interface for example which is a higher abstraction.

Since private networks use RFC1918 addressing that's what ends up flowing through those interfaces. Hence the effect.

Having a by default secure install is the only option IMO.
Anyone installing it will need to configure it properly, be it for VPN access and network interfaces, or by going lower into the networking stack and using IP:port settings.

It's also a question of liability for you, allowing deployment for DDoS or not.

Subsequent modification is the users responsibility.

Even if you had an app level firewall, how will it dynamically configure itself for a new client IP every hour? (there are ways but beyond the scope of this discussion)

I think a good solution is to add a app level firewall to Cloudron. I think it's something we can easily add for next release.

I though ADGuard had an inbuilt feature to allow only whitelisted IP's through?

Indeed, I will put this in the docs and the POSTINSTALL.

Unless you install Pihole on your public facing adapter instead of your VPN adapter. Then you're in abit of trouble.....