🛡️AdGuard Home Configuration for LAN-Only Access

2024-9-19|2024-9-19
Yawatasensei
My AdGuard Home has been running stably for a while now. Recently, while checking the configuration file, I noticed that the default configuration listens on all addresses. That means anyone who knew my side router's IPv6 address could use my AdGuard Home DNS service directly, especially since my AdGuard Home listens on the default port 53. This is not very secure, and even if it is never attacked or misused, an open resolver like this could easily be flagged by the ISP.

📝 Configuration Notes

Modifying AdGuard Home Listening Address

The configuration file is located at /etc/AdGuardHome.yaml. The listening address is set by the bind_host key under the top-level dns section. The default configuration is:
This listens on every address of the current machine: the loopback address, the LAN addresses, the public IPv6 address, and so on. That is a significant security risk, and there is no need for AdGuard Home to listen on so many addresses.
Since I use WireGuard to reach home, with a configured subnet of 10.1.X.X, I have added this subnet to the listening configuration. The 127.0.0.1 loopback address is also included so that the machine itself can use this DNS service; in addition, some services running on the side router have their DNS address configured as 127.0.0.1, and it is troublesome to find and change them all, so it stays in the list.
After the modification:
This includes the loopback address, the home LAN address, the WireGuard virtual LAN address (or the ZeroTier virtual LAN address), and the link-local IPv6 address. Note that the IPv6 entry must be the DNS server's own link-local address, starting with fe80::. Do not simplify it to fe80::1. It is recommended to look up the local IPv6 address with the ifconfig command, otherwise AdGuard Home may fail to start because it cannot bind to the listening address.
Restart AdGuard Home for the changes to take effect.
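As an added check (not code from the post or from AdGuard Home), the script below reads the bind_host / bind_hosts entries from a constructed dns section of AdGuardHome.yaml and flags exactly the listeners the notes warn about: the wildcard default, any globally routable address, and the fe80::1 shorthand. Only the key names come from AdGuard Home's configuration format; the line parser is a minimal stand-in for a YAML library.

```python
import ipaddress
import re

# Constructed sample of the dns section of /etc/AdGuardHome.yaml (not a real
# config): the wildcard default plus the fe80::1 shorthand the notes warn against.
SAMPLE_YAML = """\
dns:
  bind_hosts:
    - 0.0.0.0
    - 127.0.0.1
    - 10.1.0.1
    - fe80::1
  port: 53
"""


def parse_bind_hosts(text):
    """Collect bind_host (scalar) and bind_hosts (list) values; minimal line parser, no PyYAML."""
    hosts, in_list = [], False
    for line in text.splitlines():
        scalar = re.match(r"\s*bind_host:\s*(\S+)", line)
        if scalar:
            hosts.append(scalar.group(1).strip("'\""))
            continue
        if re.match(r"\s*bind_hosts:\s*$", line):
            in_list = True
            continue
        if in_list:
            item = re.match(r"\s*-\s*(\S+)", line)
            if item:
                hosts.append(item.group(1).strip("'\""))
            else:
                in_list = False  # first non-item line ends the list
    return hosts


def audit_bind_hosts(hosts):
    """Return (host, reason) pairs for listeners that expose the resolver beyond the LAN."""
    findings = []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr.is_unspecified:
            findings.append((h, "wildcard: listens on every address, public IPv6 included"))
        elif addr.is_global:
            findings.append((h, "globally routable: answers port 53 from the Internet"))
        elif addr == ipaddress.ip_address("fe80::1"):
            findings.append((h, "fe80::1 is usually not the real link-local address; copy it from ifconfig"))
    return findings
```

A clean result (no findings) means every listener is loopback, private, or link-local; it does not replace the firewall rules below, which protect the port even if the file is later reverted to the default.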

Configuring Firewall Rules

Adding via Luci Interface

If your main router's default firewall rules for the wan zone already reject inbound and forwarded traffic, there is no need to configure a separate rule: inbound and forwarded requests to port 53 fall under the default rules and are rejected.
However, if your default wan rules accept inbound and forwarded traffic, it is recommended to add an explicit traffic rule, especially for IPv6. It can be added directly in the OpenWRT firewall settings:
Source Zone: wan and wan6
Source Address: Do not select
Source Port: Do not fill in
Destination Zone: lan; if AdGuard Home runs on the main router itself, choose the device (input) zone instead.
Destination Address: for IPv6, ::<last four groups of the device's IPv6 address, i.e. the MAC-derived interface identifier>/::ffff:ffff:ffff:ffff, so that only the host part is matched and the rule survives prefix changes; for IPv4, fill in the local IPv4 address of the AdGuard Home host.
Destination Port: 53; if your AdGuard Home does not use port 53, fill in the port it actually listens on.
Action: Deny
Save to apply.

Adding via nftables

The nftables approach is the opposite of the Luci one: instead of denying the wan side, the nft firewall allows only the chosen subnets to reach port 53, and any source outside the configured subnets that tries to reach port 53 is dropped.
IPv4 Part
IPv6 Part

🤗 Summary

No summary provided.

📎 Reference

  • Configuration · AdguardTeam/AdGuardHome Wiki
 
💡
For any questions about OpenWRT or router installation or usage, feel free to leave a comment at the bottom, and let's exchange ideas together~