Skip to content

Latest commit

 

History

History
190 lines (133 loc) · 12.1 KB

mitigations.md

File metadata and controls

190 lines (133 loc) · 12.1 KB

Mitigation Strategies Analysis for adguardteam/adguardhome

Mitigation Strategy: DNSSEC Validation

Mitigation Strategy: Enable and Enforce DNSSEC

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Navigate to Settings: Go to "Settings" -> "DNS settings".
    3. Enable DNSSEC: Find the option for "Enable DNSSEC" (or similar wording) and ensure it is checked.
    4. Save Changes: Click "Save" or "Apply" to apply the changes.
    5. Verification (Optional): Use an external DNSSEC validation tool (e.g., online validators) to confirm that DNSSEC is working correctly for known DNSSEC-signed domains.

  • Threats Mitigated:

    • DNS Cache Poisoning: (Severity: High) - Prevents attackers from injecting forged DNS records into AdGuard Home's cache.
    • DNS Spoofing: (Severity: High) - Prevents attackers from impersonating legitimate DNS servers.
    • Man-in-the-Middle (MitM) Attacks (related to DNS): (Severity: High) - Helps prevent attackers from intercepting and modifying DNS responses.

  • Impact:

    • DNS Cache Poisoning: Risk reduced significantly (close to elimination if upstream servers also support DNSSEC).
    • DNS Spoofing: Risk reduced significantly.
    • MitM (DNS-related): Risk reduced significantly.

  • Currently Implemented: Yes, enabled in the AdGuard Home configuration file (AdGuardHome.yaml) and verified via the web interface.

  • Missing Implementation: Need to add automated monitoring to check if DNSSEC validation is consistently successful (e.g., alert if validation failures increase). This would require external tooling, so it's not strictly an internal AdGuard Home mitigation.

Mitigation Strategy: Multiple Diverse Upstream DNS Servers

Mitigation Strategy: Configure Multiple, Diverse Upstream DNS Servers

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Navigate to Settings: Go to "Settings" -> "DNS settings".
    3. Upstream DNS Servers: Locate the section for configuring "Upstream DNS servers".
    4. Add Multiple Servers: Enter the IP addresses or hostnames of at least three reputable and diverse DNS providers (e.g., Cloudflare (1.1.1.1), Google (8.8.8.8), Quad9 (9.9.9.9), OpenDNS, etc.). Avoid using only one provider.
    5. Prioritize (Optional): If desired, set priorities for the servers (e.g., prefer faster or more reliable ones).
    6. Save Changes: Click "Save" or "Apply".

  • Threats Mitigated:

    • Upstream DNS Server Compromise: (Severity: High) - Reduces the impact if one upstream server is compromised or becomes unavailable.
    • DNS Outages: (Severity: Medium) - Provides redundancy and improves availability if one upstream server experiences an outage.

  • Impact:

    • Upstream DNS Server Compromise: Risk significantly reduced; impact limited to a fraction of DNS queries.
    • DNS Outages: Risk significantly reduced; AdGuard Home can continue functioning using other upstream servers.

  • Currently Implemented: Partially. We have three upstream servers configured, but they are all from the same provider (Google).

  • Missing Implementation: Need to add upstream servers from different providers (Cloudflare, Quad9) to achieve true diversity.

Mitigation Strategy: Strong Authentication

Mitigation Strategy: Enforce Strong, Unique Passwords

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Navigate to Settings: Go to "Settings" -> "General settings" or a similar section related to authentication.
    3. Change Password: Locate the option to change the administrative password.
    4. Use a Strong Password: Create a strong, unique password that is at least 12 characters long and includes a mix of uppercase and lowercase letters, numbers, and symbols. Use a password manager to generate and store the password.
    5. Save Changes: Click "Save" or "Apply".

  • Threats Mitigated:

    • Brute-Force Attacks: (Severity: Medium) - Makes it significantly harder for attackers to guess the administrative password.
    • Credential Stuffing: (Severity: Medium) - Prevents attackers from using credentials stolen from other breaches to access AdGuard Home.
    • Unauthorized Access: (Severity: High) - Reduces the likelihood of unauthorized access due to weak or compromised credentials.

  • Impact:

    • Brute-Force Attacks: Risk significantly reduced; strong passwords are exponentially harder to crack.
    • Credential Stuffing: Risk significantly reduced; unique passwords prevent reuse of compromised credentials.
    • Unauthorized Access: Risk significantly reduced.

  • Currently Implemented: Yes, a strong password is in use, generated by a password manager.

  • Missing Implementation: Need to implement a policy to require periodic password changes (e.g., every 90 days). This is a policy, not a direct AdGuard Home setting.

Mitigation Strategy: Regular Software Updates

Mitigation Strategy: Keep AdGuard Home Updated

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Check for Updates: Look for an "Update" or "Check for Updates" button or section in the interface.
    3. Install Updates: If updates are available, follow the instructions to install them.
    4. Enable Automatic Updates (Recommended): If possible, enable automatic updates to ensure that AdGuard Home is always running the latest version. This is usually found in the "Settings" area.
    5. Configure update channel: Select stable update channel.

  • Threats Mitigated:

    • Exploitation of Known Vulnerabilities: (Severity: Critical to Low, depending on the vulnerability) - Patches security vulnerabilities.
    • Zero-Day Vulnerabilities (Indirectly): (Severity: Critical) - Reduces the window of opportunity for attackers.

  • Impact:

    • Exploitation of Known Vulnerabilities: Risk dramatically reduced.
    • Zero-Day Vulnerabilities: Risk indirectly reduced.

  • Currently Implemented: Yes, automatic updates are enabled.

  • Missing Implementation: Need to configure monitoring to alert us if automatic updates fail (requires external tools).

Mitigation Strategy: Rate Limiting (DNS Queries)

Mitigation Strategy: Configure DNS Query Rate Limiting

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Navigate to Settings: Go to "Settings" -> "DNS settings".
    3. Rate Limiting: Find the section for "Rate limiting" or "Clients rate limit".
    4. Set Limits: Configure the maximum number of DNS queries allowed per client (or IP address) per second (or other time interval).
    5. Save Changes: Click "Save" or "Apply".

  • Threats Mitigated:

    • Denial-of-Service (DoS) Attacks (DNS Flooding): (Severity: Medium)

  • Impact:

    • DoS (DNS Flooding): Risk reduced.

  • Currently Implemented: Yes, rate limiting is enabled with a default value of 20 queries per second per client.

  • Missing Implementation: Need to monitor the effectiveness of the rate limiting and adjust the values if necessary.

Mitigation Strategy: Disable Unnecessary Features

Mitigation Strategy: Disable Unused AdGuard Home Features

  • Description:

    1. Review Features: Examine all features and settings in the AdGuard Home interface.
    2. Identify Unused Features: Determine which features are not strictly required. Examples: API, DHCP server, certain advanced DNS settings.
    3. Disable Features: Disable the identified unused features through the AdGuard Home interface or configuration file.
    4. Document: Document which features have been disabled and why.

  • Threats Mitigated:

    • Vulnerabilities in Unused Features: (Severity: Variable)

  • Impact:

    • Vulnerabilities in Unused Features: Risk reduced; the attack surface is minimized.

  • Currently Implemented: Partially. The DHCP server is disabled.

  • Missing Implementation: Need to review other features (e.g., the API) and disable any that are not essential.

Mitigation Strategy: Filter List Management

Mitigation Strategy: Use Curated and Updated Filter Lists

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Navigate to Filters: Go to "Filters" -> "DNS blocklists" (or similar).
    3. Add/Remove Lists: Add or remove filter lists as needed. Use reputable and well-maintained lists (e.g., AdGuard's lists, EasyList, etc.). Avoid obscure lists.
    4. Enable Automatic Updates: Ensure that the "Update filters automatically" option (or similar) is enabled. Set a reasonable update interval (e.g., daily).
    5. Whitelist/Blacklist (Manual): Use the "Custom filtering rules" section to manually add whitelist entries (for sites that are incorrectly blocked) or blacklist entries (for sites that should be blocked but aren't).
    6. Save Changes: Click "Save" or "Apply".

  • Threats Mitigated:

    • False Positives (Blocking Legitimate Sites): (Severity: Low to Medium) - Using well-maintained lists reduces the chance of blocking legitimate sites.
    • False Negatives (Allowing Malicious/Unwanted Content): (Severity: Medium to High) - Using up-to-date lists ensures that newly discovered malicious domains are blocked.

  • Impact:

    • False Positives: Risk reduced; fewer legitimate sites are blocked.
    • False Negatives: Risk reduced; more malicious/unwanted content is blocked.

  • Currently Implemented: Yes, we are using several reputable filter lists with automatic updates enabled.

  • Missing Implementation: Need to establish a more formal process for reviewing and managing whitelist/blacklist entries based on user feedback and monitoring.

Mitigation Strategy: Configure Query Logging (Privacy and Security)

Mitigation Strategy: Carefully Configure Query Logging

  • Description:

    1. Access AdGuard Home Interface: Log in to the AdGuard Home web interface.
    2. Navigate to Settings: Go to "Settings" -> "General settings".
    3. Query Log Configuration: Find the section for "Query log configuration".
    4. Disable or Configure:
      • Disable: If query logging is not strictly necessary, disable it entirely ("Do not keep logs"). This is the most privacy-preserving option.
      • Configure (if needed): If logging is required (e.g., for troubleshooting), set a short retention period (e.g., 24 hours, 7 days). Avoid storing logs indefinitely.
    5. Anonymize (if possible): If the "Anonymize client IPs" option (or similar) is available, enable it to reduce the privacy impact of logging.
    6. Save Changes: Click "Save" or "Apply".

  • Threats Mitigated:

    • Privacy Violations (from Log Data): (Severity: Medium to High) - Reduces the risk of exposing sensitive user browsing data.
    • Data Breach (of Log Data): (Severity: Medium to High) - Limits the amount of sensitive data that could be compromised in a breach.

  • Impact:

    • Privacy Violations: Risk significantly reduced (especially if logging is disabled).
    • Data Breach: Risk reduced; less data is stored for a shorter period.

  • Currently Implemented: Partially. Query logging is enabled with a 7-day retention period.

  • Missing Implementation: Need to evaluate whether logging is strictly necessary. If not, disable it. If it is, enable IP anonymization.