Re: [Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems

2021-04-02 Thread e9hack

On 02.04.2021 at 10:56, Kevin 'ldir' Darbyshire-Bryant wrote:

> The adblock package solution on openwrt (I'm being specific 'cos there are a
> number of 'adblock' solutions with 'adblock' name :-)
>
> Deny uses 'address=/foo.bar/' to block 'foo.bar' and '*.foo.bar'


Such a definition is put in a variable of type struct server. Struct server
contains the member interface with a size of 65 bytes. Since the number of
interfaces is limited, it would be nice if an additional list of interface
names could be used.

Regards,
Hartmut

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems

2021-04-02 Thread Dominik
Hey Simon,

On Thu, 2021-04-01 at 23:55 +0100, Simon Kelley wrote:
> I could do with a handle on exactly how people are configuring dnsmasq
> to do ad blocking. It's not something I have much experience of.

The situation for Pi-hole (a popular ad blocker based on dnsmasq) is the
following:

Traditionally, Pi-hole used "addn-hosts" to add HOSTS-like files containing
domains (example: 
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts). This
list contains roughly 80,000 domains. This is doable with dnsmasq on all
platforms having at least 512 MB of memory. However, Pi-hole users
typically want to take it to the extremes. They added more and more lists,
often going beyond the one million domains mark. This became a problem
regarding memory. I don't recall complaints about slow replies, though.

Anyway, as this became more and more an issue and since we wanted to have
something more professional than a text file (so users can easily add
comments, etc.), we amended the dnsmasq code with an interface to a SQLite3
database holding all domains to be blocked. We also added support for
regular expressions (and thereby wildcards). With this new approach, we
stopped storing anything about blocked domains in dnsmasq's cache: blocked
domains are short-circuited and replied to with a mock answer. They are
never added to the cache. This is done because we allow different lists to
be assigned to different clients so some devices using the DNS server can
be limited further down while others may be fully open on the same process.

This works really fast because the balanced-tree (B-tree) index on the
domain is very efficient. The tree lives transparently in page cache so
accessing it is very fast even in the 1 million range (lookup speed scales
logarithmically, typically < 5 ms on Raspberry Pis for 3 million blocked domains).

Note that we are hooking into dnsmasq's code from "outside" to keep changes
in the dnsmasq codebase minimal so we can straightaway apply any patches
from dnsmasq's git.

So even though this is a bit outside of the current discussion, I thought
it'd be interesting to mention that Pi-hole used to use "addn-hosts" but
stopped doing so some time ago.

Best,
Dominik
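
The design Dominik describes above, sketched as an added example that is not Pi-hole's or dnsmasq's own code: an in-memory SQLite table of blocked domains with a B-tree index for exact lookups, a handful of regex rules for wildcards, per-client group assignment, and a resolver that short-circuits blocked names with a mock answer and keeps them out of the upstream cache. The schema, table and function names and all sample domains and client addresses are constructed for the illustration; `exact_lookup_uses_index()` reads SQLite's `EXPLAIN QUERY PLAN` to confirm the point lookup actually goes through the index.

```python
"""Constructed sketch of a SQLite-backed DNS blocklist with per-client groups.

Hypothetical schema and names; not Pi-hole's or dnsmasq's code.
"""
import re
import sqlite3

MOCK_ANSWER = "0.0.0.0"  # what a blocked name is answered with

# Constructed sample rules: (domain or regex, kind, group_id)
BLOCKLIST = [
    ("ads.example.com", "exact", 0),            # group 0: applies to every client
    ("tracker.example.net", "exact", 0),
    (r"^(.+\.)?banner\.example$", "regex", 0),  # wildcard expressed as a regex
    ("social.example.org", "exact", 1),         # group 1: a stricter list
]
# Constructed client -> groups mapping; unlisted clients get group 0 only.
CLIENT_GROUPS = {"192.0.2.10": [0, 1]}


def build_db():
    """Create the in-memory database and load the constructed sample rules."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE domainlist (
            id       INTEGER PRIMARY KEY,
            domain   TEXT NOT NULL,
            kind     TEXT NOT NULL CHECK (kind IN ('exact', 'regex')),
            group_id INTEGER NOT NULL
        );
        -- B-tree index: an exact lookup costs O(log n) however long the list is
        CREATE INDEX idx_domainlist_domain ON domainlist(domain, kind, group_id);
        CREATE TABLE client_groups (client TEXT NOT NULL, group_id INTEGER NOT NULL);
    """)
    conn.executemany("INSERT INTO domainlist(domain, kind, group_id) VALUES (?, ?, ?)",
                     BLOCKLIST)
    conn.executemany("INSERT INTO client_groups VALUES (?, ?)",
                     [(c, g) for c, gs in CLIENT_GROUPS.items() for g in gs])
    conn.commit()
    return conn


def groups_for(conn, client):
    """Groups assigned to a client; fall back to the default group 0."""
    rows = conn.execute("SELECT group_id FROM client_groups WHERE client = ?",
                        (client,)).fetchall()
    return [r[0] for r in rows] or [0]


def is_blocked(conn, client, qname):
    """True if qname is blocked for this client (exact index hit or regex match)."""
    name = qname.rstrip(".").lower()
    groups = groups_for(conn, client)
    marks = ",".join("?" * len(groups))  # only placeholders go into the SQL text
    hit = conn.execute(
        f"SELECT 1 FROM domainlist WHERE domain = ? AND kind = 'exact' "
        f"AND group_id IN ({marks}) LIMIT 1", (name, *groups)).fetchone()
    if hit:
        return True
    # Regex rules are few compared with exact entries, so scanning them is cheap.
    for (pattern,) in conn.execute(
            f"SELECT domain FROM domainlist WHERE kind = 'regex' AND group_id IN ({marks})",
            groups):
        if re.search(pattern, name):
            return True
    return False


def exact_lookup_uses_index(conn):
    """Check via EXPLAIN QUERY PLAN that the exact lookup is an index search."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT 1 FROM domainlist "
        "WHERE domain = ? AND kind = 'exact' AND group_id IN (?)", ("x", 0)).fetchall()
    return any("INDEX" in row[3] for row in plan)  # row[3] is the plan detail text


class Resolver:
    """Blocked names are answered before the cache and never stored in it."""

    def __init__(self, conn, upstream):
        self.conn = conn
        self.upstream = upstream  # callable qname -> answer (constructed stub in tests)
        self.cache = {}           # holds upstream answers only

    def resolve(self, client, qname):
        # The verdict depends on the client, so a cached mock answer would leak
        # one client's restrictions to every other client; short-circuit instead.
        if is_blocked(self.conn, client, qname):
            return MOCK_ANSWER
        key = qname.rstrip(".").lower()
        if key not in self.cache:
            self.cache[key] = self.upstream(key)
        return self.cache[key]
```

Two clients asking for the same name can get different answers from one process: a client in group 1 receives the mock answer for `social.example.org` while another client gets the cached upstream reply, and the mock answer never enters the cache.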

