[Dnsmasq-discuss] Dnsmasq with Gigantic hosts file
Jan 'RedBully' Seiffert
redbully at cc.fh-luh.de
Sun Jan 28 05:19:07 GMT 2007
Jason wrote:
> Hello all,
>
Hi
> I'm considering replacing squidguard, a filtering redirector for the
> squid cache proxy, with a BIG hosts file and dnsmasq (716,093
> entries!). Currently, my network serves less than 10 clients (DNS only,
> no DHCP), but may reach 200 in the next few years. Will this work?
> It'd be nice to consolidate the functions and have the option to
> shut down the squid cache.
If you are talking about a traditional hosts file:
AFAIK dnsmasq uses a hash table for such lookups, so basically even a
large number should not be a problem. I for example have 10,000
"bad hosts" in an extra file read by dnsmasq (50k were also already
mentioned here on the list), and my DNS lookups are "lightning fast" (I
also run dnsmasq with nice -1 + some traffic shaping rules prioritizing
DNS packets, but that's to reduce latencies).
But 700k may drive it to its limits...
First you will need a little RAM for it (my dnsmasq uses 2MB ATM, so
_very_ roughly * 70 ~= 140MB), but secondly scalability-issues in the
hash table may surface (hash collision, but you may fix it locally by
setting a higher number of hash buckets in the source code and recompile).
But the ultimate answer to this is only known by Simon.
I also have a patch installed to use RegEx on host names, so you can do
things like:
address=/:(double|fast|value|(euros|pay)4)[kc]lick?\.(com|net|tld):/127.0.0.1
This can compress a list of "bad hosts" in traditional hosts file format
and match things you never thought of in the first place.
Downside is, it internally uses a linked list, so it scales linearly with
the number of rules (for every lookup!) + RegEx overhead (but you can
squeeze a lot into one RegEx ;).
But I'm still testing if it runs smoothly before letting it escape into
the wild :-/
> Also, squidguard can block a specific URL
> inside a domain, i.e., www.goodsite.com/badarea/badstuff.html. Can
> dnsmasq emulate this? I know this is outside the design intent of
> dnsmasq, but it's not a bad application.
As Richard Voigt already mentioned, the URL is never transferred to your
DNS resolver, only the hostname.
IMHO the right tool for such a task is a proxy, like squid. I mean you get:
* Content cache to speed things up and save bandwidth (esp. with 200
clients)
* Filtering on URL, source, target, authentication, foo and bar
* Possibility to pass every file through clamav, for example
But since dnsmasq is so easy to set up and well-performing you may split
up your task:
Basic host-based blocking (and get a DNS cache for free ;) -> dnsmasq
Advanced URL filtering and other magic -> squid
But if this complication is wise, the question may have to be: What's the
problem with your current setup?
(Oh, and no, I personally do not use squid, so I cannot help you with
problems with squid)
> Jason
>
Greetings
Jan
PS: Yippee, first post on the list.
I want to thank Simon for this great program.
And sorry for my bad English.
--
error compiling committee.c: too many arguments to function
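The two lookup paths Jan describes, a hash table for a traditional hosts file and a linear walk over RegEx rules, plus the point that only the hostname of a URL ever reaches DNS, as an added Python example (not code from the post, from Jan's patch, or from dnsmasq itself). The hosts file, the `address=` lines and the hostnames queried are constructed; the `:regex:` syntax is taken from the line in the post, and it is an assumption here that the patch applies the expression as a case-insensitive search over the whole query name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample blocklist in traditional hosts-file format (not from the post).
HOSTS_FILE = """\
# blocked hosts: one exact hostname per entry, as dnsmasq reads them
127.0.0.1 ads.example.com
127.0.0.1 tracker.example.net doubleclick.net
"""

# Constructed dnsmasq-style address= lines. The ':regex:' form is the syntax
# the post shows for Jan's RegEx patch (not a mainline dnsmasq feature); a
# bare domain is the standard address=/domain/ip rule.
CONFIG_LINES = [
    r"address=/:(double|fast|value|(euros|pay)4)[kc]lick?\.(com|net|tld):/127.0.0.1",
    "address=/badsite.example.org/127.0.0.1",
]


def parse_hosts_file(text):
    """Return {hostname: ip}: a hash table, so lookup cost is independent of size."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower().rstrip(".")] = ip
    return table


def parse_config_lines(lines):
    """Split address= lines into ({domain: ip}, [(compiled_regex, ip), ...])."""
    domains, rules = {}, []
    for line in lines:
        if not line.startswith("address=/"):
            continue
        pattern, ip = line[len("address=/"):].rsplit("/", 1)
        if len(pattern) > 2 and pattern.startswith(":") and pattern.endswith(":"):
            # Assumption: the patch applies the RegEx as a search over the whole
            # query name, case-insensitively (DNS names are case-insensitive).
            rules.append((re.compile(pattern[1:-1], re.IGNORECASE), ip))
        else:
            domains[pattern.lower().strip(".")] = ip
    return domains, rules


def lookup(qname, hosts, domains, rules):
    """Resolve a blocked name with the costs the post describes.

    1. hosts file: one hash lookup, exact name only;
    2. address=/domain/: hash lookups on each parent suffix (domain + subdomains);
    3. RegEx rules: a linear walk, every rule is tried on every miss.
    Returns the configured IP, or None when nothing matches.
    """
    name = qname.lower().rstrip(".")
    if name in hosts:
        return hosts[name]
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return domains[suffix]
    for regex, ip in rules:          # O(number of rules) per query
        if regex.search(name):
            return ip
    return None


def resolver_sees(url):
    """Only the hostname of a URL ever reaches DNS; the path never does."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    hosts = parse_hosts_file(HOSTS_FILE)
    domains, rules = parse_config_lines(CONFIG_LINES)
    for q in ["ads.example.com", "www.badsite.example.org", "fastklic.com", "www.goodsite.com"]:
        print(f"{q:28} -> {lookup(q, hosts, domains, rules)}")
    print("resolver sees:", resolver_sees("http://www.goodsite.com/badarea/badstuff.html"))
```

The hosts-file and `address=/domain/` paths cost a handful of dictionary probes however many entries are loaded, which is why a 700k-entry hosts file is a memory question rather than a speed question; the RegEx list is scanned in full for every name that misses the hash tables, so the number of rules is what to keep small there. `fastklic.com` is never listed anywhere yet is caught by the single expression from the post, while `www.goodsite.com/badarea/badstuff.html` reaches the resolver only as `www.goodsite.com`, so path-level blocking has to live in the proxy.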