[Dnsmasq-discuss] Many immortals slow down dnsmasq. Bug or expected ?

richardvoigt at gmail.com richardvoigt at gmail.com
Mon Oct 5 21:21:06 BST 2015


There are some awesome data structures for simultaneously matching against
huge numbers of patterns (as opposed to literal fixed strings).  dnsmasq
would get a lot more complicated if it tried to implement them, and
complication in an internet-facing daemon is a "BAD thing" because it
increases the chance that there's an exploitable bug.  Since the feature
you're using is designed for something completely different from request
blocking, perhaps there should be a pluggable interface just for filtering
requests (e.g. open a pipe to an external process, just like it does for
the lease script, and write nul-separated hostnames, getting back a boolean
response whether to allow or block each request).  Then the external
process could be compiled for speed using antlr or bison or any other
parser generator that knows how to build the fancy state machine tables.
And buffer overflows or anything else that went seriously wrong in the
request filter couldn't impact dnsmasq -- it would just cause a broken
pipe.  Because the request filter wouldn't need root access like the
leasefile script, it could respawn on SIGUSR.

Just my two cents, I'm not volunteering to write the code.

Ben

On Mon, Oct 5, 2015 at 9:35 AM, wkitty42 at gmail.com <wkitty42 at gmail.com>
wrote:

> On 10/03/2015 06:37 PM, Simon Kelley wrote:
>
>> address=/abcd/0.0.0.0/ does NOT use the cache code. There's an implied
>> wildcard in the domain name, it matches *.abcd. The matching for this
>> is a relatively slow, linear, search. It is certainly not suitable for
>> 250000 names!
>>
>> If you don't need the wildcard matching, then using
>>
>> host-record=abcd,0.0.0.0
>>
>> instead will make real cache entries, which are efficiently searched.
>> That will be much, much faster.
>>
>
> what does one do if they do need wildcard matching?
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        *Please keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
>
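
The external request filter proposed in the message above, sketched as an added example: this is not dnsmasq code and not from the thread, and dnsmasq has no such interface. The reply format (one byte per name, `1` allow, `0` block), the blocklist entries and the fail-closed handling of malformed names are assumptions; the wildcard match walks a name's labels with set lookups instead of scanning every rule.

```python
import io
import sys

# Constructed sample blocklist (hypothetical names). Each entry blocks the
# domain itself and every subdomain, like the implied wildcard in address=/.../
BLOCKED = frozenset({"ads.example.test", "tracker.test"})
MAX_NAME = 253  # longest valid DNS name in presentation form


def is_blocked(name: bytes, blocked=BLOCKED) -> bool:
    """Suffix match: one set lookup per label, independent of rule count."""
    try:
        host = name.decode("ascii").rstrip(".").lower()
    except UnicodeDecodeError:
        return True  # assumption: fail closed on names we cannot normalise
    if len(host) > MAX_NAME:
        return True  # assumption: oversized names are refused, not parsed
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def serve(inp, out, blocked=BLOCKED) -> int:
    """Read NUL-separated hostnames, answer b"1" (allow) or b"0" (block)."""
    buf = b""
    answered = 0
    # read1() returns whatever is available, so a pipe is answered promptly
    while chunk := inp.read1(4096):
        buf += chunk
        *names, buf = buf.split(b"\0")  # last piece is an incomplete name
        for name in names:
            out.write(b"0" if is_blocked(name, blocked) else b"1")
            answered += 1
        out.flush()
        if len(buf) > MAX_NAME:
            break  # unterminated oversized input: exit, parent sees a closed pipe
    return answered


if __name__ == "__main__":
    # Needs no privileges: only stdin and stdout are touched.
    serve(sys.stdin.buffer, sys.stdout.buffer)
```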