[Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems

Simon Kelley simon at thekelleys.org.uk
Fri Apr 2 07:58:33 UTC 2021



On 02/04/2021 03:11, Neal P. Murphy wrote:
> On Thu, 1 Apr 2021 23:55:08 +0100
> Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
>>>
>>> One other thing I saw while testing with large blocklists was a noticeable
>>> latency increase, likely related to lookup times. I recall some discussion
>>> on the ML where you mentioned work on a hash/tree solution was in
>>> progress. Were those changes completed?
>>>   
>>
>>
>> This seems to be the crucial aspect here: large blocklists. If we move
>> the large blocklists to a subsystem designed to handle them, then the
>> problem goes away.
>>
>> I could do with a handle on exactly how people are configuring dnsmasq
>> to do ad blocking. It's not something I have much experience of.
> 
> On Smoothwall Express, I've conf'ed dnsmasq to 'undefine' a large number of FQDNs using the form 'local=/8teenporno.com/'. I pull the Shalla data and use the ads, pron, warez, and a few other categories.
> 
> 768 000 FQDNs makes dnsmasq use around 100MiB of RAM. On an Atom N270 running SWE, response time is generally in the range of 75 ms to 100 ms when there's no traffic. With the DL saturated (using speedtest.net), response times range from 500ms to 2s. Saturated UL doesn't seem to affect response time much.
> 
> I've been satisfied with its operation; I see almost no ads and pretty much nothing in the other categories I use.
> 

Thanks.

Question:

local=/8teenporno.com/

actually covers *.8teenporno.com, i.e. www.8teenporno.com,
server1.8teenporno.com etc. Is that desired behaviour, or just
happenstance you could live without?


Simon.
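
The subdomain coverage asked about above, as an added example that is not part of the original message and is not dnsmasq's own code: a small model of how a `local=/domain/` entry covers the domain and every name beneath it, using a hash set probed once per label. The sample configuration and domain names are constructed, and the function names are hypothetical.

```python
# Added illustration; a model of the matching semantics, not dnsmasq source.

def parse_local_lines(lines):
    """Collect the domains named in local=/domain/ lines (several per line allowed)."""
    blocked = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("local=/") or not line.endswith("/"):
            continue                                  # other directives are ignored
        for dom in line[len("local=/"):-1].split("/"):
            dom = dom.strip(".").lower()
            if dom:
                blocked.add(dom)
    return blocked


def matching_rule(qname, blocked):
    """Return the blocklist entry covering qname, or None.

    Walks the name label by label (a.b.c -> b.c -> c), so a lookup costs one
    set probe per label rather than a scan over every loaded entry. Matching
    is on whole labels: 'notads.example' is not covered by 'ads.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate                          # most specific entry wins
    return None


# Constructed sample configuration (reserved example names).
SAMPLE_CONF = [
    "# constructed blocklist",
    "local=/ads.example/",
    "local=/tracker.example/metrics.example/",
    "address=/other.example/0.0.0.0",
]
BLOCKED = parse_local_lines(SAMPLE_CONF)

if __name__ == "__main__":
    for name in ("ads.example", "www.ads.example", "a.b.ads.example.",
                 "notads.example", "example"):
        print(f"{name:20} -> {matching_rule(name, BLOCKED)}")
```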



