[Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems
Neal P. Murphy
neal.p.murphy at alum.wpi.edu
Fri Apr 2 08:29:51 UTC 2021
On Fri, 2 Apr 2021 08:58:33 +0100
Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 02/04/2021 03:11, Neal P. Murphy wrote:
> > On Thu, 1 Apr 2021 23:55:08 +0100
> > Simon Kelley <simon at thekelleys.org.uk> wrote:
> >>> One other thing I saw while testing with large blocklists was a noticeable
> >>> latency increase, likely related to lookup times. I recall some discussion
> >>> on the ML where you mentioned work on a hash/tree solution was in
> >>> progress. Were those changes completed?
> >> This seems to be the crucial aspect here: large blocklists. If we move
> >> the large blocklists to a subsystem designed to handle them, then the
> >> problem goes away.
> >> I could do with a handle on exactly how people are configuring dnsmasq
> >> to do ad blocking. It's not something I have much experience of.
> > On Smoothwall Express, I've conf'ed dnsmasq to 'undefine' a large number of FQDNs using the form 'local=/8teenporno.com/'. I pull the Shalla data and use the ads, pron, warez, and a few other categories.
> > 768 000 FQDNs makes dnsmasq use around 100 MiB of RAM. On an Atom N270 running SWE, response time is generally in the range of 75 ms to 100 ms when there's no traffic. With the DL saturated (using speedtest.net), response times range from 500 ms to 2 s. Saturated UL doesn't seem to affect response time much.
> > I've been satisfied with its operation; I see almost no ads and pretty much nothing in the other categories I use.
> actually covers *.8teenporno.com ie www.8teenporno.com,
> server1.8teenporno.com etc. Is that desired behaviour, or just
> happenstance you could live without?
That is just peachy by me. If something in that domain is related to pron (or warez, or other Shalla categories that I want nothing to do with), then I assume that *everything* in that semi-toplevel domain contains stuff I want nothing to do with.
It's comparable to snort detecting an attempt to access a mysql server from a remote IP via my firewall. When that happens, I want absolutely *no* access to or from that IP. That is, if *one* application or service on that host performs nefarious acts, then I assume that *all* apps and svcs on that host are nefarious. Similarly, if one host in a sub-domain contains pron, then I want *no* traffic between that semi-top-level domain and my network.
Analog: if you see a stranger prowling about your home looking for unlocked windows, would you then welcome her in when she knocks on your front door? Similarly, if someone tries to sell you kiddie porn, would you, later in the afternoon, decide to buy a vacuum cleaner from him as he sells door-to-door?
In the words of the fictional Montgomery Scott, "Fool me once, shame on you. Fool me twice, shame on me."
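The matching rule discussed above (a 'local=/example.com/' line covers example.com and every name beneath it) means that subdomain entries whose parent is already listed add nothing but table size. The following Python helper is an added example, not code from the thread, dnsmasq or Smoothwall Express; it models that rule, drops the redundant entries from a constructed sample list, and writes the remaining names as 'local=/domain/' lines.

```python
"""Build a dnsmasq 'local=/domain/' blocklist from a list of FQDNs.

Hypothetical helper (not part of dnsmasq or Smoothwall Express). It models
the rule that 'local=/example.com/' also matches every name under
example.com, so subdomain entries with a listed parent are redundant and
can be dropped before writing the config, shrinking what dnsmasq must hold.
"""

def normalize(name: str) -> str:
    """Lower-case and strip whitespace and any trailing dot."""
    return name.strip().rstrip(".").lower()

def parents(name: str):
    """Yield the name, then each parent domain, shortest last.
    'a.b.example.com' -> a.b.example.com, b.example.com, example.com, com"""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def is_blocked(query: str, blocked: set) -> bool:
    """True if the query or any parent domain is in the block set,
    mirroring how a 'local=/d/' line covers everything under d."""
    return any(p in blocked for p in parents(query))

def collapse(domains) -> set:
    """Drop entries already covered by a listed parent domain."""
    names = {normalize(d) for d in domains if normalize(d)}
    return {n for n in names
            if not any(p in names for p in list(parents(n))[1:])}

def to_dnsmasq_conf(domains) -> str:
    """Render the collapsed set as sorted 'local=/domain/' lines."""
    return "".join(f"local=/{d}/\n" for d in sorted(collapse(domains)))

# Constructed sample in the style of a category file; not real Shalla data.
SAMPLE = [
    "ads.example.net",
    "tracker.example.org",
    "cdn.tracker.example.org",   # redundant: parent domain is listed
    "www.tracker.example.org.",  # trailing dot, also redundant
    "Banner.Example.COM",        # mixed case, normalized on output
]

if __name__ == "__main__":
    print(to_dnsmasq_conf(SAMPLE), end="")
    blocked = collapse(SAMPLE)
    for q in ("img.ads.example.net", "example.org", "cdn.tracker.example.org"):
        print(f"{q}: {'blocked' if is_blocked(q, blocked) else 'resolves'}")
```

Run against a full category file, the output can be written to a file in dnsmasq's conf-dir and the entry count compared with the original to see how much the collapse saves.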