[Dnsmasq-discuss] Partial denial of service with dnsmasq on resource constrained systems

Kevin 'ldir' Darbyshire-Bryant ldir at darbyshire-bryant.me.uk
Fri Apr 2 08:56:59 UTC 2021 


> On 2 Apr 2021, at 08:58, Simon Kelley <simon at thekelleys.org.uk> wrote:
> 
> 
> 
> On 02/04/2021 03:11, Neal P. Murphy wrote:
>> On Thu, 1 Apr 2021 23:55:08 +0100
>> Simon Kelley <simon at thekelleys.org.uk> wrote:
>> 
>>>> 
>>>> One other thing I saw while testing with large blocklists was a noticeable
>>>> latency increase, likely related to lookup times. I recall some discussion
>>>> on the ML where you mentioned work on a hash/tree solution was in
>>>> progress. Were those changes completed?
>>>> 
>>> 
>>> 
>>> This seems to be the crucial aspect here: large blocklists. Is we move
>>> the large blocklists to a subsystem designed to handle them, then the
>>> problem goes away.
>>> 
>>> I could do with a handle on exactly how people are configuring dnsmasq
>>> to do ad blocking. It's not something I have much experience of.
>> 
>> On Smoothwall Express, I've conf'ed dnsmasq to 'undefine' a large number of FQDNs using the form 'local=/8teenporno.com/' I pull the Shalla data and use the ads, pron, warez, and a few other categories.
>> 
>> 768 000 FQDNs makes dnsmasq use around 100MiB of RAM. On an Atom N270 running SWE, response time is generally in the range of 75 ms to 100 ms when there's no traffic. With the DL saturated (using speedtest.net), response times range from 500ms to 2s. Saturated UL doesn't seem to affect response time much.
>> 
>> I've been satisfied with its operation; I see almost no ads and pretty much nothing in the other categories I use.
>> 
> 
> Thanks.
> 
> Question:
> 
> local=/8teenporno.com/
> 
> actually covers *.8teenporno.com ie www.8teenporno.com,
> server1.8teenporno.com etc. Is that desired behaviour, or just
> happenstance you could live without?
> 

The adblock package solution on openwrt (I’m being specific ‘cos there are a number of ‘adblock’ solutions with ‘adblock’ name :-)

Deny uses 'address=/foo.bar/‘ to block ‘foo.bar’ and ‘*.foo.bar'

Allow uses 'local=/baz.foo.bar/#’ to permit host ‘baz’ in domain ‘foo.bar’ that would otherwise be blocked.

A mechanism that informs the OS this list is effectively ‘read-only’ in the tcp handling forked processes would hopefully alleviate the out of memory problem.  If the list could be hashed so it turns into o(not many) as opposed to o(list size) then that’s an excellent bonus.


Cheers,

Kevin D-B

gpg: 012C ACB2 28C6 C53E 9775  9123 B3A2 389B 9DE2 334A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20210402/6964e459/attachment.sig>

More information about the Dnsmasq-discuss mailing list