[Dnsmasq-discuss] patch: block-file/allow-file - for review/feedback
Ercolino de Spiacico
bellocarico at hotmail.com
Thu May 21 17:42:55 UTC 2026
In dnsmasq, domain filtering (for example, adblocking) currently relies
on built-in directives such as local and address. That approach works
well up to a point, but it does not scale: around 15 MB (≈700–800k
domains) the process hangs regardless of available system resources.
To take a different approach, I developed the attached patch, which
adds two new directives: block-file and allow-file. Summary of the
functionality:
- Uses mmap() to load domain lists into RAM.
- Multiple block-file directives are supported.
- Multiple allow-file directives are supported.
- Example syntax:
    block-file=/path/to/blockfile#NX,1
NX is optional and can be replaced with any IP address to return instead
of NX.
The trailing ,1 is optional too, and enables logging when domains from
that file are matched (useful to log only blocked domains).
    allow-file=/mnt/USB/blockfile-override,1
- Mapped files must be pre-sorted (sorting is not included in this
patch to keep the code minimal).
- Blocking/allowing behaviour mimics dnsmasq’s current semantics. For
example:
dnsmasq config:
    local=/example.com/ (blocked)
    server=/www.example.com/ (unblocked)
After the patch:
    example.com → listed in block-file
    www.example.com → listed in allow-file
- Files are loaded one at a time and assessed against the amount of
RAM available. If Current RAM usage + blockfile >= 80% of Total RAM, the
loading is skipped and logged as a warning.
- This code does not change DNS resolution itself; it performs a very
fast name match to decide whether a query should proceed or be answered
with NX or a custom IP.
I developed this patch for the FreshTomato router (dnsmasq v2.93rc1). On
those small devices I performed a functional test loading 2.2M domains
(55 MB blockfile) and reloading the configuration without interruptions;
no packet drops were observed during a config reload. This is
already 3 times the current limit, but I haven't performed any proper
capacity testing yet, which is expected to be much higher.
Any comments or considerations are greatly appreciated.
Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dnsmasq-block-file.zip
Type: application/x-zip-compressed
Size: 7380 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20260521/4729a361/attachment.bin>
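
The kind of lookup the message describes (mmap() a pre-sorted list, match the query name, let the more specific entry win), as an added example; the attachment's contents are not shown on this page, so this is not the patch's code. Assumptions: one lowercase domain per line without a trailing dot, sorted with `LC_ALL=C sort -u`; the names `dlist`, `map_list`, `has_name`, `best_match` and `is_blocked` are hypothetical, and a name present in both lists is treated as allowed.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed format: one lowercase domain per line, sorted with LC_ALL=C sort -u. */
struct dlist { const char *p; size_t len; };

/* Map a list read-only; returns 0 on success, -1 on error or empty file. */
int map_list(const char *path, struct dlist *l) {
    struct stat st;
    int fd = open(path, O_RDONLY);
    void *m = MAP_FAILED;
    if (fd >= 0 && fstat(fd, &st) == 0 && st.st_size > 0)
        m = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (fd >= 0) close(fd);          /* the mapping outlives the descriptor */
    if (m == MAP_FAILED) return -1;
    l->p = m; l->len = (size_t)st.st_size;
    return 0;
}

/* Binary search over byte offsets: 1 if name is exactly one line of l. */
int has_name(const struct dlist *l, const char *name) {
    size_t lo = 0, hi = l->len, n = strlen(name);
    while (lo < hi) {
        size_t s = lo + (hi - lo) / 2, e;
        while (s > lo && l->p[s - 1] != '\n') s--;     /* start of this line */
        for (e = s; e < hi && l->p[e] != '\n'; e++) {} /* end of this line */
        int c = memcmp(l->p + s, name, e - s < n ? e - s : n);
        if (c == 0) c = (e - s > n) - (e - s < n);     /* prefix: shorter first */
        if (c == 0) return 1;
        if (c < 0) lo = e < hi ? e + 1 : hi; else hi = s;
    }
    return 0;
}

/* Length of the longest listed suffix of q (q, then each parent); 0 if none. */
size_t best_match(const struct dlist *l, const char *q) {
    for (; q && *q; q = strchr(q, '.'), q = q ? q + 1 : NULL)
        if (has_name(l, q)) return strlen(q);
    return 0;
}

/* 1 = answer locally (NX or the configured IP), 0 = resolve normally.
   The more specific entry wins; a tie goes to allow (assumption). */
int is_blocked(const struct dlist *b, const struct dlist *a, const char *q) {
    return best_match(b, q) > best_match(a, q);
}
```

Because the search compares raw bytes, a list sorted under a non-C locale or containing mixed-case names will miss entries without reporting an error, so the file should be normalised and sorted by the same tool chain that generates it.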