Discussion:
[Dnsmasq-discuss] Scalability of DNS blackhole configuration?
Mike Lee
2017-02-16 19:19:19 UTC
Hi folks, I'm redirecting undesirable domains to a "black hole" to prevent
normal DNS resolution.

Specifically, I have this line in my dnsmasq.conf:

conf-file=/etc/dnsmasq-blackhole.conf

That file in turn has multiple lines of the form:

address=/example.com/127.0.0.1

I just recently added a new source of domains from malwaredomains.com, and
my blackhole.conf has now ballooned to roughly 20k lines. Those 20k lines
appear to consume about 3MB of memory. The daemon appears to be running
fine, but memory aside, for future reference is there a practical or hard
limit to how this type of configuration will scale? Will it gracefully
handle 200k such domain configuration lines? 2M lines?

Thanks!

--Mike
Simon Kelley
2017-02-19 18:10:08 UTC
There are two ways to do this: one is the way you have.

The second is using either a file in the same format as /etc/hosts
and --addn-hosts, using --host-record.

Either probably have similar memory-footprint implications, but the
first does wildcards, so your example actually matches
www.example.com, mail.example.com etc. The second doesn't do
wildcards, but will be much faster as you go through the next couple
of orders of magnitude.

There are no hard limits, but there are always practical limits.


Cheers,

Simon.
_______________________________________________ Dnsmasq-discuss
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Mike Lee
2017-02-20 00:02:30 UTC
For the purposes of blocking subdomains of known-bad domains I definitely
want the "free" wildcard functionality so I'll continue using what I'm
using. Thanks for the information!

--Mike
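
Since an `address=/example.com/127.0.0.1` line also matches subdomains, as the thread notes, a feed can be collapsed before it is written to the blackhole file, which keeps the line count down as lists grow. The following is an added example, not code from the thread or from dnsmasq; the function names, the label validation rules and the sample feed are assumptions made for illustration.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen (assumed policy).
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def normalize(line):
    """Return a lowercase domain taken from one feed line, or None if unusable."""
    line = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not line:
        return None
    name = line.split()[-1]  # hosts-style lines: keep the name, drop the address
    labels = name.split(".")
    # Feed content is untrusted: anything that is not a plain domain (an IP,
    # a value containing "/") must not reach the dnsmasq config file.
    if len(labels) < 2 or len(name) > 253 or labels[-1].isdigit():
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    return name

def collapse(lines):
    """Drop names already covered by a listed parent domain's wildcard match."""
    names = {n for n in map(normalize, lines) if n}
    def covered(name):
        labels = name.split(".")
        return any(".".join(labels[i:]) in names for i in range(1, len(labels)))
    return sorted(n for n in names if not covered(n))

def render(lines, sink="127.0.0.1"):
    """Build address= lines in the form used in dnsmasq-blackhole.conf."""
    return [f"address=/{name}/{sink}" for name in collapse(lines)]

# Constructed sample feed, not real indicators.
FEED = """\
# comment line
example.com
www.example.com
mail.example.com
Bad.Example.NET.
127.0.0.1  tracker.example.org
cdn.tracker.example.org
not a domain/127.0.0.1
10.0.0.1
""".splitlines()

if __name__ == "__main__":
    print("\n".join(render(FEED)))
```

Collapsing only applies to the `address=` form; a hosts-format file loaded with `--addn-hosts` has no wildcard matching, so every name would have to stay listed.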