[OpenWrt-Devel] Slow DNSMasq with > 100, 000 entries in additional addresses file
Lucian Cristian
luci at createc.ro
Tue Dec 27 08:01:10 EST 2016
On 27.12.2016 04:54, TheWerthFam wrote:
> Problem with this method is that it misses lots of HTTPS based sites.
> I do already run squid though. Am I wrong that it will not proxy
> https sites unless you use MITM type setup?
> Thanks
>
>
> On 12/26/2016 08:47 PM, Lucian Cristian wrote:
>> On 26.12.2016 19:32, TheWerthFam wrote:
>>> Using the adblock set of scripts to block malware and porn sites.
>>> The porn sites list is 800,000 entries, about 10x the number of
>>> sites adblock normally uses. With the full list of malware and porn
>>> domains loaded, dnsmasq takes 115M of memory and normally sits
>>> around 50% CPU usage with moderate browsing usage. CPU and RAM usage
>>> isn't really a problem other than lookups are slow now. Platform is
>>> cc 15.05.1 r49389 on banana pi r1.
>>>
>>> The adblock script takes the different lists, creates files in
>>> /tmp/dnsmasq.d/ entries looking like
>>> local=/domainnottogoto.com/ one entry per line. The goal is to
>>> return NXDOMAIN to entries in the lists. Lists are sorted and with
>>> unique entries.
>>>
>>> I've tried increasing the cachesize to 10,000 but that made no
>>> change. Tried neg-ttl=3600 with default negative caching enabled
>>> with no change.
>>>
>>> Are there dnsmasq setting that will improve the performance? or
>>> should it be configured differently to achieve this goal?
>>> Perhaps unbound would be better suited?
>>>
>>> Cheers
>>> Derek
>>> _______________________________________________
>>> openwrt-devel mailing list
>>> openwrt-devel at lists.openwrt.org
>>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
>>
>> use squid and squidguard
>>
>> regards
>> _______________________________________________
>> openwrt-devel mailing list
>> openwrt-devel at lists.openwrt.org
>> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
I'm guessing that if you implement those restrictions I think that every
client has the proxy enforced into the browser so https would be
processed by squidguard too, for transparent https proxy you would need
to do sslbump
regards
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list