Re: [Dnsmasq-discuss] Add IPs to BSD pf table from dnsmasq?
On Fri, Dec 22, 2017 at 09:17:08PM +, Andrew White wrote:
> I've used it for a while on FreeBSD without issue, configured as per
> dnsmasq man page syntax
>

Thanks for the max-ttl tip. I have used it on pfSense (based on FreeBSD) for several days now. No issue!

> I would add to docs the risk that this feature can lead to a growing table
> of IPs that never gets pruned or expired, that could lead to allowing more
> IP addrs within a table over time than might be anticipated. I.e. you
> could end up that the hostname of the endpoint moves IP, but your firewall
> still allows traffic from the old IP; under some circumstances this is a
> significant risk. I use the max-ttl feature of dnsmasq with the pf table
> expires feature to prune the table every 15 mins. YMMV as the client using
> this feature would need to support re-resolving IPs.
>
> On Tue, Dec 19, 2017 at 1:38 AM, Chen Wei <weichen...@zoho.com> wrote:
> > On Mon, Dec 18, 2017 at 07:21:37PM +0000, Simon Kelley wrote:
> > > On 17/12/17 08:02, Chen Wei wrote:
> > > > is very fast. Is it possible to add the results of DNS lookup to pf
> > > > table from dnsmasq?
> > >
> > > Yes, it is. pf tables are supported on BSD using the same --ipset
> > > dnsmasq configuration option. Looking, there's not explicit

-- Chen Wei

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
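The pruning arrangement described above (max-ttl on the dnsmasq side, table expiry on the pf side), written out as an added configuration example; it is not from the thread, and the table name allowed_api, the domain and the 15-minute interval are assumed:

```conf
# dnsmasq.conf (constructed example): on FreeBSD the --ipset option feeds the
# pf table of the same name with every answer for the listed domain.
ipset=/api.example.com/allowed_api
# Cap answer TTLs so clients re-resolve at least every 15 minutes and the
# table is refreshed with the endpoint's current address.
max-ttl=900

# pf.conf: the table must exist before dnsmasq tries to add to it.
table <allowed_api> persist
pass out quick proto tcp from any to <allowed_api> port 443

# /etc/crontab: drop entries older than 15 minutes, so an address the
# endpoint has moved away from does not stay allowed indefinitely.
*/15 * * * * root /sbin/pfctl -t allowed_api -T expire 900
```

pfctl's expire timer counts from when an address was added (or last had its counters zeroed), so an address still in use is dropped as well and only returns on the next lookup; that is why the max-ttl cap matters.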
[Dnsmasq-discuss] Add IPs to BSD pf table from dnsmasq?
Ipset in dnsmasq is a very useful feature. The pf table in the BSD family is similar to ipset in that it can hold a large number of IP addresses and lookups are very fast. Is it possible to add the results of DNS lookups to a pf table from dnsmasq?

-- Chen Wei
Re: [Dnsmasq-discuss] Huge hosts file and CPU usage
On Tue, Apr 26, 2016 at 03:43:34PM -0700, Mike Leong wrote:
> I have a blacklist of 1.5 million entries loaded into dnsmasq via "address"
> definitions. eg:
> address="/bad-site.com/192.168.5.1"

https://github.com/infinet/dnsmasq

> The 1.5 million entries are a list of porn/warez sites collected from
> various blacklists.
> According to top, dnsmasq uses about 200MB of RAM w/ that list loaded.
> I'm noticing high CPU usage w/ that blacklist. (spikes to about 80% on an
> i7)
> dnsmasq version: 2.62-3+deb7u3 (from debian wheezy)
> Are there any tuning (compiler options, code changes) that would reduce the
> CPU usage?
> I also tried using addn-hosts format but CPU usage was the same.

-- Chen Wei
[Dnsmasq-discuss] [PATCH V2] check bogus-nxdomain even when ip is from --address
On Sun, Mar 15, 2015 at 09:11:58PM +, Simon Kelley wrote:
> On 12/03/15 08:29, Chen Wei wrote:
> > This patch is mainly for blocking malware domains.
>
> Why use a fake address? It seems more sensible to have some syntax we
> could re-use, so that address=/malware.com/# means return NXDOMAIN for
> *.malware.com

It is cleaner indeed.

-- Chen Wei

--- src/dnsmasq.h |1 + src/forward.c |2 ++ src/option.c | 13 ++--- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/dnsmasq.h b/src/dnsmasq.h index de95d0e..c96e074 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -485,6 +485,7 @@ union mysockaddr { #define SERV_NO_REBIND 2048 /* inhibit dns-rebind protection */ #define SERV_FROM_FILE 4096 /* read from --servers-file */ #define SERV_LOOP 8192 /* server causes forwarding loop */ +#define SERV_NXDOMAIN 16384 /* domain should return NXDOMAIN */ struct serverfd { int fd; diff --git a/src/forward.c b/src/forward.c index 7c0fa8d..471e667 100644 --- a/src/forward.c +++ b/src/forward.c @@ -162,6 +162,8 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp, { if (serv-flags SERV_NO_REBIND) *norebind = 1; +else if (serv-flags SERV_NXDOMAIN) + flags = F_NXDOMAIN; else { unsigned int sflag = serv-addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; diff --git a/src/option.c b/src/option.c index eace40b..ba54a48 100644 --- a/src/option.c +++ b/src/option.c 
@@ -2290,9 +2290,16 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma else if (strcmp(arg, #) == 0) { - newlist-flags |= SERV_USE_RESOLV; /* treat in ordinary way */ - if (newlist-flags SERV_LITERAL_ADDRESS) - ret_err(gen_err); +if (option == 'S') + { +newlist-flags |= SERV_USE_RESOLV; /* treat in ordinary way */ +if (newlist-flags SERV_LITERAL_ADDRESS) + ret_err(gen_err); + } +else if (option == 'A') + { +newlist-flags |= SERV_NXDOMAIN; /* domain return NXDOMAIN */ + } } else { -- 1.7.10.4
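Review bot: the diffstat lists only src/dnsmasq.h, src/forward.c and src/option.c, so the new `address=/domain/#` form that SERV_NXDOMAIN implements ships undocumented; add the man page entry (and the option help text) stating that it returns NXDOMAIN for the domain and all of its subdomains.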
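Review bot: in the search_servers hunk the new branch assigns `flags = F_NXDOMAIN` but leaves `*addrpp` untouched, and the hunk shows no `break` or return after it; confirm that every caller of search_servers treats F_NXDOMAIN as "no address" before reading `addrpp`, and that a later matching server entry cannot overwrite the flag again.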
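Review bot: the one_opt hunk replaces the unconditional `#` handling with `if (option == 'S') ... else if (option == 'A') ...` and no final else, so if this code is reached for any other option value, `#` is now silently accepted with no flag set where it previously always set SERV_USE_RESOLV. Either add an `else ret_err(gen_err);` or state in the commit message that only 'S' and 'A' can reach this block.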
[Dnsmasq-discuss] [PATCH] check bogus-nxdomain even when ip is from --address
This patch is mainly for blocking malware domains.

Usage scenario: let's say we want to block malware.com; in the dnsmasq configuration file, use:

bogus-nxdomain=192.0.2.1
address=/malware.com/192.0.2.1

where 192.0.2.1 can be any IP that we know doesn't exist on the LAN. Then the query for *.malware.com will return 0 answers, together with the query status set to NXDOMAIN.

-- Chen Wei

- --- src/rfc1035.c | 30 ++ 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/src/rfc1035.c b/src/rfc1035.c index 5ef5ddb..5998757 100644 - --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -1198,6 +1198,8 @@ unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, size_t setup_reply(struct dns_header *header, size_t qlen, struct all_addr *addrp, unsigned int flags, unsigned long ttl) { + struct bogus_addr *baddrp; + int is_nxdomain = 0; unsigned char *p = skip_questions(header, qlen); /* clear authoritative and truncated flags, set QR flag */ 
@@ -1216,10 +1218,30 @@ size_t setup_reply(struct dns_header *header, size_t qlen, SET_RCODE(header, NXDOMAIN); else if (p flags == F_IPV4) { /* we know the address */ - - SET_RCODE(header, NOERROR); - - header-ancount = htons(1); - - header-hb3 |= HB3_AA; - - add_resource_record(header, NULL, NULL, sizeof(struct dns_header), p, ttl, NULL, T_A, C_IN, 4, addrp); + + /* set bogus address even when ip is from --address */ + if (addrp) +{ + for (baddrp = daemon-bogus_addr; baddrp; baddrp = baddrp-next) +if (memcmp(baddrp-addr, addrp-addr, INADDRSZ) == 0) + { +SET_RCODE(header, NXDOMAIN); +is_nxdomain = 1; +cache_start_insert(); +cache_insert(daemon-namebuff, NULL, dnsmasq_time(), 86400, + F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN); +cache_end_insert(); +break; + } +} + + if(!is_nxdomain) +{ + SET_RCODE(header, NOERROR); + header-ancount = htons(1); + header-hb3 |= HB3_AA; + add_resource_record(header, NULL, NULL, sizeof(struct dns_header), p, ttl, NULL, T_A, C_IN, 4, addrp); +} } #ifdef HAVE_IPV6 else if (p flags == F_IPV6) - -- 1.7.10.4
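Review bot: the two new locals declared in the first hunk (`baddrp`, `is_nxdomain`) serve only the `F_IPV4` branch, and the `#ifdef HAVE_IPV6 ... F_IPV6` branch that follows the second hunk gets no equivalent check; the commit message's claim that the query for *.malware.com returns NXDOMAIN therefore holds for A records only, which it should say explicitly.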
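Review bot: the `cache_insert` call in the second hunk hard-codes a TTL of 86400 and ignores the `ttl` parameter that setup_reply receives, so the negative cache entry outlives whatever --local-ttl/--max-ttl is configured; pass `ttl` through instead. Note also that the loop walks `daemon->bogus_addr` on every --address reply, so the cost grows with the number of --bogus-nxdomain entries; that is acceptable, but worth a comment.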
Re: [Dnsmasq-discuss] Dnsmasq on high load
On Tue, Mar 10, 2015 at 11:15:38AM +0200, Анатолий Мулярский wrote:
> I'm using dnsmasq as a caching DNS-server for 2000+ users.
> cache-size=9500
> dns-forward-max=4000
> Periodically I got the message:
> dnsmasq[2272]: failed to send packet: Resource temporarily unavailable
> Can someone suggest to me how to optimize my configuration for high load and get rid of the above message?

Sounds like the 10k problem. My understanding is dnsmasq was designed to be small and portable. Its select() loop works very well for most of us, but has limitations when it comes to highly concurrent connections. FD_SETSIZE alone has an upper limit of 1024 on Linux. Assuming most dnsmasq instances are running on Linux, I have contemplated a simple wrapper over select and epoll so dnsmasq can use the more efficient epoll when available. But then, should dnsmasq go multi-threaded? And if the features keep piling up, could dnsmasq still be small enough for embedded devices?

-- Chen Wei
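The FD_SETSIZE limit mentioned above has a memory-safety side: FD_SET() on a descriptor numbered FD_SETSIZE or higher writes outside the fd_set bitmap. The guard a select()-based loop needs, as an added C illustration (my code, not dnsmasq's; the function names are assumed):

```c
#include <sys/select.h>

/* Add fd to set only if select() can actually watch it. FD_SET() on an
 * fd >= FD_SETSIZE indexes past the end of the fixed-size fd_set bitmap
 * (undefined behaviour; in practice an overwrite of whatever follows it).
 * Returns 0 on success, -1 if the fd was rejected. */
static int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Build the read set for one select() round from an array of descriptors.
 * Returns how many could not be registered: a caller seeing a non-zero count
 * must stop accepting new descriptors (or move to poll()/epoll) rather than
 * let them be silently ignored. *maxfd receives the highest registered fd,
 * which select() needs as its first argument plus one (-1 if none). */
static int build_read_set(const int *fds, int n, fd_set *set, int *maxfd)
{
    int rejected = 0;
    FD_ZERO(set);
    *maxfd = -1;
    for (int i = 0; i < n; i++) {
        if (fd_set_checked(fds[i], set) < 0)
            rejected++;
        else if (fds[i] > *maxfd)
            *maxfd = fds[i];
    }
    return rejected;
}
```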
Re: [Dnsmasq-discuss] Feature suggest: combine --bogus-nxdomain
On Tue, Mar 10, 2015 at 02:40:03PM +, Allen Coates wrote:
> It is going off at a tangent, but I have been experimenting with real-time blacklists, for use with (say) a mail server.
> Or you could also use something like:-
> address=/badass.com.blacklist.mydomain.co.uk/127.0.0.1
> to blacklist individual domains.

So the return status of "dig badass.com" will be NXDOMAIN?

-- Chen Wei
[Dnsmasq-discuss] Feature suggest: combine --bogus-nxdomain and --address
Hi list,

When using dnsmasq to block malware sites, the address is usually set to a valid IP address with a listening webserver, for example:

--address=/malware.com/10.0.0.254

What if we combine it with

--bogus-nxdomain=10.0.0.254

so that the DNS record of malware.com is essentially deleted from the network? The current implementation skips --bogus-nxdomain if the IP is from --address. This feature will only add a few lines of code. What are the cons of combining --bogus-nxdomain and --address?

-- Chen Wei
[Dnsmasq-discuss] [PATCH v2] Optimize ipset/server/local/address/rebind-domain-ok performance
Hi list,

Currently --ipset/server/local/address/rebind-domain-ok take O(n) to match a domain name. This patch attempts to achieve O(1).

Let's call the basic element of this patch htree_node:

    struct htree_node {
        char *label;              /* key */
        void *ptr;
        uint32_t h1;              /* from hash function 1 */
        /*
         * hash value from hash function 2, used for double hashing in open
         * addressing hash table
         */
        uint32_t h2;
        struct htree_node **sub;  /* the hash table */
        unsigned sub_size;        /* size of hash table */
        int sub_count;            /* items stored in hash table */
        int sub_loadmax;          /* max items stored before upsizing sub */
        int sub_maxprobe;         /* max probes for insertion, upsizing upon reach */
    };

The htree_node maps key (label) to value (ptr), and serves as a container for a generic pointer and a hash table. It supports at least two operations:

* add a new key,

    struct htree_node *htree_add(struct htree_node *np, char *key)

  The added key is returned as an allocated new node, which can then be used to carry a pointer, or a hash table.

* lookup a key

    struct htree_node *htree_find(struct htree_node *np, char *key)

  The lookup returns a htree_node for extracting the ptr/hash table, or for modifying the ptr/hash table.

In fact, htree_node->sub does not necessarily need to be a hash table; other data structures, such as a binary tree, can also be used.

Tested on a list of a few thousand domain names, the size of an open addressing hash table for N items is close to 2N, and all lookups take less than 7 probes for that table size. Therefore the space efficiency and performance are acceptable. An open addressing hash table can work with a table size of 2^n, which is a bonus. Although deletion is difficult, it is not an issue for this patch since only add and lookup are involved.
Combined with a few helper functions, the htree_node is used to match domain names by chaining hash tables together:

[ASCII diagram of the label tree, flattened in the archive; the labels shown were: root; com, org; yahoo, google, twitter (under com); debian, freebsd (under org); www, mail; cn, jp, uk, us; ftp]

hash table for [com, org, ...]
table for [yahoo, google, twitter, ...] (com), table for [debian, freebsd, ...] (org) ...
table for [www, mail]
table for [cn, jp, uk, us, ...]
...

Cheers,
Chen Wei

- --- Makefile |4 +- src/dnsmasq.c |4 +- src/dnsmasq.h | 48 +++- src/forward.c | 793 ++--- src/htree.c | 486 +++ src/network.c |8 +- src/option.c | 427 --- 7 files changed, 1232 insertions(+), 538 deletions(-) create mode 100644 src/htree.c diff --git a/Makefile b/Makefile index 2910320..0ccbbe4 100644 - --- a/Makefile +++ b/Makefile @@ -24,7 +24,7 @@ MANDIR= $(PREFIX)/share/man LOCALEDIR = $(PREFIX)/share/locale BUILDDIR = $(SRC) DESTDIR = - -CFLAGS= -Wall -W -O2 +CFLAGS= -Wall -W -O0 -g LDFLAGS = COPTS = RPM_OPT_FLAGS = @@ -73,7 +73,7 @@ objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ - - domain.o dnssec.o blockdata.o tables.o loop.o inotify.o + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o htree.o hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/dnsmasq.c b/src/dnsmasq.c index e903a24..e62b6e4 100644 - --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -250,7 +250,7 @@ int main (int argc, char **argv) #endif #ifdef HAVE_IPSET - - if (daemon-ipsets) + if (daemon-htree_ipsets) ipset_init(); #endif @@ -627,6 +627,8 @@ int main (int argc, char **argv) } #ifdef HAVE_LINUX_NETWORK + free(hdr); + free(data); if (option_bool(OPT_DEBUG)) prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); #endif diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 89e758b..8f64b08 100644 - --- a/src/dnsmasq.h +++ b/src/dnsmasq.h 
@@ -510,10 +510,31 @@ struct server { struct server *next; }; - -struct ipsets { - - char **sets; - - char *domain; - - struct ipsets *next; +struct htree_node { + char *label; /* key */ + void *ptr; + uint32_t h1; /* from hash function 1 */ + /* + * hash value from hash function 2, used for double hashing in open + * addressing hash table + */ + uint32_t h2; + struct htree_node **sub; /* the hash table */ + unsigned
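Review bot: the first Makefile hunk changes CFLAGS from `-Wall -W -O2` to `-Wall -W -O0 -g`, which is a local debug setting and disables optimisation for every build; drop that hunk and keep only the `htree.o` addition to objs.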
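Review bot: the `free(hdr); free(data);` hunk in src/dnsmasq.c is the same change submitted on its own as "free used pointers during loading" and has nothing to do with the hash tree; keep it out of this series so the two can be reviewed and reverted independently.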
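Review bot: the first src/dnsmasq.c hunk renames `daemon->ipsets` to `daemon->htree_ipsets` while the src/dnsmasq.h hunk removes `struct ipsets` outright; the diffstat lists only forward.c, network.c and option.c as the other changed sources, so confirm that no remaining file (src/ipset.c in particular) still references the old field or type, since the build would break under HAVE_IPSET if one does.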
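An added, self-contained sketch of the structure the patch describes (my code, not src/htree.c from the patch): each node owns a 2^n open-addressing table probed by double hashing and grown once the load passes 1/2, and a name is matched label by label from the right, the longest rule suffix winning, as --server/--ipset rules require. The hash functions, the growth rule and the domain_walk helper are my choices; the patch's sub_loadmax/sub_maxprobe tuning is replaced by the fixed load bound.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct htree_node {                             /* same shape as the patch's struct */
    char *label; void *ptr; uint32_t h1, h2;    /* key label, rule value, slot hash, probe step */
    struct htree_node **sub; unsigned sub_size, sub_count;  /* open-addressing table, size 2^n */
};
static uint32_t hash1(const char *s) { uint32_t h = 2166136261u;          /* FNV-1a */
    while (*s) h = (h ^ (unsigned char)*s++) * 16777619u; return h; }
static uint32_t hash2(const char *s) { uint32_t h = 5381;                 /* djb2, forced odd so */
    while (*s) h = h * 33 + (unsigned char)*s++; return h | 1; }          /* probes hit every slot */
static struct htree_node *htree_find(struct htree_node *np, const char *key) {
    uint32_t h1 = hash1(key), h2 = hash2(key);
    for (unsigned i = 0; np->sub; i++) {                                  /* double hashing */
        struct htree_node *n = np->sub[(h1 + i * h2) & (np->sub_size - 1)];
        if (!n || (n->h1 == h1 && !strcmp(n->label, key))) return n; }    /* NULL slot: miss */
    return NULL;
}
static void slot_put(struct htree_node **tab, unsigned size, struct htree_node *n) {
    for (unsigned i = 0;; i++) { unsigned s = (n->h1 + i * n->h2) & (size - 1);
        if (!tab[s]) { tab[s] = n; return; } }     /* load <= 1/2 guarantees a free slot */
}
static struct htree_node *htree_add(struct htree_node *np, const char *key) {
    struct htree_node *n = htree_find(np, key); if (n) return n;
    if ((np->sub_count + 1) * 2 > np->sub_size) {  /* upsize to keep load <= 1/2 (table ~ 2N) */
        unsigned ns = np->sub_size ? np->sub_size * 2 : 4;
        struct htree_node **nt = calloc(ns, sizeof *nt);
        for (unsigned i = 0; i < np->sub_size; i++) if (np->sub[i]) slot_put(nt, ns, np->sub[i]);
        free(np->sub); np->sub = nt; np->sub_size = ns;
    }
    n = calloc(1, sizeof *n); n->h1 = hash1(key); n->h2 = hash2(key);
    n->label = strcpy(malloc(strlen(key) + 1), key);
    slot_put(np->sub, np->sub_size, n); np->sub_count++;
    return n;
}
/* Labels right to left (com -> yahoo -> www): add=1 stores val on the last label,
 * add=0 returns the val of the longest rule suffix matching name (NULL if none). */
static void *domain_walk(struct htree_node *root, const char *name, void *val, int add) {
    char buf[256], *dot; struct htree_node *np = root; void *best = NULL;
    if (strlen(name) >= sizeof buf) return NULL; strcpy(buf, name);
    do {
        dot = strrchr(buf, '.');
        np = add ? htree_add(np, dot ? dot + 1 : buf) : htree_find(np, dot ? dot + 1 : buf);
        if (!np) return best;                      /* unknown label: longest match so far */
        if (np->ptr) best = np->ptr;
        if (dot) *dot = '\0';                      /* chop the matched label off */
    } while (dot);
    if (add) np->ptr = val;
    return best;
}
```

Labels are compared as given; a real matcher normalises case first. With 26 rules under one label that node's table grows 4, 8, 16, 32, 64 slots, in line with the roughly 2N size reported above.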
[Dnsmasq-discuss] Precompiled OpenWrt package
On Sun, Feb 08, 2015 at 06:11:19PM +0800, weichen...@icloud.com wrote:
> dnsmasq with thousands of --server and --ipset rules
> This patch makes dnsmasq handle it with ease.

Precompiled package for OpenWrt 12.09 and 14.07, ar71xx only.

https://github.com/infinet/dnsmasq

-- Chen Wei
[Dnsmasq-discuss] [PATCH] free used pointers during loading
Valgrind reports three leaks. Those unfreed pointers are only used during loading. --- src/dnsmasq.c |2 ++ src/option.c | 11 +-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/src/dnsmasq.c b/src/dnsmasq.c index e903a24..e6dabbf 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -627,6 +627,8 @@ int main (int argc, char **argv) } #ifdef HAVE_LINUX_NETWORK + free(hdr); + free(data); if (option_bool(OPT_DEBUG)) prctl(PR_SET_DUMPABLE, 1, 0, 0, 0); #endif diff --git a/src/option.c b/src/option.c index e4b4865..ae0ad00 100644 --- a/src/option.c +++ b/src/option.c @@ -4361,7 +4361,7 @@ void read_opts(int argc, char **argv, char *compile_opts) { char *buff = opt_malloc(MAXDNAME); int option, conffile_opt = '7', testmode = 0; - char *arg, *conffile = CONFFILE; + char *arg, *conffile = NULL; opterr = 0; @@ -4476,7 +4476,14 @@ void read_opts(int argc, char **argv, char *compile_opts) } if (conffile) -one_file(conffile, conffile_opt); +{ + one_file(conffile, conffile_opt); + free(conffile); +} + else +{ + one_file(CONFFILE, conffile_opt); +} /* port might not be known when the address is parsed - fill in here */ if (daemon-servers) -- 1.7.10.4
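Review bot: the src/dnsmasq.c hunk frees `hdr` and `data` without showing where they were allocated, and the frees sit inside `#ifdef HAVE_LINUX_NETWORK`; confirm both pointers are declared and allocated under that same guard (otherwise non-Linux builds keep the leak or get an unused variable), and have the commit message name the three Valgrind leaks (`hdr`, `data`, `conffile`) so a reviewer can match them to the report.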
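Review bot: in the second src/option.c hunk, `free(conffile)` is only valid if every path that sets `conffile` after the new `= NULL` initialisation stores a heap pointer; the hunk does not show the option handler that assigns it, so verify it uses opt_string_alloc() (or an equivalent copy) rather than storing the getopt argument directly, which free() would corrupt. The braces around the single `one_file(CONFFILE, conffile_opt);` call in the else branch can also go, matching the surrounding style.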