From: "Maxim Khitrov" <mkhitrov@gmail.com>
To: Rob
Cc: User Questions <freebsd-questions@freebsd.org>
Date: Sun, 30 Dec 2007 11:52:57 -0500
Subject: Re: Blocking undesirable domains using BIND
Message-ID: <26ddd1750712300852p5835e094nf20f85a9f8e0356d@mail.gmail.com>
In-Reply-To: <47752446.8090908@gmail.com>
References: <26ddd1750712271246j14795cf3wf8e9727f0f7cc148@mail.gmail.com> <47744048.6020202@daleco.biz> <47752446.8090908@gmail.com>
List-Id: User questions <freebsd-questions@freebsd.org>

On Dec 28, 2007 11:28 AM, Rob wrote:
> Kevin Kinsey wrote:
> > Just a question, and I'm not trying to cast doubt on your plan; I'm
> > curious why using BIND for this purpose instead of a proxy, which is
> > a more typical application as I understand it?
>
> I was trying to do something similar. I didn't research too hard, but
> figured the only way to use Bind would be to make my server authoritative
> for all those domains, which meant a huge config file and potential
> overhead, as well as possibly breaking access to desirable servers in the
> domains.
>
> So hosts seemed easier, but apparently Bind never looks at hosts. I did
> find that Squid (which I already had installed and in limited use) has its
> own DNS resolver, and it does look at hosts first before going to the
> nameserver.
>
> Then I found this site: http://everythingisnt.com/hosts.html and put their
> list in hosts, and now client PCs get a squid error in place of ad junk.
> Works ok for me ;)
>
> -Rob

Well... you were right about overhead. In the last two days I wrote a script that would fetch a list of domains from several different sites, and output a valid BIND configuration file that could be included in the main config. I just ran the second test and the results are extremely poor. With only 27,885 blocked domains the server is now consuming 208 MB of RAM. The first time I tried reloading the full list of domains (91,137 of them) and that nearly crashed my server. I had to kill bind, remove two of the largest sources, and try a second time.
Honestly, I can't figure out what BIND could possibly be using so much memory for. It's taking up about 7 KB for each zone. The zone file itself is not even 1 KB, and given that all the records are pointing to the exact same thing it seems to be needlessly wasting memory. In addition to that, if I comment out the blacklist config file and run rndc reload, it only frees up about 16 MB. So it doesn't even release memory when it is no longer needed.

It looks like my plan of using BIND for filtering purposes will not work. Given how poorly it performed on this test I'm actually inclined to try another name server to see if something else would be more memory-efficient. If I can't find anything then I'll need to put some other piece of software in place to intercept BIND's recursive queries and block the domains that way.

- Max
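The approach Max describes, one `zone` statement per blocked domain with every statement pointing at the same tiny zone file, looks like the script below. This is an added example written for this page, not the script from the mail (which is not included in the thread); the zone file path, the sinkhole address and the sample list contents are assumptions. One thing worth building in from the start: the lists are fetched from several third-party sites, and each name is interpolated into a quoted string in named.conf, so a single crafted line (`evil"; include "/etc/passwd`) could otherwise break out of the string and inject configuration. The generator therefore accepts only syntactically valid multi-label names and silently drops everything else, including single-label entries that would otherwise hijack an entire TLD.

```python
"""Generate a BIND "one zone per blocked domain" blocklist configuration.

Added example for illustration, not the script from the original mail.
Assumed: the zone file path, the sinkhole address and the sample lists.
"""
import re

ZONE_FILE = "/etc/namedb/master/blocked.db"    # assumed path of the shared zone file
SINKHOLE_IP = "127.0.0.1"                       # assumed address every blocked name resolves to
HOSTS_PREFIXES = ("0.0.0.0", "127.0.0.1", "::1")  # first column in hosts-file style lists

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_blockable_domain(name: str) -> bool:
    """Accept only valid names with at least two labels.

    Anything else, including quotes, semicolons or braces planted in a
    downloaded list, is rejected, so a fetched line can never break out of
    the zone "..." string in named.conf. Single-label names are refused
    because a zone for "com" would hijack the whole TLD.
    """
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in labels)


def parse_blocklist(text: str):
    """Yield normalized domains from a hosts-file style list
    ('0.0.0.0 ads.example.com') or a plain one-domain-per-line list."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) >= 2 and parts[0] in HOSTS_PREFIXES else parts[0]
        name = name.lower().rstrip(".")          # case-fold, strip trailing dot
        if is_blockable_domain(name):
            yield name


def merge_blocklists(sources) -> list:
    """Merge already-downloaded list bodies into one sorted, de-duplicated list."""
    seen = set()
    for body in sources:
        seen.update(parse_blocklist(body))
    return sorted(seen)


def render_named_conf(domains) -> str:
    """One 'zone' statement per domain, all sharing the same zone file.

    Each statement still costs BIND a complete zone structure in memory,
    which is the overhead the mail measured at roughly 7 KB per zone.
    """
    lines = [f'zone "{d}" {{ type master; file "{ZONE_FILE}"; }};' for d in domains]
    return "\n".join(lines) + "\n"


def render_zone_file() -> str:
    """The shared zone file: apex and wildcard both resolve to the sinkhole."""
    return (
        "$TTL 3600\n"
        "@   IN SOA localhost. root.localhost. ( 1 3600 900 604800 3600 )\n"
        "@   IN NS  localhost.\n"
        f"@   IN A   {SINKHOLE_IP}\n"
        f"*   IN A   {SINKHOLE_IP}\n"
    )


# Constructed sample input standing in for two downloaded lists.
SAMPLE_HOSTS_LIST = """\
# hosts-file style list
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # mixed case, trailing comment
"""
SAMPLE_DOMAIN_LIST = """\
ads.example.com.
evil"; include "/etc/passwd
com
banner.example.org
"""

if __name__ == "__main__":
    blocked = merge_blocklists([SAMPLE_HOSTS_LIST, SAMPLE_DOMAIN_LIST])
    print(render_named_conf(blocked))
    print(render_zone_file())
```

Run against the two constructed lists, the output contains exactly three zone statements (ads.example.com, banner.example.org, tracker.example.net): the duplicate, the trailing-dot form, the upper-case entry, `localhost`, the bare TLD and the injection attempt are all normalized or rejected. Write the rendered text to a file and pull it in with `include` from named.conf; the memory cost Max reports applies unchanged, since the one-zone-per-domain structure is what BIND has to hold, not the zone file contents.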