Pfblockerng-devel 3.1 stops unbound

Gertjan

The solution will be :
Make this go away :

@jperezme said in Pfblockerng-devel 3.1 stops unbound:

TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]
** TLD Domain count exceeded. [ 2000000 ] All subsequent Domains listed as-is **

this

@jperezme said in Pfblockerng-devel 3.1 stops unbound:

Stopping Unbound Resolver..............................

and be aware that every dot printed is a one (1) second delay :
So, just to stop your unbound, it needs more then 10 minutes .....

Two solutions :
Ditch your system, take something with a big fat Xeon processor. Multi threading is meaningless here, as PHP is execute on one core.
Or lower the number of feeds / DNSBL entries.
Lower it until this line :

TLD analysis....................xxxxxxxxxxxxxxxxxxxxxxxxxxx completed [ 09/18/22 00:05:11 ]

doesn't show 'x' anymore.

jperezme

@gertjan
This is my system cpu:
Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz
Current: 2100 MHz, Max: 2101 MHz
16 CPUs: 1 package(s) x 8 core(s) x 2 hardware threads

It's strange because I have three other systems exactly like this one and it doesn't happen.
Could you tell me exactly where I can download the number of feeds?

Thanks in advance.

Gertjan

@jperezme said in Pfblockerng-devel 3.1 stops unbound:

Could you tell me exactly where I can download the number of feeds?

What do you mean ?
You don't know what (how much) you download ?

The info is here :

Or here : /var/db/pfblockerng/dnsbl

Or here - example of one feed :

'DNSBL feeds' or just 'Internet' text pages - big files with host names.

The thing is : you have to many of them : it seems that unbound can't handle it.
If unbound needs more then, 10 minutes to react on a stop signal, something is definitely wrong. While its stopping, your pfSense has no DNS ....
pfBlocker fails to stop it, fails to start it.

jperezme

@gertjan
I understand you. Could be my ut1 list?

This is my dnsbl groups:

Gertjan

@jperezme

This :

would be a lot to keep in memory if the file was read by a binary executable.
PHP is interpreted language, so a 1000 times slower.
Added to that, for every DNS request, the entire list hast to be parsed through to see if there is a DNSBL hit.

Solution : don't use such a big list.
edit : with just 5 hits ...

jperezme

@gertjan As I was saying, it is very strange because on other exactly the same machines with the same software installation, even with some more lists, it never happens. In this image can you see.

Gertjan

@jperezme
I know.
Start hating me for this one : between pfSense 1&2 and this third one, there is a difference ^^

Also : 23 hits for a 4 million+ list ..... , I wouldn't bother.

jperezme

@gertjan
Calm. I don't hate you, on the contrary.
I really appreciate your comments. Blame it on my ignorance. Really the most important thing for me is to be able to block porn, because we are in a school.

Gertjan

@jperezme

A small one : Pfblockerng never download my custom list new entries?

https://github.com/klabacita

jperezme

@gertjan
Where a good list to block porn pages?

Thanks.

NogBadTheBad

@jperezme

You could try replacing Unified hosts = (adware + malware) with Unified hosts + porn

https://github.com/StevenBlack/hosts