Number of Domains Supported by DNSBL?

  • Attempting to block porn, I extracted the adult list from the UT1 list here: Then in the pfBlockerNG DNS-BL list I pointed it at the domains text file that is inside. While doing and after reload DNS breaks completely with this list, but the only thing in the logs is "unbound restarting" once, like it normally does (logging verbosity 2). It has about 2 million domains, but I'm not sure if it is just this list or the size that is the problem. My system specs are Intel(R) Atom(TM) CPU C2758 @ 2.40GHz, 8GB of DDR3 RAM, and 50GB Intel SSD. Is that enough for 2 million domains? Do I need to modify the advanced settings tab in Unbound? I am using Custom Options so that I can use to try the new DNS servers and also the BIND line so I can route to BIND, which is also running on pfSense, so that is always routed to my IPv4 gateway. It doesn't like my IPv6 HETunnel because it is a proxy. I have DNSSEC turned on too, but not forwarding.

    Custom Options:

    # pfBlockerNG DNSBL
    include: /var/unbound/pfb_dnsbl.*conf 
    # BIND IPv6 Forwards
    do-not-query-localhost: no
    do-tcp: yes
    # Speed and privacy
    minimal-responses: yes
    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    forward-zone:
      name: "."
      # To keep local overrides and avoid slow downs
      forward-ssl-upstream: yes
      # Below addresses are Cloudflare DNS
      forward-addr: 2606:4700:4700::1111@853
      forward-addr: 2606:4700:4700::1001@853

  • The problem is not so much what unbound can handle; that seems to be limited by RAM, and the list updates from pfBlocker can be done seamlessly.

    The problem you’ll have is that if you have DHCP allocating names to IPs, then every time you do so it restarts unbound, which reloads everything, and that takes time with a big list. My system (N3150, 8GB + SSD) starts getting grumpy after ~600,000 domains, but it’s just reload time.

    I looked at looking at how DHCP sets up the names to use the seamless method that pfB does, though it may be possible to double up on DNS servers somehow with a clever config.
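
Because reload time grows with the number of entries, one way to shrink a large list before Unbound sees it is to deduplicate it and drop subdomains whose parent is already listed. This is an added example, not part of the thread and not pfBlockerNG's own code; the function names and the sample list are constructed, and it assumes the entries are loaded as `local-zone` zones of type `always_nxdomain`, which cover every name under the zone.

```python
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample input, not taken from any real blocklist.
SAMPLE = """\
# comment line
ads.example.com
example.com
EXAMPLE.com.
cdn.img.example.com
tracker.example.net
192.0.2.10
bad_entry..example.org
-bad.example.org
"""

def normalize(line):
    """Return a cleaned domain, or None for comments, blanks, IPs and junk."""
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253 or labels[-1].isdigit():
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return name

def compact(lines):
    """Deduplicate and drop names already covered by a listed parent zone."""
    names = {n for n in map(normalize, lines) if n}
    kept = []
    for name in names:
        labels = name.split(".")
        # a.b.example.com -> b.example.com, example.com, com
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in names for p in parents):
            kept.append(name)
    return sorted(kept)

def to_unbound(names, zone_type="always_nxdomain"):
    """Render one local-zone line per remaining domain."""
    return [f'local-zone: "{n}." {zone_type}' for n in names]

if __name__ == "__main__":
    raw = SAMPLE.splitlines()
    zones = compact(raw)
    print(f"{len(raw)} input lines -> {len(zones)} zones")
    print("\n".join(to_unbound(zones)))
```

With per-name `local-data` entries instead of zones, a parent entry does not cover its subdomains, so the parent-collapsing step only applies to the zone form.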