How to increase TLD Domain count exceeded. [ 4000000 ]

fsantoro · Jan 25, 2022, 7:37 PM

I'm getting the following messagem: TLD Domain count exceeded. [ 4000000 ]

How to increase this limit?

dma_pf · Jan 26, 2022, 2:14 PM

If I remember correctly it's in the pfsense gui at System/Advanced/Firewall & NAT/Firewall Maximum Table Entries/

fsantoro · Jan 26, 2022, 7:47 PM

@dma_pf I already changed this parameter, put 10M and still it keeps crashing at 4M

dma_pf · Jan 26, 2022, 8:09 PM

@fsantoro Sorry my bad! I remember now that the amount of tld's is limited by the available RAM in the system. Are you using "Unbound Python Mode" at Firewall/pfBlockerNG/DNSBL/DNSBL Mode/ ? If not, then try switching it to the python mode.

The Unbound Mode has a limitation on the amount of tld's because the list of tlds has to be stored in memory. The Unbound Python Mode does not load everything into memory and can handle a lot more tlds.

Also make sure you're running the latest version of pfblockerng-devel (3.1.0_1). I know it says devel but it is stable and is recommended by the developer as the stable branch. The other pfblockerNG 2.x.x is considered obsolete at this point.

fsantoro · Jan 26, 2022, 8:12 PM

@dma_pf Hmm... I have 32gb of RAM on my PfSense and I only use unbound, because python mode has problems with DNS server and DHCP Server. And my PF has these 2 services active.

Yes my package is 3.1.0.1 DEVEL

dma_pf · Jan 26, 2022, 10:17 PM

I would expect that with 32gb there would be plenty of memory. I found a discussion about a similar issue with @BBcan177 who is the developer of pfblockerng. Here it is: https://www.reddit.com/r/pfBlockerNG/comments/lrd6ah/tld_domain_count_exceeded_800000_all_subsequent/

python mode has problems with DNS server and DHCP Server.

I've been using the Python mode for a year now with no issues. I use DNS Resolver in Unbound mode (not forwarding mode). And yes, there is an issue with DHCP Registration that messes things up in Python mode. The work around is to uncheck Services/DNS Resolver/General Settings/DHCP Registration/. And if you do have clients that connect through DHCP which you need to access by their host name, then assign them a static IP in DHCP. Then enable Services/DNS Resolver/General Settings/Static DHCP/ and you will still be able to resolve them by host name.

fsantoro · Jan 28, 2022, 4:03 PM

@dma_pf Thanks a lot! I Just changed the configuration file.
File: /usr/local/pkg/pfblockerng/pfblockerng.inc

From:
$pfb['pfs_mem'] = array( '0' => '200000', '1500' => '300000', '2000' => '400000', '2500' => '500000', '3000' => '400000',

To:
$pfb['pfs_mem'] = array( '0' => '200000', '1500' => '300000', '2000' => '400000', '2500' => '500000', '3000' => '900000',

dma_pf · Jan 28, 2022, 4:03 PM

@fsantoro Cool! Did that fully resolve your issue?

fsantoro · Jan 28, 2022, 7:32 PM

@dma_pf said in How to increase TLD Domain count exceeded. [ 4000000 ]:

Cool! Did that fully resolve your issue?

Completely!!!

dma_pf · Jan 28, 2022, 7:53 PM

Fantastic! We both learned something new...big win for both of us.

SteveITS · Jan 28, 2022, 8:08 PM

@fsantoro Interesting, 400000 on that line is a bit less than the 4000000 in the post title...

FYI I seem to recall PHP has a limit of 512 MB on pfSense.