domains-dotted-format.list is actually Squid-Cache dstdomain ACL format. #277
Comments
Thanks @elico I made the dotted format list for DNSMASQ users and it would be great if it applies to Squid too. We also have Blackweb using our lists too.
@mitchellkrogza from a first look it seems that it's not 100% compatible but it only requires a simple cleanup:
and squid will accept only the first in the list and since it's a dotted format and by that defining that this is a "prefix" line in the ACL. (The trie tree only accepts one end to a tree and will not accept collision\overlapping rules.) However since the list is a full match only and aimed towards specific domains compared to a full domain and all subdomains then: domains.list
and will match only these two domains as blacklisted
So ... is the correct solution not then the dotted format list but with no duplicates and only root domains?
@mitchellkrogza Since this blacklist is composed and designed to target specific domains, domains overlapping each other from upper level to lower level are expected to exist. Squid has a very specific trie data structure for a domain list which uses a dotted format in a very standard way.
A dot prefix means that this specific domain and all its subdomains are a match for the ACL and are blacklisted. Also if we have a subdomain in the ACL i.e. Hope it gives more sense now.
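The cleanup discussed in the comments above, as an added example that is not code from any participant in this thread or from the project. It assumes the rule as described here: a dot-prefixed entry covers the domain and all its subdomains, so any entry already covered by a dotted parent is dropped before the list is handed to a `dstdomain` ACL. The function names and sample entries are constructed for illustration.

```python
# Added example: reduce a dotted-format list to non-overlapping entries.
# Assumption (from the thread): ".example.com" covers example.com and every
# subdomain, and Squid does not accept entries that overlap one another.

# Constructed sample input using reserved example domains.
SAMPLE = [
    ".example.com",
    ".ads.example.com",      # covered by .example.com
    "example.com",           # covered by .example.com
    "tracker.example.net",   # exact-match entry with no dotted parent
    ".example.com",          # verbatim duplicate
    "cdn.host.example.org",  # covered by .host.example.org listed later
    ".host.example.org",
    "",                      # blank line
]


def normalize(line):
    """Strip comments and whitespace, lowercase; '' for empty lines."""
    return line.split("#", 1)[0].strip().lower()


def covered_by(entry, wildcards):
    """True if a dotted entry in `wildcards` already covers `entry`."""
    labels = entry.lstrip(".").split(".")
    # A dotted entry is only covered by a proper parent; a plain entry is
    # also covered by its own dotted form.
    start = 1 if entry.startswith(".") else 0
    return any(
        "." + ".".join(labels[i:]) in wildcards
        for i in range(start, len(labels))
    )


def squid_clean(lines):
    """Return de-duplicated, non-overlapping entries in original order."""
    entries, seen = [], set()
    for raw in lines:
        e = normalize(raw)
        if e and e not in seen:
            seen.add(e)
            entries.append(e)
    wildcards = {e for e in entries if e.startswith(".")}
    return [e for e in entries if not covered_by(e, wildcards)]


if __name__ == "__main__":
    print("\n".join(squid_clean(SAMPLE)))
```

Entries that must stay exact-match only (the hosting-service case raised later in the thread) survive as long as no dotted parent is present in the same list.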
Please do let us know the outcome as we are always striving to perfect what we do and support all systems 100%. What you say makes total sense to me and with clarification on that we will perfect our raw lists even more.
@mitchellkrogza @funilrys I tested here and there to make sure what and how things are at dnsmasq.
/etc/dnsmasq.d/blackhole.conf
I created 3 scripts that take the
Most of the domains should be blocked with all their subdomains but some exist on a very specific hosting service and should be present without a dot prefix. What do you both think?
@mitchellkrogza @funilrys I don't know if dnsmasq has issues on specific versions such as in Alpine Linux but on the Alpine Linux that I tested the dnsmasq service consumed almost 300 MB and didn't reply. Also I just finished the basic skeleton for a DNS domains BL service that just answers if the domain is in the list or not. I will need to have an option for the list to be inclusive or exclusive: Technically speaking if a sub tld exists in the list it mostly should block also all subdomains.
@mitchellkrogza I have tested DNSMasq with a couple of versions and it seems that the only system that has an issue with the block list is dnsmasq on top of Alpine Linux x86 (32bit).
@funilrys @mitchellkrogza I noticed that the domains-dotted-format.list is compatible with Squid-Cache dstdomain ACL.
I will try to test it in the next few days.
If it is compatible you just need to add it as compatible in the files table.