Changes between Version 2 and Version 3 of DnsHosts

2020-02-06T06:12:48+01:00 (13 days ago)



== Common security issues ==
The hosts file may present an attack vector for malicious software. The file may be modified, for example, by adware, computer viruses, or trojan horse software to redirect traffic from the intended destination to sites hosting malicious or unwanted content. The widespread computer worm Mydoom.B blocked users from visiting sites about computer security and antivirus software and also affected access from the compromised computer to the Microsoft Windows Update website. In some cases malware has modified the library responsible for loading the hosts file in order to redirect it to a file it is able to control freely.
== Hosts file vs Unbound test ==
In this test I'm going to give you a quick and dirty idea about why using the hosts file is the worst idea ever for content blocking.

First, the hosts file was only designed to hold a very limited number of records; the second reason is simply the sheer size of modern hosts files.

Take a look at these examples of issues where Windows users simply lose their entire network because of a timeout while loading the hosts file.
  * [[|Project should not be listed as working on Windows #537]]
  * [[|Unable to connect to internet after changing hosts file. #533]]
  * [[|Slow to connect on computer restart #17]]
  * [[|No internet after restart for minutes #12]]

This took me only 4 - 5 minutes to locate...
== The test data ==
{{{#!shell
wc -l output/domains/ACTIVE/list
1.789.872 output/domains/ACTIVE/list
}}}
=== Test command used with unbound ===
{{{#!shell
time dig +noall @ -p 53 -f output/domains/ACTIVE/list
}}}

  Explanation::
    * `time` is a Unix tool to measure the time taken for a command to complete
    * `dig` is the best tool to test DNS. It's part of the bind-tools
    * `+noall` clears all display flags, so dig prints no answer output
    * `@` which DNS server to use for the test; the address given here therefore means `localhost`
    * `-p` which port to send the query to
    * `-f` input file which contains the domains to test
== Unbound test Data ==
All data is set up as `always_nxdomain`:
{{{
local-zone: "" always_nxdomain
}}}
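Converting an existing hosts-file blocklist into that `always_nxdomain` form, as an added example (not code from the original page or from the project): it reads hosts-file lines on stdin, keeps only sinkhole entries, drops the machine's own loopback names and duplicates, and emits one `local-zone` line per name. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): turn a hosts-file blocklist into
# the Unbound "local-zone: ... always_nxdomain" form used in the test above.
# Reads hosts-file text on stdin and writes Unbound config lines on stdout.
hosts_to_unbound() {
    awk '
        BEGIN {
            # names that belong to the machine itself, never to a blocklist
            skip["localhost"] = skip["localhost.localdomain"] = 1
            skip["ip6-localhost"] = skip["ip6-loopback"] = skip["broadcasthost"] = 1
        }
        { sub(/#.*/, "") }                                   # drop comments
        NF < 2 { next }                                      # need address + at least one name
        $1 !~ /^(0\.0\.0\.0|127\.0\.0\.1|::1|::)$/ { next }   # only sinkhole addresses
        {
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                if (d in skip || d !~ /^[a-z0-9][a-z0-9._-]*$/) continue
                if (!seen[d]++)                              # emit each zone once
                    printf "local-zone: \"%s\" always_nxdomain\n", d
            }
        }'
}

# constructed sample input; real lists (see wc -l above) run to millions of lines
SAMPLE='# constructed sample hosts-file blocklist
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 ads.example.com tracker.example.net   # two names on one line
0.0.0.0 ADS.example.com
192.168.1.10 fileserver.lan
0.0.0.0 pixel.example.org'

# render the constructed sample as Unbound config lines
demo() {
    printf '%s\n' "$SAMPLE" | hosts_to_unbound
}

# number of local-zone lines produced, for a size check before loading
count_zones() {
    demo | wc -l | tr -d ' '
}

demo
```

Run it against a real list with `hosts_to_unbound < /etc/hosts > /etc/unbound/unbound.conf.d/blocklist.conf` (path is an assumption) and check with `unbound-checkconf` before reloading.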
Test stat before first run:
{{{#!shell
unbound-control stats | grep total
}}}
==== 1. Unbound test ====
{{{#!shell
real    4m31,098s
user    3m0,287s
sys     2m10,670s
}}}

Notice the `total.num.queries=1789872` and `total.num.cachehits=1789872` are ''equal''
==== 2. Unbound test ====
{{{#!shell
real    4m38,948s
user    3m6,641s
sys     2m14,106s
}}}

Again the `total.num.queries=3579744` and `total.num.cachehits=3579744` are ''equal''

That's good, +1
=== Unbound caching ===
In this test we will use dig to look up an external domain which isn't in our blocklist.

The first dig is a lookup of []
{{{#!shell
time dig +noall @ -p 53
real    0m1,681s
user    0m0,016s
sys     0m0,004s
}}}

  Second run::
    {{{#!shell
    time dig +noall @ -p 53
    real    0m0,025s
    user    0m0,016s
    sys     0m0,009s
    }}}

Now let's get the cache stats

This time `total.num.queries` is `+1` compared to `total.num.cachehits` :smiling_imp:
== Hosts test Data ==
Let's do the same, where the records are added to the `/etc/hosts` file and the local DNS is disabled
{{{#!shell
cat /etc/resolv.conf
}}}

{{{#!shell
time dig +noall
real    0m1,031s
user    0m0,021s
sys     0m0,008s
}}}

{{{#!shell
time dig +noall
real    0m0,026s
user    0m0,015s
sys     0m0,012s
}}}
=== Test command Hosts ===
{{{#!shell
time while read line; do getent ahosts $line; done < output/domains/ACTIVE/list
}}}

==== 1. Hosts test ====
{{{#!shell
real    9411m8,908s
user    8732m51,608s
sys     675m54,859s
}}}

==== 2. Hosts test ====
Due to the time consumed by this test, there won't be a second test run; the time difference speaks loudly for itself.
=== New Unbound test ===
As noticed later in the original thread where [user:spirillen] originally published this simplified test, there is in fact an issue with using dig to test hosts files, therefore I'm starting a third test of unbound with the same test command as used with the hosts file.
{{{#!shell
time while read line; do getent ahosts $line; done < output/domains/ACTIVE/list
}}}

  Result::
    {{{#!shell
    real    98m8,897s
    user    48m50,247s
    sys     49m41,709s
    }}}
==== Unbound test with wget ====
  Test command::
    {{{#!shell
    time wget --no-config --spider -4 --delete-after -i output/domains/ACTIVE/list
    }}}

  Test result::
    {{{#!shell
    real    7m5,683s
    user    1m58,984s
    sys     2m43,794s
    }}}

    {{{#!shell
    real    6m53,000s
    user    1m58,163s
    sys     2m42,103s
    }}}
As this "quick" and dirty test shows, there are several good reasons to consider switching to a [wiki:DnsResolver DNS Resolver] like Unbound on Windows and Apple.

== Note for Apple OS ==
I've come across a site that stated there should be a prebuilt package of unbound. It should be possible to install it with `brew install unbound`