Changes between Version 2 and Version 3 of DnsHosts


Timestamp:
2020-02-06T06:12:48+01:00 (13 days ago)
Author:
AnonymousPoster
== Common security issues ==
The hosts file may present an attack vector for malicious software. The file may be modified, for example, by adware, computer viruses, or trojan horse software to redirect traffic from the intended destination to sites hosting malicious or unwanted content. The widespread computer worm Mydoom.B blocked users from visiting sites about computer security and antivirus software and also affected access from the compromised computer to the Microsoft Windows Update website. In some cases malware has modified the library responsible for loading the hosts file in order to redirect it to a file it is able to control freely.
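
A defender-side check for the tampering described above, written as an added example rather than anything from this wiki: it parses a hosts file and reports names mapped to a globally routable address (a redirect instead of a block) and names on a watchlist of security or update sites. The watchlist entries, the remote address and the sample hosts file are constructed.

```python
import ipaddress

# Hosts-file audit (added example, not from the wiki page).  A content-blocking
# hosts file only ever maps names to a sinkhole address; a name pointing at a
# remote address is the redirect pattern described above, and a sinkholed
# security/update site is the Mydoom.B pattern.  Watchlist names are constructed.
WATCHLIST = {"update.vendor.example", "av.vendor.example"}

def parse_hosts(text):
    """Yield (address, hostname, line_no) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; resolvers ignore the line as well
        for name in fields[1:]:
            yield addr, name.lower().rstrip("."), line_no

def audit_hosts(text, watchlist=WATCHLIST):
    """Return (kind, hostname, address, line_no) findings for suspicious mappings."""
    findings = []
    for addr, name, line_no in parse_hosts(text):
        # Loopback, 0.0.0.0, link-local and multicast (the ip6-* aliases) are
        # all non-global; anything globally routable is a redirect, not a block.
        if addr.is_global:
            findings.append(("redirect", name, str(addr), line_no))
        if name in watchlist:
            findings.append(("watchlist", name, str(addr), line_no))
    return findings

# Constructed sample hosts file: two normal blocklist entries plus one of each finding.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     ads.example.net          # ordinary blocklist entry
0.0.0.0     tracker.example.org
93.184.216.34 www.bank.example       # constructed: name sent to a remote host
0.0.0.0     update.vendor.example    # constructed: blocks a security-update site
"""

if __name__ == "__main__":
    for kind, name, addr, line_no in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {name} -> {addr}")
```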

== Hosts file vs Unbound test ==
In this test I'm going to give you a quick and dirty idea about why using the hosts file is the worst idea ever for content blocking.

First of all, the hosts file is only designed to hold a very limited number of records; the second reason is simply the sheer size of modern hosts files.

Take a look at these examples of issues where Windows users simply lose their entire network, due to a timeout while loading the hosts file:
  * [[https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist/issues/537|Project should not be listed as working on Windows #537]]
  * [[https://github.com/mitchellkrogza/Ultimate.Hosts.Blacklist/issues/533|Unable to connect to internet after changing hosts file. #533]]
  * [[https://github.com/ScriptTiger/Unified-Hosts-AutoUpdate/issues/17|Slow to connect on computer restart #17]]
  * [[https://github.com/ScriptTiger/Unified-Hosts-AutoUpdate/issues/12|No internet after restart for minutes #12]]

This took me only 4 - 5 minutes to locate...

== The test data ==
{{{#!shell
wc -l output/domains/ACTIVE/list
1.789.872 output/domains/ACTIVE/list
}}}

=== Test command used with unbound ===
{{{#!bash
time dig +noall @127.0.0.1 -p 53 -f output/domains/ACTIVE/list
}}}

  Explanation::
    * `time` is a Unix tool to measure the time taken for a command to complete
    * `dig` is the best tool to test DNS. It's part of the bind-tools
    * `+noall` clears all display flags, so dig prints nothing and only the timing is left
    * `@` selects which DNS server to use for the test; `@127.0.0.1` therefore means `localhost`
    * `-p` selects which port to send the query to
    * `-f` names the input file which contains the domains to test

== Unbound test Data ==
All data is set up as `always_nxdomain`:

{{{
local-zone: "example.org" always_nxdomain
}}}
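
An added example (not part of this page or of unbound itself) of how a domain list like `output/domains/ACTIVE/list` can be turned into these `local-zone` statements; it also drops names whose parent zone is already listed, since a `local-zone` answers for everything below it. The sample list is constructed.

```python
import re

# Added example (not from the wiki page): turn a domain list such as
# output/domains/ACTIVE/list into unbound local-zone statements of the
# always_nxdomain type used in this test.  Because a local-zone answers for
# every name below it, a listed name whose parent is also listed is dropped.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_domain(name):
    """True for a syntactically valid, lower-cased, multi-label domain name."""
    labels = name.split(".")
    return 0 < len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)

def load_domains(text):
    """Accept plain domain lists or hosts-style lines; comments and junk are skipped."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        name = fields[-1].lower().rstrip(".")   # hosts format puts the name last
        if valid_domain(name):
            names.add(name)
    return names

def minimal_zones(names):
    """Drop names already covered by a listed parent zone."""
    names = set(names)
    def covered(name):
        parts = name.split(".")
        return any(".".join(parts[i:]) in names for i in range(1, len(parts)))
    return sorted(n for n in names if not covered(n))

def to_unbound_conf(text):
    """Render the server: block lines for the de-duplicated list."""
    return "\n".join(f'local-zone: "{n}" always_nxdomain' for n in minimal_zones(load_domains(text)))

# Constructed stand-in for a few lines of output/domains/ACTIVE/list.
SAMPLE_LIST = """\
# comment line
ads.example.net
cdn.ads.example.net
Tracker.Example.org.
0.0.0.0 tracker.example.org
not a domain!
"""

if __name__ == "__main__":
    print(to_unbound_conf(SAMPLE_LIST))
```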
     115
Test stats before first run:

{{{#!shell
unbound-control stats | grep total
total.num.queries=0
total.num.queries_ip_ratelimited=0
total.num.cachehits=0
total.num.cachemiss=0
total.num.prefetch=0
total.num.zero_ttl=0
total.num.recursivereplies=0
total.requestlist.avg=0
total.requestlist.max=0
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=0
total.requestlist.current.user=0
total.recursion.time.avg=0.000000
total.recursion.time.median=0
total.tcpusage=0
}}}

==== 1. Unbound test ====
{{{#!shell
real    4m31,098s
user    3m0,287s
sys     2m10,670s

total.num.queries=1789872
total.num.queries_ip_ratelimited=0
total.num.cachehits=1789872
total.num.cachemiss=0
total.num.prefetch=0
total.num.zero_ttl=0
total.num.recursivereplies=0
total.requestlist.avg=0
total.requestlist.max=0
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=0
total.requestlist.current.user=0
total.recursion.time.avg=0.000000
total.recursion.time.median=0
total.tcpusage=0
}}}

Notice that `total.num.queries=1789872` and `total.num.cachehits=1789872` are ''equal''.

==== 2. Unbound test ====
{{{#!shell
real    4m38,948s
user    3m6,641s
sys     2m14,106s

total.num.queries=3579744
total.num.queries_ip_ratelimited=0
total.num.cachehits=3579744
total.num.cachemiss=0
total.num.prefetch=0
total.num.zero_ttl=0
total.num.recursivereplies=0
total.requestlist.avg=0
total.requestlist.max=0
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=0
total.requestlist.current.user=0
total.recursion.time.avg=0.000000
total.recursion.time.median=0
total.tcpusage=0
}}}

Again, `total.num.queries=3579744` and `total.num.cachehits=3579744` are ''equal''.

That's good +1

=== Unbound caching ===
In this test we will use dig to look up an external domain which isn't in our blocklist.

The first dig is a lookup of [https://www.mypdns.org www.mypdns.org]

{{{#!shell
time dig +noall @127.0.0.1 -p 53 www.mypdns.org

real    0m1,681s
user    0m0,016s
sys     0m0,004s
}}}

  Second run::

{{{#!shell
time dig +noall @127.0.0.1 -p 53 www.mypdns.org

real    0m0,025s
user    0m0,016s
sys     0m0,009s
}}}

Now let's get the cache stats:

{{{#!shell
total.num.queries=3579746
total.num.cachehits=3579745
}}}

This time queries is `+1` compared to cachehits, the one miss being the first lookup of the external domain :smiling_imp:
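
To check the two invariants used above (queries equal to cachehits, nothing recursed) mechanically, here is an added example that is not from the wiki: it parses two `unbound-control stats` snapshots and compares their deltas. The before and after-first-run values are the ones shown above; the snapshot after the external lookup is constructed, since the page only shows two of its counters.

```python
# Added example (not from the wiki page): read two unbound-control stats
# snapshots, take the difference and tell whether every query in between was
# answered from local data, as the equal queries/cachehits counters above show.
def parse_stats(text):
    """Turn 'key=value' lines from unbound-control stats into a dict of numbers."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            stats[key] = float(value) if "." in value else int(value)
    return stats

def stats_delta(before, after):
    """Per-counter increase between two snapshots (only the total.num.* counters)."""
    return {k: after[k] - before.get(k, 0) for k in after if k.startswith("total.num.")}

def served_locally(before, after):
    """True when all queries were cache/local-zone hits and nothing was recursed."""
    d = stats_delta(parse_stats(before), parse_stats(after))
    return (d["total.num.queries"] > 0
            and d["total.num.cachehits"] == d["total.num.queries"]
            and d["total.num.recursivereplies"] == 0)

# Snapshots taken from the test above: before the first run and after it.
BEFORE = """\
total.num.queries=0
total.num.cachehits=0
total.num.cachemiss=0
total.num.recursivereplies=0
"""
AFTER_RUN1 = """\
total.num.queries=1789872
total.num.cachehits=1789872
total.num.cachemiss=0
total.num.recursivereplies=0
"""
# Constructed: two lookups of an external name, the first one a miss that recursed.
AFTER_EXTERNAL = """\
total.num.queries=1789874
total.num.cachehits=1789873
total.num.cachemiss=1
total.num.recursivereplies=1
"""

if __name__ == "__main__":
    print("run 1 served locally:", served_locally(BEFORE, AFTER_RUN1))
    print("external lookup served locally:", served_locally(AFTER_RUN1, AFTER_EXTERNAL))
```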
     223
== Hosts test Data ==
Let's do the same, with the records added to the `/etc/hosts` file and the local DNS disabled:

{{{
cat /etc/resolv.conf
nameserver 213.133.99.99
nameserver 213.133.100.100
nameserver 213.133.98.98
}}}

{{{#!shell
time dig +noall www.mypdns.org

real    0m1,031s
user    0m0,021s
sys     0m0,008s
}}}

{{{#!shell
time dig +noall www.mypdns.org

real    0m0,026s
user    0m0,015s
sys     0m0,012s
}}}

=== Test command Hosts ===
{{{#!shell
time while read -r line; do getent ahosts "$line"; done < output/domains/ACTIVE/list
}}}

==== 1. Hosts test ====

{{{#!shell
real    9411m8,908s
user    8732m51,608s
sys     675m54,859s
}}}

==== 2. Hosts test ====
Due to the time consumed by this test, there won't be a second test run, and the time difference speaks loudly for itself.

=== New Unbound test ===
As noticed later in the original thread where [user:spirillen] originally published this simplified test, there is in fact an issue with using dig to test hosts files (dig sends its queries straight to a DNS server and never consults `/etc/hosts`), therefore I'm starting a third test of unbound with the same test command as used for the hosts file.

{{{#!shell
time while read -r line; do getent ahosts "$line"; done < output/domains/ACTIVE/list
}}}

  Result::
    {{{#!shell
    real    98m8,897s
    user    48m50,247s
    sys     49m41,709s
    }}}

==== Unbound test with wget ====
  Test command::
{{{#!shell
time wget --no-config --spider -4 --delete-after -i output/domains/ACTIVE/list
}}}

  Test result::
{{{#!shell
real    7m5,683s
user    1m58,984s
sys     2m43,794s
------------------------

------------------------
real    6m53,000s
user    1m58,163s
sys     2m42,103s
}}}

As this "quick" and dirty test shows, there are several good reasons to consider switching to a [wiki:DnsResolver DNS Resolver] like Unbound on Windows and Apple.

== Note for Apple OS ==
I've come across a site that stated there should be a prebuilt package of unbound. It should be possible to install it with `brew install unbound`.