Open bcookatpcsd opened 2 years ago
So if I understand you right, you think it is not necessary to prefetch this domain, since it is on the black list?
(rhetorically..) what result are you prefetching?
(developer.mozilla.com) - dns-prefetch helps developers mask DNS resolution latency.
I don't think there is any resolution which requires a recursive answer. The answer is fixed, and the query is denied.
Blocky I think is doing minimal work to (scanning and comparing array results - all locally) vs anything remotely..
Prefetching previously denied answers to store them in a different array to be able to answer quicker; correct, I do not think it is necessary to prefetch a blocked query..
OT, I did set prefetching to false
blocking:
  blockType: zeroIP
  blockTTL: 5m
  refreshPeriod: 24h
  blackLists:
    ads:
      - https://dblw.oisd.nl/basic/
      - https://hosts.oisd.nl/basic/
      - https://raw.githubusercontent.com/notracking/hosts-blocklists/master/dnscrypt-proxy/dnscrypt-proxy.blacklist.txt
      - https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
      - https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/dnscrypt/spy.txt
      - https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  whiteLists:
    ads:
      - /etc/blocky/whitelist.txt
  clientGroupsBlock:
    default:
      - ads
port: 53
httpPort: 127.0.0.1:4000
bootstrapDns: tcp+udp:45.90.28.0
filtering:
  queryTypes:
    - AAAA
    - HTTPS
    - ANY
caching:
  minTime: 5m
  maxTime: 30m
  prefetching: false
logLevel: info
dblw.oisd.nl is wildcards.. I've not spent any time looking at if blocky works with wildcards..
I'm not saying it's a problem, I didn't know blocky would want to prefetch a blocked answer.. and then I didn't understand why it came from 'default'.. which is what I was originally trying to determine.. "are my ACL's working.., nothing should be using that default entry.."
Hope this helps.. (again) thanks in advance.
Regarding the wildcard in blacklists: it is not supported. You can either use the hosts format or regex (within "/"), see https://0xerr0r.github.io/blocky/configuration/#regex-support
Regarding the prefetching of always blocked entries -> in your example, yes, it doesn't make sense to prefetch the entry, since it is always on the black list. Prefetching has no user/client context information, so if an entry is only blocked for a client A, it should be prefetched, because it is on a whitelist for the user B.
I think we should check if the entry is always blocked and not prefetch those entries.
Thank you sir..
sorry to hijack this with a regex question..
assuming the 'allowlist' and 'blocklist' work with regex entries.. that listed example only says block..
I didn't find that regex example when reading the docs.. and had problems with the wildcards.. (not being supported) is what I came up with as well.. and assumed no regex was supported.. just wildcards aren't.. ok.. thank you for the clarification..
So..
/media.domain.(com|net)$/
Would match blahmedia.domain.com or blahmedia.domain.net as well as www.blahmedia.com and www.blahmedia.net
/^media.domain.(com|net)$/
only media.domain.com and only media.domain.net would be matched
right?
Thank you in advance
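Added example, not part of the thread or of blocky's code: a Go check of how the two patterns asked about above behave against a set of constructed host names, plus a third variant with escaped dots. It assumes a `/…/` list entry is compiled with Go's `regexp` package and matched unanchored against the lower-cased query name; `compileEntry`, `matches` and `sampleNames` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// compileEntry turns a list entry written as /regex/ into a compiled pattern.
// Assumption: the text between the slashes is used as an unanchored Go regexp.
func compileEntry(entry string) (*regexp.Regexp, error) {
	if len(entry) < 3 || !strings.HasPrefix(entry, "/") || !strings.HasSuffix(entry, "/") {
		return nil, fmt.Errorf("not a /regex/ entry: %q", entry)
	}
	return regexp.Compile(entry[1 : len(entry)-1])
}

// matches returns the names from candidates that the entry matches.
func matches(entry string, candidates []string) ([]string, error) {
	re, err := compileEntry(entry)
	if err != nil {
		return nil, err
	}
	var hit []string
	for _, name := range candidates {
		if re.MatchString(strings.ToLower(strings.TrimSuffix(name, "."))) {
			hit = append(hit, name)
		}
	}
	return hit, nil
}

// Constructed sample names; none come from a real list.
var sampleNames = []string{
	"media.domain.com", "media.domain.net", "blahmedia.domain.com",
	"www.blahmedia.com", "mediaXdomain.com", "media.domain.com.example.org",
}

func main() {
	for _, entry := range []string{
		`/media.domain.(com|net)$/`,    // from the thread: no start anchor
		`/^media.domain.(com|net)$/`,   // from the thread: anchored, dots unescaped
		`/^media\.domain\.(com|net)$/`, // added variant: dots escaped
	} {
		hit, err := matches(entry, sampleNames)
		fmt.Println(entry, "->", hit, err)
	}
}
```

On an allowlist, both the missing `^` and the unescaped `.` widen the set of names that bypass blocking, so the third form is the narrowest of the three.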
I saw this in the logs:
[2022-05-22 19:21:35] ERROR can't prefetch 'lcprd1.samsungcloudsolution.net' can't resolve request via upstream server 127.0.0.1:52: read udp 127.0.0.1:16898->127.0.0.1:52: read: connection refused
and was happy to see the prefetch entry.. but
(if there is a better way to do ACL's - please let me know)
So prefetching works from the default entry..
I added an entry for 127.0.0.1/32 as that's where prefetch seems to come from..
So the oddity/casualty seems to be that entry never should have been included in the prefetch..
This is by no means a problem, it just was not what I was expecting.
Thank you in advance.