<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div dir="ltr">
<div dir="ltr">
<div>Hi,</div>
<div> I'm in the process of tuning my dns server
configuration and starting to blackhole some categories of
domains, in order to block ads, scams, malware, ransomware
& more... <br>
</div>
<div>I've been inspired by the piHole project [0]<br>
</div>
<div><br>
</div>
<div>I've implemented my blackhole using the directive
"local-zone", basically making unbound authoritative for those
malicious/unwanted domains, i.e.:<br>
</div>
<div><br>
</div>
<div>local-zone: "spam.com" redirect<br>
local-data: "spam.com A 0.0.0.0"<br>
</div>
<div><br>
</div>
<div>as per documentation [1] :</div>
<div>
<pre class="gmail-man"><b>local-zone:</b> <i>&lt;zone&gt;</i> <i>&lt;type&gt;</i>
Configure a local zone. The type determines the answer to give
if there is no match from local-data. The types are deny,
refuse, static, transparent, redirect, nodefault, typetransparent,
inform, inform_deny, inform_redirect, always_transparent,
always_refuse, always_nxdomain, noview, and are explained below.
After that the default settings are listed. Use local-data: to
enter data into the local zone. Answers for local zones are
authoritative DNS answers. By default the zones are class IN.</pre>
</div>
<div><br>
</div>
<div>
<div>The blackhole conf file I've produced now counts 835.133
zones <br>
</div>
<div><br>
</div>
<div>
<div># fgrep -c local-zone
/etc/unbound/local.d/blocklist.conf <br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<div>you can find at the url:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="http://goodfellow.it/blackhole.conf.xz">http://goodfellow.it/blackhole.conf.xz</a></div>
<br>
<div>and btw it is working great with the default unbound
configuration on Fedora with the latest version:<br>
</div>
<div><br>
</div>
<div>Version 1.9.1<br>
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
1.1.1b FIPS 26 Feb 2019<br>
<br>
</div>
<div><br>
</div>
<div>I'm only surprised by the memory consumption of this
configuration:</div>
<div><br>
</div>
<div># cat /proc/25276/status <br>
Name: unbound<br>
Umask: 0022<br>
State: S (sleeping)<br>
Tgid: 25276<br>
Ngid: 0<br>
Pid: 25276<br>
PPid: 1<br>
TracerPid: 0<br>
Uid: 995 995 995 995<br>
Gid: 991 991 991 991<br>
FDSize: 128<br>
Groups: 991 <br>
NStgid: 25276<br>
NSpid: 25276<br>
NSpgid: 25276<br>
NSsid: 25276<br>
VmPeak: 7413084 kB<br>
VmSize: 7347548 kB<br>
VmLck: 0 kB<br>
VmPin: 0 kB<br>
VmHWM: 4043688 kB<br>
VmRSS: 4043408 kB<br>
RssAnon: 4036636 kB<br>
RssFile: 6772 kB<br>
RssShmem: 0 kB<br>
VmData: 7140080 kB<br>
VmStk: 148 kB<br>
VmExe: 884 kB<br>
VmLib: 6392 kB<br>
VmPTE: 14004 kB<br>
VmSwap: 16 kB<br>
HugetlbPages: 0 kB<br>
CoreDumping: 0<br>
THP_enabled: 1<br>
Threads: 4<br>
</div>
<div><br>
</div>
<div>Is it expected that with such a configuration unbound
consumes 4GB of RAM?</div>
<div>Is there anything that may be done in order to reduce the
memory consumption?</div>
<div><br>
</div>
<div>Replicating a similar configuration with dnsmasq, with
half of the dataset, consumes just 230MB.</div>
<div><br>
</div>
<div>Am I doing something wrong, or can my goal be achieved in
a more resource-effective way?</div>
<div><br>
</div>
<div>Thanks for the clarifications you may provide</div>
<div><br>
</div>
<div>
<div>[0] <a
href="https://docs.pi-hole.net/main/prerequesites/#hardware"
moz-do-not-send="true">https://docs.pi-hole.net/main/prerequesites/#hardware</a>
</div>
<div>[1] <a
href="https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/"
moz-do-not-send="true">https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/
</a></div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Andrea<br>
</div>
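<div><br>
</div>
<div>Added example, not part of Andrea's message and not unbound's own tooling: a small Python script that turns a hosts-style or bare-domain blocklist into the local-zone statements discussed above. It drops every name whose parent domain is already listed (a redirect or always_nxdomain zone answers for all names below it, so a separate zone for the child only adds to the zone count), and it rejects entries that are not valid hostnames, so a third-party list cannot slip quotes or other unbound.conf syntax into the generated file. The sample blocklist, the HOSTS_NOISE set and all function names are constructed for this example.</div>

```python
import re

# Constructed sample input: hosts-file lines (sink address + name), bare
# domains, comments and the usual hosts-file noise, plus one bad entry.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
0.0.0.0 ads.example.com
0.0.0.0 tracker.ads.example.com   # covered by ads.example.com
127.0.0.1 malware-example.net
phish.example.org
www.phish.example.org.
0.0.0.0 localhost
bad"quote.example   # rejected: not a valid hostname
"""

# Names that hosts files carry but that must never become blackhole zones
# (constructed list for this example).
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, no leading or
# trailing hyphen; the whole name is limited to 253 characters.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def valid_hostname(name):
    """True only for names that are safe to place inside a quoted local-zone."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_blocklist(text):
    """Return the set of valid, lower-cased domains found in a blocklist."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        # hosts-file style: first field is the sink address, the rest are names
        names = fields[1:] if len(fields) > 1 else fields
        for name in names:
            name = name.lower().rstrip(".")
            if name in HOSTS_NOISE or not valid_hostname(name):
                continue
            domains.add(name)
    return domains


def collapse_zones(domains):
    """Drop every domain whose parent domain is also blocked: the parent's
    local-zone already answers for all names below it."""
    kept = set()
    # shortest names first, so parents are decided before their children
    for name in sorted(domains, key=lambda d: d.count(".")):
        labels = name.split(".")
        parents = (".".join(labels[i:]) for i in range(1, len(labels)))
        if not any(p in kept for p in parents):
            kept.add(name)
    return sorted(kept)


def render_unbound(zones, mode="redirect", sink="0.0.0.0"):
    """Emit unbound local-zone statements. "redirect" reproduces the two-line
    form from the message; "always_nxdomain" (also listed in the quoted man
    page excerpt) needs no local-data line at all."""
    out = []
    for zone in zones:
        if mode == "redirect":
            out.append(f'local-zone: "{zone}" redirect')
            out.append(f'local-data: "{zone} A {sink}"')
        elif mode == "always_nxdomain":
            out.append(f'local-zone: "{zone}" always_nxdomain')
        else:
            raise ValueError(f"unsupported mode: {mode}")
    return "\n".join(out) + "\n"


def build_config(text, mode="redirect"):
    """Blocklist text in, unbound config fragment out."""
    return render_unbound(collapse_zones(parse_blocklist(text)), mode)


def count_zones(config_text):
    """Same figure as `fgrep -c local-zone` on the generated file."""
    return sum(1 for line in config_text.splitlines() if "local-zone" in line)


if __name__ == "__main__":
    cfg = build_config(SAMPLE_BLOCKLIST)
    print(cfg, end="")
    print(f"# {count_zones(cfg)} zones")
```

<div>Run as-is it emits three zones from the seven sample lines: the two subdomains fold into their parents and the invalid entry is refused. For a real list, pass the file contents to build_config and compare count_zones with the fgrep count from the message to see how many of the listed zones were redundant.</div>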
</div>
</div>
</div>
</body>
</html>