Lynx
882
Try disabling blocklist compression (assuming your router has sufficient free memory) and using the force option mentioned above. Surely the restart is just seconds then, no?
Otherwise I can’t see how the dedicated PiHole would help.
I'll try disabling blocklist compression and random delay and see if that alleviates the issue. However, could you explain how setting the force option will aid this issue?
Sorry, I'm not sure how to set up the force option... it seems a bit confusing as to how to set it up correctly... Currently I've disabled blocklist compression and random delay to test out the downtime at 5AM, and the whole dnsmasq restarting process takes around a minute. Currently my scraper doesn't face any downtime, but checking Event Viewer on Windows I get these logs:
Name resolution for the name mobile.events.data.microsoft.com timed out after none of the configured DNS servers responded.
Indicating the downtime for the DNS server but so far it's stable...
You can use LuCI to go to Network, Interfaces, LAN (edit), Advanced Settings, “Force DHCP on this network even if another server is detected.”
Should I set up DHCP-Options as well, or is the tick box enough? What does forcing effectively do? Does it provide clients with different DNS servers?
The tick box is enough to eliminate the extra check for another DHCP server on the LAN. It will shave a couple seconds off the dnsmasq restart time, but not really address the problem you’re reporting (not really a problem, but a requirement for almost 100% dns uptime).
Thanks a lot! I'll report my findings.
Lynx
890
Is that the total time for only the dnsmasq restart? If so that seems to me a little excessive.
As mentioned we could add an optional nftables hijack to temporarily divert over to a configurable DNS resolver.
@dave14305 I don’t suppose you’d have an idea about the relevant nft calls to add / remove the appropriate hijack rule?
From the time adblock says dnsmasq restarting to the time adblock says dnsmasq restart finished is about 1 minute.
Okay, so it looks like even with force DHCP enabled it takes about a minute for dnsmasq to restart entirely, based on what adblock-lean shows in the logs.
Mon May 27 05:00:00 2024 cron.err crond[32001]: USER root pid 7238 cmd /etc/init.d/adblock-lean enabled && export RANDOM_DELAY="0" && /etc/init.d/adblock-lean start
Mon May 27 05:00:00 2024 user.notice adblock-lean: Started adblock-lean.
Mon May 27 05:00:00 2024 user.notice adblock-lean: Exporting and saving existing uncompressed blocklist.
Mon May 27 05:00:14 2024 user.notice adblock-lean: No local blocklist identified.
Mon May 27 05:00:14 2024 user.notice adblock-lean: Downloading new blocklist file part(s).
Mon May 27 05:00:14 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt.
Mon May 27 05:00:18 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/pro.txt suceeded (downloaded file size: 4309 KB; line count: 160796).
Mon May 27 05:00:18 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:00:30 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:00:38 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/tif.txt.
Mon May 27 05:00:40 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/tif.txt failed.
Mon May 27 05:00:40 2024 user.notice adblock-lean: Sleeping for 5 seconds after failed download attempt.
Mon May 27 05:00:45 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/tif.txt.
Mon May 27 05:01:00 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/tif.txt suceeded (downloaded file size: 18982 KB; line count: 709578).
Mon May 27 05:01:00 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:01:53 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:27 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.winoffice.txt.
Mon May 27 05:02:28 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.winoffice.txt suceeded (downloaded file size: 5 KB; line count: 110).
Mon May 27 05:02:28 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:28 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:28 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.apple.txt.
Mon May 27 05:02:29 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.apple.txt suceeded (downloaded file size: 1 KB; line count: 18).
Mon May 27 05:02:29 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:29 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:29 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.amazon.txt.
Mon May 27 05:02:29 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.amazon.txt suceeded (downloaded file size: 8 KB; line count: 228).
Mon May 27 05:02:29 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:29 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:30 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.huawei.txt.
Mon May 27 05:02:30 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.huawei.txt suceeded (downloaded file size: 4 KB; line count: 88).
Mon May 27 05:02:30 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:30 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:30 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.oppo-realme.txt.
Mon May 27 05:02:31 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.oppo-realme.txt suceeded (downloaded file size: 11 KB; line count: 296).
Mon May 27 05:02:31 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:31 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:31 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.tiktok.extended.txt.
Mon May 27 05:02:32 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.tiktok.extended.txt suceeded (downloaded file size: 15 KB; line count: 409).
Mon May 27 05:02:32 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:32 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:32 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.vivo.txt.
Mon May 27 05:02:33 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.vivo.txt suceeded (downloaded file size: 4 KB; line count: 85).
Mon May 27 05:02:33 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:33 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:33 2024 user.notice adblock-lean: Downloading new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.xiaomi.txt.
Mon May 27 05:02:34 2024 user.notice adblock-lean: Download of new blocklist file part from: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/dnsmasq/native.xiaomi.txt suceeded (downloaded file size: 12 KB; line count: 356).
Mon May 27 05:02:34 2024 user.notice adblock-lean: Sanitizing blocklist file part.
Mon May 27 05:02:34 2024 user.notice adblock-lean: Checking for any rogue elements.
Mon May 27 05:02:34 2024 user.notice adblock-lean: Successfully generated preprocessed blocklist file with 871964 line(s).
Mon May 27 05:02:34 2024 user.notice adblock-lean: No local allowlist identified.
Mon May 27 05:02:34 2024 user.notice adblock-lean: Removing duplicates and forming new preprocessed blocklist file.
Mon May 27 05:03:17 2024 user.notice adblock-lean: Processed blocklist file size: 22298 KB.
Mon May 27 05:03:17 2024 user.notice adblock-lean: Performing dnsmasq --test on the processed blocklist.
Mon May 27 05:03:29 2024 user.notice adblock-lean: dnsmasq --test output: dnsmasq: syntax check OK.
Mon May 27 05:03:29 2024 user.notice adblock-lean: The dnsmasq --test on the processed blocklist passed.
Mon May 27 05:03:29 2024 user.notice adblock-lean: New blocklist file check passed.
Mon May 27 05:03:29 2024 user.notice adblock-lean: Successfully imported new blocklist file for use by dnsmasq with size: 22298 KB.
Mon May 27 05:03:29 2024 user.notice adblock-lean: Restarting dnsmasq.
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: started, version 2.90 cachesize 150
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: DNS service limited to local subnets
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-nftset no-auth no-cryptohash no-DNSSEC no-ID loop-detect inotify dumpfile
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: UBus support enabled: connected to system bus
Mon May 27 05:03:42 2024 daemon.info dnsmasq-dhcp[1]: DHCP, IP range 192.168.0.100 -- 192.168.0.249, lease time 12h
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzzzzzzzzzzz.no-ip.biz
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzzzzzzzzzz.com
Mon May 27 05:03:42 2024 daemon.info dnsmasq[1]: using 832005 more local addresses
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using nameserver 213.42.20.20#53
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using nameserver 195.229.241.222#53
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzzzzzzzzzzz.no-ip.biz
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using only locally-known addresses for zzzzzzzzzzzzz.com
Mon May 27 05:04:04 2024 daemon.info dnsmasq[1]: using 832005 more local addresses
Mon May 27 05:04:27 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Mon May 27 05:04:27 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 3 names
Mon May 27 05:04:27 2024 daemon.info dnsmasq[1]: read /tmp/hosts/odhcpd - 2 names
Mon May 27 05:04:27 2024 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Mon May 27 05:04:27 2024 user.notice adblock-lean: Restart of dnsmasq completed.
Mon May 27 05:04:27 2024 user.notice adblock-lean: Checking dnsmasq instance.
Mon May 27 05:04:27 2024 user.notice adblock-lean: The dnsmasq check passed with new blocklist file.
Mon May 27 05:04:27 2024 user.notice adblock-lean: New blocklist installed with good line count: 832006.
Mon May 27 05:04:29 2024 user.notice adblock-lean: The locally installed adblock-lean is the latest version.
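As an added example (not part of the thread and not adblock-lean's own code), a small script that pulls the phase timings out of a logread capture like the one above, so the DNS outage window (from "Restarting dnsmasq." to "Restart of dnsmasq completed.") can be measured instead of eyeballed. The sample log embedded below is constructed from the milestone lines of that run.

```shell
#!/bin/sh
# Added example: measure each phase of an adblock-lean run from syslog output.
# Assumes the logread timestamp format shown in the thread and a run that does
# not cross midnight (timestamps are reduced to seconds since 00:00).

# Constructed sample: only the milestone lines, timestamps taken from the thread.
SAMPLE_LOG='Mon May 27 05:00:00 2024 user.notice adblock-lean: Started adblock-lean.
Mon May 27 05:00:14 2024 user.notice adblock-lean: Downloading new blocklist file part(s).
Mon May 27 05:02:34 2024 user.notice adblock-lean: Removing duplicates and forming new preprocessed blocklist file.
Mon May 27 05:03:17 2024 user.notice adblock-lean: Performing dnsmasq --test on the processed blocklist.
Mon May 27 05:03:29 2024 user.notice adblock-lean: Restarting dnsmasq.
Mon May 27 05:04:27 2024 user.notice adblock-lean: Restart of dnsmasq completed.'

# phase_durations: read log text on stdin, print "<phase> <seconds>" per phase.
phase_durations() {
    awk '
    # field 4 is HH:MM:SS in logread output
    function secs(   t) { split($4, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }
    /adblock-lean: Started adblock-lean/                     { start   = secs() }
    /adblock-lean: Downloading new blocklist file part\(s\)/  { dl      = secs() }
    /adblock-lean: Removing duplicates/                      { dedup   = secs() }
    /adblock-lean: Performing dnsmasq --test/                { chk     = secs() }
    /adblock-lean: Restarting dnsmasq\./                     { restart = secs() }
    /adblock-lean: Restart of dnsmasq completed/             { fin     = secs() }
    END {
        if (dl && dedup)     printf "download_and_sanitize %d\n", dedup - dl
        if (dedup && chk)    printf "dedup %d\n", chk - dedup
        if (chk && restart)  printf "dnsmasq_test %d\n", restart - chk
        # the restart window is the time clients get no DNS answers from the router
        if (restart && fin)  printf "dnsmasq_restart %d\n", fin - restart
        if (start && fin)    printf "total %d\n", fin - start
    }'
}

# dns_outage_seconds: just the restart window, the number that matters for uptime.
dns_outage_seconds() {
    phase_durations | awk '$1 == "dnsmasq_restart" { print $2 }'
}

# On a router: logread | phase_durations
printf '%s\n' "$SAMPLE_LOG" | phase_durations
```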
Lynx
893
Seems slow to me. On my RT3200 it takes under thirty seconds, and that’s even with compression and without force. What device and OpenWrt version are you running?
RT-AX53U, OpenWrt 23.05.3 r23809-234f1a2efa
If it helps as a point of reference for dnsmasq restart time: R7800 with approx 860k block entries, no force DHCP and no compression, approx 19 seconds.
Lynx
896
I see from my own DNS hijack rule in LuCi:
that the correspondingly generated firewall chain looks like:
chain dstnat_guest {
meta nfproto ipv4 tcp dport 53 ether saddr { XX:XX:XX, YY:YY:YY } counter packets 0 bytes 0 dnat ip to 8.8.8.8:53 comment "!fw4: GUEST-TVs-Intercept-DNS"
meta nfproto ipv4 udp dport 53 ether saddr { XX:XX:XX, YY:YY:YY } counter packets 25030 bytes 1835646 dnat ip to 8.8.8.8:53 comment "!fw4: GUEST-TVs-Intercept-DNS"
}
And so I suppose we could have adblock-lean inject something like /root/adblock-lean/nft.rules:
# DNS resolver to use whilst dnsmasq is restarting
define DNS_RESOLVER = 1.1.1.1
table inet adblock-lean {
	chain dstnat_guest {
		# a base chain needs a hook and priority for the dnat to take effect (values assumed)
		type nat hook prerouting priority dstnat; policy accept;
		meta l4proto { tcp, udp } th dport 53 dnat ip to $DNS_RESOLVER:53
	}
}
whilst the dnsmasq restart is pending, thereby obviating any DNS downtime whatsoever?
@dave14305 would something like this likely work in a generic sense for everyone?
I wouldn’t recommend it for everyone. It gets complicated. For example, you personally have at least a LAN and Guest interface to consider. How to deal with multiple interfaces? There may be existing DNS intercept rules. What nft hook and priority to use? You have to deal with IPv6 queries as well.
Lynx
898
OK thanks. Seems that we should drop this idea.
@Azuriye regarding why your RT-AX53U takes so much longer:
https://openwrt.org/toh/asus/rt-ax53u
than say @Wizballs's R7800:
https://openwrt.org/toh/netgear/r7800
I suppose the processor is slightly weaker?
Here is a suggestion for dealing with the dnsmasq downtime.
You could set up a DNS hijack rule - see:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns
to redirect all DNS queries to 1.1.1.1.
And make it operate between say 5am and 6am (the time window in which adblock-lean operates) by having the hijack rule match on mark under advanced settings:
and then creating a separate firewall rule to apply that mark only during the 5am to 6am time window.
All of this could be done from the LuCi firewall GUI.
Is it possible to maybe make a DNS hijack rule and keep it disabled, and run a scheduled task which uses uci to enable and commit it at 5AM, then do the same in reverse at 6AM?
Lynx
900
I’d go with the recipe I outlined above.
Any idea how to make a firewall rule which is time-based and use it to match a mark? Seems new to me and I can't seem to find anything relevant online...
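As an added example (not posted in the thread), the recipe outlined above expressed as a uci batch for fw4 on OpenWrt 23.05: a time-windowed rule that sets a firewall mark on DNS traffic between 05:00 and 06:00, and a redirect that only matches packets carrying that mark. The section names, the mark value 0x10, the lan zone and the 1.1.1.1 resolver are assumptions; a guest zone would need its own pair of entries, which is the multi-interface complication raised earlier.

```shell
#!/bin/sh
# Added example: time-windowed DNS hijack via mark + redirect, as a uci batch.
# fw4 applies target MARK in mangle/prerouting, which runs before dstnat, so the
# redirect sees the mark. start_time/stop_time use the router's local time unless
# utc_time is set on the rule.

DNS_RESOLVER="1.1.1.1"   # assumed upstream resolver used during the window
MARK="0x10"              # assumed mark value; must not collide with existing marks
WINDOW_START="05:00:00"
WINDOW_STOP="06:00:00"

# Print the uci commands rather than applying them, so they can be reviewed.
dns_hijack_uci_batch() {
    cat <<EOF
set firewall.abl_mark=rule
set firewall.abl_mark.name='adblock-lean-window-mark'
set firewall.abl_mark.src='lan'
set firewall.abl_mark.proto='tcp udp'
set firewall.abl_mark.dest_port='53'
set firewall.abl_mark.start_time='$WINDOW_START'
set firewall.abl_mark.stop_time='$WINDOW_STOP'
set firewall.abl_mark.target='MARK'
set firewall.abl_mark.set_mark='$MARK'
set firewall.abl_dns=redirect
set firewall.abl_dns.name='adblock-lean-window-dns-hijack'
set firewall.abl_dns.src='lan'
set firewall.abl_dns.proto='tcp udp'
set firewall.abl_dns.src_dport='53'
set firewall.abl_dns.dest_ip='$DNS_RESOLVER'
set firewall.abl_dns.dest_port='53'
set firewall.abl_dns.mark='$MARK'
set firewall.abl_dns.target='DNAT'
commit firewall
EOF
}

# On the router: feed the batch to uci, then reload fw4 so the rules take effect.
apply_dns_hijack() {
    command -v uci >/dev/null 2>&1 || { echo "uci not found: not an OpenWrt host" >&2; return 1; }
    dns_hijack_uci_batch | uci batch && /etc/init.d/firewall reload
}

# Review the generated commands; run apply_dns_hijack on the router to install them.
dns_hijack_uci_batch
```

Rule and redirect are both shown afterwards in the LuCI firewall pages, where the mark and time fields can be adjusted without editing the file by hand.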