Adblock slows DNS queries. Is that worth it at that level?

Hi,
I've run some DNS query benchmarks from my PC, and I was surprised to see that adblock significantly slows DNS queries. Hence the questions I have:

  • At these levels (see test below), will it make any difference if I try to optimize adblock or dnsmasq?
  • Do you face the same thing? Could I have incorrectly set up adblock using too many lists? Should I use something faster than dnsmasq?

Thank you for your suggestions!

Technical background:

  • My router is a Xiaomi Mi 3G (MediaTek MT7621 dual core 880MHz), running 18.06.4 with dnsmasq and adblock. I also added a few custom entries in dnsmasq for my local network. Its CPU and RAM usage are fairly low.
  • Probably useless info: my network is gigabit Ethernet, connected to the ISP over fiber via a local modem/router (the 'ISP box').
  • I use the default adblock lists + FR easylist + winspy, so the activated lists are adaway, disconnect, malware, reg_fr, winspy, yoyo, accounting for 35131 entries.

Benchmark results:

dnsmasq alone   |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
Cached Name   | 0,000 | 0,000 | 0,001 | 0,000 | 100,0 |
Uncached Name | 0,008 | 0,041 | 0,253 | 0,065 | 100,0 |
DotCom Lookup | 0,014 | 0,017 | 0,019 | 0,001 | 100,0 |

dnsmasq+adblock   |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
Cached Name   | 0,000 | 0,000 | 0,001 | 0,000 | 100,0 |
Uncached Name | 0,055 | 0,083 | 0,313 | 0,057 | 100,0 |
DotCom Lookup | 0,062 | 0,065 | 0,068 | 0,001 | 100,0 |

ISP (direct)        |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
Cached Name   | 0,000 | 0,000 | 0,001 | 0,000 | 100,0 |
Uncached Name | 0,006 | 0,036 | 0,256 | 0,062 | 100,0 |
DotCom Lookup | 0,013 | 0,015 | 0,017 | 0,001 | 100,0 |

I use unbound (instead of dnsmasq) and there are more than 350,000 blacklisted entries:

~# grep refuse /var/lib/unbound/unbound_srv.conf | wc -l
351339

The average recursion time is around 126ms:

 [1856:0] info: server stats for thread 0: 111577 queries, 81429 answers from cache, 30148 recursions, 905 prefetch, 0 rejected by ip ratelimiting
 [1856:0] info: server stats for thread 0: requestlist max 69 avg 4.02428 exceeded 0 jostled 0
 [1856:0] info: average recursion processing time 0.125649 sec
 [1856:0] info: histogram of recursion processing times
 [1856:0] info: [25%]=0.127329 median[50%]=0.226333 [75%]=0.479697
 [1856:0] info: lower(secs) upper(secs) recursions
 [1856:0] info:    0.000000    0.000001 1603
 [1856:0] info:    0.000256    0.000512 1
 [1856:0] info:    0.000512    0.001024 2
 [1856:0] info:    0.002048    0.004096 1
 [1856:0] info:    0.004096    0.008192 30
 [1856:0] info:    0.008192    0.016384 36
 [1856:0] info:    0.016384    0.032768 13
 [1856:0] info:    0.032768    0.065536 179
 [1856:0] info:    0.065536    0.131072 6015
 [1856:0] info:    0.131072    0.262144 9897
 [1856:0] info:    0.262144    0.524288 5823
 [1856:0] info:    0.524288    1.000000 2700
 [1856:0] info:    1.000000    2.000000 1696
 [1856:0] info:    2.000000    4.000000 997
 [1856:0] info:    4.000000    8.000000 768
 [1856:0] info:    8.000000   16.000000 340
 [1856:0] info:   16.000000   32.000000 43
 [1856:0] info:   32.000000   64.000000 1
 [1856:0] info:   64.000000  128.000000 1

Personally I don't see ad-blocking entries increasing look-up time for dnsmasq or unbound. Contributing slowness is almost always caused by forward requests.

Thanks for the reply. Would you mind comparing DNS query speed with adblock activated and deactivated, using a tool like the well-known DNS benchmark ( https://www.grc.com/dns/benchmark.htm )? It takes just 2-3 min.

Not sure what you expect to see. Your numbers show ~40 ms added time, though with a standard deviation greater than that. The difference is small (and, without knowing the number of sample points, dubious in accuracy) compared to resolution time often 10-100x greater.

GRC is the infamous Shields Up, so I wouldn’t trust their results or some Windows executable from them.

You can most likely shave off a bit by globally disabling MIPS16 and enabling -O2 if you want some "quick hacks".


(Use make menuconfig as the patch only applies to ARM CPUs)

Switching to GCC 8 and Binutils 2.32 probably doesn't hurt either...

Might also wish to do the same change for 4.14 (set 1000 instead of the default 100)

Thanks all for your replies!

Using adblock on both my EdgeRouter-X and J1900 x86 slows down dnsmasq, not sure about unbound.
Check the attached screenshot I made.
Without adblock:
Cached: 0.000, Uncached: 0.083, DotCom: 0.044

Using simple-adblock works fine, no performance penalty.

unbound has an enterprise capable memory model. It will handle huge record sets better than dnsmasq. The unbound design for ".conf" dead static zones also allows it to respond quickly without going through too much trouble. A small adblock download set will show no difference. If you get crazy with additive lists though, you can see the difference.

..or just use something like blocky (Go application - https://github.com/0xERR0R/blocky ) but that probably doesn't fly on most devices running OpenWrt