After more testing, having just around 5 domains is OK during boot, but with 20 or more domains it seems the boot-up hangs.
It seems by the time the firewall is being booted, my WAN is still not up, and since the script tries to resolve the domains via nslookup, this is where it looks like it hung. Based on testing, if there is no network, it takes nslookup around 5 secs before it fails.
So using "5 secs x 100 domains" means it will take 500 secs before the script stops and lets the router continue its boot-up.
There are quite a few issues for IP level content filtering that relies on DNS:
1. Frequent writing on flash can exhaust its resource.
   Runtime configs are stored in tmpfs/RAM that is lost on device restart.
2. Clients can use their own DNS cache at the level of browser/OS.
   Once the domain is resolved, clients might not query the DNS server for some time.
3. Clients can use DoH/DoT at the level of browser/OS.
   Populating the IP sets relies on plain DNS that can be problematic to enforce.
4. DNS records can expire and change.
   The more domains are tracked, the higher the probability of their change.
5. Resolving domains can take time.
   The more domains are tracked, the longer it takes to resolve them.
6. Domains can use CDNs.
   Blocking their CDN can impact unrelated domains served by the same CDN.
The way to solve one of the problems may contradict others.
So, trying to solve all the issues is difficult and likely impossible.
In your case, a possible solution can be replacing the preresolve script with persistent IP sets.
Another option is to install banIP and populate its blocklist with IPs resolved by Dnsmasq.
However that deserves a separate thread.
Thanks.. your script worked.. although I changed it a little bit to store the saved ipsets to my backup flash.. it also saved the ipset of banIP, which is good since I can't find why banIP doesn't load the IP sets during boot; might be because there is lots of stuff loaded on my router.
Why don't you use DNSMASQ ipset instead of resolving domains and adding their IPs in the script? DNSMASQ ipsets work quite gracefully; they are resolved upon request or during downtime. You will need dnsmasq-full for them though.
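The two points raised so far, the boot hang caused by one nslookup timeout per domain and the suggestion to let Dnsmasq fill the IP set itself, can be illustrated with a small POSIX shell example. This is added here and is not the thread's firewall.dnsmasq script nor anything from the Dnsmasq or banIP projects; the set name "blocklist", the probe command and the config path mentioned in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the thread's own script. Two helpers:
#  - gen_dnsmasq_ipset: turn a plain domain list into Dnsmasq "ipset=" lines,
#    so Dnsmasq (dnsmasq-full) adds the resolved addresses to the IP set on
#    each lookup instead of a boot script resolving every domain via nslookup.
#  - wait_for_wan: wait at most MAX_SECONDS for a probe command to succeed,
#    so a boot script gives up once instead of paying one nslookup timeout
#    per domain while the WAN is still down.
# The set name "blocklist" and the probe command are assumptions.

# gen_dnsmasq_ipset SETNAME   (reads domains on stdin, one per line)
# Blank lines and '#' comments are skipped; a trailing dot is removed.
gen_dnsmasq_ipset() {
    set_name="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop spaces and CR
        [ -n "$line" ] || continue                    # skip empty lines
        line=${line%.}                                # "example.com." -> "example.com"
        printf 'ipset=/%s/%s\n' "$line" "$set_name"
    done
}

# wait_for_wan PROBE_CMD MAX_SECONDS
# Runs PROBE_CMD once per second; returns 0 as soon as it succeeds and 1 after
# MAX_SECONDS without success. On a router PROBE_CMD could be something like
# "nslookup openwrt.org" (assumption); the caller skips the preresolve step on 1.
wait_for_wan() {
    probe="$1"; max="$2"; waited=0
    while [ "$waited" -lt "$max" ]; do
        if $probe >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Stand-alone demonstration with a constructed domain list (run with "demo").
if [ "${1:-}" = "demo" ]; then
    printf 'example.com\n# temporary ban\ngames.example.net.\n' | gen_dnsmasq_ipset blocklist
    wait_for_wan "false" 2 || echo "WAN probe timed out after 2s; skipping DNS preresolve"
fi
```

The generated lines go into a file Dnsmasq reads (on OpenWrt, /etc/dnsmasq.conf is one such file; treat the exact path as an assumption for your setup). Dnsmasq only adds entries to a set that already exists, so the set still has to be created, for example by the firewall configuration, before Dnsmasq starts; the bounded wait is what keeps a script like the one in this thread from stalling the boot for "5 secs x N domains" when the WAN is not yet up.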
That is already my current setup. And I'm not sure if you were replying to another topic I created that was related to my setup with IPSET DNS (about using UNBOUND), but that is literally on another topic.
Ohh, a little miscommunication on both of us, ahahaha. Anyway, I'll be looking into the ipset option of DNSMASQ.. maybe it can be incorporated into the IPSET DNS wiki.
@AcidSlide, thanks, this is a known issue #4, I updated the scripts.
However, note that flushing IP sets can lead to issues #2 and #5.
So, traffic can leak to cached subdomains whose IP doesn't match the parent domain.
@stangri, unfortunately, the built-in IP sets in Dnsmasq are not supported by LuCI.
Minor code optimization vs. a web interface to edit domains: the latter is preferable in the general case.
Those who don't need a web interface are skilled enough and free to utilize the built-in feature.
#2 is fully taken care of by my setup; outside DNS has already been blocked on my internal network.
For #4 I've also done a daily refresh using the sh /etc/firewall.dnsmasq script.
#5 I know is a potential issue, but I also don't plan on creating a big list.. most of them are actually just temporary banning for the kids; most of the other, more generic blocking is via adblock.
Wow... thanks! I'll check this out as soon as I can. Looking at the script, this was something I was trying to do ahahahaha.. your code looks so much better and simpler.