REDIR - Unbound DNS for Adblock

This article introduces REDIR, aka "redirection module", an extension to Unbound DNS that I have developed for very quickly answering queries of blocked domains (ads, trackers, malware sites and etc) and requires little extra resources. For example, a fresh instance of Unbound with REDIR enabled occupies less than six Mbyte RAM.

Background

Two commonly used DNS servers for adblock are DNSmasq and Unbound. As we know, DNSmasq is a lightweight DNS forwarder with simple caching. Unbound is a lightweight caching and recursive DNS resolver. You could run Unbound in forwarder mode only (for saving local resources) and exploit its excellent caching capability.

Using Unbound for Adblock, people usually generate blocked domains as "local-data/local-zone." Unbound does a good job in storing minimal data in such way. However, if you have a few hundred thousands of blocked entries, the amount of required memory is non-trivial. On small embedded devices (such as SOHO routers), perhaps you'll have to trade off between the number of entries and an robust system. Personally I could always sacrifice on advertisements. But I could hardly let go malware sites. REDIR module for Unbound is a slim and fast solution to this problem.    

REDIR - Redirection Module

The "redirection module" implements in C same as Unbound and follows Unbound's internal module architecture. Externally the module interfaces with your personal instance of Redis In-memory database that stores the blocked domains. Redis is very fast and compact. REDIR queries Redis. If a domain is blocked, then it generates a DNS record on the fly and return to Unbound core. REDIR not only can quickly answer the blocked domain but also all its sub-domains. For example, if you have "doubleclock.net" blocked, so will be "www.doubleclock.net", "track.doubleclock.net", "metrics.doubleclock.net" and etc without incurring additional memory consumption.

How does it all work together? It's simple. When Unbound receives a DNS query, internally it performs some checks and then the query will reach REDIR. The redirection module asks Redis database if the domain is blocked. On positive answers, REDIR prepares a valid DNS record of a user-configurable IP address and returns to Unbound core. All processing of the query ends here. On negative answers from Redis, the redirection module signals to Unbound core and Unbound continues its resolving work either by itself or asking an upstream DNS server (as in forwarder mode).

REDIR is super fast. On a dual-core 800MHz ARM Cortex-A9 machine, by today's standard a low-end home router, it takes 1ms or less to serve a query on blocked domains. The speed on single core scales nicely with faster clock. With multiple cores, REDIR benefits from Unbound's multi-threaded architecture and scales with it nicely as well.

REDIR - Usage

[to be updated]

Why would you want to use REDIR?

REDIR is

  • super fast and very light on resources
  • multi-threaded (because Unbound is multi-threaded)
  • segregation between Unbound (core data and functionality) and junk data for adblock and etc
  • able to let blocked domains be updated at any time without a single-second of down time in Unbound
  • able to easily block or unblock a domain, a set of domains, top-level domains or even the whole Internet any time in less than the blink of an eye. Again with zero down time in Unbound

Source Codes

[to be updated]

comments powered by Disqus