Recently our subscribers began complaining that our DNS blacklists were no longer importing with the latest version of RouterOS.
We had to change name= to regexp= in our scripts because we block the topdomain.com as well as all subdomains in our blacklists, which we did with little effort. The issue, however, is that we are unable to import our lists because something is broken in RouterOS now. Do you guys even test this stuff before rolling out changes? Well, I don't know how to say this in a constructive way, because I am so furiously pissed off at you right now, MikroTik, that it is difficult to even type correctly when posting this message.
I thought I should come here before I go on our blog publicly speaking about the issue and, justifiably, bashing you for causing a problem when in fact my problem may be something I simply do not understand at the moment. I thought that I would come here and give you the chance to correct the problem in RouterOS, or at least inform me if I'm the one to blame here. The sooner we get this fixed right, the better.
As such, we would be happy to provide your engineers access to our blacklists for testing purposes so that you can see there is definitely a problem or problems with large lists. Lists that used to load, 4000-10000 entries, now will not load at all now that we are using regex. We don't even get an error in the system log half the time, which is another issue. It just simply stops importing; sometimes it'll tell us regex too complex, and it does this at random! There are issues with our list formatting, but we are also absolutely positive there are bugs in RouterOS. We will reach out in this thread to try and correct our regex formatting issues and bring to light some of the actual bugs.
OK, so this is what we started with: a straight conversion from name to regex, and presumably it's choking on all of the unescaped dots.
# TiK-DNS-Ads: Blacklist compiled by SquidBlacklist.org 09-29-2016. -MADE IN USA-
# Blacklists by Squidblacklist.org are licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
:log info "tik dns ads blacklist script import started"
:local redirectIP "127.0.0.1"
/ip dns static remove [find comment="sbl ads"]
/ip dns static
add regexp=.*004.frnl.de address="$redirectIP" comment="sbl ads"
add regexp=.*01s.net address="$redirectIP" comment="sbl ads"
add regexp=.*01viral.com address="$redirectIP" comment="sbl ads"
add regexp=.*039068a.dialer-select.com address="$redirectIP" comment="sbl ads"
add regexp=.*0427d7.se address="$redirectIP" comment="sbl ads"
add regexp=.*0702.de address="$redirectIP" comment="sbl ads"
add regexp=.*0ca.net address="$redirectIP" comment="sbl ads"
add regexp=.*0day.kiev.ua address="$redirectIP" comment="sbl ads"
add regexp=.*0gee.com address="$redirectIP" comment="sbl ads"
add regexp=.*100-100.ru address="$redirectIP" comment="sbl ads"
add regexp=.*100free.com address="$redirectIP" comment="sbl ads"
add regexp=.*100free.nl address="$redirectIP" comment="sbl ads"
add regexp=.*100suelle.com address="$redirectIP" comment="sbl ads"
add regexp=.*101com.com address="$redirectIP" comment="sbl ads"
add regexp=.*101order.com address="$redirectIP" comment="sbl ads"
add regexp=.*10central.com address="$redirectIP" comment="sbl ads"
add regexp=.*1100ad.de address="$redirectIP" comment="sbl ads"
And for your testing purposes, here is the latest release of our ads blacklist, which, as you will find, will not load: every time you try to import it, it will fail on a random line inexplicably.
http://www.squidblacklist.org/downloads/tik-dns-ads.rsc
If you change regexp= to name= and format the list accordingly, you will see that the list imports just fine as name, but when you try to import as regexp it chokes to death on the lists.
We propose that you consider enabling name PLUS regexp, so that we could add website.com as the name and \*. or something simple as the regexp to block all subsequent subdomains.
Understandably, when somebody blocks a website like pornhub.com they mean it; they want it blocked, and all subdomains. Anyway, it's going to be a nightmare to create the backend script to format for the regex. But we'll get to work on it; in the meanwhile, consider the issues. And I am totally open to any help I can get.
Thank you. Now let's make the world a better place, starting right now.
Signed,
Benjamin E. Nichols
http://www.squidblacklist.org
http://blog.squidblacklist.org/?p=853
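
The backend conversion the post refers to, as an added example that is not part of the original post and is not Squidblacklist's or MikroTik's code: it turns a plain domain list into regexp= entries with escaped dots that match a domain and its subdomains only, and drops names already covered by a listed parent so the import stays smaller. Assumptions: the router treats the pattern as a POSIX extended regex, the quoting follows RouterOS string escapes, and every function name here is hypothetical.

```python
import re

# Constructed sample input: two names from the listing above plus
# example.com entries made up to exercise duplicates and covered subdomains.
SAMPLE = """# comment
004.frnl.de
01s.net
ads.example.com
example.com
EXAMPLE.com
"""
VALID = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

def parse_domains(text):
    """Lowercase and de-duplicate, skipping blank and comment lines."""
    out = {}
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if d and not d.startswith("#"):
            out.setdefault(d, None)
    return list(out)

def drop_covered(domains):
    """Drop names already matched by a listed parent domain."""
    listed = set(domains)
    def covered(d):
        parts = d.split(".")
        return any(".".join(parts[i:]) in listed for i in range(1, len(parts)))
    return [d for d in domains if not covered(d)]

def domain_regex(domain):
    """Pattern for the domain itself and any subdomain, dots escaped."""
    if not VALID.match(domain):
        raise ValueError(f"not a plain domain name: {domain!r}")
    return r"(^|\.)" + domain.replace(".", r"\.") + "$"

def routeros_line(domain, comment="sbl ads"):
    # Assumption: in a double-quoted RouterOS string, \ and $ are written \\ and \$.
    quoted = domain_regex(domain).replace("\\", "\\\\").replace("$", "\\$")
    return f'add regexp="{quoted}" address="$redirectIP" comment="{comment}"'

def blocks(domain, query):
    """Python's re used as a stand-in for the router's matcher (assumption)."""
    return re.search(domain_regex(domain), query.lower()) is not None

def build_script(text):
    return [routeros_line(d) for d in drop_covered(parse_domains(text))]

if __name__ == "__main__":
    print("\n".join(build_script(SAMPLE)))
```

The emitted lines go under the same `/ip dns static` header used in the listing above; the `blocks` helper lets the generated pattern be checked against lookalike names before the list is published.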