howard chen wrote:
Hello, I notice some of our client is typing an additional dot at the end of the domain, which make the squid ACL failed, e.g. acl dstdomain_index dstdomain .example.com So if client is using, e.g. http://www.example.com./, then ACL blocked the client from accessing. But in real sites this should be allowed? e.g. www.facebook.com./
Yes. The trailing . is a placeholder that instructs DNS lookup mechanisms to terminate there and not try to lookup the phrase as a host or subdomain. For example, where I work I can just type www into my browser to get our main page because it has nla.gov.au configured as a search domain. Which, IIRC, means that the lookup of www fails, so it then does a lookup on www.nla.gov.au, then www.gov.au, then www.au, then and only then it reports back to the OS that it was unable to resolve the host. At least, I think that's how it works. Sometimes these are essential where the search domains are implicit, like DNS records. If I forget the . then I end up with errors in the logs referring to hostname.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au... etc Basically then the trailing dot is acceptable for a FQDN. Your link to facebook worked fine for me, and I would assume that you get these attempts because people are using to ending a type phrase with a full stop <ENTER> sequence.
Howard
-- Daniel Rose National Library of Australia