Search squid archive

Re: dstdomain issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



howard chen wrote:
Hello,

I notice some of our client is typing an additional dot at the end of
the domain, which make the squid ACL failed, e.g.

acl dstdomain_index              dstdomain       .example.com


So if client is using, e.g. http://www.example.com./, then ACL blocked
the client from accessing.

But in real sites this should be allowed? e.g. www.facebook.com./


Yes.  The trailing . is a placeholder that instructs DNS lookup mechanisms to terminate there and not try to lookup the phrase as a host or subdomain.

For example, where I work I can just type www into my browser to get our main page because it has nla.gov.au configured as a search domain.

Which, IIRC, means that the lookup of www fails, so it then does a lookup on www.nla.gov.au, then www.gov.au, then www.au, then and only then it reports back to the OS that it was unable to resolve the host.  At least, I think that's how it works.

Sometimes these are essential where the search domains are implicit, like DNS records.  If I forget the . then I end up with errors in the logs referring to

hostname.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au... etc

Basically then the trailing dot is acceptable for a FQDN.  Your link to facebook worked fine for me, and I would assume that you get these attempts because people are using to ending a type phrase with a full stop <ENTER> sequence.









Howard


--
Daniel Rose
National Library of Australia

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux