On 28/06/11 23:25, Richard Zulu wrote:
Amos,
Yes, you are right!
My internal DNS Stats are as follows:
Nameservers:
IP ADDRESS # QUERIES # REPLIES
---------------------------------------------- --------- ---------
xxx.xxx.xxx.xx 51219 46320
You realise there is quite a big lap between the queries and replies.
Other than the NAT errors, queue length errors, and large url warnings
in the config file, I cannot seem to pinpoint why my server develops a
long queue and cannot get most of it's queries resolved by the DNS.
DNS is working well for other squid servers. Shifting users from the
failing squid server to another functioning squid server causes the
functioning squid server to experience the same issues.
Sure sign that something they are doing is leading to DNS overload.
Things to do:
* reduce dns_timeout, current recommended is now 30 seconds. That will
not resolve the DNS breakage, but will hopefully reduce waiting queries
a lot.
* check your config for things which cause extra DNS lookups:
srcdomain or dst ACLs. "log_fqdn on". small ipcache size.
* try turning "via on" if you have it disabled. See what happens.
"off" can hide bad looping problems.
* maybe look at the most popular sites and see how fast the DNS
response for AAAA and A lookups are.
What is interesting though, is that no sooner have I started my squid,
than I get queue congestion warning and numerous NAT warnings.
Okay. NAT warnings is a side effect of NAT being done on the other box.
Is a seecurity vulnerability and speed slowdown on accepting new
requests. But otherwise is a separate issue. It will be a little bit of
work to fix, so I think we put it asside for now.
AIO queue congestion is normal on a proxy with many users after startup,
so long as it goes away with increasingly rare messages everything is fine.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.12
Beta testers wanted for 3.2.0.9 and 3.1.12.3
