
Re: Unwanted DNS queries

On 24/09/2013 6:30 p.m., T Ls wrote:
Hi,

today, some users complained about poor response time of the webproxy. Searching for a possible reason, I found that the proxy makes a DNS request (mostly AAAA but also A) for every http request. We are behind a firewall and resolving internet names is impossible, we have to use parent proxies to reach the internet and I thought I configured squid that way (config at the end of the mail). When I saw the DNS queries, my first guess was a dst-ACL, but there are no dst-ACLs.

I recorded some traffic at the proxy and looked inside with wireshark: for every http request the proxy queries both its nameservers for the IP(v6) of the destination host, and after these queries fail the http request is forwarded to the parent proxy, the content is fetched from the web and delivered to the client.

Last week, I made some changes to the logformat, but switching back to the original format did not stop the DNS queries.

Where is the error in my config, what causes the DNS queries?

In this configuration:

------------------------
squid.conf:
^^^^^^^^^^^
include /mnt/squid3-shared-settings/*.conf

visible_hostname proxy.my.domain.org

hierarchy_stoplist cgi-bin ?

cache_peer parent-ip1 parent 80 7 no-query no-digest
cache_peer    parent-ip2        parent    80    7    no-query no-digest
cache_peer proxy.domain.org parent 9999 7 no-query no-digest

the cache_peer hostnames need to be looked up in DNS, at least on startup/reconfigure and maybe at other times.


cache_peer_access    proxy.domain.org    allow    MYDOMAINS
cache_peer_access    parent-ip-1        deny    MYDOMAINS
cache_peer_access    parent-ip-2        deny    MYDOMAINS

### MEMORY CACHE OPTIONS ...
### Disk-Cache Optionen ...


------------------------------------------------
access.conf:
^^^^^^^^^^^^

acl localhost src 127.0.0.1/32
acl Safe_ports port "...SafePorts.txt"
acl SSL_ports port 443 563 8443 9443
acl CONNECT method CONNECT

acl MYNET src ip-range1
acl MYNET src ip-range2
acl MYNET ...

acl MY-LOCAL-DOMAIN dstdomain .my.domain.org

acl badURLs dstdomain "...badURLs.txt"
acl goodTLDs dstdomain "...goodTLDs.txt"

If there are any raw IP addresses listed in the above two files, they will need regular lookups. But those would be PTR type, so unlikely to be your problem.

acl adminPCs src "...adminPCs.txt"
acl labPcs src "...labor-pcs.txt"

If there are any hostnames listed in the above two files, they will need regular DNS lookups.

acl MYDOMAINS dstdomain .domain.org
acl MYDOMAINS dstdomain .domain.net
acl MYDOMAINS dstdomain .domain.eu


http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny labPcs
http_access allow adminPCs
http_access deny  badURLs
http_access deny !goodTLDs

http_access allow MYNET
http_access deny all

htcp_access deny all
htcp_clr_access deny all

----------------------------------------------
common-server.conf:
^^^^^^^^^^^^^^^^^^^

http_port 8080
error_directory /usr/share/squid/errors/de
log_icp_queries on
cache_effective_user squid
cache_effective_group nogroup
cache_mgr me@xxxxxxxxxxxxx

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%    0
refresh_pattern .        0    20%    4320


-----------------------------------------------------------
logging.conf:
^^^^^^^^^^^^^


logformat myformat %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt
cache_access_log /var/log/squid/access.log myformat

There is no such directive as "cache_access_log". There is however an "access_log" directive.


cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

Unless you are debugging or analyzing the storage the cache_store_log is not necessary.

pid_filename /var/log/squid/squid.pid
debug_options ALL,1

------------------------------------------------------------
request-forward.conf:
^^^^^^^^^^^^^^^^^^^^^


always_direct allow MY-LOCAL-DOMAIN


* requests for "MY-LOCAL-DOMAIN" require DNS lookups to determine where they go due to the above.


never_direct deny MY-LOCAL-DOMAIN
never_direct allow all


If the set of domains being looked up is small (i.e. your cache_peer or always_direct rules) then you can define them in the /etc/hosts file.

Amos
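The four lookup sources named in the reply (non-IP cache_peer hosts, hostnames in src ACLs, raw IPs in dstdomain ACLs, and always_direct rules on dstdomain ACLs) can be found mechanically. The checker below is an added example written for this thread, not Squid code; SAMPLE_CONF is a constructed fragment with placeholder hosts modelled on the quoted config, and values loaded from quoted files are skipped rather than read.

```python
import ipaddress

# Constructed sample modelled on the configuration quoted in the thread.
# Hostnames and addresses are placeholders, not the poster's real values.
SAMPLE_CONF = """\
cache_peer parent-ip1 parent 80 7 no-query no-digest
cache_peer 192.0.2.10 parent 80 7 no-query no-digest
cache_peer proxy.domain.org parent 9999 7 no-query no-digest
acl MYNET src 10.1.0.0/16
acl adminPCs src admin-pc.my.domain.org
acl badURLs dstdomain 198.51.100.7
acl MY-LOCAL-DOMAIN dstdomain .my.domain.org
always_direct allow MY-LOCAL-DOMAIN
never_direct allow all
"""

def is_address(token):
    """True if token is an IP, a CIDR network or a first-last address range."""
    try:
        for part in token.split("-", 1):
            ipaddress.ip_network(part, strict=False)
        return True
    except ValueError:
        return False

def find_dns_triggers(conf_text):
    """Return (directive, value, reason) tuples for settings that force lookups."""
    acl_types = {}          # ACL name -> ACL type, to resolve always_direct references
    findings = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        directive = fields[0]
        if directive == "cache_peer" and len(fields) > 1 and not is_address(fields[1]):
            findings.append((directive, fields[1], "peer hostname resolved at startup/reconfigure"))
        elif directive == "acl" and len(fields) > 3:
            name, acl_type, values = fields[1], fields[2], fields[3:]
            acl_types[name] = acl_type
            if acl_type == "src":
                for v in values:   # file-based lists ("...") are not read here
                    if not v.startswith('"') and not is_address(v):
                        findings.append((directive, v, "hostname in src ACL needs forward lookup"))
            elif acl_type == "dstdomain":
                for v in values:
                    if is_address(v):
                        findings.append((directive, v, "raw IP in dstdomain ACL triggers PTR lookups"))
        elif directive == "always_direct" and len(fields) > 2 and fields[1] == "allow":
            for acl_name in fields[2:]:
                if acl_types.get(acl_name.lstrip("!")) == "dstdomain":
                    findings.append((directive, acl_name, "matching requests go direct; destination must be resolved"))
    return findings

if __name__ == "__main__":
    for directive, value, reason in find_dns_triggers(SAMPLE_CONF):
        print(f"{directive:14} {value:26} {reason}")
```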



