Search squid archive

Re: Unneeded DNS lookups for cache_peer selection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 30.01.2014 10:45, schrieb Amos Jeffries:
> On 30/01/2014 9:25 p.m., Amon Ott wrote:
>> Am 29.01.2014 21:51, schrieb Amos Jeffries:
>>> On 2014-01-30 03:48, Amon Ott wrote:
>>>> We have a setup with a single parent proxy that shall be used for all
>>>> requests. "never_direct allow all" ensures that the parent is not to be
>>>> bypassed. Still, every request leads to an extra unnecessary (and
>>>> failing) DNS lookup. We enjoyed several complaints because of unwanted
>>>> DNS traffic inside a firewalled area. As all results are negative, even
>>>> the DNS caching does not really help.
>>>>
>>>> I have traced the problem into peerSelectDnsPaths() in
>>>> src/peer_select.cc. It seems that despite the clear fact that only one
>>>> cache_peer can ever be selected (and has to be selected), the code still
>>>> makes a DNS request for the hostname in the requested URL to find the
>>>> best proxy. It would be greatly appreciated if we could suppress these
>>>> lookups without loosing DNS access for parent proxy lookup by DNS name.
>>>> The lookup does not make any sense to me even with multiple parents, if
>>>> the parent selection is never based on the request target host.
>>>>
>>>> The only workaround we have found so far is to specify the parent proxy
>>>> by IP address and tell Squid with "dns_nameservers localhost" to use a
>>>> not existing DNS server. However, this way we loose the DNS based load
>>>> balancing at the parent proxy, which we cannot influence ourselves.
>>>>
>>>> This looks like a similar problem to the one discussed in
>>>> http://www.squid-cache.org/mail-archive/squid-users/201309/0364.html
>>>
>>>
>>> It does indeed sound like a similar problem. The issue is likely the
>>> same, "bad" configuration requiring DNS lookups to happen.
>>> There are two solutions indicated in my response to that referenced post:
>>>  1) fixing the ACL tests and config options requiring DNS
>>
>> I have not found any, please do have a look yourself.
>>
>>>  2) using /etc/hosts (or a localhost DNS resolver)
>>
>> This is no good option, because the uplink proxy's IP address can change
>> at any time, so we need to use its DNS name. That DNS domain is not
>> under our control, so a DNS server at localhost does not help. In worst
>> case I would have to run a cron job updating the host entry every minute
>> or such - sounds horrible.
> 
> Well then. There is the answer.
> 
> Squid has to find the IP address that name points at as often as the TTL
> says to re-check for changes. Without the destination IP address it
> cannot send TCP packets.

It needs to recheck the IP of the parent proxy, but not for the URLs the
users want to see. The parent proxy has to take care of that, and
external DNS does not work in the internal DNS setup anyway. It creates
lots of bogus extra packets in the internal net without any good reason.
If we can get that fixed, it will also reduce network traffic and DNS
server load for many other users with parent proxies, too.

>> Since the DNS lookup fails anyway, the solution could be as simple as
>> having a simple switch to forbid URL target host DNS lookups completely.
>> Parent proxy selection could still continue like after failed DNS lookup.
> 
> If the DNS lookup fails there Squid has no idea where the cache_peer has
> been moved to when it changes. And never_direct prevents alternative IPs
> being looked for.

I seem to have been unclear here: I want to get rid of DNS lookups of
request URL hosts, not of DNS lookups for the parent proxy. ATM, every
single Web request over the proxy seems to trigger a DNS lookup for that
host. tcpdump clearly shows tons of requests for external DNS names to
our DNS server.

It seems to me that the parent selection algorithm always looks up the
host in the user request URL at the place mentioned above, even though
it is only needed with certain per-parent ACLs or if the proxies might
get bypassed for speed. Maybe the lookup could be delayed until it is
really needed for a decision. AFAICS, the new "-n" parameter to ACLs in
3.4 has a similar idea, it avoids DNS traffic.

> Your choices are exactly thse above, or possibly also configuring the IP
> explicitly into squid.conf and reconfiguring whenever it changes. But
> finding out when that change happens will be even more of a problem for
> the process reconfiguring Squid than it is for a localhost DNS server.

As said above: regular DNS lookups for the parent proxy work and are
fine, but not for the Internet hosts users want to visit.

>>> If you are willing to post your config file (without any # comment
>>> lines) I am happy to check it like I did that earlier one.
>>
>> The stripped squid.conf is attached. The outgoing address settings are
>> workarounds for https URL problems without IPv6, which is disabled in
>> our kernel. We have tested with Squid 3.3.11 and 3.4.2.
> 
> PS. in 3.4 the tcp_outgoing_address hack is not doing anything.

Thanks, will remove that for 3.4.

Amon.





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux