On 29/10/2015 3:02 p.m., Jester Purtteman wrote:
> Probably a good idea there, I have not used bind in a very, very long
> time, but I will give it a shot.
>
> I am still having some issues, but at least now they're all within
> the bounds of consistent and "what-i-expect" behavior, I just need to
> think through how to outsmart a couple issues. The big one now is
> that many addresses appear to change by the time the system
> downloads a particularly large file (Windows updates, to be
> specific), so it ends up releasing it almost immediately (because of
> the header spoofing prevention I was talking about in this chain),

The Host header verification happens as the first step of message processing before anything else. So it should not be the cause, but a side effect of something else.

I think a worse problem is if the DNS TTL is shorter than a client connection's TCP connected time. Then requests arriving after the DNS TTL expired would no longer match the initial dst-IP.

As a workaround you could try to reduce the client_idle_pconn_timeout (2mins) then if that does not help the client_lifetime (24hrs).

It will probably require patching to get a full fix. I've started thinking of solutions. Maybe remembering Host names used on the connection, or closing it ASAP after the DNS TTL runs out.

Amos

> which is only frustrating because caching big updates would be a huge
> gain for us. So far, out of 20 GB transferred, about 6-gb has been
> windows/apple updates, and that from several hosts. I'll see if I
> can get BIND to grab that and cache that resolution a little longer,
> and hang on to it, but my bigger question is: if I setup a parent
> proxy that ONLY grabs the big updates down on my big-fast-cheap
> connection, then set my little-slow-expensive-connection up to pull
> from that connection, would that have a higher chance of success?
> Since the proxy on the slow system is requesting the same object, I'm
> wondering if that may work out better. Not sure that will have the
> desired effect, but I'm going to try it out, I'll let you know how
> that works out.

>> -----Original Message-----
>> From: squid-users On
>> Behalf Of Eliezer Croitoru
>>
>> Hey Jester,
>>
>> I know that installing bind would probably not be much of a trouble and I
>> recommend to use it instead of using dnsmasq.
>> It will do everything much better even if you are using it as a forwarder and
>> not a recursive DNS service.
>>
>> Eliezer
>>
>> On 28/10/2015 20:24, Jester Purtteman wrote:
>>> So, I just installed dnsmasq on two of my servers, pointed my clients
>> toward that address, and so far it is working a whole lot better. My hit rate is
>> up in the 10% range, and that is with a nearly empty cache, so that may be
>> the trick. I only made the change about a short time ago. More importantly,
>> that error in the log has gone away and I am getting consistent caching
>> behavior, so that is huge.
>>>
>>> Thank you!
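The TTL-versus-connection-lifetime effect described in the reply above, as an added toy model that is not part of the original thread and not Squid code. The function names, the 30-second TTL and the 192.0.2.x addresses are constructed; it assumes one address per TTL window and that a client resolves again whenever it reconnects.

```python
# Toy model (constructed for illustration, not Squid code) of the dst-IP
# match on a persistent client connection while the DNS answer rotates.
TTL = 30                                             # seconds, constructed
ADDRS = ["192.0.2.10", "192.0.2.20", "192.0.2.30"]   # documentation range

def resolve(t, ttl=TTL, addrs=ADDRS):
    """Address the rotating record serves at time t (one per TTL window)."""
    return addrs[(t // ttl) % len(addrs)]

def simulate(request_times, idle_timeout, lifetime):
    """Replay request times (seconds); return (mismatches, connections_opened).

    The connection is closed once it has been idle longer than idle_timeout
    or is older than lifetime; the client then reconnects to whatever DNS
    returns at that moment (assumption). A request counts as a mismatch when
    the address DNS returns at request time differs from the connection's
    dst-IP, i.e. the Host no longer matches the initial dst-IP.
    """
    mismatches = opened = 0
    conn_ip = conn_start = last_used = None
    for t in request_times:
        closed = (conn_ip is None
                  or t - last_used > idle_timeout
                  or t - conn_start > lifetime)
        if closed:
            conn_ip, conn_start = resolve(t), t
            opened += 1
        if resolve(t) != conn_ip:
            mismatches += 1
        last_used = t
    return mismatches, opened

QUIET = range(0, 600, 45)   # one request every 45 s for ten minutes
BUSY = range(0, 600, 20)    # one request every 20 s, never idle for long

if __name__ == "__main__":
    cases = [
        ("quiet, idle 120 s, lifetime 1 day", QUIET, 120, 86400),
        ("quiet, idle 30 s,  lifetime 1 day", QUIET, 30, 86400),
        ("busy,  idle 30 s,  lifetime 1 day", BUSY, 30, 86400),
        ("busy,  idle 30 s,  lifetime 30 s ", BUSY, 30, 30),
    ]
    for label, times, idle, life in cases:
        bad, opened = simulate(times, idle, life)
        print(f"{label}: {bad} mismatches, {opened} connections")
```

In this model a shorter idle timeout only helps a connection that actually goes quiet; a connection that stays busy needs the lifetime cap, and a cap equal to the TTL still leaves some mismatches.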