Tell the team that is running the IPS to change their policy from DROP to
something else, so you are not a captive audience to the timeout. By sending
a RST, they can cause Squid to close the connection and fail faster. If they
are intercepting the DNS request, have them leverage an RPZ and send an
NXDOMAIN response.

There are probably other options to consider, too, and a conversation about
how to handle these scenarios should have been had before they moved to a
Prevent posture. In short, they made decisions in a vacuum and didn't include
all impacted teams (up or downstream) that their actions affected. This, as a
policy problem, should be addressed with leadership.

HTH
brendan

On Wed, Mar 6, 2024 at 9:58 AM Alex Rousskov <rousskov@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2024-03-06 09:48, Jason Marshall wrote:
>
> > We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a
> > simple pass-through proxy without issue for the past month or so.
> > Recently our security team implemented an IPS product that intercepts
> > domain names known to be associated with malware and ransomware command
> > and control. Once this was in place, we started having issues with the
> > behavior of squid.
> >
> > Through some troubleshooting, it appears that what is happening is that
> > when a user's machine makes a request through squid for one of these
> > bad domains, the request is dropped by the IPS, squid waits for the DNS
> > timeout, and then all requests made to squid after that result
> > in NONE_NONE/500 errors, and it never seems to recover until we do a
> > restart or reload of the service.
>
> DNS errors, including DNS query timeouts, are common, and Squid is
> supposed to handle them well. Assuming the DNS server is operational,
> what you describe sounds like a Squid bug. Lots of bugs were fixed since
> Squid v5.5, but I do not recall any single bug that would have such a
> drastic outcome.
>
> Squid v5 is not supported by the Squid Project. I recommend upgrading to
> the latest Squid v6 and retesting.
>
>
> HTH,
>
> Alex.
>
>
> > Initially the dns_timeout was set for 30 seconds. I reduced this,
> > thinking that perhaps requests were building up or something along those
> > lines. I set it to 5 seconds, but that just got us to a failure state
> > faster.
> >
> > I also found the negative_dns_ttl setting and thought it might be having
> > an effect, but setting this to 0 seconds resulted in no change to the
> > behavior.
> >
> > Are there any configuration tips that anyone can provide that might work
> > better with dropped/intercepted DNS requests? My current configuration
> > is included here:
> >
> > acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> > acl localnet src 10.0.0.0/8            # RFC 1918 local private network (LAN)
> > acl localnet src 100.64.0.0/10         # RFC 6598 shared address space (CGN)
> > acl localnet src 169.254.0.0/16        # RFC 3927 link-local (directly plugged) machines
> > acl localnet src 172.16.0.0/12         # RFC 1918 local private network (LAN)
> > acl localnet src 192.168.0.0/16        # RFC 1918 local private network (LAN)
> >
> > acl localnet src fc00::/7              # RFC 4193 local private network range
> > acl localnet src fe80::/10             # RFC 4291 link-local (directly plugged) machines
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80    # http
> > acl Safe_ports port 443   # https
> > acl Safe_ports port 9191  # papercut
> > http_access deny !Safe_ports
> > http_access allow localhost manager
> > http_access deny manager
> >
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> > http_port 0.0.0.0:3128
> > http_port 0.0.0.0:3129
> > cache deny all
> > coredump_dir /var/spool/squid
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> > debug_options rotate=1 ALL,2
> > negative_dns_ttl 0 seconds
> > dns_timeout 5 seconds
> >
> > Thank you for any help that you can provide.
> >
> > Jason Marshall
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users@xxxxxxxxxxxxxxxxxxxxx
> > https://lists.squid-cache.org/listinfo/squid-users
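As an added illustration, not code from the thread or from the Squid project: a small Python check that scans Squid native-format access.log lines for the pattern Jason describes, a request that stalls for about dns_timeout and fails, followed by a run of NONE_NONE/500 results for unrelated hosts. The log lines are constructed, and the heuristic (stall of at least dns_timeout with a 5xx result, then at least three NONE_NONE/500 entries for other hosts) is an assumption about how the wedged state shows up in the log, not something the thread confirms; in practice it would feed a monitor that alerts or triggers a reload.

```python
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout:
# epoch duration_ms client result/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1709740000.101    120 10.0.0.5 TCP_MISS/200 5321 GET http://intranet.example/ - HIER_DIRECT/10.1.1.1 text/html
1709740003.220   5004 10.0.0.7 NONE_NONE/503 0 GET http://blocked-domain.example/beacon - HIER_NONE/- text/html
1709740004.010      1 10.0.0.5 NONE_NONE/500 0 GET http://intranet.example/ - HIER_NONE/- text/html
1709740004.500      0 10.0.0.9 NONE_NONE/500 0 CONNECT updates.example:443 - HIER_NONE/- -
1709740005.300      1 10.0.0.5 NONE_NONE/500 0 GET http://docs.example/page - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one native-format line into (ts, duration_ms, result, status, host); None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, status = f[3].split("/", 1)
    url = f[6]
    # CONNECT lines carry host:port rather than a full URL
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return float(f[0]), int(f[1]), result, int(status), host


def find_wedge(lines, dns_timeout_s=5, min_run=3):
    """Return (trigger_host, [hosts failing afterwards]) when a request that stalled for
    at least dns_timeout and ended in a 5xx is followed by at least min_run NONE_NONE/500
    results for other hosts; otherwise None. Assumed heuristic, not a Squid rule."""
    entries = [e for e in map(parse_line, lines) if e]
    for i, (_ts, dur, _result, status, host) in enumerate(entries):
        if dur < dns_timeout_s * 1000 or status < 500:
            continue
        after = [h for (_, _, r, s, h) in entries[i + 1:]
                 if r == "NONE_NONE" and s == 500 and h != host]
        if len(after) >= min_run:
            return host, after
    return None


if __name__ == "__main__":
    hit = find_wedge(SAMPLE_LOG.splitlines())
    if hit:
        print(f"stall on {hit[0]} followed by {len(hit[1])} NONE_NONE/500 results: {hit[1]}")
    else:
        print("no wedge pattern found")
```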