[squid-users] Squid 3.x never_direct and DNS requests problem.

FUSTE Emmanuel emmanuel.fuste at thalesgroup.com
Mon Jan 23 14:58:07 UTC 2017


Hello,

I'm in a context where I have a lot of Squid installations without direct 
internet access.
All queries are forwarded to an Internet-connected peer.

Recently, I migrated my old 2.x Squid to 3.x and took responsibility for 
some other existing 3.x installations.
- my Debian-based Squid 3.4.8 started doing DNS requests for each requested 
domain
- Ubuntu 14.04-based Squid 3.3.8 behaves the same
- Ubuntu 16.04-based Squid 3.5.12 behaves the same
The internal DNS setup is completely private with its own hierarchy and 
with no Internet link/relation.
Internet-"like" requests are banned on this infrastructure and could 
raise alarms.

On the Ubuntu installations, the problem was worked around with a local 
nsd daemon responsible for answering "nxdomain" to all requests.

Everything was carefully checked and nothing in my configuration (acl etc ...) 
explains why Squid insists on doing DNS requests for requests forwarded to 
the peer(s).

I was able to reproduce the "bug" with all squid versions up to 3.5.23 
with this minimalist test config file:
----------------------------
http_access allow all

http_port 3128
cache_peer 10.xx.xx.xx parent 8000 0 default no-query no-digest 
login=login:password
never_direct allow all

cache_mem 256 MB
maximum_object_size_in_memory 16384 KB
cache_dir aufs /var/spool/squid3 100000 32 256
maximum_object_size 400 MB
access_log stdio:/var/log/squid/access.log squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

quick_abort_pct 55
read_ahead_gap 128 KB
hosts_file none
coredump_dir /var/spool/squid3

#bug #4575
url_rewrite_extras XXX
store_id_extras XXX
------------------------------------

Since the switch from 3.5.12 to 3.5.19/23, I am able to use a simpler 
workaround (I switched directly from 3.5.12 to 3.5.19 so I don't know 
when the behavior changed):
Instead of installing a fake local DNS server and using
dns_nameservers 127.0.0.1
I could use
dns_nameservers none
Squid warns about non-usable DNS and proceeds normally. Before (tested 
with 3.5.12 and lower) Squid hung.

So, am I missing something? Is it a known problem?
With the workaround, things work but I cannot log things based on 
internal DNS for the client side, and this is something that was working 
in the old 2.x versions.
Should I open a bug report?

Thank you,
Emmanuel.
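The "local nsd answering nxdomain to everything" workaround described above, as an added example that is not part of this post or of Squid: a minimal UDP DNS sinkhole that replies NXDOMAIN to every query so that lookups from a Squid pointed at it (via dns_nameservers) never leave the host. The listen address and port are assumptions.

```python
import socket
import struct

# Added example, not from the post: a UDP DNS sinkhole that answers every
# query with NXDOMAIN (RCODE 3), the role the "local nsd" workaround plays.
# Point Squid at it with dns_nameservers.  Address/port are assumptions.
LISTEN_ADDR = ("127.0.0.1", 5353)  # assumed; a real nsd would listen on 53

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Encode a plain query (RD=1) the way a stub resolver would."""
    parts = name.strip(".").split(".")
    labels = b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + struct.pack("!HH", qtype, 1)

def nxdomain_reply(query: bytes) -> bytes:
    """Build an NXDOMAIN answer echoing the query's id and question section."""
    if len(query) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    pos = 12
    for _ in range(qdcount):  # skip each QNAME, then QTYPE + QCLASS
        while True:
            ln = query[pos]
            pos += 1
            if ln == 0:
                break
            if ln & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
                pos += 1
                break
            pos += ln
        pos += 4
    # QR=1, opcode and RD copied from the query, AA=1, RA=1, RCODE=3
    rflags = 0x8000 | (flags & 0x7800) | 0x0400 | (flags & 0x0100) | 0x0080 | 3
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:pos]

def serve(addr=LISTEN_ADDR):
    """Answer NXDOMAIN to everything received on addr."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(addr)
        while True:
            data, peer = sock.recvfrom(512)
            try:
                sock.sendto(nxdomain_reply(data), peer)
            except (ValueError, IndexError):
                pass  # malformed packet: drop it

if __name__ == "__main__":
    serve()
```

Because the reply carries AA=1 and RCODE 3, the Squid side fails fast instead of hanging on a timeout, which is the difference the post observes between older builds and `dns_nameservers none`.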
