[squid-users] Squid not failing over to secondary DNS host

Geoffrey geoffmaha at gmail.com
Thu Oct 12 05:44:27 UTC 2017


Thanks for your reply Amos.

I just realised I left out some info in the original email that was
pertinent. :)


> How are you determining that exactly?
>  squid logs? DNS logs? firewall counters? packet traces?

Quite simply by trial and error and monitoring the results of taking
the 2 DNS/DCs offline/online, and using the cachemgr report.

E.g. here is the report after I loaded one page and then took the
primary DNS offline, then continued to browse to two more pages. The
latter two pages did not load and the cachemgr report seems to verify
that squid is not using the secondary dns server at all (primary dns
server having 27 queries to 9 replies and the secondary getting none).


root@websafetyv51:~# squidclient mgr:idns
HTTP/1.1 200 OK
Server: squid/3.5.23
Mime-Version: 1.0
Date: Thu, 12 Oct 2017 05:30:12 GMT
Content-Type: text/plain;charset=utf-8
Expires: Thu, 12 Oct 2017 05:30:12 GMT
Last-Modified: Thu, 12 Oct 2017 05:30:12 GMT
X-Cache: MISS from websafetyv51.localdom.local
X-Cache-Lookup: MISS from websafetyv51.localdom.local:3128
Via: 1.1 websafetyv51.localdom.local (squid/3.5.23)
Connection: close

Internal DNS Statistics:

The Queue:
                       DELAY SINCE
  ID   SIZE SENDS FIRST SEND LAST SEND M FQDN
------ ---- ----- ---------- --------- - ----

DNS jumbo-grams: not working

Nameservers:
IP ADDRESS                                     # QUERIES # REPLIES Type
---------------------------------------------- --------- --------- --------
192.168.100.249                                      27         9 recurse
192.168.100.248                                       0         0 recurse

Rcode Matrix:
RCODE ATTEMPT1 ATTEMPT2 ATTEMPT3 PROBLEM
    0     1550        0        0 : Success
    1        0        0        0 : Packet Format Error
    2        0        0        0 : DNS Server Failure
    3        4        0        0 : Non-Existent Domain
    4        0        0        0 : Not Implemented
    5        0        0        0 : Query Refused
    6        0        0        0 : Name Exists when it should not
    7        0        0        0 : RR Set Exists when it should not
    8        0        0        0 : RR Set that should exist does not
    9        0        0        0 : Server Not Authoritative for zone
   10        0        0        0 : Name not contained in zone
   16        0        0        0 : Bad OPT Version or TSIG Signature Failure

Search list:
localdom.local


Squid version: Squid Object Cache: Version 3.5.23
Ubuntu server: "Ubuntu 16.04.3 LTS"

Cheers
Geoffrey



On 12 October 2017 at 15:53, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 12/10/17 15:04, Geoffrey wrote:
>>
>> Hello folks,
>>
>> I am finding that Squid will not use the secondary DNS if the first
>> one is taken offline. In this case the primary DNS is not able to
>> respond because I have taken it offline, and therefore the secondary
>> DNS should be queried by squid, but is not.
>>
>
> How are you determining that exactly?
>  squid logs? DNS logs? firewall counters? packet traces?
>
>
>> I have 2 Windows recursive DNS servers; 192.168.100.249 and
>> 192.168.100.248, that are statically specified in /etc/resolv.conf. I
>> am authenticating against AD using i) Kerberos and ii) NTLM.
>>
>> This looks like it is a Squid internal dns client response rather than
>> operating system. While 192.168.100.249 is offline, all other queries
>> done by command-line queries work OK which indicates the system is
>> using the secondary DNS server fine… just not Squid!
>>
>> What we want to happen of course is that if the primary
>> (192.168.100.249) is down or it cannot contact root DNS servers, then
>> it contacts the secondary nameserver specified on the LAN (as per the
>> configuration in resolv.conf) and resolves the name.
>>
>> *Squid is SUCCESSFULLY reading resolv.conf as proved in cache.log after
>> reload
>> *Setting dns resolvers directly in the squid config file with
>> 'dns_nameservers' does not resolve the issue as the symptom is
>> identical
>> *modified squid dns timeouts to a low value (less than 10 secs) for
>> testing but made no difference
>>
>> Many thanks for any ideas you may have.
>
>
>
> What does the cachemgr "idns" report say?
>
>
> command line:
>   squidclient mgr:idns
>
> or URL:
>   http://$(visible_hostname):3128/squid-internal-mgr/idns
>
>
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

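As an added example (not from this thread or from the Squid project), the script below parses the "Nameservers:" table of two `squidclient mgr:idns` snapshots taken before and after a resolver is taken offline and reports which resolver stopped answering and whether any other resolver took over. Squid's per-nameserver QUERIES and REPLIES counters are cumulative, so the useful signal is the growth between snapshots, not the absolute numbers. The two embedded reports are constructed to match the figures in the message above (27 queries / 9 replies on the primary, nothing on the secondary).

```python
"""Check two Squid cachemgr 'idns' snapshots for DNS failover (added example)."""
import re
from typing import Dict, List

# Constructed sample, shaped like `squidclient mgr:idns` output.
# BEFORE: snapshot after the first page loaded, both resolvers reachable.
REPORT_BEFORE = """\
Internal DNS Statistics:

Nameservers:
IP ADDRESS                                     # QUERIES # REPLIES Type
---------------------------------------------- --------- --------- --------
192.168.100.249                                       9         9 recurse
192.168.100.248                                       0         0 recurse

Rcode Matrix:
RCODE ATTEMPT1 ATTEMPT2 ATTEMPT3 PROBLEM
    0        9        0        0 : Success
"""

# AFTER: snapshot after the primary was taken offline and two more pages were requested.
REPORT_AFTER = """\
Internal DNS Statistics:

Nameservers:
IP ADDRESS                                     # QUERIES # REPLIES Type
---------------------------------------------- --------- --------- --------
192.168.100.249                                      27         9 recurse
192.168.100.248                                       0         0 recurse

Rcode Matrix:
RCODE ATTEMPT1 ATTEMPT2 ATTEMPT3 PROBLEM
    0        9        0        0 : Success
"""

# One nameserver row: IP, cumulative queries, cumulative replies, server type.
NS_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_nameservers(report: str) -> List[Dict[str, object]]:
    """Extract the rows of the 'Nameservers:' table from an idns report."""
    rows: List[Dict[str, object]] = []
    in_section = False
    for line in report.splitlines():
        if line.startswith("Nameservers:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():
            break  # the table ends at the first blank line
        if line.startswith("IP ADDRESS") or line.startswith("---"):
            continue  # header and rule lines
        m = NS_ROW.match(line)
        if m:
            rows.append({"ip": m.group(1), "queries": int(m.group(2)),
                         "replies": int(m.group(3)), "type": m.group(4)})
    return rows


def counter_deltas(before: str, after: str) -> Dict[str, Dict[str, int]]:
    """Per-nameserver growth of the cumulative counters between two snapshots."""
    prev = {r["ip"]: r for r in parse_nameservers(before)}
    deltas: Dict[str, Dict[str, int]] = {}
    for r in parse_nameservers(after):
        p = prev.get(r["ip"], {"queries": 0, "replies": 0})
        deltas[r["ip"]] = {"queries": r["queries"] - p["queries"],
                           "replies": r["replies"] - p["replies"]}
    return deltas


def assess_failover(before: str, after: str, min_queries: int = 5) -> Dict[str, object]:
    """Classify the window: which resolvers went silent, which answered, which were never tried."""
    d = counter_deltas(before, after)
    unresponsive = sorted(ip for ip, v in d.items()
                          if v["queries"] >= min_queries and v["replies"] == 0)
    answering = sorted(ip for ip, v in d.items() if v["replies"] > 0)
    untried = sorted(ip for ip, v in d.items() if v["queries"] == 0)
    return {
        "unresponsive": unresponsive,
        "answering": answering,
        "untried": untried,
        # Failover means one resolver stopped answering and another picked up the load.
        "failover_observed": bool(unresponsive) and bool(answering),
    }


if __name__ == "__main__":
    for key, value in assess_failover(REPORT_BEFORE, REPORT_AFTER).items():
        print(f"{key}: {value}")
```

Run against live data by capturing `squidclient mgr:idns` into two files around the outage and passing their contents to `assess_failover`; for the constructed snapshots above it reports the primary as unresponsive, the secondary as untried, and `failover_observed: False`, which is the same conclusion drawn by eye in the message.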
