[squid-users] access blocking using DNS -> "NO Address records in response to '....'

Amos Jeffries squid3 at treenet.co.nz
Wed Jan 3 13:49:39 UTC 2018

On 04/01/18 02:01, Paul Neuwirth wrote:
> On Thu, 4 Jan 2018 01:24:57 +1300
> Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 03/01/18 20:34, Paul Neuwirth wrote:
>>> On Wed, 3 Jan 2018 08:30:36 +0100
>>> Paul Neuwirth wrote:
>>>> Hello list,
>>>> named is configured to block (resulting in NXDOMAIN) some domains.
>>>> Using squid I have following problem:
>>>> Browser requests such a blocked URL  and named is not delivering an
>>>> error, request never times out...
>>>> How can I make squid deliver an error in this case.
>> ...
>>> Sorry, just a minute after sending I found out, named is not
>>> delivering NXDOMAIN, but nothing
>> Nod. That is the cause of the "NO address records" log entry.
>> The client appears to be disconnecting from Squid after ~10 seconds.
>> You can probably get the Squid "unable to resolve" error page to show
>> up by reducing dns_timeout to a value of 5-10 seconds
>> (<http://www.squid-cache.org/Doc/config/dns_timeout/>).
>> Amos
> thank you. But default is 60 seconds.. but the request never times out..

You missed the point. The access.log snippet presented said the 
connection got aborted after 10.140 seconds with 0 bytes delivered to 
the client - long before any Squid DNS lookups timeout.

Which implies strongly that the client is the one aborting the 
transaction. So to get that error page you wanted from Squid in that 
environment setup you would need to shorten dns_timeout to something 
that will make it produce an error page before the client disconnects.

OR, as you found anyway, changing the DNS systems behaviour to a faster 
response also changes the overall outcome ...

> but never mind.. I found a better solution, reconfigured bind using
> response policy zones to send NXDOMAIN.. this feature didn't exist at
> that time I did the previous config.

Nod, that is a bit better if you do it only for intentionally blocked 
domains. Otherwise it will now present lies about domains not existing 
when the truth is their no-IP state, which might muck up your future 
debugging of domain issues. So YMMV.

> have a nice year

Cheers, and same to you.


More information about the squid-users mailing list