Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Sep 6 07:22:43 UTC 2018

On 06.09.18 02:40, Julian Perconti wrote:
>"I discovered" that if I use more than one *local* dns server/resolver, when
>I use squid HTTPS, there are some problems accessing the web.

>I have a squid with TLS support in server "B"; the gateway and resolver of
>the server "B" is server "A" and the server "A" has bind installed and
>multiple or at least one (local) dns forwarders. (djbdns)

>If I remove the forwarders (local always, never public ones like in
>server "A"), the problem disappears.

>In this scenario, the dns forwarders in server "A" are not being directly
>used by the clients nor squid (they are forwarders for bind in server "A"),
>e.g. browsing by server "B" (squid) and resolving domains via server "A" with

What do you mean by forwarders? You need to send the query to a DNS server that
makes the resolution.

It's OK when you have squid configured on server "B" and DNS on server "A"
and squid uses server "A" for resolution.

However, your repeated usage of word "forwarders" indicates there is
something broken in the configuration on server "A".

>So, the question: How can I use multiple DNS caching resolvers/server (local
>or remote) like bind/djbdns without the issue mentioned above?

do not use djbdns. ever.

simply configure bind on server "A", allow it to provide recursion for
server "B" and that's all. Forget forwarders.

>Is it mandatory for squid to use only 1 dns/caching nameserver?

Usually, people have multiple DNS servers configured to fail over in case
one of them fails.
In some cases, the client can balance the load, or prefer the server with faster

There should be no problem of this kind, unless one of your DNS servers is


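As an added illustration that is not part of the original thread, the configuration shape Matus describes looks like this: BIND on server "A" answering recursive queries for server "B" with no forwarders at all, and squid on server "B" pointed at server "A", with a second resolver listed so squid can fail over. The addresses 192.0.2.1 (server "A"), 192.0.2.2 (server "B") and 192.0.2.3 (a second resolver) and the file paths are constructed placeholders, not values from the thread.

```conf
# --- server "A": /etc/bind/named.conf.options (assumed path) ---
# Hosts that may ask this server to recurse on their behalf.
acl "trusted" {
    127.0.0.1;
    192.0.2.2;          # server "B", where squid runs (constructed address)
};

options {
    directory "/var/cache/bind";
    recursion yes;                  # this server resolves from the roots itself
    allow-recursion { trusted; };   # only server "B" and localhost may recurse
    allow-query     { trusted; };
    # Deliberately no "forwarders { ... };" and no "forward only;":
    # BIND performs the full resolution instead of relaying to djbdns.
};

# --- server "B": /etc/squid/squid.conf (assumed path) ---
# Overrides /etc/resolv.conf for squid's internal resolver. Servers are
# tried in the order listed and a retry goes to the next one, so the
# second entry gives failover if server "A" stops answering.
dns_nameservers 192.0.2.1 192.0.2.3
```

After editing, `named-checkconf` on server "A" validates the BIND syntax and `squid -k parse` on server "B" checks squid.conf; both tools ship with the respective packages. Listing a second resolver in `dns_nameservers` only helps if it is itself a full recursive server that server "B" is allowed to query, not another forwarder in front of the same broken path.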