[squid-users] Inconsistent accessing of the cache, craigslist.org images, wacky stuff.

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 29 05:18:32 UTC 2015


On 29/10/2015 3:02 p.m., Jester Purtteman wrote:
> Probably a good idea there, I have not used bind in a very, very long
> time, but I will give it a shot.
> 
> I am still having some issues, but at least now they're all within
> the bounds of consistent and "what-i-expect" behavior, I just need to
> think through how to outsmart a couple issues.  The big one now is
> that many addresses appear to change by the time the system
> downloads a particularly large file (Windows updates, to be
> specific), so it ends up releasing it almost immediately (because of
> the header spoofing prevention I was talking about in this chain),

The Host header verification happens as the first step of message
processing before anything else. So it should not be the cause, but a
side effect of something else.

I think a worse problem is if the DNS TTL is shorter than a client
connection's TCP connected time. Then requests arriving after the DNS TTL
expired would no longer match the initial dst-IP.

As a workaround you could try to reduce the client_idle_pconn_timeout
(2mins) and then, if that does not help, the client_lifetime (24hrs).

It will probably require patching to get a full fix. I've started
thinking of solutions. Maybe remembering Host names used on the
connection, or closing it ASAP after the DNS TTL runs out.

Amos


> which is only frustrating because caching big updates would be a huge
> gain for us.  So far, out of 20 GB transferred, about 6 GB has been
> Windows/Apple updates, and that from several hosts.  I'll see if I
> can get BIND to grab that and cache that resolution a little longer,
> and hang on to it, but my bigger question is:  if I set up a parent
> proxy that ONLY grabs the big updates down on my big-fast-cheap
> connection, then set my little-slow-expensive-connection up to pull
> from that connection, would that have a higher chance of success?
> Since the proxy on the slow system is requesting the same object, I'm
> wondering if that may work out better.  Not sure that will have the
> desired effect, but I'm going to try it out, I'll let you know how
> that works out.
>> -----Original Message-----
>> From: squid-users On
>> Behalf Of Eliezer Croitoru
>>
>> Hey Jester,
>>
>> I know that installing bind would probably not be much of a trouble and I
>> recommend using it instead of dnsmasq.
>> It will do everything much better even if you are using it as a forwarder and
>> not a recursive DNS service.
>>
>> Eliezer
>>
>> On 28/10/2015 20:24, Jester Purtteman wrote:
>>> So, I just installed dnsmasq on two of my servers, pointed my clients
>> toward that address, and so far it is working a whole lot better.  My hit rate is
>> up in the 10% range, and that is with a nearly empty cache, so that may be
>> the trick.  I only made the change about a short time ago.  More importantly,
>> that error in the log has gone away and I am getting consistent caching
>> behavior, so that is huge.
>>>
>>> Thank you!
