[squid-users] Squid 3.x never_direct and DNS requests problem.
FUSTE Emmanuel
emmanuel.fuste at thalesgroup.com
Mon Jan 23 14:58:07 UTC 2017
Hello,
I'm in a context where I have a lot of Squid installations without direct
internet access.
All queries are forwarded to an Internet-connected peer.
Recently, I migrated my old 2.x Squid to 3.x and took responsibility for
some other existing 3.x installations.
- my Debian-based Squid 3.4.8 started doing DNS requests for each requested
domain
- Ubuntu 14.04-based Squid 3.3.8 behaves the same
- Ubuntu 16.04-based Squid 3.5.12 behaves the same
The internal DNS setup is completely private, with its own hierarchy and
with no Internet link/relation.
Internet-like requests are banned on this infrastructure and could
raise alarms.
On the Ubuntu installations, the problem was worked around with a local
nsd daemon responsible for answering "nxdomain" to all requests.
All was carefully checked and nothing in my configuration (acl etc ...)
explains why Squid insists on doing DNS requests for requests forwarded to
the peer(s).
I was able to reproduce the "bug" with all squid versions up to 3.5.23
with this minimalist config test file:
----------------------------
http_access allow all
http_port 3128
cache_peer 10.xx.xx.xx parent 8000 0 default no-query no-digest login=login:password
never_direct allow all
cache_mem 256 MB
maximum_object_size_in_memory 16384 KB
cache_dir aufs /var/spool/squid3 100000 32 256
maximum_object_size 400 MB
access_log stdio:/var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
quick_abort_pct 55
read_ahead_gap 128 KB
hosts_file none
coredump_dir /var/spool/squid3
#bug #4575
url_rewrite_extras XXX
store_id_extras XXX
------------------------------------
Since the switch from 3.5.12 to 3.5.19/23, I am able to use a simpler
workaround (I switched directly from 3.5.12 to 3.5.19, so I don't know
when the behavior changed):
Instead of installing a fake local DNS server and using
dns_nameservers 127.0.0.1
I could use
dns_nameservers none
Squid warns about a non-usable DNS and proceeds normally. Before (tested
with 3.5.12 and lower) Squid hung.
So, am I missing something? Is it a known problem?
With the workaround, things work, but I could not log things based on
internal DNS for the client side, and this is something that was working
in the old 2.x versions.
Should I open a bug report?
Thank you,
Emmanuel.
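The two workarounds above (a local NXDOMAIN sink on 127.0.0.1, or `dns_nameservers none`) are configuration states that are easy to lose track of across many isolated installations. What follows is an added example written for this page, not code from the post or from the Squid project: a small Python audit that parses a squid.conf, detects the forced-peer setup (a `cache_peer` together with `never_direct allow all`) and reports how name resolution is configured, so a fleet of isolated proxies can be checked for any that would still emit resolver traffic. The sample configuration is the post's own test file with the peer address and credentials replaced by constructed placeholders and the wrapped `cache_peer` line rejoined; the status labels are this example's, while the version behaviour they describe is what the post reports.

```python
"""
Audit a squid.conf for the forced-peer setup discussed on the list: every
request goes to a cache_peer because of "never_direct allow all", yet Squid
still resolves names unless dns_nameservers is dealt with. Added example,
not code from the post or the Squid project. It only reads configuration
text; it never contacts Squid or a resolver.
"""

# Constructed sample: the post's test config with the peer address and the
# credentials replaced by placeholders and the wrapped cache_peer line rejoined.
SAMPLE_CONF = """\
http_access allow all
http_port 3128
cache_peer 10.0.0.1 parent 8000 0 default no-query no-digest login=user:secret
never_direct allow all
cache_mem 256 MB
hosts_file none
#bug #4575
url_rewrite_extras XXX
dns_nameservers 127.0.0.1
"""


def parse_squid_conf(text):
    """Return (directive, args) pairs; '#' starts a comment, blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def audit_dns_leak(text):
    """Classify how a forced-peer Squid would behave with respect to DNS.

    Status labels are this example's own; the behaviours are the post's:
      not_forced - no cache_peer plus 'never_direct allow all', so direct
                   fetches are expected and resolving names is normal.
      leak       - forced-peer mode with the default resolver: Squid queries
                   the system nameservers for every requested domain.
      external   - dns_nameservers lists specific servers; queries leave the
                   host for those addresses.
      local_sink - dns_nameservers 127.0.0.1: the local NXDOMAIN-daemon
                   workaround; it depends on that daemon running.
      disabled   - dns_nameservers none: no resolver traffic. The post reports
                   this works on 3.5.19/3.5.23 but hung on 3.5.12 and lower.
    """
    entries = parse_squid_conf(text)
    has_peer = any(d == "cache_peer" for d, _ in entries)
    forced = any(d == "never_direct" and a[:2] == ["allow", "all"]
                 for d, a in entries)
    # Collect every address given to dns_nameservers, across all occurrences.
    resolver = [ip for d, a in entries if d == "dns_nameservers" for ip in a]

    if not (has_peer and forced):
        return {"status": "not_forced", "resolver": resolver or None}
    if not resolver:
        return {"status": "leak", "resolver": None}
    if resolver == ["none"]:
        return {"status": "disabled", "resolver": resolver}
    if all(ip in ("127.0.0.1", "::1") for ip in resolver):
        return {"status": "local_sink", "resolver": resolver}
    return {"status": "external", "resolver": resolver}


if __name__ == "__main__":
    for label, conf in [("as posted", SAMPLE_CONF),
                        ("with none", SAMPLE_CONF.replace("127.0.0.1", "none"))]:
        print(label, "->", audit_dns_leak(conf))
```

Run it against a real squid.conf by reading the file into `audit_dns_leak`; a `leak` result on an installation that is supposed to be isolated is the condition the post describes, and `local_sink` is only safe while the sink daemon is actually listening.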