[squid-users] access blocking using DNS -> "NO Address records in response to '....'
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 3 13:49:39 UTC 2018
On 04/01/18 02:01, Paul Neuwirth wrote:
> On Thu, 4 Jan 2018 01:24:57 +1300
> Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> On 03/01/18 20:34, Paul Neuwirth wrote:
>>> On Wed, 3 Jan 2018 08:30:36 +0100
>>> Paul Neuwirth wrote:
>>>
>>>> Hello list,
>>>>
>>>> named is configured to block (resulting in NXDOMAIN) some domains.
>>>> Using squid I have following problem:
>>>> Browser requests such a blocked URL and named is not delivering an
>>>> error, request never times out...
>>>> How can I make squid deliver an error in this case.
>>>>
>>
>> ...
>>>
>>> Sorry, just a minute after sending I found out, named is not
>>> delivering NXDOMAIN, but nothing
>>
>> Nod. That is the cause of the "NO address records" log entry.
>>
>> The client appears to be disconnecting from Squid after ~10 seconds.
>> You can probably get the Squid "unable to resolve" error page to show
>> up by reducing dns_timeout to a value of 5-10 seconds
>> (<http://www.squid-cache.org/Doc/config/dns_timeout/>).
>>
>> Amos
>
> Thank you. But the default is 60 seconds... but the request never times out...
You missed the point. The access.log snippet presented said the
connection got aborted after 10.140 seconds with 0 bytes delivered to
the client - long before any Squid DNS lookups timeout.
Which implies strongly that the client is the one aborting the
transaction. So to get that error page you wanted from Squid in that
environment setup you would need to shorten dns_timeout to something
that will make it produce an error page before the client disconnects.
OR, as you found anyway, changing the DNS system's behaviour to a faster
response also changes the overall outcome ...
>
> but never mind.. I found a better solution, reconfigured bind using
> response policy zones to send NXDOMAIN.. this feature didn't exist at
> that time I did the previous config.
Nod, that is a bit better if you do it only for intentionally blocked
domains. Otherwise it will now present lies about domains not existing
when the truth is their no-IP state, which might muck up your future
debugging of domain issues. So YMMV.
>
> have a nice year
>
Cheers, and same to you.
Amos
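The point Amos makes above (an abort at 10.140 seconds with 0 bytes delivered, well before a 60 second dns_timeout, means the client gave up, not Squid) can be checked mechanically against an access.log. The script below is an added example, not code from this thread or from the Squid project; it assumes Squid's default native log format (unix time, elapsed milliseconds, client, code/status, bytes, method, URL, ...) and uses constructed sample lines rather than the poster's real log. The `_ABORTED` code suffix and `/000` status are how Squid 3.2 and later mark transactions the client dropped.

```python
"""Classify Squid access.log entries relative to dns_timeout and suggest a
shorter timeout that would let Squid's "unable to resolve" error page be
delivered before the client disconnects.  Added example; not Squid's code."""
import re

# Constructed sample log lines (not from the original post).  Columns:
# <unix ts> <elapsed ms> <client> <code>/<status> <bytes> <method> <url> <ident> <hierarchy> <type>
SAMPLE_LOG = """\
1514985600.512  10140 192.0.2.10 TCP_MISS_ABORTED/000 0 GET http://blocked.example/ - HIER_NONE/- -
1514985612.004  60012 192.0.2.11 TCP_MISS/503 3952 GET http://dead.example/ - HIER_NONE/- text/html
1514985620.998     45 192.0.2.12 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if it
    does not match (e.g. a customised logformat)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ms"] = int(e["ms"])
    e["bytes"] = int(e["bytes"])
    e["status"] = int(e["status"])
    return e


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def classify(entry, dns_timeout_s=60):
    """Label an entry relative to the configured dns_timeout (seconds).

    A client-side abort shows up as an _ABORTED code and/or status 000 with
    nothing delivered.  If that happens before dns_timeout elapses, Squid
    never had a chance to send its error page."""
    limit_ms = dns_timeout_s * 1000
    aborted = entry["code"].endswith("_ABORTED") or entry["status"] == 0
    if aborted and entry["bytes"] == 0:
        if entry["ms"] < limit_ms:
            return "client-abort-before-dns-timeout"
        return "client-abort-after-dns-timeout"
    if entry["status"] == 503 and entry["ms"] >= limit_ms:
        return "squid-error-after-dns-timeout"
    return "ok"


def analyze(text, dns_timeout_s=60):
    """Return (client, url, label) for every parsable line."""
    return [(e["client"], e["url"], classify(e, dns_timeout_s))
            for e in parse_log(text)]


def suggest_dns_timeout(entries, margin_s=2):
    """Suggest a dns_timeout (whole seconds, >= 1) that fires `margin_s`
    before the quickest client abort seen; None if no aborts were observed."""
    aborts = [e["ms"] for e in entries
              if classify(e, 10 ** 9).startswith("client-abort")]
    if not aborts:
        return None
    return max(1, min(aborts) // 1000 - margin_s)


if __name__ == "__main__":
    for client, url, label in analyze(SAMPLE_LOG):
        print(f"{client:15} {label:32} {url}")
    print("suggested dns_timeout:", suggest_dns_timeout(parse_log(SAMPLE_LOG)))
```

Run against a real access.log, a cluster of `client-abort-before-dns-timeout` entries for the same hostnames is the signature of the situation in this thread (a resolver that neither answers nor returns NXDOMAIN); the suggested value is only a starting point, and fixing the resolver to answer promptly, as the poster did with RPZ, removes the need to tune it at all.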