Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
Amos Jeffries wrote: ... anything resolving to 127.0.0.1 on this host is not necessarily resolving to 127.0.0.1 on any other host (ie the parent proxy) NP: having a DNS server resolve 127.0.0.1 for anything public is very nasty. Hi Amos, Thank you for your help. Meanwhile i did some more testing and found something strange. The test system cannot resolve any internet domains itself so its nameserver uses a forwarder. If i silently drop the DNS request packets through the packet filter, everything works fine. There is no delay on any requests. But, if i just remove the forwarder in DNS, so that every request for external domains result in a NXDOMAIN DNS reply, a request takes about 90 seconds until it's finally processed. The point i don't understand is, why Squid forwards the request without any DNS reply but seems to do some timeout handling if NXDOMAIN is replied? I also checked if there is any communcation between local squid and the parent proxy but there isn't any in the latter test case. Greetings, Matthias
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
Silamael wrote: Amos Jeffries wrote: ... anything resolving to 127.0.0.1 on this host is not necessarily resolving to 127.0.0.1 on any other host (ie the parent proxy) NP: having a DNS server resolve 127.0.0.1 for anything public is very nasty. Hi Amos, Thank you for your help. Meanwhile i did some more testing and found something strange. The test system cannot resolve any internet domains itself so its nameserver uses a forwarder. If i silently drop the DNS request packets through the packet filter, everything works fine. There is no delay on any requests. But, if i just remove the forwarder in DNS, so that every request for external domains result in a NXDOMAIN DNS reply, a request takes about 90 seconds until it's finally processed. The point i don't understand is, why Squid forwards the request without any DNS reply but seems to do some timeout handling if NXDOMAIN is replied? I also checked if there is any communcation between local squid and the parent proxy but there isn't any in the latter test case. Greetings, Matthias That seems very strange. Very strange. Squid using internal DNS resolver sends out UDP packets and waits for a reply positive or negative. Using that. The NXDOMAIN results make sense if we assume they come back with some TTL so short Squid needs to run through the DNS timeouts on every request. The silent drop case is a head scratcher of a puzzle. That is the one that should be getting very long timeouts while Squid waits for a reply that will never arrive. Anyway, getting rid of the dst ACL and making sure the peer is configured with an IP address should prevent any DNS lookups. IIRC your config already has the log_fqdn setting turned off. Amos -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
Amos Jeffries wrote: That seems very strange. Very strange. Squid using internal DNS resolver sends out UDP packets and waits for a reply positive or negative. Using that. The NXDOMAIN results make sense if we assume they come back with some TTL so short Squid needs to run through the DNS timeouts on every request. The silent drop case is a head scratcher of a puzzle. That is the one that should be getting very long timeouts while Squid waits for a reply that will never arrive. Anyway, getting rid of the dst ACL and making sure the peer is configured with an IP address should prevent any DNS lookups. IIRC your config already has the log_fqdn setting turned off. Amos Hello Amos, My last assumption was wrong. It seems that there is some optimization in the kernel so that a silent drop of packets is handled the same as a drop with ICMP packet. Therefore the named replied a lot faster than usual with SERVFAIL. Nevertheless, we're going to remove the dst-ACL which is not needed in this case. Thank you for your help! -- Matthias
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
mån 2009-09-21 klockan 10:49 +0200 skrev Silamael: The point i don't understand is, why Squid forwards the request without any DNS reply but seems to do some timeout handling if NXDOMAIN is replied? Probably you get a retransmission to another DNS server that answers when you block traffic to the one who responds with NXDOMAIN. When Squid gets NXDOMAIN back it starts using the domain search path, which involves additional DNS queries trying to search for the requested host. Regards Henrik
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Silamael wrote: Amos Jeffries wrote: This is usually a configuration problem. Please provide your squid.conf file contents (minus empty and comment lines) Amos No one has some idea what's wrong with our configuration? - --Matthias -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkq2AsMACgkQGgHcOSur6dQTZgCgn/O8WK5nXbbtmD4/HORnqFea p/MAnj8V2eIJ+nsWgo3uOrlQp7VvKdva =3UQx -END PGP SIGNATURE-
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
Silamael wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Silamael wrote: Amos Jeffries wrote: This is usually a configuration problem. Please provide your squid.conf file contents (minus empty and comment lines) Amos No one has some idea what's wrong with our configuration? Amos Jeffries wrote: This is usually a configuration problem. Please provide your squid.conf file contents (minus empty and comment lines) Amos Hello Amos, Here is our configuration. Thank you for your help. -- Matthias Sorry, got a bit busy. Here is a quick audit of your config... # # WARNING: Do not edit this file, it has been automatically generated. # # Prepends append_domain .domain.de unlinkd_program /usr/local/libexec/unlinkd ipcache_high 95 icp_port 0 ipcache_size 1024 http_port 127.0.0.1:8000 cache_dir ufs /var/squid/cache/cache-8000 100MB 8 16 debug_options ALL,1 server_persistent_connections on cache_swap_high 95 log_ip_on_direct off maximum_object_size 2 KB minimum_direct_hops 4 udp_incoming_address 127.0.0.1 pid_filename /var/squid/logs/squid-8000.pid ftp_user sq...@domain.de forwarded_for off cache_access_log /var/squid/logs/access-8000.log The above is obsolete since 2.6. Use access_log directive instead. visible_hostname domaind193.domain.de client_persistent_connections on cache_swap_low 90 logfile_rotate 0 ipcache_low 90 cache_effective_user _squid cache_log /var/squid/logs/cache-8000.log cache_effective_group _squid hosts_file none refresh_pattern . 0 20% 14400 cache_mem 8 MB cache_store_log none hierarchy_stoplist cgi-bin ? error_directory /usr/local/share/squid/errors/de Sure about that? 3.1 handles error languages nicely so the _visitors_ can read the message. The above specifies that 100% of your visitors must read German. acl manager proto cache_object acl localhost src 127.0.0.1/32 acl localdomain srcdomain domain.de acl localdst dstdomain .domain.de acl localhost-dst dst 127.0.0.1/32 'dst' ACL requires DNS lookups. This will be the cause of your problems. You require it to be checked before permitting anyone access. # user defined ACLs always_direct deny all refresh_pattern .domain.de 0 1% 0 refresh_pattern www.domain.de 0 1% 0 cache_peer 10.254.0.17 parent 0 default no-query always_direct allow localdst This will never happen. You already specified 'always_direct deny all'. never_direct allow all This is redundant with 'always_direct deny all' # Authentication # User options # Append acl Dangerous_ports port 7 9 19 acl CONNECT method CONNECT http_access deny Dangerous_ports http_access deny manager !localhost acl SSL_ports port 443 563 881 http_access deny CONNECT !SSL_ports http_access deny localhost-dst Above test requires DNS lookups. AND seems to have no purpose always_direct/never_direct settings force all requests to be passed to the parent proxy. anything resolving to 127.0.0.1 on this host is not necessarily resolving to 127.0.0.1 on any other host (ie the parent proxy) NP: having a DNS server resolve 127.0.0.1 for anything public is very nasty. Amos -- Please be using Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19 Current Beta Squid 3.1.0.13
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
sön 2009-09-20 klockan 23:26 +1200 skrev Amos Jeffries: never_direct allow all This is redundant with 'always_direct deny all' No it's not. It would have been redundant if there was an always_direct allow all, but not on deny. The default for both always_direct and never_direct is both deny. If always_direct says allow then the request will be forwarded direct by Squid. If not and never_direct says allow then Squid will forward the request via a peer. If both is in the default deny condition then Squid will decide automatically based on the request type and peer availability, hierarchy settings etc. Regards Henrik
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
Amos Jeffries wrote: This is usually a configuration problem. Please provide your squid.conf file contents (minus empty and comment lines) Amos Hello Amos, Here is our configuration. Thank you for your help. -- Matthias # # WARNING: Do not edit this file, it has been automatically generated. # # Prepends append_domain .domain.de unlinkd_program /usr/local/libexec/unlinkd ipcache_high 95 icp_port 0 ipcache_size 1024 http_port 127.0.0.1:8000 cache_dir ufs /var/squid/cache/cache-8000 100MB 8 16 debug_options ALL,1 server_persistent_connections on cache_swap_high 95 log_ip_on_direct off maximum_object_size 2 KB minimum_direct_hops 4 udp_incoming_address 127.0.0.1 pid_filename /var/squid/logs/squid-8000.pid ftp_user sq...@domain.de forwarded_for off cache_access_log /var/squid/logs/access-8000.log visible_hostname domaind193.domain.de client_persistent_connections on cache_swap_low 90 logfile_rotate 0 ipcache_low 90 cache_effective_user _squid cache_log /var/squid/logs/cache-8000.log cache_effective_group _squid hosts_file none refresh_pattern . 0 20% 14400 cache_mem 8 MB cache_store_log none hierarchy_stoplist cgi-bin ? error_directory /usr/local/share/squid/errors/de acl manager proto cache_object acl localhost src 127.0.0.1/32 acl localdomain srcdomain domain.de acl localdst dstdomain .domain.de acl localhost-dst dst 127.0.0.1/32 # user defined ACLs always_direct deny all refresh_pattern .domain.de 0 1% 0 refresh_pattern www.domain.de 0 1% 0 cache_peer 10.254.0.17 parent 0 default no-query always_direct allow localdst never_direct allow all # Authentication # User options # Append acl Dangerous_ports port 7 9 19 acl CONNECT method CONNECT http_access deny Dangerous_ports http_access deny manager !localhost acl SSL_ports port 443 563 881 http_access deny CONNECT !SSL_ports http_access deny localhost-dst http_access allow all
[squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello everyone! We're running a Squid version 3.1.12 with a cache peer configured. Furthermore Squid is configured to forward every request directly to the cache peer. Nevertheless Squid is doing a DNS query for every requests received. At this point only internal hostnames can be resolved so resolving any internet hostname will fail. This causes Squid to wait 2 minutes (default timeout for DNS requests) before the request is finally forwarded to the parent proxy. Is this a bug in Squid or some change in the default behaviour since 2.6? The same configuration works as intended in 2.6. Thank you for any advice! - -- Matthias -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkqxAiMACgkQGgHcOSur6dTTTwCbB6QK/gNqDzSzZo/UzwArr1RO pkwAnj/82cc+rsarGnR+MG1Od0iFuPx/ =R5me -END PGP SIGNATURE-
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
On Wed, 16 Sep 2009 17:20:05 +0200, Silamael silam...@coronamundi.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello everyone! We're running a Squid version 3.1.12 with a cache peer configured. Furthermore Squid is configured to forward every request directly to the cache peer. Nevertheless Squid is doing a DNS query for every requests received. At this point only internal hostnames can be resolved so resolving any internet hostname will fail. This causes Squid to wait 2 minutes (default timeout for DNS requests) before the request is finally forwarded to the parent proxy. Is this a bug in Squid or some change in the default behaviour since 2.6? The same configuration works as intended in 2.6. Thank you for any advice! This is usually a configuration problem. Please provide your squid.conf file contents (minus empty and comment lines) Amos
Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries
On Wed, 16 Sep 2009 17:20:05 +0200, Silamael silam...@coronamundi.de wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello everyone! We're running a Squid version 3.1.12 with a cache peer configured. Furthermore Squid is configured to forward every request directly to the cache peer. Nevertheless Squid is doing a DNS query for every requests received. At this point only internal hostnames can be resolved so resolving any internet hostname will fail. This causes Squid to wait 2 minutes (default timeout for DNS requests) before the request is finally forwarded to the parent proxy. Is this a bug in Squid or some change in the default behaviour since 2.6? The same configuration works as intended in 2.6. Thank you for any advice! You have a config problem. Please provide your squid.conf (without empty lines and comment lines). Amos