Am 03.02.2014 12:06, schrieb Amon Ott: > Am 03.02.2014 11:28, schrieb Amos Jeffries: >> On 3/02/2014 10:33 p.m., Amon Ott wrote: >>> Am 30.01.2014 13:25, schrieb Amon Ott: >>>> Attached is a cache.log from a test system with the above debug settings >>>> when accessing www.m-privacy.de, www.rsbac.org and www.google.de. Please >>>> note that in this test network, external DNS names can be resolved. If >>>> needed, I can also rearrange it to fail for external DNS. >>>> >>>> Also attached is a tcpdump -n "port 53 and host 192.168.200.106" on the >>>> LAN, starting when requesting www.rsbac.org. Subsequent reloads do not >>>> send new DNS requests, so the ipcache seems to work for these positive >>>> results. >>> >>> Just wanted to tell that version 3.4.3 shows the same behaviour. >> >> Okay one fairly easy test occurs to me. Squid DNS port used for outbound >> queries is static for the duration Squid runs. So you can check that >> Squid DNS port against the tcpdump source port used by the Squid mahcine >> in those lookups. > > Just checked: the DNS source port is bound by squid3, at least lsof says so.
Alright. I have worked through the log and the 3.4.3 sources with debug_options "ALL,4" and I have found the problem. In function FwdState::dispatch() in src/FwdState.cc:1235 the netdb measuring function netdbPingSite() is called for the URL host unconditionally, even if that host must never be connected to directly. The function netdbPingSite() at src/icmp/net_db.cc:941 uses ipcache_nbgethostbyname() to lookup the host's IP from the ipcache, these are the DNS accesses we see. As a workaround, I have built with configure option --disable-icmp to disable target host pinging completely. We have either no uplink proxy at all or must always use the uplink. The DNS lookups are gone now! AFAICS, the decision whether the host may be accessed directly has been done in peerCheckNeverDirectDone() at src/peer_select.cc:189 before FwdState::dispatch() gets active. So that info only needs to be passed into the request struct and used as condition for the netdbPingSite() call. Amon.