Re: DNS lookup on every request?

From: <SNS@dont-contact.us>
Date: Mon, 12 Apr 1999 10:42:40 +0100

I have two approaches for this problem:

1. First one with one Squid-box

Internet ------ Firewall ------- Squid-Box --------- Firewall ---- internal Network
                                 External DNS-Server               internal DNS-Server

Set the Squid-Box to resolve all DNS with the internal DNS-Server and
config the internal DNS-Server to use the external DNS-Server as a
forwarder for all unknown Domains.

2. Second with Two Squid-Boxes and more secure

Internet --- Firewall --- Squid-Box-Extern --- Firewall --- Squid-Box-Intern --- Firewall --- internal Network
                          External DNS-Server                                                 internal DNS-Server

Config the Squid-Box-Extern to use the External DNS-Server and put the
Squid-Box-Intern into /etc/hosts (First look into files, then DNS). Config
Squid-Box-Intern to use internal DNS-Server and put Squid-Box-Extern into
/etc/hosts (First look into files, then DNS). Squid-Box-Extern is the one
and only parent of Squid-Box-Intern. Start Squid-Box-Intern with option -D
(disable DNS-Tests) and use the never_direct feature of Squid 2.x.

Best regards,

Stephan Sachweh

"rsnyder+squid"@toontown.erial.nj.us (Bob Snyder)
09.04.99 21:36

To: squid-users@ircache.net
cc: (bcc: Stephan Sachweh/Dortmund/ExperTeam/DE)
Subject: DNS lookup on every request?

I'm trying to set up a proxy that can deal with a split DNS system well...
Essentially, I want all requests for foo.com (and bar.foo.com, and so on)
to be forwarded on to a parent cache without doing a DNS lookup to validate
it, since my proxy can't resolve internal foo.com addresses, but the proxy
I'm forwarding to can.

I have what I thought should work using never_direct and cache_peer_access
acl lists, but the web requests are still failing because of the DNS
lookup. It looks like inside_firewall is what I want, but that's a 1.x-ism. :-)

Am I doing this right? If this is the right approach, I'll sanitize my
config and send the relevant sections in to the list. If not, could someone
send me what the appropriate approach is? Thanks....

Bob
Received on Mon Apr 12 1999 - 02:50:48 MDT
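
An added example, not part of the original posts and not Squid's own tooling: a small Python audit of a squid.conf for a proxy that, like Squid-Box-Intern in approach 2, must hand every request to a single parent and never resolve origin hosts itself. It also flags `dst` ACLs, which match on the destination address and therefore need a DNS lookup of the requested host, unlike `dstdomain`. The host names, ACL names and sample config are constructed, and the check assumes the catch-all ACL is named `all` as in the stock configuration.

```python
# Constructed sample config for the inner proxy; host and ACL names are placeholders.
SAMPLE_CONF = """\
cache_peer squid-extern.example.net parent 3128 0 no-query default
acl all src 0.0.0.0/0.0.0.0
# dst matches on the destination address, so the host must be resolved first
acl dmz_hosts dst 192.0.2.0/24
# dstdomain compares the requested host name only
acl partner dstdomain .foo.com
http_access deny dmz_hosts
http_access allow all
never_direct allow all
"""

# Directive name -> index of the first ACL name on the line.
ACCESS_RULES = {"http_access": 2, "never_direct": 2, "always_direct": 2,
                "cache_peer_access": 3}


def audit(conf_text):
    """Return findings for a proxy that must forward every request to its parent."""
    acl_type, parents, rules = {}, [], []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3:
            continue
        if tok[0] == "acl":
            acl_type[tok[1]] = tok[2]
        elif tok[0] == "cache_peer" and tok[2] == "parent":
            parents.append(tok[1])
        elif tok[0] in ACCESS_RULES:
            rules.append(tok)

    findings = []
    if len(parents) != 1:
        findings.append(f"expected exactly one parent, found {len(parents)}")
    if ["never_direct", "allow", "all"] not in rules:
        findings.append("missing 'never_direct allow all'")
    for tok in rules:
        if tok[0] == "always_direct" and tok[1] == "allow":
            findings.append("always_direct allow bypasses the parent: " + " ".join(tok))
        for name in tok[ACCESS_RULES[tok[0]]:]:
            acl = name.lstrip("!")  # a leading '!' negates the ACL
            if acl_type.get(acl) == "dst":
                findings.append(f"{tok[0]} uses dst ACL '{acl}' (needs DNS)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```
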

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:45:47 MST