RE: [squid-users] Why do I have "idnsCheckQueue" timeouts ?

From: BENDAYAN J DsigTcs <Jacky.Bendayan@dont-contact.us>
Date: Tue, 27 Mar 2001 15:36:11 +0200

Hi again,

Well, I found my problem and, as I guessed, it was not squid.conf related :
it appears that /etc/HOSTNAME did not contain "localhost.localdomain" on
both Linux instances although the hostname was set (obviously, Linux does
not guarantee that, when set in some place, the hostname is set in all
relevant places - there should'nt be so many places, but that's how it
is...).

I cannot explain how the IP based ACL's for "INTRANET*" work when there is
no DNS (perhaps because the URLs' links of Intranet web pages are "hard" IP
adresses), but all is well now.

Thanks anyway

-----Message d'origine-----
De: Henrik Nordstrom [mailto:hno@hem.passagen.se]
Date: lundi 26 mars 2001 19:24
À: BENDAYAN J DsigTcs
Cc: Squid users
Objet: Re: [squid-users] Why do I have "idnsCheckQueue" timeouts ?

How can you use IP based ACL's for "INTRANET*", if there is no DNS?

If you have a private DNS without access to Internet DNS data then make
sure you also have private DNS root servers, and that all your DNS
servers are configured to use your root servers rather than the official
ones in their DNS cache primer files...

Most people use the dstdomain ACL type for matching intranet services.
This completely avoids the need to ask DNS to find out if the site is a
intranet site or not..

--
Henrik Nordstrom
Squid hacker
BENDAYAN J DsigTcs wrote:
> 
> Thanks for the reply.
> 
> Actually, the question was twofold :
> 
> 1/ I cannot explain why the two squid instances do not behave identically
> (one timeouts on idnsCheckQueue and not the other) when all configuration
> files (squid qnd system) are the same. I checked everything by diff'ing
> them.
> 
> 2/ I have effectively used a sequence
> "acl INTRANET1 dst 192.0.0.0/255.0.0.0"
> "acl INTRANET2 dst 194.0.0.0/255.0.0.0"
> "always_direct allow INTRANET1"
> "always_direct allow INTRANET2"
> "never_direct allow all"
> in squid.conf because I think that, coupled with "cache_peer 192.16.252.10
> parent 3129 3130 default proxy-only no-netdb-exchange" will do the trick I
> need : ie directly route all INTRANET1/2 requests to the servers, route
all
> Internet requests to the peer squid.
> 
> Your suggestions on how to achieve this more efficiently are welcome and
> thanks again.
> 
> -----Message d'origine-----
> De: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> Date: lundi 26 mars 2001 16:47
> À: BENDAYAN J DsigTcs
> Cc: 'squid-users@squid-cache.org'
> Objet: Re: [squid-users] Why do I have "idnsCheckQueue" timeouts ?
> 
> Something in your squid.conf causes Squid to try to make DNS lookups.
> 
> Possible sources:
> 
> a) http_access using dst ACL type
> b) Improper forwarding setup for a DNS-less child cache
>    never_direct allow all
> 
> --
> Henrik Nordstrom
> Squid hacker
> 
> BENDAYAN J DsigTcs wrote:
> 
> > I cannot explain why the future "production" system gives
"idnsCheckQueue"
> > timeouts (the exact message is "idnsCheckQueue : ID xx: giving up after
21
> > tries and y.z seconds" whereas the "test" one doesn't.
> >
> > The only effect of the timeouts is to introduce a delay in serving the
> > requests and it happens only the first time I provide a URL to a "new"
> > domain.
> >
> > We do not use a DNS server on these 2 instances although named runs on
> both.
> > The requests to the Internet are automatically proxied to another squid
> > instance that is behind our firewall and this instance is responsible
for
> > name resolution.
> *************************************************************************
> 
> Ce message et toutes les pièces jointes (ci-après le "message") sont
> confidentiels et établis à l'intention exclusive de ses destinataires.
> Toute utilisation ou diffusion non autorisée est interdite.
> Tout message électronique est susceptible d'altération.
> La SOCIETE GENERALE et ses filiales déclinent toute responsabilité au
titre de ce message s'il a été altéré, déformé ou falsifié.
> 
>                                 ********
> 
> This message and any attachments (the "message") are confidential and
> intended solely for the addressees.
> Any unauthorised use or dissemination is prohibited.
> E-mails are susceptible to alteration.
> Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates shall
be liable for the message if altered, changed or falsified.
> 
> *************************************************************************
*************************************************************************
Ce message et toutes les pièces jointes (ci-après le "message") sont
confidentiels et établis à l'intention exclusive de ses destinataires.
Toute utilisation ou diffusion non autorisée est interdite. 
Tout message électronique est susceptible d'altération. 
La SOCIETE GENERALE et ses filiales déclinent toute responsabilité au titre de ce message s'il a été altéré, déformé ou falsifié.
				********
This message and any attachments (the "message") are confidential and
intended solely for the addressees.
Any unauthorised use or dissemination is prohibited. 
E-mails are susceptible to alteration.   
Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates shall be liable for the message if altered, changed or falsified. 
*************************************************************************
Received on Tue Mar 27 2001 - 06:39:26 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:58:59 MST