I found the answer after sniffing the traffic. Squid was using the
internal interface to make DNS requests. Even though I told it to use
DNS servers found on the outside interface, it still made the requests
with a source IP from the internal interface (10.1.1.15). Since I am
using IPF, I set up a NAT for outgoing traffic from the 10 network to
NAT to the external interface. Everything is working fine now.
It seems strange that Squid would use the internal interface even
though the IP address of one of the DNS servers was on the same subnet
as the external interface. When not using Squid, the box uses the
normal routing table to make its decisions. Is there a configuration I
missed?
>>>>
Squid 2.5.STABLE1-20021105 loaded on a dual homed FreeBSD 4.7 box set up
as a "secondary" proxy to the internet. Clients are configured for
proxy through the appropriate browser interface for 10.1.1.15:3128 (NOT
transparent). External interface (internet side) IP 9.9.9.254/24 and
internal interface (corporate side) IP 10.1.1.15/16 (IPs changed to
protect the innocent).
(Configuration of DNS is done with both resolv.conf and the squid.conf
dns_nameservers directive):
If I configure the box with only external DNS servers (9.9.9.1 and
11.11.11.1: we own both subnets), the squid box doesn't work... I cannot
get an internal workstation to connect to any internet websites (http).
If I give the box some internal DNS servers (10.1.1.2 and 10.1.1.3), it
works just fine. This works great until our primary internet connection
goes down (and thus the internal DNS servers can't resolve names).
If I go to the console (or ssh) for the squid box, it can resolve DNS
names perfectly with dig/nslookup using only external DNS servers. I
can use lynx to go anywhere also. The external DNS is working if I am
'on' the squid box.
Squid compiled from source with these options:
./configure --prefix=/usr/local/squid --quiet --enable-dl-malloc
--enable-storeio=diskd,ufs --enable-removal-policies='heap,lru'
--enable-basic-auth-helpers
make
make install
(I may have used --enable-auth-modules=NCSA but I'm not sure from my
notes).
I checked the squid cache manager and it shows squid making DNS
requests but no replies for the 2 different external DNS servers.
Is there something I am missing? This cannot be a backup to the
internet if the primary connection has to be running to resolve DNS.
Any help at all would be appreciated.
Pete
P.S. Yes, I am running IPF but I am not getting any blocks on traffic.
I set up rules at the bottom of IPF (for each interface and direction)
to block like this:
block in quick proto tcp/udp/icmp from any to any (only one proto for
each line). I am not seeing any blocks on any interfaces for traffic
when I'm monitoring/testing the DNS settings. Also, if IPF was causing
a problem, how is it I can use the CLI and lynx to use DNS but Squid
cannot?
Received on Tue Apr 22 2003 - 08:28:33 MDT
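The diagnosis above (queries leaving from 10.1.1.15 even though the routing table would pick the external interface for 9.9.9.1) can be reproduced without a sniffer by asking the kernel which source address it selects for a given DNS server, and comparing that with a socket bound to a fixed address the way the proxy behaved. This is an added example, not Pete's code or anything from Squid; the function names and the `expected_source` argument are my own, and the test uses loopback so it runs offline.

```python
import socket


def kernel_source_address(dns_server: str, port: int = 53) -> str:
    """Return the local IP the routing table chooses for datagrams to dns_server.

    connect() on a UDP socket transmits nothing; it only resolves the route and
    fixes the local address, which getsockname() then reports. This is what the
    console tools (dig, lynx) were getting on the dual-homed box.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dns_server, port))
        return s.getsockname()[0]


def bound_source_address(dns_server: str, bind_ip: str, port: int = 53) -> str:
    """Return the source IP used when the application binds a local address first.

    A resolver that binds its UDP socket to one interface address keeps that
    address regardless of the route to the server; the reply then has to find
    its way back to that address, which is the asymmetry observed with Squid.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, 0))
        s.connect((dns_server, port))
        return s.getsockname()[0]


def check_resolver_egress(dns_servers, expected_source: str) -> dict:
    """Map each DNS server to the source IP the kernel would use, when that
    differs from expected_source (the interface the queries should leave from).

    An empty result means every configured server would be queried from the
    expected address; a non-empty one points at a routing or binding problem
    to look at before blaming the packet filter.
    """
    mismatches = {}
    for server in dns_servers:
        chosen = kernel_source_address(server)
        if chosen != expected_source:
            mismatches[server] = chosen
    return mismatches


if __name__ == "__main__":
    # Constructed sample: loopback only, so this runs on any host.
    print(kernel_source_address("127.0.0.1"))
    print(check_resolver_egress(["127.0.0.1"], "127.0.0.1"))
```

Run it on the proxy host with the real `dns_nameservers` list and the external interface address as `expected_source`; any entry in the returned dict is a server whose queries leave from an address you did not intend.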