Re: [squid-users] Unwanted DNS queries

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Tue, 24 Sep 2013 15:31:07 +0300

Hey there,

You can try to define a dst domain regex that will verify the
destination domain.

I am trying to understand how you can use a proxy and no DNS?
In the case of a simple forward proxy the request is made by
the user and then a DNS lookup is attempted.
Once you see the request details in the debug_options output you can see
when it is happening and then understand the reason for it.
What does a reconf of the service do? Is it affecting anything at all?
You do have dstdomain ACLs which can be the source of some of the
trouble, but it's not 100% until tested more.
Can you describe the network environment in more detail?
It can help to understand the way things are.
The fastest way to deny DNS queries is to lower the way they are being
handled.
Let's say a 1ms SERVFAIL response can help lots of stuff in a case where you
know they are not needed.
But if they are indeed needed there will be an error that will describe
the nature and maybe the source of the problem.
Using a small local non-recursive DNS server might be the solution, if
not already.

Regards,
Eliezer

On 09/24/2013 09:30 AM, T Ls wrote:
> Hi,
>
> today, some users complained about poor response time of the webproxy.
> Searching for a possible reason, I found, that the proxy makes a DNS
> request (mostly AAAA but also A) for every http request. We are behind a
> firewall and resolving internet names is impossible, we have to use
> parent proxies to reach the internet and I thought, I configured squid
> that way (config at the end of the mail). When I saw the DNS queries, my
> first guess was a dst-ACL, but there are no dst-ACLs.
>
> I recorded some traffic at the proxy and looked inside with wireshark,
> for every http request the proxy queries both its nameservers for the
> IP(v6) of the destination host and after these queries failed the http
> request is forwarded to the parent proxy, the content is fetched from
> web and delivered to the client.
>
> Last week, I made some changes to the logformat, but switching back to
> the original format did not stop the DNS queries.
>
> Where is the error in my config, what causes the DNS queries?
>
> Thanks in advance
> Thomas
>
>
>
>
> ------------------------
> squid.conf:
> ^^^^^^^^^^^
> include /mnt/squid3-shared-settings/*.conf
>
> visible_hostname proxy.my.domain.org
>
> hierarchy_stoplist cgi-bin ?
>
> cache_peer parent-ip1 parent 80 7 no-query no-digest
> cache_peer parent-ip2 parent 80 7 no-query no-digest
> cache_peer proxy.domain.org parent 9999 7 no-query no-digest
>
> cache_peer_access proxy.domain.org allow MYDOMAINS
> cache_peer_access parent-ip-1 deny MYDOMAINS
> cache_peer_access parent-ip-2 deny MYDOMAINS
>
> ### MEMORY CACHE OPTIONS ...
> ### Disk-Cache Optionen ...
>
>
> ------------------------------------------------
> access.conf:
> ^^^^^^^^^^^^
>
> acl localhost src 127.0.0.1/32
> acl Safe_ports port "...SafePorts.txt"
> acl SSL_ports port 443 563 8443 9443
> acl CONNECT method CONNECT
>
> acl MYNET src ip-range1
> acl MYNET src ip-range2
> acl MYNET ...
>
> acl MY-LOCAL-DOMAIN dstdomain .my.domain.org
>
> acl badURLs dstdomain "...badURLs.txt"
> acl goodTLDs dstdomain "...goodTLDs.txt"
> acl adminPCs src "...adminPCs.txt"
> acl labPcs src "...labor-pcs.txt"
>
>
> acl MYDOMAINS dstdomain .domain.org
> acl MYDOMAINS dstdomain .domain.net
> acl MYDOMAINS dstdomain .domain.eu
>
>
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access deny labPcs
> http_access allow adminPCs
> http_access deny badURLs
> http_access deny !goodTLDs
>
> http_access allow MYNET
> http_access deny all
>
> htcp_access deny all
> htcp_clr_access deny all
>
> ----------------------------------------------
> common-server.conf:
> ^^^^^^^^^^^^^^^^^^^
>
> http_port 8080
> error_directory /usr/share/squid/errors/de
> log_icp_queries on
> cache_effective_user squid
> cache_effective_group nogroup
> cache_mgr me_at_my.domain.org
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
>
> -----------------------------------------------------------
> logging.conf:
> ^^^^^^^^^^^^^
>
>
> logformat myformat %tl %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<A %mt
> cache_access_log /var/log/squid/access.log myformat
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> pid_filename /var/log/squid/squid.pid
> debug_options ALL,1
>
> ------------------------------------------------------------
> request-forward.conf:
> ^^^^^^^^^^^^^^^^^^^^^
>
>
> always_direct allow MY-LOCAL-DOMAIN
>
> never_direct deny MY-LOCAL-DOMAIN
> never_direct allow all
>
Received on Tue Sep 24 2013 - 12:31:19 MDT
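
Added example, not part of the thread and not Squid code: a tiny non-recursive
DNS responder of the kind suggested above. It answers A/AAAA for one local zone
from a static table and returns SERVFAIL immediately for every other name, so a
proxy that insists on resolving origin hosts gets an instant negative answer
instead of waiting on a firewall timeout. The zone name, the records and the
query transaction ID are constructed sample data; the listening address is an
assumption.

```python
# Added example (not from the thread): minimal non-recursive DNS responder.
# Local zone: answer from a static table (authoritative). Any other name:
# SERVFAIL at once, no recursion, no upstream query.
import socket
import struct

LOCAL_ZONE = "my.domain.org."            # assumption: zone reachable without the parent proxy
LOCAL_RECORDS = {                        # constructed sample data
    "proxy.my.domain.org.":    {"A": "192.0.2.10"},
    "intranet.my.domain.org.": {"A": "192.0.2.20", "AAAA": "2001:db8::20"},
}

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
FLAG_QR, FLAG_AA, FLAG_RD, OPCODE_MASK = 0x8000, 0x0400, 0x0100, 0x7800


def encode_name(name):
    """Turn 'a.b.c' into DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_name(packet, offset):
    """Read an uncompressed name at offset; return (lowercased fqdn, next offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", offset


def build_query(name, qtype, txid=0x1234):
    """Client side: a standard recursion-desired query (used for testing)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query):
    """Server side: one question in, one response packet out."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]

    answers = b""
    in_zone = qname == LOCAL_ZONE or qname.endswith("." + LOCAL_ZONE)
    if not in_zone:
        rcode = RCODE_SERVFAIL                  # fail fast, never recurse
    elif qname not in LOCAL_RECORDS:
        rcode = RCODE_NXDOMAIN                  # authoritative "no such name"
    else:
        rcode = RCODE_NOERROR                   # NOERROR with no RRs = NODATA
        typename = {QTYPE_A: "A", QTYPE_AAAA: "AAAA"}.get(qtype)
        addr = LOCAL_RECORDS[qname].get(typename)
        if addr is not None and qclass == 1:
            family = socket.AF_INET if typename == "A" else socket.AF_INET6
            rdata = socket.inet_pton(family, addr)
            # 0xC00C is a pointer to the question name at offset 12
            answers = struct.pack("!HHHIH", 0xC00C, qtype, 1, 60, len(rdata)) + rdata

    resp_flags = FLAG_QR | (flags & OPCODE_MASK) | (flags & FLAG_RD) | rcode
    if in_zone:
        resp_flags |= FLAG_AA                   # authoritative only for our zone
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1 if answers else 0, 0, 0)
    return header + question + answers


def rcode_of(response):
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def answer_count(response):
    return struct.unpack("!H", response[6:8])[0]


def is_authoritative(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_AA)


def serve(host="127.0.0.1", port=53):
    """Blocking UDP loop; point the proxy's dns_nameservers at host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error):
            pass                                # malformed packet: drop it


if __name__ == "__main__":
    serve()
```

Run it as root (port 53) on the proxy host and set `dns_nameservers 127.0.0.1`
in squid.conf; the lookups Squid makes for outside hosts then fail in well
under a millisecond instead of waiting for the firewall to drop them, while
names in the local zone still resolve. If those lookups turn out to be needed
the cache.log will now say so immediately, which is the point of the
SERVFAIL-fast approach.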

This archive was generated by hypermail 2.2.0 : Tue Sep 24 2013 - 12:00:04 MDT