Re: Squid hangs waiting for AAAA record lookups that time-out

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 11 Apr 2011 23:22:34 +1200

On 11/04/11 21:29, Fabian Hugelshofer wrote:
> Hi Squid developers,
>
> Using Squid 3.1.9 with the internal resolver and IPv6 support enabled I
> stumbled across a problem:
>
> Squid sends AAAA DNS queries probably while checking the ACLs. There are
> broken DNS servers that do not reply to AAAA queries. If this happens,
> then Squid hangs for quite some time while waiting for a reply without
> asking for an A record.
>
> In our setup, there is a local DNS server that sends SERVFAIL after 30s
> without a reply. In this case Squid hangs for 90s. Without the SERVFAIL,
> Squid hangs for 3*dns_retransmit_interval + dns_timeout (45s with
> default values). Using a parent proxy does not change this behaviour.
>
> After waiting for a reply, Squid sends an A query that is answered
> immediately and then everything works fine until the AAAA queries are
> sent again after negative_dns_ttl.
>
> There is a bug report in Debian that is probably related:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604566
>
> Do you see a way and a need to improve this behaviour for sites with
> broken DNS servers? Fixing the remote DNS servers, disabling IPv6
> support or reducing the DNS timeouts help, but might not be feasible
> solutions in every case.
>
> There was a discussion about parallel AAAA/A queries last year. Are
> there any plans in implementing this (especially for ACLs)?
> Thread:
> http://www.mail-archive.com/squid-dev@squid-cache.org/msg12801.html
>
> A test URL is e.g. https://ibol18.ibb.ubs.com. The same problem persists
> in 3.2.0.5. DNS or HTTP traces can be provided if requested.
>
> Best regards,
>
> Fabian Hugelshofer
>
> PS: Please include my email address in replies as I am not a member of the
> list.

Thanks for the reminder Fabian,

We have a good idea of what needs to be done to implement parallel
lookups. Unfortunately none of us currently have the time to do the
alterations.

Life and other commitments appear to have taken away Henrik who was
going to do it earlier. It remains way down on my todo list after a long
list of other bugs.

Meanwhile this is helping to highlight the broken sites and aid in their
fixes. Fixing the global DNS connectivity is the highest priority. The
"ipocalypse" is already hitting networks on this side of the world even
though we have several weeks left before formally reaching the end of
IPv4 availability.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.12
   Beta testers wanted for 3.2.0.6
Received on Mon Apr 11 2011 - 11:22:41 MDT
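
Added example (not part of the original messages and not Squid code): a minimal probe for the failure mode described in this thread, a name server that answers A queries but never replies to AAAA queries. The IPv4 server address, the query name and the 3-second timeout are assumptions chosen for illustration.

```python
import random
import socket
import struct
import time

QTYPES = {"A": 1, "AAAA": 28}
# Assumption: `server` is the IPv4 address of the resolver under test.

def build_query(name, qtype):
    """Return (query_id, wire-format DNS query) for one name and record type."""
    qid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return qid, header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def probe(server, name, qtype, port=53, timeout=3.0):
    """Send one query over UDP; return (status, seconds) where status is an
    RCODE name, or 'TIMEOUT' if no matching reply arrives within `timeout`."""
    qid, packet = build_query(name, qtype)
    rcodes = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(packet, (server, port))
        while True:
            remaining = timeout - (time.monotonic() - start)
            if remaining <= 0:
                return "TIMEOUT", time.monotonic() - start
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                return "TIMEOUT", time.monotonic() - start
            if len(data) >= 12:
                rid, flags = struct.unpack("!HH", data[:4])
                if rid == qid and flags & 0x8000:  # our query id, QR bit set
                    code = flags & 0x000F
                    return rcodes.get(code, "RCODE%d" % code), time.monotonic() - start

def aaaa_stalls(server, name, port=53, timeout=3.0):
    """True when the A query is answered but the AAAA query times out."""
    a_status, _ = probe(server, name, "A", port, timeout)
    aaaa_status, _ = probe(server, name, "AAAA", port, timeout)
    return a_status != "TIMEOUT" and aaaa_status == "TIMEOUT"

if __name__ == "__main__":
    import sys
    for qt in ("A", "AAAA"):
        print(qt, *probe(sys.argv[1], sys.argv[2], qt))
```

Run it as a script with the resolver address and a host name as the two arguments; an A line with an RCODE next to an AAAA line reading TIMEOUT matches the behaviour reported above.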
