Re: DNS lookup on every request?

From: Snyder, Bob <>
Date: Tue, 20 Apr 1999 15:36:49 -0400

Henrik Nordstrom wrote:
>> be forwarded on to a parent cache without doing a DNS lookup to
>> validate it,
>> I have what I thought should work using never_direct and
>> cache_peer_access acl lists, but the web requests are still
>> failing because of the DNS lookup.
>> It looks like inside_firewall is what I want, but that's a 1.x-ism. :-)
>never_direct does the same as inside_firewall, except that it does not
>make things not matching never_direct go direct (always_direct are used
>for this purpose).
>> Am I doing this right?
>You probably have an ACL in your http_access lines which causes the DNS
>lookups, so your declaration of never_direct is not working.
>> If this is the right approach
>Yes, using never_direct is the right approach to forward requests which
>can't be resolved locally.

OK, I'm still having problems. I also upgraded to Squid 2.2.STABLE1. Here's
the relevant sections of my config file, with names changed to protect the
less innocent:

cache_peer parent 8080 7 no-query no-digest no-netdb-exchange

acl internal src
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow internal
http_access deny all

acl dstdom_regex -i [^:]*://[^:/]*example\.com[:/].*
cache_peer_access allow
cache_peer_access deny all
never_direct allow
never_direct deny all

The system is dual-homed, one interface on, the other on the
Internet side. is an internal (non-Squid) proxy that can speak to
internal runs a split-DNS, where internal systems
are not visible to external DNS. Squid is pointed at external DNS.

In access.log, I get:

924636501.872 48 TCP_MISS/503 1141 GET - DIRECT/ -

And the error page tells me "Host not found."

I've also tried acl dstdomain, and that fails the
same way. Will a dstdomain match any subordinate domain?


Received on Tue Apr 20 1999 - 13:25:23 MDT
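
Added illustration, not part of the original message and not Squid code: a small model of first-match never_direct evaluation, showing how the regex quoted in the post behaves under two ACL types. It assumes, per the ACL type descriptions in squid.conf, that dstdom_regex is tested against the request hostname only and url_regex against the full URL; the ACL name internal_sites and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Pattern exactly as quoted in the post (it was given with -i).
PATTERN = r"[^:]*://[^:/]*example\.com[:/].*"

def acl_matches(acl_type, pattern, url):
    """Assumed semantics: dstdom_regex sees the hostname, url_regex the whole URL."""
    if acl_type == "dstdom_regex":
        subject = urlsplit(url).hostname or ""
    elif acl_type == "url_regex":
        subject = url
    else:
        raise ValueError("unsupported ACL type: " + acl_type)
    return re.search(pattern, subject, re.IGNORECASE) is not None

def never_direct(rules, acls, url):
    """First matching rule wins; True means the request must go to a peer."""
    for action, acl_name in rules:
        if acl_name == "all" or acl_matches(*acls[acl_name], url):
            return action == "allow"
    return False

def route(acl_type, pattern, url):
    """PARENT: forwarded without local DNS. DIRECT: Squid may resolve the host itself."""
    acls = {"internal_sites": (acl_type, pattern)}       # hypothetical ACL name
    rules = [("allow", "internal_sites"), ("deny", "all")]
    return "PARENT" if never_direct(rules, acls, url) else "DIRECT"

INTERNAL = "http://intranet.example.com/index.html"     # constructed sample
EXTERNAL = "http://www.example.org/"                    # constructed sample
HOST_ONLY = r"(^|\.)example\.com$"                      # hostname-style pattern

if __name__ == "__main__":
    for acl_type, pattern in (("dstdom_regex", PATTERN),
                              ("url_regex", PATTERN),
                              ("dstdom_regex", HOST_ONLY)):
        print(acl_type, pattern, route(acl_type, pattern, INTERNAL))
```

Under these assumptions a URL-shaped pattern never matches a bare hostname, so the request falls through to "never_direct deny all" and the internal name is sent to whatever resolver Squid uses.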
