Re: DNS lookup on every request?

From: Snyder, Bob <RSnyder@dont-contact.us>
Date: Tue, 20 Apr 1999 15:36:49 -0400

Henrik Nordstrom wrote:
>> be forwarded on to a parent cache without doing a DNS lookup to
>> validate it,
>
>> I have what I thought should work using never_direct and
>> cache_peer_access acl lists, but the web requests are still
>> failing because of the DNS lookup.
>> It looks like inside_firewall is what I want, but that's a 1.x-ism. :-)
>
>never_direct does the same as inside_firewall, except that it does not
>make things not matching never_direct go direct (always_direct are used
>for this purpose).
>
>> Am I doing this right?
>
>You probably have an ACL in your http_access lines which causes the DNS
>lookups, you your declaration of never_direct is not working.
>
>> If this is the right approach
>
>Yes, using never_direct is the right approach to forward requests which
>can't be resolved locally.

OK, I'm still having problems. I also upgraded to Squid 2.2.STABLE1. Here's
the relevant sections of my config file, with names changed to protect the
less innocent:

cache_peer 10.1.1.11 parent 8080 7 no-query no-digest no-netdb-exchange

acl internal src 10.1.1.0/255.255.255.0
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow internal
http_access deny all

acl example.com dstdom_regex -i [^:]*://[^:/]*example\.com[:/].*
cache_peer_access 10.1.1.11 allow example.com
cache_peer_access 10.1.1.11 deny all
never_direct allow example.com
never_direct deny all

The system is dual-homed, one interface on 10.1.1.124, the other on the
Internet side. 10.1.1.11 is an internal (non-Squid) proxy that can speak to
internal example.com. example.com runs a split-DNS, where internal systems
are not visible to external DNS. Squid is pointed at external DNS.

In access.log, I get:

924636501.872 48 10.1.1.120 TCP_MISS/503 1141 GET
http://foo.example.com/ - DIRECT/foo.example.com -

And the error page tells me "Host not found."

I've also tried acl example.com dstdomain example.com, and that fails the
same way. Will a dstdomain match any subordinate domain?

Thoughts?

Bob
Received on Tue Apr 20 1999 - 13:25:23 MDT
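
Added example, not part of the message above and not Squid code: a Python sketch that tests the posted pattern against the two strings a Squid regex ACL can be compared with, the request's host name (dstdom_regex) and the whole URL (url_regex). The function names, the host-only pattern HOST_PATTERN and the sample URLs are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern copied from the posted config (acl example.com dstdom_regex -i ...).
POSTED_PATTERN = r"[^:]*://[^:/]*example\.com[:/].*"
# Hypothetical host-only pattern, constructed for this example.
HOST_PATTERN = r"(^|\.)example\.com$"

# Constructed sample requests; the first is the URL from the access.log line.
SAMPLE_URLS = (
    "http://foo.example.com/",
    "http://example.com:8080/index.html",
    "http://badexample.com/",
)


def acl_subject(acl_type, url):
    """Return the string the given ACL type is compared against."""
    if acl_type == "dstdom_regex":
        # Host name only: no scheme, port or path.
        return urlsplit(url).hostname or ""
    if acl_type == "url_regex":
        return url
    raise ValueError("unsupported ACL type: %s" % acl_type)


def acl_matches(acl_type, pattern, url, ignore_case=True):
    """Unanchored regex search, as with the -i option when ignore_case is set."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, acl_subject(acl_type, url), flags) is not None


def evaluate(urls=SAMPLE_URLS):
    """Map (acl_type, pattern, url) to the match result for each combination."""
    combos = (
        ("dstdom_regex", POSTED_PATTERN),
        ("url_regex", POSTED_PATTERN),
        ("dstdom_regex", HOST_PATTERN),
    )
    return {
        (acl_type, pattern, url): acl_matches(acl_type, pattern, url)
        for acl_type, pattern in combos
        for url in urls
    }


if __name__ == "__main__":
    for (acl_type, pattern, url), hit in evaluate().items():
        print("%-12s %-40s %-36s %s" % (acl_type, pattern, url, hit))
```

The posted pattern requires "://", which a bare host name never contains, and as a URL pattern it also accepts look-alike hosts such as badexample.com because nothing anchors the text before "example".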
