Re: squid and dns behind firewall

From: Thilo Manske <Thilo.Manske@dont-contact.us>
Date: Fri, 6 Aug 1999 10:04:52 +0200

On Fri, Aug 06, 1999 at 08:04:52AM +0200, Jürgen Sandner wrote:
> Henrik Nordstrom wrote:
> > > acl local-domain dstdom_regex -i baypol
> > > acl local-ip dst 90.0.0.0/255.0.0.0
> >
> > dst type ACLs require DNS access. You need to set up your access rules to
> > not use a dst type ACL if you do not want to have DNS queried.
>
> Thank you for answering.
> But there is still a problem: How can I set up an environment, where it depends
> on the destination, if squid should use the firewall, without using dst type ACL?
> The only way I can think of at the moment, is to use "cache_peer_domain", but
> will this really help me? I'm afraid it will do a DNS query, too.
>
> In my opinion, I must tell squid something like:
> Hey, look at the hostname-part in the URL.
> If it starts with "90" go direct.
Have you tried: "acl local-ip dstdom_regex ^90\."?

> If there is a hostname in it, ending with "baypol", do a DNS query and go
> direct.
I would use "acl local-domain dstdomain baypol"
instead of "dstdom_regex -i baypol" here
or maybe "dstdomain \.baypol$"

> In any other case, don't care about name resolution, because you won't see the
> name anyway, it's behind the firewall. So use the firewall.
always_direct allow direct1
always_direct allow direct2

> My problem is, that we have a completely internal DNS, with our own root server.
> We can't access Internet DNS, for us the only existing top-level domain is our
> "baypol".
> And we have internal web-servers, which we want to use, and there are also a few
> (thousand) servers out there in the internet, which might be interesting too.
IMHO this is a completely f*cked up DNS/IP setup. :-)
Whoever chose 90 (instead of 10, see RFC 1918) for your internal network and
invented the baypol toplevel domain should be punished with 3 weeks of
administrating an NT network. I bet this will cause some more headaches in
future...

-- 
This is Thilo's Unix signature! Have fun with it.
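Putting the thread's advice together as a squid.conf fragment (an added example, not from any of the posters; the parent proxy name and port are placeholders), with the DNS-triggering dst ACL shown commented out beside its replacement:

```conf
# Added example squid.conf fragment (Squid 2.x style syntax), not from the thread.
# PLACEHOLDER: the firewall proxy hostname and port are assumptions.
cache_peer firewall.placeholder parent 8080 0 no-query default

acl all src 0.0.0.0/0.0.0.0

# Weak form from the thread: a dst ACL must resolve the URL's hostname to an
# IP address before it can match, so every request forces a DNS lookup.
#acl local-ip dst 90.0.0.0/255.0.0.0

# Replacement: match on the host string in the URL instead.
# IP literals in the internal 90/8 range ...
acl local-ip dstdom_regex ^90\.
# ... and any name under the internal top-level domain (leading dot also
# matches subdomains, e.g. www.baypol).
acl local-domain dstdomain .baypol

# Go direct for both; only local-domain hits get resolved, and those are
# exactly the names the internal DNS can answer.
always_direct allow local-ip
always_direct allow local-domain
# Everything else is handed to the firewall proxy without resolving the name.
never_direct allow all
```

Squid's ACL documentation notes that dstdomain and dstdom_regex fall back to a reverse lookup when the URL host is an IP literal and nothing matches, so IP-literal URLs outside 90/8 still trigger one (failing) reverse query before going to the firewall.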
Received on Fri Aug 06 1999 - 02:04:12 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:47:52 MST