Re: squid and dns behind firewall

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 06 Aug 1999 11:15:03 +0200

Jürgen Sandner wrote:

> Thank you for answering.
> But there is still a problem: How can I set up an environment, where it depends
> on the destination, if squid should use the firewall, without using dst type ACL?
> The only way I can think of at the moment, is to use "cache_peer_domain", but
> will this really help me? I'm afraid it will do a DNS query, too.

cache_peer_domain will help by excluding your internal domains from the
peer (!domain), so will using dstdomain or dstdom_regex type ACLs in
always_direct.

If you use an ACL type which requires to use DNS to get the data you are
matching (as in the destination IP address) then Squid will query DNS.
If it can get all it needs from the request (i.e. URL) then it won't
query DNS.

--
Henrik Nordstrom
> 
> In my opinion, I must tell squid something like:
> Hey, look at the hostname-part in the URL.
> If it starts with "90" go direct.
> If there is a hostname in it, ending with "baypol", do a DNS query and go direct.
> In any other case, don't care about name resolution, because you won't see the
> name anyway, it's behind the firewall. So use the firewall.
> 
> My problem is, that we have a completely internal DNS, with our own root server.
> 
> We can't access Internet DNS, for us the only existing top-level domain is our
> "baypol".
> And we have internal web-servers, which we want to use, and there are also a few
> (thousand) servers out there in the internet, which might be interesting too. :-)
> 
> Juergen Sandner
Received on Fri Aug 06 1999 - 03:49:16 MDT
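
A squid.conf sketch of the setup discussed in this thread, added here as an example and not part of either message. The peer name `fw.example.invalid` and port 8080 are placeholders, and reading "starts with 90" as URLs that carry a 90.x.x.x IP literal is an assumption.

```conf
# Added example, not from the thread. "baypol" and the "90" prefix come from
# the question; fw.example.invalid:8080 is a placeholder for the firewall proxy.

# What to avoid: dst matches the destination IP address, so Squid has to
# resolve every requested hostname in DNS before it can evaluate the rule.
#   acl internal_net dst 90.0.0.0/8
#   always_direct allow internal_net

# URL-only ACLs: both are matched against the host part of the request URL,
# so no forward DNS lookup is needed to decide.
acl internal_dom dstdomain .baypol
# Assumption: internal servers addressed by IP literal, e.g. http://90.1.2.3/
acl internal_ip dstdom_regex ^90\.

# Internal destinations are fetched directly; only these names are resolved,
# and the internal DNS can answer for them.
always_direct allow internal_dom
always_direct allow internal_ip

# Everything else is handed to the firewall proxy unresolved.
# always_direct is evaluated before never_direct, so the rules above win.
cache_peer fw.example.invalid parent 8080 0 no-query default
never_direct allow all

# Caveat: when the URL host is an IP literal that does not match, dstdomain
# and dstdom_regex may try a reverse lookup. Current Squid releases accept
# "-n" on these ACL types to disable that lookup.
```

The peer's own hostname still has to resolve through the internal DNS, or be given as an IP address.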
