Re: [squid-users] dnsserver ignoring -s

From: UIA Security Team <security@dont-contact.us>
Date: Fri, 27 Jun 2003 13:42:59 -0700

Hi Henrik,

Thanks for your comments; we did try this. We need to use dnsserver because
it pays attention to /etc/hosts, and the internal resolver does not.

To us it seems like either something super obvious that we are missing, or
a bug. Here is a capture of the problem in action (with the juicy bits
changed).

[user@host]# host www.domain.com xxx.xxx.xxx.1
Using domain server xxx.xxx.xxx.1:
www.domain.com is a nickname for domain.com
domain.com has address xxx.xxx.xxx.218
domain.com mail is handled (pri=10) by mailserver1.provider.com
domain.com mail is handled (pri=20) by mailserver2.provider.com
[user@host]# host www.domain.com xxx.xxx.xxx.129
Using domain server xxx.xxx.xxx.129:
www.domain.com is a nickname for domain.com
domain.com has address xxx.xxx.xxx.218
domain.com mail is handled (pri=20) by mailserver2.provider.com
domain.com mail is handled (pri=10) by mailserver1.provider.com
[user@host]# /usr/squid/libexec/dnsserver -s xxx.xxx.xxx.1 -s xxx.xxx.xxx.129
www.domain.com
$fail DNS Domain 'www.domain.com' is invalid: Host not found (authoritative).
^C
[user@host]#

Tcpdump reveals that the servers in resolv.conf are being queried.

Our config:

logfile_rotate 5
dns_nameservers xxx.xxx.xxx.1 xxx.xxx.xxx.1
http_port xxx8
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl DENYPAGE urlpath_regex mykplan
no_cache deny DENYPAGE
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl allowed_hosts src xxx.xxx.xxx.224/255.255.255.224 xxx.xxx.xxx.48/255.255.255.240 127.0.0.1/255.255.255.255 xxx.xxx.xxx.0/255.255.255.0
http_access allow manager localhost
http_access deny manager all
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
icp_access allow allowed_hosts
icp_access deny all
cache_mgr support@provider.com
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
visible_hostname host.provider.com

Our OS:

FreeBSD host.provider.com 4.5-RELEASE FreeBSD 4.5-RELEASE #1: Wed May 14
07:38:39 PDT 2003 user@host:/usr/src/sys/compile/TKERN i386

Any other thoughts? Are we doing something dumb?

Thanks again,

--Liam

At 09:04 PM 6/27/2003 +0200, Henrik Nordstrom wrote:
>fre 2003-06-27 klockan 17.44 skrev UIA Security Team:
> > Hi all,
> >
> > We're having a problem getting the dnsserver processes to pay attention to
> > the -s flags. We set dns_nameservers in the squid.conf, and I see the
> > dnsserver processes being spawned with the -s parameters correctly, but
> > they are ignoring the passed nameservers and are using the ones out of
> > resolv.conf.
> >
> > We are using Squid 2.5.STABLE3 on FreeBSD 4.5.
>
>Don't use dnsserver, instead use the default internal DNS resolver.
>
>To be precise: Do not compile squid with --disable-internal-dns.
>
>Regards
>Henrik
>
>--
>Donations welcome if you consider my Free Squid support helpful.
>https://www.paypal.com/xclick/business=hno%40squid-cache.org
>
>Please consult the Squid FAQ and other available documentation before
>asking Squid questions, and use the squid-users mailing-list when no
>answer can be found. Private support questions are only answered
>for a fee or as part of a commercial Squid support contract.
>
>If you need commercial Squid support or cost effective Squid and
>firewall appliances please refer to MARA Systems AB, Sweden
>http://www.marasystems.com/, info@marasystems.com
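Added example (not code from the thread or from the Squid project): a small Python check of the verification step Liam describes above, comparing the resolvers named by dns_nameservers in squid.conf against the destinations seen in a tcpdump of port-53 traffic, so that a resolver taken from /etc/resolv.conf rather than from the configuration stands out. The squid.conf fragment and tcpdump lines are constructed, with documentation-range addresses in place of the xxx'd ones.

```python
"""Report DNS resolvers a Squid host queries that its squid.conf does not name."""
import re

# Constructed squid.conf fragment (addresses are placeholders).
SQUID_CONF = """\
logfile_rotate 5
dns_nameservers 192.0.2.1 192.0.2.129
http_port 3128
"""

# Constructed 'tcpdump -n port 53' output; 198.51.100.7 stands in for a
# resolver that is only listed in /etc/resolv.conf.
TCPDUMP = """\
13:42:01.000000 IP 192.0.2.10.49152 > 192.0.2.1.53: 1+ A? www.example.com. (32)
13:42:01.010000 IP 192.0.2.1.53 > 192.0.2.10.49152: 1 1/0/0 A 192.0.2.218 (48)
13:42:02.000000 IP 192.0.2.10.49153 > 198.51.100.7.53: 2+ A? www.example.com. (32)
13:42:03.000000 IP 192.0.2.10.49154 > 192.0.2.129.53: 3+ MX? example.com. (28)
"""

# Matches only outgoing queries (destination port 53, "id+" query marker);
# answers come from port 53 and do not match.
QUERY_RE = re.compile(r"IP (\S+)\.\d+ > (\S+)\.53: \d+\+")


def configured_nameservers(conf):
    """All addresses given on dns_nameservers lines, in order of appearance."""
    servers = []
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0] == "dns_nameservers":
            servers.extend(parts[1:])
    return servers


def queried_nameservers(capture):
    """Distinct destination addresses of DNS queries in the capture, sorted."""
    return sorted({m.group(2) for m in QUERY_RE.finditer(capture)})


def unexpected_resolvers(conf, capture):
    """Resolvers that received queries but are not named in squid.conf."""
    expected = set(configured_nameservers(conf))
    return [s for s in queried_nameservers(capture) if s not in expected]


if __name__ == "__main__":
    for server in unexpected_resolvers(SQUID_CONF, TCPDUMP):
        print(f"DNS query sent to resolver not in dns_nameservers: {server}")
```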
Received on Fri Jun 27 2003 - 14:43:11 MDT
