Re: [squid-users] Squid 3.1.12 - Parent Proxy and DNS queries

From: Silamael <Silamael_at_coronamundi.de>
Date: Mon, 21 Sep 2009 15:11:03 +0200

Amos Jeffries wrote:
> That seems very strange. Very strange.
>
> Squid using internal DNS resolver sends out UDP packets and waits for a
> reply positive or negative. Using that.
>
> The NXDOMAIN results make sense if we assume they come back with some
> TTL so short Squid needs to run through the DNS timeouts on every request.
>
> The silent drop case is a head scratcher of a puzzle. That is the one
> that should be getting very long timeouts while Squid waits for a reply
> that will never arrive.
>
>
> Anyway, getting rid of the "dst" ACL and making sure the peer is
> configured with an IP address should prevent any DNS lookups.
> IIRC your config already has the log_fqdn setting turned off.
>
> Amos

Hello Amos,

My last assumption was wrong. It seems that there is some "optimization"
in the kernel so that a silent drop of packets is handled the same as a
drop with an ICMP packet. Therefore the named replied a lot faster than
usual with SERVFAIL.
Nevertheless, we're going to remove the dst-ACL which is not needed in
this case.
Thank you for your help!

-- Matthias
Received on Mon Sep 21 2009 - 13:11:09 MDT
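
The following is an added example, not part of either message and not Squid project code: a small check that scans a squid.conf for the three settings the thread names as sources of DNS lookups (a "dst" ACL, a cache_peer given by hostname rather than IP address, and log_fqdn turned on). The function name `find_dns_triggers` and the sample configuration are constructed for illustration.

```python
import ipaddress

# Constructed sample config for illustration (not the poster's real squid.conf).
SAMPLE_CONF = """\
# forward everything to the parent
cache_peer parent.example.net parent 3128 0 no-query default
acl internal dst 10.0.0.0/8
acl localnet src 192.168.0.0/16
log_fqdn on
never_direct allow all
"""


def _is_ip(token):
    """True if token is an IPv4/IPv6 literal (brackets allowed for IPv6)."""
    try:
        ipaddress.ip_address(token.strip("[]"))
        return True
    except ValueError:
        return False


def find_dns_triggers(conf_text):
    """Return (line_number, reason) for each directive the thread points at."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not fields:
            continue
        directive = fields[0]
        # acl <name> dst ...  : matching needs the destination's IP address
        if directive == "acl" and len(fields) >= 3 and fields[2] == "dst":
            findings.append((lineno, "dst ACL makes Squid resolve the requested host"))
        # cache_peer <host> ... : a hostname here has to be resolved first
        elif directive == "cache_peer" and len(fields) >= 2 and not _is_ip(fields[1]):
            findings.append((lineno, "cache_peer is a hostname, not an IP address"))
        # log_fqdn on : reverse lookups of client addresses for logging
        elif directive == "log_fqdn" and fields[1:2] == ["on"]:
            findings.append((lineno, "log_fqdn on triggers reverse lookups"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_dns_triggers(SAMPLE_CONF):
        print(f"line {lineno}: {reason}")
```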