Re: [squid-users] Re: DNS & Squid tree with parent - child

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 21 Apr 2012 01:17:21 +1200

On 21/04/2012 12:47 a.m., anita wrote:
> Hi Amos,
>
> I intend to use Squid for a satellite based communication network.
> A child squid on one end will talk to the parent squid on the other end.
>
> My understanding was that for every http request that does not have IP but
> names instead, the child squid will do a dns lookup if it is a miss in its
> cache before sending it to the parent. As the dns lookup will be expensive,
> and will cause considerable delay (plus inherent delay due to satellite
> networks), I had planned to accumulate some of the DNS look ups from the
> parent over time and push it over to the child in the background. This way
> the child squid will not have to do a dns lookup but it will be present in
> its ipcache itself.
>
> But when I tried it out in a small setup, it looked to me that the child
> squid does not seem to do any lookups for the requested URL (it does only
> for the PARENT) if the object is not found in its cache. Instead it simply
> forwards it to the parent and the parent squid does the look up.
> Can you please confirm on this if my understanding is correct? Thanks.
>
>

That test result is correct.

The cache is indexed by textual URL and the TCP connection to the parent
proxy is set up explicitly by cache_peer. If you have cache_peer set up
with an IP address, or the peer's configured FQDN in your child proxy's
/etc/hosts file, there is no DNS lookup needed for HTTP relaying.

Which leaves only Host: / same-origin validation if you are intercepting
traffic.
Or dst* ACLs being checked without the relevant domain or IP details
being in the URL.

NP: pulling the DNS from parent to child will not help much. Squid obeys
the DNS TTL values and the records need to be in the child before the
first request makes use of them or DNS lookup will happen anyway.

If you or anyone wants to play around with this... Squid built with
--disable-internal-dns makes use of a helper query instead of DNS
packets. A default helper is bundled that uses the system resolver, but
you can write a custom one with whatever system you like to supply Squid
with DNS results.

Amos
Received on Fri Apr 20 2012 - 13:17:31 MDT
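
A configuration check for the cases named in the reply above, added here as an example and not code from the thread or from the Squid project: it scans a child proxy's squid.conf text for cache_peer entries given by a name missing from the hosts file and for dst* ACLs that are actually used in a rule. The function names, the sample configuration, and the reading of "dst*" as dst, dstdomain and dstdom_regex are assumptions.

```python
import ipaddress
# Assumed reading of "dst* ACLs" in the reply: what each type needs that the URL may lack.
DNS_ACLS = dict.fromkeys(("dstdomain", "dstdom_regex"), "reverse lookup when the URL holds a raw IP")
DNS_ACLS["dst"] = "forward lookup when the URL holds a hostname"

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def hosts_names(hosts_text):
    names = set()  # every name listed in /etc/hosts-style text, inline comments dropped
    for line in hosts_text.splitlines():
        names.update(n.lower() for n in line.split("#", 1)[0].split()[1:])
    return names

def audit_child_conf(conf_text, hosts_text=""):
    """Return (line_no, kind, detail) for settings that make the child proxy resolve names."""
    known, acl_types, findings = hosts_names(hosts_text), {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        f = raw.split()
        if len(f) < 2 or f[0].startswith("#"):
            continue
        if f[0] == "cache_peer":
            if not is_ip_literal(f[1]) and f[1].lower() not in known:
                findings.append((no, "peer-name", f"{f[1]}: not an IP, not in hosts file"))
        elif f[0] == "acl" and len(f) >= 3:
            acl_types[f[1]] = f[2]
        else:
            # Only ACLs that are actually checked matter: report at the rule that uses them.
            for name in (tok.lstrip("!") for tok in f[1:]):
                if acl_types.get(name) in DNS_ACLS:
                    findings.append((no, acl_types[name], f"acl {name}: {DNS_ACLS[acl_types[name]]}"))
    return findings

# Constructed sample child configuration and hosts file (not from the thread).
SAMPLE_CONF = """\
cache_peer parent.example.net parent 3128 0 no-query
cache_peer parent2.example.net parent 3128 0 no-query
cache_peer 192.0.2.10 parent 3128 0 no-query
acl blocked_nets dst 198.51.100.0/24
acl intranet dstdomain .example.net
acl unused dst 203.0.113.0/24
http_access deny blocked_nets
never_direct allow !intranet
"""
SAMPLE_HOSTS = "192.0.2.11 parent2.example.net  # second parent\n"
```

Calling `audit_child_conf(SAMPLE_CONF, SAMPLE_HOSTS)` reports the first peer and the two rules that reference DNS-dependent ACLs; the defined-but-unused ACL is not reported.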
