[squid-users] Issue related to using Squid 3.1 or 3.29 and accessing a site that uses a recursive DNS record. (30 seconds to bring up site)

From: Duncan, Brian M. <brian.duncan_at_kattenlaw.com>
Date: Tue, 9 Apr 2013 04:27:16 +0000

Testing 3.1, and 3.29 on CentOS 6.4 64 bit.

Found an issue that I do not know how to resolve, and any searches I made of the archive for the mailing list just turned up people saying to disable caching on domains, which this has nothing to do with. What I am trying to do below works fine on my Squid 2.6 servers.

Webapps.kattenlaw.com is the hostname I am trying to connect to on my 3.1 or 3.29 Squid proxies.

When you look this record up through dig or nslookup, the nameserver has to contact dns1.kattenlaw.com or dns2.kattenlaw.com to return the IP.

My Squid 2.6 servers can look up webapps.kattenlaw.com in 1 second and open the website.

Squid 3.1 or 3.29 takes like 30 seconds just to resolve the name then bring up the page.

I turned on debug and these are the key items from the 3.29 cache.log after trying to access webapps.kattenlaw.com:

2013/04/08 23:43:13.564 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known
2013/04/08 23:43:13.567 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known
2013/04/08 23:43:43.718 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known

This is when Squid finally figures out how to resolve it (30 seconds later), and this is the point it comes up in my browser:

2013/04/08 23:43:43.720 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known
2013/04/08 23:43:43.720 kid1| ipcache.cc(674) ipcache_nbgethostbyname: ipcache_nbgethostbyname: HIT for 'webapps.kattenlaw.com'
2013/04/08 23:43:43.720 kid1| FilledChecklist.cc(100) ~ACLFilledChecklist: ACLFilledChecklist destroyed 0x7fff6985c100
2013/04/08 23:43:43.720 kid1| Checklist.cc(275) ~ACLChecklist: ACLChecklist::~ACLChecklist: destroyed 0x7fff6985c100
2013/04/08 23:43:43.721 kid1| peer_select.cc(293) peerSelectDnsPaths: Found sources for 'webapps.kattenlaw.com:443'
2013/04/08 23:43:43.721 kid1| peer_select.cc(294) peerSelectDnsPaths:   always_direct = 0
2013/04/08 23:43:43.721 kid1| peer_select.cc(295) peerSelectDnsPaths:    never_direct = 0
2013/04/08 23:43:43.721 kid1| peer_select.cc(299) peerSelectDnsPaths:          DIRECT = local=xx.xx.xx.xx remote=63.166.107.228:443 flags=1
2013/04/08 23:43:43.721 kid1| peer_select.cc(308) peerSelectDnsPaths:        timedout = 0
2013/04/08 23:43:43.721 kid1| tunnel.cc(746) tunnelPeerSelectComplete: paths=1, p[0]={local=xx.xx.xx.xx remote=63.166.107.228:443 flags=1}, serverDest[0]={local=xx.xx.xx.xx remote=63.166.107.228:443 flags=1}

Using nslookup or dig from this same server, the IP is returned right away. Is there anything I can tweak with Squid to get this working faster?

This is me looking up this hostname from this same Squid 3.29 server using nslookup and dig.  They return the address right away:

nslookup webapps.kattenlaw.com
Server:         10.9.3.49
Address:        10.9.3.49#53

Non-authoritative answer:
Name:   webapps.kattenlaw.com
Address: 63.166.107.228

From Dig:

;; ANSWER SECTION:
webapps.kattenlaw.com.  101     IN      A       63.166.107.228

;; AUTHORITY SECTION:
webapps.kattenlaw.com.  1781    IN      NS      dns1.kattenlaw.com.
webapps.kattenlaw.com.  1781    IN      NS      dns2.kattenlaw.com.

10.9.3.49 is the only name server in the resolv.conf for this box, and all other queries are fast and the page comes up right away. It seems to only have this long 30 second pause when it is a recursive lookup like the above. I have tried populating the 10.9.3.49 name server within the squid.conf instead of it pulling it out of resolv.conf, no difference.

Thanks for any help.

Brian

Received on Tue Apr 09 2013 - 04:27:25 MDT
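
A way to measure the stall described in the message above straight from a debug-level cache.log, as an added example that is not part of the original post. It assumes the log format shown in the excerpt and treats the first LookupHostIP line for a host as the start of resolution; the function name, the threshold and the fast.example.test lines are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the cache.log excerpt in the post.
PAGE_LINES = """\
2013/04/08 23:43:13.564 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known
2013/04/08 23:43:13.567 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known
2013/04/08 23:43:43.718 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'webapps.kattenlaw.com': Name or service not known
2013/04/08 23:43:43.720 kid1| ipcache.cc(674) ipcache_nbgethostbyname: ipcache_nbgethostbyname: HIT for 'webapps.kattenlaw.com'
"""
# Constructed lines (not from the post): a host that resolves quickly.
CONSTRUCTED_LINES = """\
2013/04/08 23:44:01.100 kid1| Address.cc(409) LookupHostIP: Given Non-IP 'fast.example.test': Name or service not known
2013/04/08 23:44:01.180 kid1| ipcache.cc(674) ipcache_nbgethostbyname: ipcache_nbgethostbyname: HIT for 'fast.example.test'
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+\| (.*)$")
LOOKUP_RE = re.compile(r"LookupHostIP: Given Non-IP '([^']+)'")
HIT_RE = re.compile(r"ipcache_nbgethostbyname: HIT for '([^']+)'")

def slow_resolutions(log_text, threshold=5.0):
    """Return [(host, seconds)] where the gap between the first LookupHostIP
    line and the ipcache HIT for that host is at least `threshold` seconds."""
    first_seen = {}   # host -> timestamp of its first LookupHostIP line
    slow = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or unrelated line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        msg = m.group(2)
        lookup = LOOKUP_RE.search(msg)
        if lookup:
            first_seen.setdefault(lookup.group(1), ts)
            continue
        hit = HIT_RE.search(msg)
        if hit and hit.group(1) in first_seen:
            delay = (ts - first_seen.pop(hit.group(1))).total_seconds()
            if delay >= threshold:
                slow.append((hit.group(1), round(delay, 3)))
    return slow

if __name__ == "__main__":
    for host, secs in slow_resolutions(PAGE_LINES + CONSTRUCTED_LINES):
        print(f"{host}: {secs:.3f}s between first lookup and ipcache HIT")
```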
