Re: [squid-users] Re: SQUID in TPROXY - do not resolve

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 28 Oct 2013 23:41:32 +1300

On 25/10/2013 2:44 a.m., Plamen wrote:
> Amos Jeffries-2 wrote
>> On 24/10/2013 6:44 a.m., Plamen wrote:
>>> Yes,
>>>
>>> this is one of the problems I'm also experiencing,
>>>
>>> the customer is using different DNS than the Squid, and he complains
>>> because
>>> he says - without your SQUID I can open xxxx web page, but with your
>>> SQUID
>>> it's not opening.
>> Ah. So the real problem is "Why is it not opening for Squid?"
>>
>> The current releases of Squid *do* use the client provided destination
>> IP. The DNS resolution is only to determine whether the response is
>> cacheable and if alternative IPs may be tried as backup _if_ the client
>> given one is unable to connect by Squid.
> Hi Amos,
>
> thanks for the valuable feedback.
>
> Do I need to do something specific to get this behavior of Squid where it
> uses the dst provided IP, like some directive in config has to be enabled or
> it is default behavior?

This is default behaviour for squid-3.2 and later.

> In this scenario, what happens if the DNS servers configured in SQUID stop
> responding for some reason for some period of time (or they become
> unreachable), will the traffic continue to pass normally or the users will
> start getting errors and they will not be able to browse anymore?

Traffic will pass to the client dst IP. There may be some small lag on
the first request after DNS went out while Squid waits for the DNS
response. But some delays are only to be expected when things on the
network break.

> I will give you real life example that I'm trying to resolve.
>
> The ISP is having 2 Upstream providers.
> The SQUID is running in TPROXY mode, and the squidbox has an IP address from
> Upstream 1 and respectively uses this IP to contact DNS servers.
>
> When both upstream providers are working - everything is smooth in terms of
> HTTP traffic.
>
> When Upstream 1 goes down for some reason, for a period of time, the
> customers which are provisioned with IPs belonging to UPSTREAM 2 also get
> affected because the SQUID cannot do DNS lookups anymore.
>
> I'm trying to resolve this kind of issues.

This kind of issue is best fixed via other means.

For example; I use IPv6 private allocation fc00::/16 IP addressing for
all my network internal traffic including the links between Squid and
its DNS server. No matter which upstream is active (even with none)
these connections and lookups will continue working so long as my own
network remains stable.

Another way is to configure an explicit address in udp_outgoing_address
for Squid to use as its src IP on UDP packets (and thus DNS packets).
This does the same thing for Squid->DNS traffic, but does not protect
other internal-only traffic so I don't favour it as much as the IPv6 method.

Amos
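The two squid.conf fragments below and the small audit script around them are an added example, not configuration from this thread or from the Squid project. They show the weak setup Plamen describes (Squid's DNS queries sourced from whatever address the routing table picks, i.e. the Upstream 1 address) next to the hardened one Amos recommends (DNS server and udp_outgoing_address both pinned to internal address space), and a check that flags the weak form. The addresses fd00:10::2, fd00:10::53 and 203.0.113.53 are hypothetical. Note that RFC 4193 unique local addresses are fc00::/7 as a whole, with fd00::/8 being the locally assigned half that is actually used in practice; the check accepts either.

```shell
#!/bin/sh
# Added example, not from the thread: audit a squid.conf fragment for the
# failure mode discussed above (Squid's DNS lookups dying with Upstream 1).
# Both fragments are constructed here; all addresses are hypothetical.

# Weak fragment: no udp_outgoing_address, so DNS queries leave with whatever
# source address the kernel routing table chooses for the nameserver, and the
# nameserver itself lives on an upstream-routed address.
WEAK_CONF='
http_port 3129 tproxy
dns_nameservers 203.0.113.53
'

# Hardened fragment: nameserver and UDP source address are both on internal
# ULA space (RFC 4193, fc00::/7; fd00::/8 is the locally assigned half), so
# lookups keep working while either upstream is down.
HARDENED_CONF='
http_port 3129 tproxy
dns_nameservers fd00:10::53
udp_outgoing_address fd00:10::2
'

# is_internal ADDR -> returns 0 if ADDR is RFC 4193 ULA or RFC 1918 space
is_internal() {
    case "$1" in
        fc[0-9a-fA-F][0-9a-fA-F]:*|fd[0-9a-fA-F][0-9a-fA-F]:*) return 0 ;;
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# conf_value CONF DIRECTIVE -> prints the first value given for DIRECTIVE
conf_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# audit_dns_source CONF -> returns 0 when Squid's DNS source address and its
# nameserver are both pinned to internal space, 1 otherwise (reason on stderr)
audit_dns_source() {
    src=$(conf_value "$1" udp_outgoing_address)
    ns=$(conf_value "$1" dns_nameservers)
    if [ -z "$src" ]; then
        echo "udp_outgoing_address unset: DNS source follows the routing table" >&2
        return 1
    fi
    if ! is_internal "$src"; then
        echo "udp_outgoing_address $src is not internal address space" >&2
        return 1
    fi
    if [ -z "$ns" ] || ! is_internal "$ns"; then
        echo "dns_nameservers ${ns:-unset} is not on the internal network" >&2
        return 1
    fi
    return 0
}

# Usage: run both fragments through the audit.
if audit_dns_source "$WEAK_CONF"; then echo "weak: ok"; else echo "weak: FAIL"; fi
if audit_dns_source "$HARDENED_CONF"; then echo "hardened: ok"; else echo "hardened: FAIL"; fi
```

After editing the real squid.conf, `squid -k parse` will reject a malformed udp_outgoing_address, but it will not tell you whether that address is reachable from the nameserver when an upstream is down; a `tcpdump -ni <internal-if> udp port 53` while the upstream link is pulled is the check that actually proves the point.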
Received on Mon Oct 28 2013 - 10:41:36 MDT
