Re: [squid-users] Unneeded DNS lookups for cache_peer selection

From: Amon Ott <lists_at_compuniverse.de>
Date: Mon, 03 Feb 2014 16:01:33 +0100

On 03.02.2014 12:06, Amon Ott wrote:
> On 03.02.2014 11:28, Amos Jeffries wrote:
>> On 3/02/2014 10:33 p.m., Amon Ott wrote:
>>> On 30.01.2014 13:25, Amon Ott wrote:
>>>> Attached is a cache.log from a test system with the above debug settings
>>>> when accessing www.m-privacy.de, www.rsbac.org and www.google.de. Please
>>>> note that in this test network, external DNS names can be resolved. If
>>>> needed, I can also rearrange it to fail for external DNS.
>>>>
>>>> Also attached is a tcpdump -n "port 53 and host 192.168.200.106" on the
>>>> LAN, starting when requesting www.rsbac.org. Subsequent reloads do not
>>>> send new DNS requests, so the ipcache seems to work for these positive
>>>> results.
>>>
>>> Just wanted to say that version 3.4.3 shows the same behaviour.
>>
>> Okay one fairly easy test occurs to me. Squid DNS port used for outbound
>> queries is static for the duration Squid runs. So you can check that
>> Squid DNS port against the tcpdump source port used by the Squid machine
>> in those lookups.
>
> Just checked: the DNS source port is bound by squid3, at least lsof says so.

Alright. I have worked through the log and the 3.4.3 sources with
debug_options "ALL,4" and I have found the problem.

In function FwdState::dispatch() in src/FwdState.cc:1235 the netdb
measuring function netdbPingSite() is called for the URL host
unconditionally, even if that host must never be connected to directly.
The function netdbPingSite() at src/icmp/net_db.cc:941 uses
ipcache_nbgethostbyname() to look up the host's IP from the ipcache;
these are the DNS accesses we see.

As a workaround, I have built with configure option --disable-icmp to
disable target host pinging completely. We have either no uplink proxy
at all or must always use the uplink. The DNS lookups are gone now!

AFAICS, the decision whether the host may be accessed directly has been
done in peerCheckNeverDirectDone() at src/peer_select.cc:189 before
FwdState::dispatch() gets active. So that info only needs to be passed
into the request struct and used as condition for the netdbPingSite() call.

Amon.
Received on Mon Feb 03 2014 - 15:01:50 MST
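
The source-port check suggested in the quoted text, as an added example that is not part of the original message or of Squid: it reads `tcpdump -n` DNS lines and separates queries sent from Squid's bound DNS port from queries sent by anything else on the proxy host. The resolver address, the port numbers and the capture lines are constructed; only 192.168.200.106 and the host names come from the thread.

```python
import re

# One tcpdump -n DNS query line looks like:
#   16:01:33.10 IP 192.168.200.106.41234 > 192.168.200.1.53: 4242+ A? www.rsbac.org. (31)
# Responses travel from port 53 to the client, so they do not match this pattern.
QUERY_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > [\d.]+\.53: "
    r"\d+[+%*]*(?: \[[^\]]*\])? (?P<qtype>[A-Z]+)\? (?P<name>\S+?)\.? \("
)

def split_queries(lines, proxy_ip, squid_port):
    """Return (from_squid, from_other): lists of (qtype, name) sent by proxy_ip.

    squid_port is the UDP port Squid holds for DNS, e.g. as reported by lsof
    (an input the caller supplies; the value used below is constructed).
    """
    from_squid, from_other = [], []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["src"] != proxy_ip:
            continue  # not a query, or not sent by the proxy host
        entry = (m["qtype"], m["name"].lower())
        if int(m["sport"]) == squid_port:
            from_squid.append(entry)
        else:
            from_other.append(entry)
    return from_squid, from_other

# Constructed capture: resolver 192.168.200.1 and all ports are assumptions.
SAMPLE = """\
16:01:33.10 IP 192.168.200.106.41234 > 192.168.200.1.53: 4242+ A? www.rsbac.org. (31)
16:01:33.11 IP 192.168.200.106.41234 > 192.168.200.1.53: 4243+ AAAA? www.rsbac.org. (31)
16:01:33.15 IP 192.168.200.1.53 > 192.168.200.106.41234: 4242 1/0/0 A 203.0.113.10 (47)
16:01:34.02 IP 192.168.200.106.53011 > 192.168.200.1.53: 911+ [1au] A? ntp.example.net. (44)
16:01:35.40 IP 192.168.200.107.40000 > 192.168.200.1.53: 77+ A? www.google.de. (31)
""".splitlines()

if __name__ == "__main__":
    squid, other = split_queries(SAMPLE, "192.168.200.106", 41234)
    print("sent from Squid's DNS port:", squid)
    print("sent from other ports:     ", other)
```

Any name in the first list was resolved by Squid itself, which is the behaviour under discussion for a proxy that must always forward to its uplink.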
