
Bug #719

closed

Squid doesn't use local DNS cache (and fails after WAN failover)

Added by Malte Stretz over 14 years ago. Updated about 12 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
07/05/2010
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

We use Squid as a transparent proxy and have two PPPoE uplinks via two different ISPs. Those should failover automatically, but since 1.2.3 doesn't support this for PPPoE, I have to change login data and reconnect manually for now.

Anyway, switching between the ISPs also changes the upstream DNS servers. From ISP2 I'm not allowed to use the servers of ISP1. Unfortunately Squid has its own resolver and reads /etc/resolv.conf once on startup. When the uplink switches to the other ISP, all accesses are blocked with the error that DNS resolution is forbidden.

I fixed this by adding the line
dns_nameservers 127.0.0.1;
to the Custom Options.

I think this option should be enabled by default (if the DNS Forwarder is enabled). This not only fixes the failover issue, but also the confusion which arises if you override hosts in the DNS Forwarder and everything but HTTP uses those entries.

I'll try to whip up a patch for this.

Actions #1

Updated by Malte Stretz over 14 years ago

Stupid me just discovered the already present option "Use alternate DNS-servers for the proxy-server".

I still think this should default to 127.0.0.1 if the local DNS Forwarder is enabled as the current behavior is just too confusing. Maybe a <select> would work?

Actions #2

Updated by Luis Soltero almost 14 years ago

I agree that this is a good idea, especially when running in a multi-WAN environment where upstream proxies are used to implement failover and/or load balancing. If the WAN interface is lost, DNS lookups fail unless dns_nameservers 127.0.0.1 is set or "never_direct allow ..." is used to force all DNS lookups to be sent to the upstream proxy.

Bottom line is that I believe it's a good idea to make dns_nameservers 127.0.0.1 the default if the "Use alternate DNS-servers for proxy-server" field is blank and the DNS forwarder is enabled.

The following patch implements this...

replace this around line 1410 at the end of function squid_validate_general

    // Validation of the ';'-separated "Alternate DNS servers" field
    if (!empty($post['dns_nameservers'])) {
        $altdns = explode(";", $post['dns_nameservers']);
        foreach ($altdns as $dnssrv) {
            if (!is_ipaddr($dnssrv))
                $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
        }
    }

with

    if (!empty($settings['dns_nameservers'])) {
        // Emit the servers entered in the GUI field, separated by spaces
        $altdns = explode(";", $settings['dns_nameservers']);
        $conf .= "dns_nameservers ";
        foreach ($altdns as $dnssrv) {
            $conf .= $dnssrv . " ";
        }
        // $conf .= "\n"; // Kill blank line after DNS-Servers
    } else if (isset($config['dnsmasq']['enable'])) {
        // If "use alternate DNS servers" is blank and the DNS forwarder is on, then we should use it instead of
        // having squid go over the link for its lookups. Also, this helps with failover since the built-in
        // squid lookups don't deal with failover.
        $conf .= "dns_nameservers 127.0.0.1";
    }

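The decision the patch above encodes (GUI field wins, blank field plus running DNS Forwarder falls back to 127.0.0.1, otherwise Squid keeps using the resolv.conf it read at startup), as an added stand-alone PHP example that is not part of this bug report or of the pfSense squid package; the function name, its parameters, the use of filter_var() in place of pfSense's is_ipaddr(), and the sample inputs are assumptions.

```php
<?php
// Added example, not pfSense's squid.inc. Builds Squid's dns_nameservers
// directive from the ';'-separated "Alternate DNS servers" GUI field.
// $dnsForwarderEnabled stands in for isset($config['dnsmasq']['enable']).
// Returns the directive line, or '' to leave Squid on /etc/resolv.conf
// (read once at startup, hence the failover problem). $errors receives
// one message per invalid entry, mirroring the validation step.
function squid_dns_nameservers_line(string $altDnsField, bool $dnsForwarderEnabled, array &$errors): string
{
    $errors = [];
    // Trim and drop empty entries so a trailing ';' (as in "127.0.0.1;"
    // from the description) is not reported as an invalid address.
    $servers = array_values(array_filter(array_map('trim', explode(';', $altDnsField)), 'strlen'));
    foreach ($servers as $srv) {
        // FILTER_VALIDATE_IP accepts IPv4 and IPv6 literals only (no hostnames)
        if (filter_var($srv, FILTER_VALIDATE_IP) === false) {
            $errors[] = "You must enter a valid IP address in the 'Alternate DNS servers' field (got '$srv')";
        }
    }
    if ($errors) {
        return '';
    }
    if ($servers) {
        return 'dns_nameservers ' . implode(' ', $servers) . "\n";
    }
    if ($dnsForwarderEnabled) {
        // Field blank but the DNS Forwarder is running: resolve locally so
        // Squid follows the current WAN's upstream servers and host overrides.
        return "dns_nameservers 127.0.0.1\n";
    }
    return '';
}

// Constructed sample inputs (documentation address ranges)
$errs = [];
echo squid_dns_nameservers_line('', true, $errs);
echo squid_dns_nameservers_line('192.0.2.53; 2001:db8::53;', false, $errs);
echo squid_dns_nameservers_line('', false, $errs) === '' ? "(no directive, resolv.conf used)\n" : '';
squid_dns_nameservers_line('not-an-ip', true, $errs);
print_r($errs);
```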
Actions #3

Updated by Chris Buechler about 12 years ago

  • Status changed from New to Resolved
  • Affected Version deleted (1.2.3)

current releases default to 127.0.0.1 in resolv.conf
