Bug #719
closed
Squid doesn't use local DNS cache (and fails after WAN failover)
Added by Malte Stretz almost 14 years ago.
Updated over 11 years ago.
Description
We use Squid as a transparent proxy and have two PPPoE uplinks via two different ISPs. Those should failover automatically, but since 1.2.3 doesn't support this for PPPoE, I have to change login data and reconnect manually for now.
Anyway, switching between the ISPs also changes the upstream DNS servers. From ISP2 I'm not allowed to use the servers of ISP1. Unfortunately does Squid have an own resolver and reads /etc/resolv.conf once on startup. When the uplink switches to the other ISP, all accesses are blocked with the error that DNS resolution is forbidden.
I fixed this by adding the line
dns_nameservers 127.0.0.1;
to the Custom Options.
I think this option should be enabled per default (if the DNS Forwarder is enabled). This not only fixes the failover issue, but also the confusing which arises if you override hosts in the DNS Forwarder and everything but HTTP uses those entries.
I'll tried to whip up a patch for this.
Stupid me just discovered the already present option "Use alternate DNS-servers for the proxy-server".
I still think this should default to 127.0.0.1 if the local DNS Forwarder is enabled as the current behavior is just too confusing. Maybe a <select> would work?
i agree that this is a good idea especially when running in a multi-wan environment where upstream proxies are used to implement faillover and/or load balancing. If the WAN interface is lost DNS lookups fail unless dns_nameservers 127.0.0.1 is set or "never_direct allow ..." is used to force all DNS lookups to be sent to the upstream proxy.
bottom line is that i believe its a good idea to make dns_nameservers 127.0.0.1 the default if the "User alternate DNS-servers for proxy-server" is blank and the DNS forwarder is enabled.
The following patch fixes implements this...
replace this around line 1410 at the end of function squid_validate_general
if(!empty($post['dns_nameservers'])) {
$altdns = explode(";", ($post['dns_nameservers']));
foreach ($altdns as $dnssrv) {
if (!is_ipaddr($dnssrv))
$input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
}}
with
if(!empty($settings['dns_nameservers'])) {
$altdns = explode(";", ($settings['dns_nameservers']));
$conf .= "dns_nameservers ";
foreach ($altdns as $dnssrv) {
$conf .= $dnssrv." ";
}
// $conf .= "\n"; //Kill blank line after DNS-Servers
} else if ( isset($config['dnsmasq']['enable']) ) {
// if use alternate dns servers is blank and the dns forwarded is on then we should use it instead of
// having squid go over the link for its lookups. Also, this helps with failover since the built in
// in squid lookups don't deal with failover.
$conf .= "dns_nameservers 127.0.0.1";
}
- Status changed from New to Resolved
- Affected Version deleted (
1.2.3)
current releases default to 127.0.0.1 in resolv.conf
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by