Thanks for your comments we did try this. We need to use dnsserver because it pays attention to /etc/hosts, and the internal resolver does not.
To us it seems like either something super obvious that we are missing, or a bug. Here is a capture of the problem in action (with the juicy bits changed).
[EMAIL PROTECTED] host www.domain.com xxx.xxx.xxx.1
Using domain server xxx.xxx.xxx.1:
www.domain.com is a nickname for domain.com
domain.com has address xxx.xxx.xxx.218
domain.com mail is handled (pri=10) by mailserver1.provider.com
domain.com mail is handled (pri=20) by mailserver2.provider.com

[EMAIL PROTECTED] host www.domain.com xxx.xxx.xxx.129
Using domain server xxx.xxx.xxx.129:
www.domain.com is a nickname for domain.com
domain.com has address xxx.xxx.xxx.218
domain.com mail is handled (pri=20) by mailserver2.provider.com
domain.com mail is handled (pri=10) by mailserver1.provider.com

[EMAIL PROTECTED] /usr/squid/libexec/dnsserver -s xxx.xxx.xxx.1 -s xxx.xxx.xxx.129
www.domain.com
$fail DNS Domain 'www.domain.com' is invalid: Host not found (authoritative).
^C
[EMAIL PROTECTED]
Tcpdump reveals that the servers in resolv.conf are being queried.
Our config:
logfile_rotate 5
dns_nameservers xxx.xxx.xxx.1 xxx.xxx.xxx.1
http_port xxx8
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl DENYPAGE urlpath_regex mykplan
no_cache deny DENYPAGE
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl CONNECT method CONNECT
acl allowed_hosts src xxx.xxx.xxx.224/255.255.255.224 xxx.xxx.xxx.48/255.255.255.240 127.0.0.1/255.255.255.255 xxx.xxx.xxx.0/255.255.255.0
http_access allow manager localhost
http_access deny manager all
http_access deny CONNECT !SSL_ports
http_access deny all
icp_access allow all
icp_access allow allowed_hosts
icp_access deny all
cache_mgr [EMAIL PROTECTED]
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
visible_hostname host.provider.com
Our OS:
FreeBSD host.provider.com 4.5-RELEASE FreeBSD 4.5-RELEASE #1: Wed May 14 07:38:39 PDT 2003 [EMAIL PROTECTED]:/usr/src/sys/compile/TKERN i386
Any other thoughts? Are we doing something dumb?
Thanks again,
--Liam
At 09:04 PM 6/27/2003 +0200, Henrik Nordstrom wrote:
Fri 2003-06-27 at 17.44, UIA Security Team wrote:
> Hi all,
>
> We're having a problem getting the dnsserver processes to pay attention to
> the -s flags. We set dns_nameservers in the squid.conf, and I see the
> dnsserver processes being spawned with the -s parameters correctly, but
> they are ignoring the passed nameservers and are using the ones out of
> resolv.conf.
>
> We are using Squid 2.5.STABLE3 on FreeBSD 4.5.
Don't use dnsserver, instead use the default internal DNS resolver.
To be precise: Do not compile squid with --disable-internal-dns.
Regards Henrik
-- Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org
Please consult the Squid FAQ and other available documentation before asking Squid questions, and use the squid-users mailing-list when no answer can be found. Private support questions are only answered for a fee or as part of a commercial Squid support contract.
If you need commercial Squid support or cost effective Squid and firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, [EMAIL PROTECTED]
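The thread turns on which name sources each Squid resolver path consults: the internal resolver queries the dns_nameservers list (or resolv.conf when that directive is absent), while the external dnsserver helper is handed one -s argument per nameserver and goes through libc, which checks /etc/hosts first. The following is an added example, not code from the thread, Squid or its authors. It parses constructed squid.conf, resolv.conf and /etc/hosts snippets (addresses are placeholders, not the ones in the thread) and reports the effective nameserver list, the helper argument vector it implies, and what a static hosts-file lookup would answer; the argv layout is an assumption modelled on the dnsserver command line shown above.

```python
"""Show which name sources each Squid resolver path would consult.

Added example, not code from the squid-users thread. It parses
constructed squid.conf, resolv.conf and /etc/hosts text to show:
  - the nameserver list Squid's resolver uses (dns_nameservers,
    falling back to resolv.conf when the directive is absent),
  - the -s arguments Squid would pass to an external dnsserver helper
    (assumption: modelled on the command line in the thread),
  - a static /etc/hosts lookup, the table libc consults before asking
    any nameserver.
"""

# Constructed inputs modelled on the thread (addresses are placeholders).
SQUID_CONF = """\
logfile_rotate 5
dns_nameservers 192.0.2.1 192.0.2.1
http_port 8080
"""

RESOLV_CONF = """\
search provider.com
nameserver 192.0.2.1
nameserver 192.0.2.129
"""

HOSTS_FILE = """\
127.0.0.1       localhost
192.0.2.218     www.domain.com domain.com   # internal address
"""


def squid_nameservers(conf_text):
    """Collect every address given on dns_nameservers lines, in order."""
    servers = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "dns_nameservers":
            servers.extend(fields[1:])
    return servers


def resolv_nameservers(resolv_text):
    """Nameserver entries from a resolv.conf body, in order."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def effective_nameservers(conf_text, resolv_text):
    """What Squid will query: dns_nameservers wins when set, otherwise
    resolv.conf is read. Duplicates are kept so a misconfiguration (the
    same server listed twice, as in the thread) stays visible."""
    configured = squid_nameservers(conf_text)
    return configured if configured else resolv_nameservers(resolv_text)


def dnsserver_args(conf_text, resolv_text):
    """Argument vector for an external dnsserver helper: one -s per
    nameserver (assumption: modelled on the thread's command line)."""
    argv = ["dnsserver"]
    for server in effective_nameservers(conf_text, resolv_text):
        argv += ["-s", server]
    return argv


def hosts_lookup(hosts_text, name):
    """Static /etc/hosts resolution: the first line whose name list
    contains `name` wins (case-insensitive, comments stripped)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            return fields[0]
    return None


def report(conf_text, resolv_text, hosts_text, name):
    """Summarise where `name` can be answered from and flag duplicates."""
    servers = effective_nameservers(conf_text, resolv_text)
    return {
        "effective_nameservers": servers,
        "duplicate_nameservers": sorted({s for s in servers if servers.count(s) > 1}),
        "dnsserver_argv": dnsserver_args(conf_text, resolv_text),
        "hosts_answer": hosts_lookup(hosts_text, name),
    }


if __name__ == "__main__":
    for key, value in report(SQUID_CONF, RESOLV_CONF, HOSTS_FILE, "www.domain.com").items():
        print(f"{key}: {value}")
```

Run against a real deployment by reading the three files instead of the inline strings; the duplicate_nameservers field is the quick check for a dns_nameservers line that repeats one server instead of naming two, and hosts_answer shows the name that only the libc path (and hence dnsserver) would see without a DNS query.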
