howard chen wrote:
Hello,
I notice some of our client is typing an additional dot at the end of
the domain, which make the squid ACL failed, e.g.
acl dstdomain_index dstdomain .example.com
So if client is using, e.g. http://www.example.com./, then ACL blocked
the client from accessing.
But in real sites this should be allowed? e.g. www.facebook.com./
Yes. The trailing . is a placeholder that instructs DNS lookup mechanisms to
terminate there and not try to lookup the phrase as a host or subdomain.
For example, where I work I can just type www into my browser to get our main
page because it has nla.gov.au configured as a search domain.
Which, IIRC, means that the lookup of www fails, so it then does a lookup on
www.nla.gov.au, then www.gov.au, then www.au, then and only then it reports
back to the OS that it was unable to resolve the host. At least, I think
that's how it works.
Sometimes these are essential where the search domains are implicit, like DNS
records. If I forget the . then I end up with errors in the logs referring to
hostname.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au... etc
Basically then the trailing dot is acceptable for a FQDN. Your link to facebook
worked fine for me, and I would assume that you get these attempts because people are
using to ending a type phrase with a full stop <ENTER> sequence.
Howard
--
Daniel Rose
National Library of Australia
