    Netgate 3100 URL unknown

      michael_samer @stephenw10

      @stephenw10 : Hi Steve
      I've included the squid conf in the TAC ticket. The login is just unusual for the LDAP style, which is about 80 characters long, but not so much special.
      When your chained squids are working: does the lowest box have an internet DNS resolver (or some way to resolve inet DNSes) or (like us) only local addresses? My first ticket about this case was about the SRV call and the 503 reply from our uplink proxy.
      AFAIR I did a picture (TAC ticket) of how the boxes are connected and what they "see".

        michael_samer @stephenw10

        @stephenw10 said in Netgate 3100 URL unknown:

        Oh I see your reply on the ticket! Testing LDAP....

        Not sure if digging into the LDAP helps at all: the problem only occurs on modern pfSense versions but not on older ones, so the basic call must have changed, not the squid config.

        In the tcp_dump we did at first, one of your techs told us why we (our local DNS) answer the DNS call with NX_Domain, so the initiation is running wrong. It was never answered or called after, so I'm not sure if the failed DNS lookup is then forwarded to the proxy and answered there, so no need to worry there.

          stephenw10 Netgate Administrator

          Yeah I agree using LDAP auth instead of local seems unlikely.

          My test box does currently have local DNS resolution. I'll try removing that.

          I don't think this is an SRV issue though since the pkg servers have been using that for years. And that you still saw this issue in 22.05.1 which would have been using the same known working Squid version but with the new pkg system.

          By far the most significant thing that changed is that the pkg servers used by the dynamic repo system require client certs to access them. To do that through a proxy obviously relies on the proxy correctly passing the cert from the client to the upstream server.

          More recently the pkg binary switched from fetch to curl which added at least one known bug but should not be an issue when using local Squid.

          Steve

            michael_samer @stephenw10

            @stephenw10 said in Netgate 3100 URL unknown:

            Yeah I agree using LDAP auth instead of local seems unlikely.

            My test box does currently have local DNS resolution. I'll try removing that.

            I'd use a DNS entry (system-general) for 127.0.0.1 so "all" DNS requests are answered NX_DOMAIN, which is the same for Inet addresses in our situation. While this might not be the problem, it's quite unusual and the DNS patch needed (host overwrite) shows one of the LAN-to-LAN firewalls compared to Internet firewalls.

              michael_samer @michael_samer

              Hi Steve
              have you done any further tests so far? Did you change the DNS accordingly?

                stephenw10 Netgate Administrator

                I was able to review this again today. I replied on your ticket.

                I think we need to see exactly how you were configuring DNS in 22.05 that worked.

                Steve

                  michael_samer @stephenw10

                  @stephenw10 said in Netgate 3100 URL unknown:

                  I was able to review this again today. I replied on your ticket.

                  I think we need to see exactly how you were configuring DNS in 22.05 that worked.

                  Steve

                  Hi Steve
                  I already pasted the screenshot with the "Google DNS workaround" and here as text:

                  DNS Resolver:
                  Host Overrides
                  4 4.8.8.in-addr.arpa 4.4.8.8
                  8 8.8.8.in-addr.arpa 8.8.8.8
                  Domain Overrides
                  4.4.8.8.in-addr.arpa 127.0.0.1
                  8.8.8.8.in-addr.arpa 127.0.0.1

                  This was a workaround for anything above 22.01. In V21.x we had no workarounds needed to use our construct as we (want to) do now.

                  My advice: disable the DNS parent in your second box and you will experience the problem. Our workaround for 22.01+ update checks is just one pointer to a solution: the new dynamic repos do not use the proxy to resolve their names.

                  Cheers
                  Michael

                    michael_samer @michael_samer

                    Hi Steve
                    My TAC ticket vanished again (like 4 months ago). Can you make it visible again?

                    Cheers
                    Michael

                      stephenw10 Netgate Administrator

                      Hi Michael,
                      I think your new ticket was merged into the old one which should have opened it again.

                      I was able to get back to this today along with one of our developers. I think we have a handle on the issue. Or at least an issue that would prevent this working in your situation.

                      We will probably have more questions for you tomorrow on the ticket.

                      Steve

                        michael_samer @stephenw10

                        @stephenw10 Well, the new ticket does not include any info/replies of the old call, and the call had vanished for a week when I opened a new ticket with the new information that we collected so far. I find it quite disturbing when replies/tickets "vanish", as the logical checks are no longer plausible or understandable. Anyway, let's see what comes next.
                        Cheers
                        Michael

                          stephenw10 Netgate Administrator

                          It should be on there; I can see the replies internally.

                          I replied on the ticket. We finally replicated the issue and it looks to be how Squid is handling the SRV requests/records. Digging continues.

                          Steve
