Squid + dnsBL problem
-
Hi, hope you guys can help me,
I have a PFsense 2.3.2-p1 running with the most recent Squid (not transparent, using customized a PAC file), Unbound, and Pfblocker Dnsbl.
1 DNSBL currently configured with 4 lists. yoyo adaway, cameleon and hp.
2 Unbound not using DHCP registration or Static DHCP (everything on default settings here).
3 Squid doing SSL and configured with the system's default DNS server, which is Unbound.
Problem:
I've noticed that, when Squid is set up to use Unbound as its DNS server, and DNSBL is activated at the same time, I get strange error messages in my system logs (general) every time DNSBL tries to block something, but it doesn't block (the site opens, and the DNSBL log files show that there wasn't a block).
This doesn't happen when Squid is using a different DNS server.
Note that both packages are working like a charm; the problem only happens when using them together, and when Squid is using the Unbound DNS server.
This is the error I'm getting in my System Logs, and it happens every time DNSBL tries to block something while I'm using Squid and DNSBL.
Error message (I'm getting lots of those):
nginx: 2017/01/09 23:50:12 [error] 36111#100106: *240 open() "/usr/local/www/p" failed (2: No such file or directory), client: 172.16.200.1, server: , request: "GET /p?c1=9&c2=5989497&cs_xi=294c9024-da8d-4c8e-9850-d45b0599955f&rn=TIMESTAMP&r=http%3A%2F%2Fsync.tidaltv.com%2FGenericUserSync.ashx%3Fdpid%3D1161&cs_xs=2189 HTTP/1.1", host: "b.scorecardresearch.com", referrer: "http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?pc=13764/64720&geo=sa&co=br"
Note: 172.16.200.1 is my DNSBL VIP IP.
Do you have an idea regarding what could be happening? This is a new setup, so I'm not sure if those packages are supposed to work together, I mean Squid and DNSBL. I really would like to be using them together because of squidclamav, category filtering with Shalla's list, and the DNS filtering with DNSBL.
Best regards,
Marcelo -
Yeah, this just won't work. Trying to play redirect ping-pong with packets from localhost to localhost is no good. Set up different DNS servers for Squid, or wait for next pfBNG version which will have an option to use 0.0.0.0 instead of the local webserver.
-
Thanks very much for the quick answer, I'll be waiting for the next release
-
Actually I cannot reproduce this with "Bypass Proxy for Private Address Destination" checked on a transparent proxy. So, I'd say all you need is to fix your PAC to not proxy local networks, pretty much.
-
Thanks a lot for your time and attention on this matter; once I added the following at the top of the PAC file, everything went smoothly.
function FindProxyForURL(url, host) {
    // If the requested website is hosted within the internal network, send direct.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";
    // Everything else goes through Squid; replace the placeholder with the proxy's real address and port.
    return "PROXY proxy.example:3128";
}
Best regards,
Marcelo -
OK, thanks for verifying.
-