    Squid + dnsBL problem

    Cache/Proxy
mcury wrote:

Hi, hope you guys can help me,

I have a pfSense 2.3.2-p1 running with the most recent Squid (not transparent, using a customized PAC file), Unbound, and pfBlocker DNSBL.

1. DNSBL currently configured with 4 lists: yoyo, adaway, cameleon and hp.
2. Unbound not using DHCP registration or Static DHCP (everything on default settings here).
3. Squid doing SSL and configured with the system's default DNS server, which is Unbound.

Problem:
I've noticed that, when Squid is set up to use Unbound as its DNS server and DNSBL is activated at the same time, I get strange error messages in my system logs (General) every time DNSBL tries to block something, but it doesn't block (the sites open, and the DNSBL log files show that there wasn't a block).
This doesn't happen when Squid is using a different DNS server.

Note that both packages are working like a charm; the problem only happens when using them together, and when Squid is using the Unbound DNS server.

This is the error I'm getting in my System Logs, and it happens every time DNSBL tries to block something while I'm using Squid and DNSBL.

Error message (I'm getting lots of those):
nginx: 2017/01/09 23:50:12 [error] 36111#100106: *240 open() "/usr/local/www/p" failed (2: No such file or directory), client: 172.16.200.1, server: , request: "GET /p?c1=9&c2=5989497&cs_xi=294c9024-da8d-4c8e-9850-d45b0599955f&rn=TIMESTAMP&r=http%3A%2F%2Fsync.tidaltv.com%2FGenericUserSync.ashx%3Fdpid%3D1161&cs_xs=2189 HTTP/1.1", host: "b.scorecardresearch.com", referrer: "http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html?pc=13764/64720&geo=sa&co=br"

Obs: 172.16.200.1 is my DNSBL VIP IP.

Do you have an idea regarding what could be happening? This is a new setup, so I'm not sure if those packages are supposed to work together, I mean Squid and DNSBL. I really would like to be using them together due to squidclamav, category filtering with the Shalla list, and the DNS filtering with DNSBL.

Best regards,
Marcelo

"If the world is against the truth, I'm against the world".
Athanasius of Alexandria

doktornotor wrote:

Yeah, this just won't work. Trying to play redirect ping-pong with packets from localhost to localhost is no good. Set up different DNS servers for Squid, or wait for next pfBNG version which will have an option to use 0.0.0.0 instead of the local webserver.

mcury wrote:

Thanks very much for the quick answer, I'll be waiting for the next release.


doktornotor wrote:

Actually I cannot reproduce this with "Bypass Proxy for Private Address Destination" checked on a transparent proxy. So, I'd say all you need is to fix your PAC to not proxy local networks, pretty much.

mcury wrote:

Thanks a lot for your time and attention on this matter. Once I've added the following at the top of the PAC file, everything went smoothly.

    function FindProxyForURL(url, host) {
        // If the requested website is hosted within the internal network, send direct.
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        // ... the rest of the original PAC file (its proxy rules) continues here

Best regards,
Marcelo


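As an added example that is not part of the thread or of pfSense/pfBlockerNG's own code, the harness below evaluates the PAC rule from the post above against constructed DNS answers, so you can check offline which requests bypass Squid. The proxy address 172.16.200.254:3128, the DNS table and the stand-in helper functions are assumptions; only the DNSBL VIP and the blocked hostname come from the thread.

```javascript
// Added example, not code from the thread: an offline harness that evaluates
// mcury's PAC rule against a constructed DNS table standing in for Unbound with
// pfBlockerNG DNSBL active, so you can see which requests bypass Squid.
const DNSBL_VIP = "172.16.200.1";            // DNSBL web server VIP quoted in the thread
const PROXY = "PROXY 172.16.200.254:3128";   // assumed Squid address (placeholder)

// Constructed resolver answers: a listed domain is sinkholed to the VIP.
const DNS_TABLE = {
  "b.scorecardresearch.com": DNSBL_VIP,      // hostname from the nginx log line
  "example.org": "93.184.216.34",            // ordinary external host (constructed)
  "intranet.local": "192.168.10.5",          // internal host (constructed)
};

// Minimal stand-ins for the helper functions a browser's PAC engine provides.
function isPlainHostName(host) { return !host.includes("."); }
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!ip) return false;                     // dnsResolve() returns null on failure
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
function dnsResolve(host) { return DNS_TABLE[host] || null; }

function FindProxyForURL(url, host) {
  // Same rule as the post, resolving once instead of four times. Because the
  // DNSBL VIP sits in 172.16.0.0/12, a sinkholed name goes DIRECT and never
  // reaches Squid, which is what stops the localhost ping-pong doktornotor described.
  const ip = dnsResolve(host);
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  return PROXY;
}
```

A name the resolver cannot answer falls through to the proxy, since isInNet() treats a null address as "not in any network".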
doktornotor wrote:

OK, thanks for verifying.
