    Squid can't resolve domain names

    • S
      sinergest last edited by

      Hello everybody,
      my name is Matteo, and this is my first topic.
      I'm using pfSense 1.2.3 with latest Squid package version.
      As in the subject, I'm experiencing DNS problems with Squid package.
      The problem is that I use an internal Windows Server 2008 DNS to resolve some demo domains, but it seems like Squid doesn't query it.
      If I try reaching one of the demos, I get this error:

      The requested URL could not be retrieved
      
      While trying to retrieve the URL: http://demo.demo.demo/
      
      The following error was encountered:
      
          Unable to determine IP address from host name for demo.demo.demo 
      
      The dnsserver returned:
      
          Name Error: The domain name does not exist. 
      
      This means that:
      
       The cache was not able to resolve the hostname presented in the URL. 
       Check if the address is correct. 
      
      

      It seems like this is a DNS cache problem, but it appeared only after last update. I tried setting
      ```
      negative_dns_ttl 1 second;positive_dns_ttl 2 seconds
      ```

      Squid is configured to work in transparent mode, and it gives this problem only with the demo domains.
      Is this a known problem?
      Can someone please help me?
      • D
        dondos last edited by

        Is your pfsense system configured to query your internal DNS? If it is, then you should configure squid to use 127.0.0.1 as DNS.
        Or, even better, you could edit the hosts file from dns forwarder section, adding your demo domains (or hosts).

        • S
          sinergest last edited by

          I tried what you suggested, but it didn't work. I already tried setting Squid to query the same DNS the system has, but it didn't work, either.
          Another strange thing is the Squid error message reports a wrong timezone, reporting GMT instead of GMT+1.

          • D
            dondos last edited by

            If you enter your demo address in http://pfsense_ip/diag_dns.php do you get the right ip address?

            PS: Is your computer configured to use pfsense as DNS server?

            • S
              sinergest last edited by

              @dondos:

              If you enter your demo address in http://pfsense_ip/diag_dns.php do you get the right ip address?

              I tried this, and the answer is yes. I also tried traceroute, but it only worked with ICMP enabled. PfSense system IP is not an exception for the proxy, anyway.

              PS: Is your computer configured to use pfsense as DNS server?

              No, my computer has the same DNS as pfsense, I tried setting pfsense as the only DNS server, but no luck.
              In addition, IPs that bypass Squid resolve the demo addresses (which are not internal) correctly.

              • D
                dondos last edited by

                Then the problem seems to be caused by squid. Does it read the configuration file correctly? Open cache.log from /var/squid/log/ and look for: Adding nameserver 127.0.0.1 from squid.conf.

                If not, restart the squid service (or the whole system).

                • M
                  mhab12 last edited by

                  Can you try browsing FROM the DNS server?  Perhaps it is not allowed on the Squid ACL and is therefore causing problems…

                  • S
                    sinergest last edited by

                    @dondos:

                    Then the problem seems to be caused by squid. Does it read the configuration file correctly? Open cache.log from /var/squid/log/ and look for: Adding nameserver 127.0.0.1 from squid.conf.

                    If not, restart the squid service (or the whole system).

                    I set again the alternate DNS as 127.0.0.1, but I found many entries in the log file, similar to the one you said, at different times:

                    2010/01/13 09:49:15| Adding domain grupposinergest.local from /etc/resolv.conf
                    2010/01/13 09:49:15| Adding nameserver 192.168.x.x from /etc/resolv.conf
                    2010/01/13 09:49:15| Adding nameserver 88.x.x.x from /etc/resolv.conf
                    2010/01/13 09:49:15| Adding nameserver 88.x.x.x from /etc/resolv.conf
                    ...
                    2010/01/13 09:49:16| DNS Socket created at 0.0.0.0, port 20715, FD 7
                    2010/01/13 09:49:16| Adding nameserver 127.0.0.1 from squid.conf
                    ...
                    2010/01/13 09:49:29| DNS Socket created at 0.0.0.0, port 43916, FD 12
                    2010/01/13 09:49:29| Adding nameserver 127.0.0.1 from squid.conf
                    ...
                    2010/01/13 09:50:09| DNS Socket created at 0.0.0.0, port 31716, FD 6
                    2010/01/13 09:50:09| Adding nameserver 127.0.0.1 from squid.conf
                    ...
                    
                    

                    The service is running properly, except for the problem we're struggling with.

                    @mhab12:

                    Can you try browsing FROM the DNS server?  Perhaps it is not allowed on the Squid ACL and is therefore causing problems…

                    I'm afraid I can't understand what you are saying.
                    Do you mean I should let the DNS server bypass the proxy? How can it interfere with the DNS resolution of Squid?
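
The cache.log check suggested in this thread, as an added example that is not part of any post: a shell script that lists every nameserver Squid registered and isolates the set loaded by the most recent DNS initialisation, so older `/etc/resolv.conf` entries are not mistaken for the active ones. The function names are hypothetical, and the sample log lines and addresses are constructed to match the format quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: report which resolvers Squid loaded.
# Function names are hypothetical; the sample log below is constructed.

# Print "date time nameserver source" for every resolver Squid registered.
squid_nameservers() {
    awk '/[|] Adding nameserver / {
        t = $2; sub(/[|]$/, "", t)          # strip the trailing "|" from the time
        print $1, t, $5, $7
    }' "$1"
}

# Print "nameserver source" for the most recent DNS initialisation only: the
# last run of consecutive "Adding nameserver" / "Adding domain" lines.
squid_active_nameservers() {
    awk '
    /[|] Adding (nameserver|domain) / {
        if (!in_run) { n = 0; in_run = 1 }  # a new run replaces the older set
        if ($4 == "nameserver") ns[++n] = $5 " " $7
        next
    }
    { in_run = 0 }
    END { for (i = 1; i <= n; i++) print ns[i] }
    ' "$1"
}

# Succeed only if the active set consists of exactly the expected resolver.
squid_uses_only() {
    [ "$(squid_active_nameservers "$1" | awk '{ print $1 }' | sort -u)" = "$2" ]
}

# Constructed sample modelled on the log format quoted in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
2010/01/13 09:49:15| Adding domain example.local from /etc/resolv.conf
2010/01/13 09:49:15| Adding nameserver 192.0.2.10 from /etc/resolv.conf
2010/01/13 09:49:15| Adding nameserver 198.51.100.1 from /etc/resolv.conf
2010/01/13 09:49:16| Ready to serve requests.
2010/01/13 09:50:09| DNS Socket created at 0.0.0.0, port 31716, FD 6
2010/01/13 09:50:09| Adding nameserver 127.0.0.1 from squid.conf
2010/01/13 09:50:10| Ready to serve requests.
EOF

squid_nameservers "$SAMPLE"
squid_uses_only "$SAMPLE" 127.0.0.1 && echo "active resolver: 127.0.0.1 only"
```

On the firewall itself, pass the real log path (the thread gives `/var/squid/log/cache.log`) instead of the sample file.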
