Squid can't resolve domain names



  • Hello everybody,
    my name is Matteo, and this is my first topic.
    I'm using pfSense 1.2.3 with latest Squid package version.
    As in the subject, I'm experiencing DNS problems with Squid package.
    The problem is that I use an internal Windows Server 2008 DNS to resolve some demo domains, but it seems like Squid doesn't query it.
    If I try reaching one of the demos, I get this error:

    The requested URL could not be retrieved
    
    While trying to retrieve the URL: http://demo.demo.demo/
    
    The following error was encountered:
    
        Unable to determine IP address from host name for demo.demo.demo 
    
    The dnsserver returned:
    
        Name Error: The domain name does not exist. 
    
    This means that:
    
     The cache was not able to resolve the hostname presented in the URL. 
     Check if the address is correct. 
    
    

    It seems like this is a DNS cache problem, but it appeared only after the last update. I tried setting:

    negative_dns_ttl 1 second;positive_dns_ttl 2 seconds

    Squid is configured to work in transparent mode, and it gives this problem only with the demo domains.
    Is this a known problem?
    Can someone please help me?


  • Is your pfsense system configured to query your internal DNS? If it is, then you should configure squid to use 127.0.0.1 as DNS.
    Or, even better, you could edit the hosts file from dns forwarder section, adding your demo domains (or hosts).



  • I tried what you suggested, but it didn't work. I already tried setting Squid to query the same DNS the system has, but it didn't work, either.
    Another strange thing is the Squid error message reports a wrong timezone, reporting GMT instead of GMT+1.



  • If you enter your demo address in http://pfsense_ip/diag_dns.php do you get the right IP address?

    PS: Is your computer configured to use pfsense as DNS server?



  • @dondos:

    If you enter your demo address in http://pfsense_ip/diag_dns.php do you get the right IP address?

    I tried this, and the answer is yes. I also tried traceroute, but it only worked with ICMP enabled. PfSense system IP is not an exception for the proxy, anyway.

    PS: Is your computer configured to use pfsense as DNS server?

    No, my computer has the same DNS as pfsense, I tried setting pfsense as the only DNS server, but no luck.
    In addition, IPs that bypass Squid resolve the demo addresses (which are not internal) correctly.



  • Then the problem seems to be caused by squid. Does it read the configuration file correctly? Open cache.log from /var/squid/log/ and look for: Adding nameserver 127.0.0.1 from squid.conf.

    If not, restart the squid service (or the whole system).



  • Can you try browsing FROM the DNS server?  Perhaps it is not allowed on the Squid ACL and is therefore causing problems…



  • @dondos:

    Then the problem seems to be caused by squid. Does it read the configuration file correctly? Open cache.log from /var/squid/log/ and look for: Adding nameserver 127.0.0.1 from squid.conf.

    If not, restart the squid service (or the whole system).

    I set again the alternate DNS as 127.0.0.1, but I found many entries in the log file, similar to the one you said, at different times:

    2010/01/13 09:49:15| Adding domain grupposinergest.local from /etc/resolv.conf
    2010/01/13 09:49:15| Adding nameserver 192.168.x.x from /etc/resolv.conf
    2010/01/13 09:49:15| Adding nameserver 88.x.x.x from /etc/resolv.conf
    2010/01/13 09:49:15| Adding nameserver 88.x.x.x from /etc/resolv.conf
    ...
    2010/01/13 09:49:16| DNS Socket created at 0.0.0.0, port 20715, FD 7
    2010/01/13 09:49:16| Adding nameserver 127.0.0.1 from squid.conf
    ...
    2010/01/13 09:49:29| DNS Socket created at 0.0.0.0, port 43916, FD 12
    2010/01/13 09:49:29| Adding nameserver 127.0.0.1 from squid.conf
    ...
    2010/01/13 09:50:09| DNS Socket created at 0.0.0.0, port 31716, FD 6
    2010/01/13 09:50:09| Adding nameserver 127.0.0.1 from squid.conf
    ...
    
    

    The service is running properly, except for the problem we're struggling with.

    @mhab12:

    Can you try browsing FROM the DNS server?  Perhaps it is not allowed on the Squid ACL and is therefore causing problems…

    I'm afraid I can't understand what you are saying.
    Do you mean I should let the DNS server bypass the proxy? How can it interfere with the DNS resolution of Squid?
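
The cache.log check suggested in the thread, as an added example (not part of any post, and not Squid or pfSense project code): it groups the "Adding nameserver" lines into resolver-list loads and reports whether the most recent load contains a given resolver. The sample log is constructed with documentation-range addresses in the format quoted above, and the function names are hypothetical.

```python
import re

# Matches cache.log lines of the form quoted in the thread, e.g.
# "2010/01/13 09:49:16| Adding nameserver 127.0.0.1 from squid.conf"
ADD_NS = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\| Adding nameserver "
    r"(?P<ip>\S+) from (?P<src>\S+)\s*$")
DNS_SOCKET = re.compile(r"\| DNS Socket created at ")

# Constructed sample: 192.0.2.53 stands in for an internal DNS server.
SAMPLE_LOG = """\
2010/01/13 09:49:15| Adding domain example.local from /etc/resolv.conf
2010/01/13 09:49:15| Adding nameserver 192.0.2.53 from /etc/resolv.conf
2010/01/13 09:49:15| Adding nameserver 198.51.100.1 from /etc/resolv.conf
2010/01/13 09:49:16| DNS Socket created at 0.0.0.0, port 20715, FD 7
2010/01/13 09:49:16| Adding nameserver 127.0.0.1 from squid.conf
2010/01/13 09:50:09| DNS Socket created at 0.0.0.0, port 31716, FD 6
2010/01/13 09:50:09| Adding nameserver 127.0.0.1 from squid.conf
"""

def resolver_loads(log_text):
    """Return one dict per resolver-list load: time, source, nameservers."""
    loads, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if DNS_SOCKET.search(line):
            # Assumption: a new DNS socket marks a fresh resolver load.
            current = None
            continue
        m = ADD_NS.match(line)
        if not m:
            continue
        if current is None or current["source"] != m["src"]:
            current = {"time": m["ts"], "source": m["src"], "nameservers": []}
            loads.append(current)
        current["nameservers"].append(m["ip"])
    return loads

def check_latest(log_text, expected_ip):
    """Report whether the most recent load contains the expected resolver."""
    loads = resolver_loads(log_text)
    if not loads:
        return {"ok": False, "reason": "no nameserver lines found"}
    last = loads[-1]
    return dict(last, ok=expected_ip in last["nameservers"])

if __name__ == "__main__":
    for load in resolver_loads(SAMPLE_LOG):
        print(load["time"], load["source"], load["nameservers"])
    print(check_latest(SAMPLE_LOG, "192.0.2.53"))
```

On the sample, the last load comes from squid.conf and lists only 127.0.0.1, so whether internal names resolve depends on what the local forwarder on 127.0.0.1 forwards to.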

