DNS Querys and proxy (squid + dansguardian) responses – who’s reponsible for the query

dansguardiandomain-name-systemsquid

I'm having a trouble with squid (and dansguardian) in my network that slows web page browsing.

I'm focused now in the DNS queries – i think the DNS can share part of the blame. I've observing my machine with wireshark and the server with tcpdump.

I'm observing that, when i request a page, my machine tries to resolve the name and the squid server also does the same. Is this a normal behaviour ? Shouldn't my machine forward the request to the proxy and then the proxy server resolves the name and makes the request to that web page ?

My Firefox (if I make a mistake in the web page name) stays 30 seconds (i guess this has something to do with dns timeout) blocked (but really blocked) until the proxy server sends a default squid page of domain not found…or until the DNS resolves the query..

My question is only if my machine and my proxy server really have both to make the DNS query or it should only be the proxy server…

Thank you.

Best Answer

In general, yes, your local browser will try to resolve the hostname in DNS before sending the request to the proxy. With Firefox this is configurable using the network.proxy.socks_remote_dns setting. To modify this setting:

Enter about:config in the location bar.
Enter network.proxy.socks_remote_dns in the search field.
Double-click on the network.proxy.socks_remote_dns item to change it from false (the default) to true.

With this enabled, Firefox should pass requests to the proxy without performing DNS resolution locally.

NB: I don't know for certain if this applies only to socks proxies or not.

Related Solutions

Linux – How to Force Dig to Resolve Without Using Cache

You can use the @ syntax to look up the domain from a particular server. If the DNS server is authoritative for that domain, the response will not be a cached result.

dig @ns1.example.com example.com

You can find the authoritative servers by asking for the NS records for a domain:

dig example.com NS

Ssl – How to disable Google SSL Search so that the DansGuardian web filter will work properly

I did a Google search for [ nosslsearch dansguardian | squid ] and found a bunch of solutions.

In a post on the DansGuardian support list, Karl Henselin suggests adding a rule to DansGuardian's urlregexplist file. This seems like a reasonable solution. I've improved that rule; it now seems to work on many Google domains (but not on others, such as www.google.co.uk). Here's the improved version:

# Disable Google SSL Search. Based on a post by Karl Henselin.
# See <http://serverfault.com/q/527228>.
"^https://www.google.[a-z]{2,6}(.*)"->"https://nosslsearch.google.com\1"

This rule works for me for blocking access to SSL Web search. It doesn't block access to <https://images.google.com>, but that website is now just a query form. Only <www.google.com> actually serves image results nowadays.

Does the rule work for you too? Please leave a comment.

Best Answer

Related Solutions

Linux – How to Force Dig to Resolve Without Using Cache

Ssl – How to disable Google SSL Search so that the DansGuardian web filter will work properly

Related Topic