access blocking using DNS -> "NO Address records in response to '....'

access blocking using DNS -> "NO Address records in response to '....'

Paul Neuwirth
Hello list,

named is configured to block (resulting in NXDOMAIN) some domains.
Using squid I have the following problem:
The browser requests such a blocked URL and named is not delivering an
error; the request never times out...
How can I make squid deliver an error in this case?

From the logs I see:
2018-01-03T08:00:49.750777+01:00 alpha squid[24532]: ipcacheParse: No
Address records in response to 'www.googletagmanager.com'

in time of request.

If request is aborted:

2018-01-03T08:03:00.163354+01:00 alpha squid[24532]: 1514962860.163
10414 172.18.0.26 TCP_MISS_ABORTED/000 0 GET
http://www.googletagmanager.com/ - HIER_NONE/- -

Thank you for your help. If you need any further information, I may deliver.

Thank you

Paul

OS: OpenSUSE Leap 42.2

# zypper if squid
Information for package squid:
------------------------------
Repository     : opensuse_updates              
Name           : squid                          
Version        : 3.5.21-5.3.1                  
Arch           : x86_64                        
Vendor         : openSUSE                      
Installed Size : 10.0 MiB                      
Installed      : Yes                            
Status         : up-to-date                    
Source package : squid-3.5.21-5.3.1.src
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: access blocking using DNS -> "NO Address records in response to '....'

Paul Neuwirth
On Wed, 3 Jan 2018 08:30:36 +0100
Paul Neuwirth <[hidden email]> wrote:

> Hello list,
>
> named is configured to block (resulting in NXDOMAIN) some domains.
> Using squid I have following problem:
> Browser requests such a blocked URL  and named is not delivering an
> error, request never times out...
> How can I make squid deliver an error in this case.
>
> From the logs i see:
> 2018-01-03T08:00:49.750777+01:00 alpha squid[24532]: ipcacheParse: No
> Address records in response to 'www.googletagmanager.com'
>
> in time of request.
>
> If request is aborted:
>
> 2018-01-03T08:03:00.163354+01:00 alpha squid[24532]: 1514962860.163
> 10414 172.18.0.26 TCP_MISS_ABORTED/000 0 GET
> http://www.googletagmanager.com/ - HIER_NONE/- -
>
> Thank you for help. If you need any further information, i may
> deliver.
>
> Thank you
>
> Paul
>
> OS: OpenSUSE Leap 42.2
>
> # zypper if squid
> Information for package squid:
> ------------------------------
> Repository     : opensuse_updates              
> Name           : squid                          
> Version        : 3.5.21-5.3.1                  
> Arch           : x86_64                        
> Vendor         : openSUSE                      
> Installed Size : 10.0 MiB                      
> Installed      : Yes                            
> Status         : up-to-date                    
> Source package : squid-3.5.21-5.3.1.src

Sorry, just a minute after sending I found out that named is not delivering
NXDOMAIN, but nothing:
# dig www-googletagmanager.l.google.com

; <<>> DiG 9.10.4-P5 <<>> www-googletagmanager.l.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www-googletagmanager.l.google.com. IN A

;; AUTHORITY SECTION:
www-googletagmanager.l.google.com. 21600 IN SOA ns1.domain.com.
hostmaster.domain.com. 1 10800 3600 86400 21600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 03 08:33:08 CET 2018
;; MSG SIZE  rcvd: 120




Re: access blocking using DNS -> "NO Address records in response to '....'

Amos Jeffries
Administrator
On 03/01/18 20:34, Paul Neuwirth wrote:

> On Wed, 3 Jan 2018 08:30:36 +0100
> Paul Neuwirth wrote:
>
>> Hello list,
>>
>> named is configured to block (resulting in NXDOMAIN) some domains.
>> Using squid I have following problem:
>> Browser requests such a blocked URL  and named is not delivering an
>> error, request never times out...
>> How can I make squid deliver an error in this case.
>>

...
>
> Sorry, just a minute after sending I found out, named is not delivering
> NXDOMAIN, but nothing

Nod. That is the cause of the "NO address records" log entry.

The client appears to be disconnecting from Squid after ~10 seconds. You
can probably get the Squid "unable to resolve" error page to show up by
reducing dns_timeout to a value of 5-10 seconds
(<http://www.squid-cache.org/Doc/config/dns_timeout/>).

Amos

Re: access blocking using DNS -> "NO Address records in response to '....'

Paul Neuwirth
On Thu, 4 Jan 2018 01:24:57 +1300
Amos Jeffries <[hidden email]> wrote:

> On 03/01/18 20:34, Paul Neuwirth wrote:
> > On Wed, 3 Jan 2018 08:30:36 +0100
> > Paul Neuwirth wrote:
> >  
> >> Hello list,
> >>
> >> named is configured to block (resulting in NXDOMAIN) some domains.
> >> Using squid I have following problem:
> >> Browser requests such a blocked URL  and named is not delivering an
> >> error, request never times out...
> >> How can I make squid deliver an error in this case.
> >>  
>
> ...
> >
> > Sorry, just a minute after sending I found out, named is not
> > delivering NXDOMAIN, but nothing  
>
> Nod. That is the cause of the "NO address records" log entry.
>
> The client appears to be disconnecting from Squid after ~10 seconds.
> You can probably get the Squid "unable to resolve" error page to show
> up by reducing dns_timeout to a value of 5-10 seconds
> (<http://www.squid-cache.org/Doc/config/dns_timeout/>).
>
> Amos

Thank you. But the default is 60 seconds, and the request never times out.

But never mind; I found a better solution: I reconfigured bind using
response policy zones to send NXDOMAIN. This feature didn't exist at the
time I did the previous config.

have a nice year

Paul

Re: access blocking using DNS -> "NO Address records in response to '....'

Amos Jeffries
Administrator
On 04/01/18 02:01, Paul Neuwirth wrote:

> On Thu, 4 Jan 2018 01:24:57 +1300
> Amos Jeffries <[hidden email]> wrote:
>
>> On 03/01/18 20:34, Paul Neuwirth wrote:
>>> On Wed, 3 Jan 2018 08:30:36 +0100
>>> Paul Neuwirth wrote:
>>>    
>>>> Hello list,
>>>>
>>>> named is configured to block (resulting in NXDOMAIN) some domains.
>>>> Using squid I have following problem:
>>>> Browser requests such a blocked URL  and named is not delivering an
>>>> error, request never times out...
>>>> How can I make squid deliver an error in this case.
>>>>  
>>
>> ...
>>>
>>> Sorry, just a minute after sending I found out, named is not
>>> delivering NXDOMAIN, but nothing
>>
>> Nod. That is the cause of the "NO address records" log entry.
>>
>> The client appears to be disconnecting from Squid after ~10 seconds.
>> You can probably get the Squid "unable to resolve" error page to show
>> up by reducing dns_timeout to a value of 5-10 seconds
>> (<http://www.squid-cache.org/Doc/config/dns_timeout/>).
>>
>> Amos
>
> thank you. But default is 60 seconds.. but the request never times out..

You missed the point. The access.log snippet presented said the
connection got aborted after 10.140 seconds with 0 bytes delivered to
the client - long before any Squid DNS lookups timeout.

Which implies strongly that the client is the one aborting the
transaction. So to get that error page you wanted from Squid in that
environment setup you would need to shorten dns_timeout to something
that will make it produce an error page before the client disconnects.

OR, as you found anyway, changing the DNS system's behaviour to a faster
response also changes the overall outcome ...

>
> but never mind.. I found a better solution, reconfigured bind using
> response policy zones to send NXDOMAIN.. this feature didn't exist at
> that time I did the previous config.

Nod, that is a bit better if you do it only for intentionally blocked
domains. Otherwise it will now present lies about domains not existing
when the truth is their no-IP state, which might muck up your future
debugging of domain issues. So YMMV.

>
> have a nice year
>

Cheers, and same to you.

Amos
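Amos's reading of the access.log line (TCP_MISS_ABORTED/000, 0 bytes, HIER_NONE, 10.4 seconds elapsed, so the client gave up long before dns_timeout) turned into a small checker, as an added Python example that is not code from the thread or from Squid. The "halve the shortest client-abort time" heuristic and the second sample log line are assumptions of this example.

```python
# Added example (not from the thread): classify aborted Squid access.log
# entries the way Amos does above. Assumes Squid's native access.log format
# and dns_timeout in seconds (Squid's default of 60s, as Paul notes).

DEFAULT_DNS_TIMEOUT_S = 60

def parse_access_line(line):
    """Split a native-format access.log line into typed fields."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError("not a native access.log line: %r" % line)
    ts, elapsed, client, result_status, nbytes, method, url, _user, hier_peer = fields[:9]
    result, status = result_status.rsplit("/", 1)
    hier, peer = hier_peer.split("/", 1)
    return {"timestamp": float(ts), "elapsed_ms": int(elapsed), "client": client,
            "result": result, "status": int(status), "bytes": int(nbytes),
            "method": method, "url": url, "hier": hier, "peer": peer}

def classify(entry, dns_timeout_s=DEFAULT_DNS_TIMEOUT_S):
    """Who ended the transaction, and before or after Squid's DNS timeout."""
    if not entry["result"].endswith("_ABORTED"):
        return "completed"
    if entry["bytes"] > 0:
        return "client-aborted-mid-response"
    # 0 bytes and HIER_NONE: Squid never reached a server, so it was still
    # resolving (or otherwise stuck) when the client connection went away.
    if entry["hier"] == "HIER_NONE" and entry["elapsed_ms"] < dns_timeout_s * 1000:
        return "client-aborted-before-dns-timeout"
    return "aborted-at-or-after-dns-timeout"

def suggest_dns_timeout(entries, dns_timeout_s=DEFAULT_DNS_TIMEOUT_S):
    """Assumed heuristic: halve the shortest client-abort time so the
    'unable to resolve' page is generated well before the client gives up.
    Returns None when no such aborts were seen."""
    aborts = [e["elapsed_ms"] for e in entries
              if classify(e, dns_timeout_s) == "client-aborted-before-dns-timeout"]
    return max(1, min(aborts) // 2000) if aborts else None

# Paul's abort line with the syslog prefix removed, plus a constructed hit.
SAMPLE_LOG = [
    "1514962860.163  10414 172.18.0.26 TCP_MISS_ABORTED/000 0 GET "
    "http://www.googletagmanager.com/ - HIER_NONE/- -",
    "1514962861.001      3 172.18.0.26 TCP_HIT/200 1234 GET http://example.test/ "
    "- HIER_NONE/- text/html",
]

if __name__ == "__main__":
    entries = [parse_access_line(l) for l in SAMPLE_LOG]
    for e in entries:
        print(e["url"], e["elapsed_ms"], "ms ->", classify(e))
    print("suggested dns_timeout:", suggest_dns_timeout(entries), "seconds")
```

Run it against real access.log lines (after stripping any syslog prefix) to see whether aborted entries cluster below the configured dns_timeout, which is the signature of clients giving up before Squid can serve its error page.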