Re: [squid-users] dstdomain issue

From: Daniel Rose <drose_at_nla.gov.au>
Date: Thu, 26 Jun 2008 13:36:56 +1000

howard chen wrote:
> Hello,
>
> I notice some of our clients are typing an additional dot at the end of
> the domain, which makes the squid ACL fail, e.g.
>
> acl dstdomain_index dstdomain .example.com
>
>
> So if a client is using, e.g. http://www.example.com./, then the ACL blocks
> the client from accessing.
>
> But in real sites this should be allowed? e.g. www.facebook.com./
>

Yes. The trailing . is a placeholder that instructs DNS lookup mechanisms to terminate there and not try to look up the phrase as a host or subdomain.

For example, where I work I can just type www into my browser to get our main page because it has nla.gov.au configured as a search domain.

Which, IIRC, means that the lookup of www fails, so it then does a lookup on www.nla.gov.au, then www.gov.au, then www.au, then and only then it reports back to the OS that it was unable to resolve the host. At least, I think that's how it works.

Sometimes these are essential where the search domains are implicit, like DNS records. If I forget the . then I end up with errors in the logs referring to

hostname.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au.nla.gov.au... etc

Basically then the trailing dot is acceptable for a FQDN. Your link to facebook worked fine for me, and I would assume that you get these attempts because people are used to ending a typed phrase with a full stop <ENTER> sequence.

>
>
> Howard

-- 
Daniel Rose
National Library of Australia
Received on Thu Jun 26 2008 - 03:37:34 MDT
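
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Squid's code: a simplified model of dstdomain-style suffix matching, run with and without stripping the root dot from the requested host. The function names are hypothetical and the sample hosts are constructed.

```python
# Added illustration: a simplified model of suffix-style domain ACL matching.
# Not Squid's implementation; all names and sample hosts are constructed.

def normalize_host(host: str) -> str:
    """Lower-case the name and strip the single root dot of an absolute FQDN."""
    host = host.strip().lower()
    # "www.example.com." -> "www.example.com"; malformed ".." endings are left alone
    if host.endswith(".") and not host.endswith(".."):
        host = host[:-1]
    return host

def suffix_match(host: str, pattern: str) -> bool:
    """'.example.com' matches example.com and its subdomains; 'example.com' is exact."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def naive_match(host: str, pattern: str) -> bool:
    """Compare the host exactly as the client typed it (case-folded only)."""
    return suffix_match(host.lower(), pattern.lower())

def normalized_match(host: str, pattern: str) -> bool:
    """Normalize both sides before comparing, so the root dot cannot cause a miss."""
    return suffix_match(normalize_host(host), normalize_host(pattern))

def compare(hosts, pattern):
    """Return (host, naive_result, normalized_result) for each host."""
    return [(h, naive_match(h, pattern), normalized_match(h, pattern)) for h in hosts]

# Constructed sample hosts, as they might appear in request URLs.
SAMPLE_HOSTS = [
    "www.example.com",         # ordinary form
    "www.example.com.",        # absolute FQDN with trailing dot
    "EXAMPLE.COM.",            # mixed case plus trailing dot
    "notexample.com.",         # must not match: different registered name
    "example.com.other.test.", # must not match: example.com is not the suffix
]

if __name__ == "__main__":
    for host, naive, norm in compare(SAMPLE_HOSTS, ".example.com"):
        print(f"{host:26} naive={naive!s:5} normalized={norm}")
```

Stripping the root dot changes the result only for names that really are under the pattern's domain; the two look-alike hosts stay unmatched either way.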
