On 4/06/2012 8:36 a.m., Roman Gelfand wrote:
> I have setup squid server to function as both forward and reverse
> proxy. It appears that I am getting flooded with http requests with
> non existant urls. Consequently, this slows down my firewall as the
> dns server is slowing down the query response. Is there a way to
> prevent dns lookup if url doesn't match the pattern?
>
> Thanks in advance
Squid rejects requests with non-existant URLs as invalid HTTP syntax
during parsing. There is no DNS involved there.
I assume you mean the URL has a unregistered domain name and the
requests are coming in with a great many different domains?
Reverse-proxy requests should have 0 DNS usage. Forward-proxy should
only need DNS after accepting a request for relay. There are some
exceptions to that, but most networks will fit that generalization. It
is achieved by reverse-proxy using dstdomain ACLs, and forward-proxy
using src client IP or proxy_auth login credentials to determin traffic
acceptance. DNS is not involved in any of those ACL types.
This small alteration (adding localnet filter) to the basic
reverse-proxy config should stop those requests no DNS involved:
# reverse-proxy rules
acl localdomains dstdomain example.com
http_access allow localdomains
http_access deny !localnet
# ... other forward-proxy rules...
Also; If you have "dst" in the reverse-proxy allow rules, change it to
dstdomain and DNS load should vanish.
Amos
Received on Mon Jun 04 2012 - 11:42:46 MDT
This archive was generated by hypermail 2.2.0 : Tue Jun 05 2012 - 12:00:03 MDT