Squid proxy configuration based on DNS failure

Inside a private environment, access to the Internet may go through an Internet proxy, and the environment's DNS may be unable to resolve public domain names. If you need to run another proxy on the local network, how can you make it answer requests for local services directly, yet forward requests for Internet destinations to the Internet proxy?

Diagram of a local client trying to access the Internet or a local HTTP service

For example, in your local environment:

  • Inside the local environment, your DNS resolves *.local names (a domain unknown outside the network)
  • Any other request fails (empty answer or SERVFAIL DNS answer)

The aim is to configure the Squid proxy to detect whether you're accessing a local or Internet web service based on DNS resolution.


Technically, I have set up a Docker Compose file with a custom squid.conf:

version: '3'
services:
  squid:
    image: ubuntu/squid:5.2-22.04_beta
    restart: always
    volumes:
     - ./config/squid.conf:/etc/squid/squid.conf
    environment:
     - TZ=UTC
    ports:
     - "8080:8080"

The solution is to filter each request based on the destination IP of the URL. When the local proxy resolves the requested FQDN, DNS responds either with the IP address it found or with nothing at all. In the latter case the FQDN is not part of the local network, and the request must be forwarded to the Internet proxy.

With Squid you cannot detect a DNS failure directly with an ACL, but you can create an ACL based on an IP range. The idea is to do the opposite: if the request has a valid destination IPv4 address, the request matches the filter. The IPv4 range used here is 0.0.0.0/0.0.0.0, which matches every IPv4 address. If DNS resolution fails, Squid cannot obtain a destination IP, and the destination-IP filter does not match.

The important part is the last 5 lines of the file. We use the always_direct and never_direct directives to define how a request should use the cache_peer (the Internet proxy).

  • Always_direct removes direct access for every request, except for a valid destination IP
  • Never_direct forces direct access for a valid destination IP
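The squid.conf fragment the text describes (the cache_peer plus the always_direct/never_direct rules) is not reproduced on the page, so the following is an added reconstruction written for this article, not the author's file. The upstream proxy name internet-proxy.example:3128 and the client range 192.0.2.0/24 are placeholders; port 8080 comes from the docker-compose file above. The destination ACL is written in CIDR form (0.0.0.0/0), which Squid accepts as the equivalent of the 0.0.0.0/0.0.0.0 netmask form used in the text (recent Squid versions log a deprecation warning for netmask notation).

```conf
# squid.conf: route by DNS result (added example, not the article's own file)

# Listen on the port published by the docker-compose service above
http_port 8080

# Clients allowed to use this proxy (constructed range, adjust to your network)
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all

# Upstream Internet proxy (placeholder name and port). It performs the public
# DNS lookups itself, so this Squid never needs to resolve Internet names.
# The peer name must be resolvable by the local DNS, or use its IP address.
cache_peer internet-proxy.example parent 3128 0 no-query default name=internet
cache_peer_access internet allow all

# Matches any destination that this Squid could resolve to an IPv4 address.
# A host whose lookup fails (empty answer or SERVFAIL) never matches this ACL.
acl valid_dst dst 0.0.0.0/0

# Resolvable name -> a service on the local network: fetch it directly.
# always_direct is evaluated before never_direct, so a match here wins.
always_direct allow valid_dst

# Anything else (DNS failure) -> hand the request to the Internet proxy.
never_direct allow all
```

Two points worth checking in a deployment: Squid caches failed lookups for negative_dns_ttl (one minute by default), so a transient SERVFAIL on a local name sends requests for that name to the Internet proxy until the entry expires; and every name that fails local resolution, including mistyped internal hostnames, is passed to the upstream proxy in the request, so review that proxy's logging if internal naming is considered sensitive.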