AW: Disabling recursion causes browser hangs on clients with auto proxy config

Frank Stanek frank.stanek at est.fujitsu.com
Mon Jan 25 18:12:50 UTC 2010


Thank you for your reply.

> the browser apparently needs to resolve the IP before it decides whether to
> use proxy or not. It may be a problem of the .pac file.

I have also suspected the pac file some time ago. We have tried
to use !(isResolvable(host)) to try and make the browser give up
faster, with mixed results. In general this made things a little
faster but we still saw between 2 and 12 tries before the browser
gave up trying to resolve. This was still very noticeable on sites
with lots of external content.

> check the .pac content. If you use IP's in it, they are probably going to
> get resolved from given hostname.

I'm sorry but I don't quite understand what you mean. Could you
please elaborate this on the basis of this excerpt from our pac
file?

function FindProxyForURL(url, host)
{
    var proxy1 = "PROXY 192.168.240.29:8080";
    var proxy2 = "PROXY 172.16.1.30:8080";
    if ( dnsDomainIs(host, ".intern")
        || shExpMatch(url, "*//localhost*")
        || shExpMatch(url, "*//127*")
        || isInNet(host, "192.168.1.0", "255.255.255.0")
        // more lines with subnets
        || isPlainHostName(host)
        )
    {
        // Internal
        return "DIRECT";
    }
    else if ( shExpMatch(host, "int1.fujitsu.co.jp")
        || shExpMatch(host, "int2.fujitsu.co.jp")
        // more lines with WAN domains
        )
    {
        // WAN
        return proxy2;
    }
    else
    {
        // Internet
        return proxy1;
    }
}

Basically what we do is return one proxy for WAN sites (depending on the
domain name), another proxy for normal internet traffic or DIRECT for local
sites.

Regards
Frank


----- Original message -----
From: "Matus UHLAR - fantomas" <uhlar at fantomas.sk>
Sent: Mon, 25.1.2010 17:56
To: bind-users at lists.isc.org
Subject: Re: Disabling recursion causes browser hangs on clients with auto proxy config

On 25.01.10 17:14, Frank Stanek wrote:
> we want to set up a DNS server (bind-9.4.3-P3) for the internal LAN only.
> However for security reasons we need to only allow a few trusted systems
> to resolve external host names (ie names we are not authoritative for):
> * Trusted systems can resolve names from our zones _and_ external names
> * All other systems can only resolve names from our zones

> However when we use a pac file or automatic proxy detection, the browsers
> continually try to resolve the URL, receive "refused (recursion not available)",

the browser apparently needs to resolve the IP before it decides whether to
use proxy or not. It may be a problem of the .pac file.

> Is there something fundamentally flawed with this configuration, ie is there
> a better way to do this? We have tried using views but essentially we only
> put recursion no; in one view and recursion yes; in the other which comes
> down to the same thing. I have also inquired on the Firefox mailing list
> about why the browsers behave this way (try to resolve forever when they
> shouldn't need to) but have not received a reply yet.

check the .pac content. If you use IP's in it, they are probably going to
get resolved from given hostname.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
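
An added example, not part of the original messages: isInNet() resolves a hostname through DNS before comparing it to the subnet, so in the excerpt above it runs for every host that is not in .intern. The sketch below compares that condition order with a variant that does string-only tests first and calls isInNet() only for IP literals. The PAC helper stand-ins, the lookup counter and the names findProxyOriginal, findProxyNoLookup and trace are constructed for illustration so the file runs under Node.

```javascript
// Constructed stand-ins for the browser's PAC helpers so this runs under Node.
// dnsResolve counts lookups and returns null, like a resolver answering REFUSED.
let lookups = 0;
const dnsResolve = (host) => { lookups++; return null; };
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const isPlainHostName = (host) => !host.includes(".");
const dnsDomainIs = (host, domain) => host.endsWith(domain);
const shExpMatch = (str, pat) => new RegExp("^" + pat
  .replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$").test(str);
const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc * 256 + Number(o)) >>> 0, 0);
function isInNet(host, net, mask) {
  const ip = IPV4.test(host) ? host : dnsResolve(host); // hostname => DNS lookup
  return ip !== null && ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

const proxy1 = "PROXY 192.168.240.29:8080"; // Internet
const proxy2 = "PROXY 172.16.1.30:8080";    // WAN
const isWan = (host) => shExpMatch(host, "int1.fujitsu.co.jp") || shExpMatch(host, "int2.fujitsu.co.jp");

// Condition order as in the excerpt: isInNet() runs for every non-.intern host.
function findProxyOriginal(url, host) {
  if (dnsDomainIs(host, ".intern") || shExpMatch(url, "*//localhost*")
      || shExpMatch(url, "*//127*") || isInNet(host, "192.168.1.0", "255.255.255.0")
      || isPlainHostName(host)) return "DIRECT";
  return isWan(host) ? proxy2 : proxy1;
}

// Variant: string-only tests first; isInNet() only when host is an IP literal.
function findProxyNoLookup(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".intern")
      || shExpMatch(url, "*//localhost*") || shExpMatch(url, "*//127*")) return "DIRECT";
  if (IPV4.test(host) && isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  return isWan(host) ? proxy2 : proxy1;
}

// Returns [result, number of DNS lookups the PAC function triggered].
function trace(fn, url, host) {
  lookups = 0;
  const result = fn(url, host);
  return [result, lookups];
}

console.log(trace(findProxyOriginal, "http://www.example.com/", "www.example.com"));
console.log(trace(findProxyNoLookup, "http://www.example.com/", "www.example.com"));
```

The variant changes one behaviour: a hostname outside .intern that resolves into 192.168.1.0/24 is no longer sent DIRECT, so such hosts would need a name-based rule.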