Squid, Slow DNS, UDP, and Juniper

01 Jul 2013

TL;DR: Having problems with Squid and slow DNS? It might be a Juniper firewall between you and your name servers handling DNS replies in a way Squid's built-in resolver can't cope with. Solution: run a local named as a caching DNS server and have Squid talk to it. Works great.

OK, long version: Your test setup of Squid works correctly and is fast. Then you put it into production (or maybe you move your laptop to the office), and it works... but very slowly. Pages sometimes load, but only after a pause of ten seconds or so. Sometimes they don't load at all. You've added Google's DNS servers to squid.conf with dns_nameservers, but it doesn't help. Other command-line tools such as dig, nslookup, and curl all work fine.

By any chance are you behind a Juniper firewall or router? If you are, then read this gem from their knowledge base: "DNS reply packet is dropped thru the firewall. How is DNS traffic handled?" I'm no expert in DNS, so I can't comment on whether this is reasonable or not. Regular DNS tools don't seem to have problems with it. Unfortunately, Squid's internal DNS client is incomplete and can't handle the replies that come back through the Juniper, so each lookup times out and Squid retries. Sometimes it gets lucky and a usable response comes back; in other cases it just gives up, and that's the pause (or the failed page) you see in the browser.

Squid is an old piece of code. Its original solution was to fork off a bunch of child processes (the dnsserver helpers) to do name resolution. I'm sure that was pretty clever back in the day. It's kinda gross now, and to re-enable it you have to recompile Squid (on Squid 3.x the configure option is --disable-internal-dns). Anyway, at some point they decided to write their own asynchronous DNS client. That's normally great, except when it's not, like in this case.

I got around this by running a local named server just to resolve and cache queries. It and squid are best friends, and named can deal with anything Juniper throws at it. Enjoy!
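As an added example (not configuration from the original post), here is the layout that approach boils down to: a caching-only named that listens only on the loopback address and forwards to the Google servers already mentioned above, with Squid told to use it instead of /etc/resolv.conf. The file paths and the cache directory are assumptions in the Debian style; adjust them for your system.

```conf
# /etc/bind/named.conf.options  (assumed Debian-style path)
# Caching-only resolver that answers only on the loopback interface.
options {
    directory "/var/cache/bind";          # assumed; must be writable by named
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 { ::1; };
    allow-query { localhost; };           # Squid runs on the same host
    allow-recursion { localhost; };
    recursion yes;

    # Forward to the upstream servers you already use (the Google addresses
    # from the post). Drop this block and named resolves from the root servers
    # instead; either way it is named, not Squid, that deals with the replies
    # coming back through the firewall.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
};

# /etc/squid/squid.conf  (only the DNS-related line)
# Ignore /etc/resolv.conf and ask the local named instead.
dns_nameservers 127.0.0.1
```

Run named-checkconf before starting named, then confirm the resolver works on its own with dig @127.0.0.1 www.example.com before restarting Squid; if dig is fast against the local named but Squid is still slow, the problem is elsewhere. On Squid 3.x the cache manager's internal DNS report (squidclient mgr:idns) shows whether lookups are still timing out and retrying.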