[squid-users] peer-select.cc, cache_peer and dns queries
archer
the-archer at 139.com
Fri Jan 9 22:19:10 UTC 2026
Greetings from Beijing. Given the location, you know our security concerns.
I managed to implement the following blueprint:
* acl extranet dstdomain “domain list A”
* acl extranet_whitelist dstdomain “domain list B”
* cache_peer a.b.c.d parent …. name=NodeNG
* always_direct extranet_whitelist
* never_direct extranet
* (no IP-based ACLs at all, except the pre-defined localhost, localnet, etc.)
Peer selection seems to be working as expected.
I've dug into lots of historical mails on DNS queries and cache_peers. Anyhow, I observed peer-select.cc still conducting DNS lookups on an extranet domain, which is matched by a purely domain-based ACL, e.g.
"
peer_select.cc(833) selectSomeParent: CONNECT www.example.com
...
peer_select.cc(460) resolveSelected: Find IP destination for: www.example.com:443' via a.b.c.d
...
ipcacheParse: 1 answers for www.example.com
...
ipcache.cc(532) addGood: www.example.com #1 q.w.e.r
ipcache.cc(576) ipcacheHandleReply: done with www.example.com
"
In other words, Squid conducts DNS lookups after peer selection is finished. Anyhow, a parent proxy can typically handle DNS queries itself, whether or not the child proxy does.
DNS is not reliable, especially the way Squid uses it (UDP port 53). An ISP might manipulate DNS replies for the following reasons:
+ redirect clients to faster local CDNs, which might help them reduce the expenses caused by traffic.
+ redirect clients to another connection pool during peak hours, for ISP-side load balancing or QoS purposes.
+ block some sites on demand of authorized agencies.
+ as a further step, for DPI, packet analysis, site cataloguing (to assign different IP flags for the above three purposes), etc.
+ others.
As a result, incorrect DNS replies cause notable issues, including "no such domain" errors, HTTP 4xx, HTTP 5xx and SSL handshake failures. A child cache conducting DNS queries also raises DNS-leak and privacy issues.
So, what can I do to have extranet DNS handled by the parent proxy, while leaving the remainder to the child proxy, with a domain list?
Thank you
—
Squid Cache: Version 5.7
Service Name: squid
Debian linux
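The following is an added example, not part of the original post and not Squid project code. It is a small cache.log checker for verifying the leak the poster describes empirically: it walks the debug lines from peer_select.cc (section 44) and ipcache.cc (section 14), records every destination that was handed to a cache_peer ("Find IP destination for: ... via <peer>") and reports those that the child nevertheless resolved through its own ipcache, restricted to hosts matching the dstdomain list. The dstdomain matching rule (a leading dot matches the domain and all its subdomains, no dot means an exact hostname match) follows Squid's documented semantics; the "kid1| 44,3|" log prefix, the peer name NodeNG and the extra hosts portal.example.com and shop.example.com are assumptions constructed for the sample, and debug_options 44,3 and 14,3 are assumed to be enabled.

```python
"""Detect Squid child-side DNS lookups for destinations routed to a cache_peer.

Added example (not the original post's or Squid's code). Assumes cache.log
debug output from sections 44 (peer selection) and 14 (ipcache).
"""
import re

# Lines as seen in the post, optionally prefixed by Squid's "kid1| 44,3|" header.
RESOLVE_RE = re.compile(
    r"resolveSelected: Find IP destination for: "
    r"(?P<host>[^\s:']+)(?::\d+)?'? via (?P<peer>\S+)"
)
ANSWER_RE = re.compile(r"ipcacheParse: (?P<n>\d+) answers? for (?P<host>\S+)")
ADDGOOD_RE = re.compile(r"addGood: (?P<host>\S+) #\d+ (?P<ip>\S+)")


def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: '.example.com' matches example.com and every
    subdomain; 'example.com' (no leading dot) matches only that exact host."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower().rstrip(".")
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def find_dns_leaks(log_lines, extranet, whitelist=()):
    """Return {host: {"peer", "answers", "ips"}} for hosts that were sent to a
    peer AND still produced a local ipcache answer, limited to the extranet
    dstdomain list minus the always_direct whitelist."""
    routed = {}   # host -> peer, from resolveSelected lines
    leaks = {}
    for line in log_lines:
        m = RESOLVE_RE.search(line)
        if m:
            routed[m["host"]] = m["peer"]
            continue
        m = ANSWER_RE.search(line)
        if m and m["host"] in routed:
            leaks.setdefault(m["host"], {"peer": routed[m["host"]],
                                         "answers": int(m["n"]), "ips": []})
            continue
        m = ADDGOOD_RE.search(line)
        if m and m["host"] in leaks:
            leaks[m["host"]]["ips"].append(m["ip"])
    return {h: d for h, d in leaks.items()
            if dstdomain_match(h, extranet) and not dstdomain_match(h, whitelist)}


# Constructed sample log, built from the post's excerpt plus two assumed hosts:
# portal.example.com is whitelisted (always_direct, resolved locally, no peer),
# shop.example.com goes to the peer with no local lookup recorded.
SAMPLE_LOG = """\
kid1| 44,3| peer_select.cc(833) selectSomeParent: CONNECT www.example.com
kid1| 44,3| peer_select.cc(460) resolveSelected: Find IP destination for: www.example.com:443' via a.b.c.d
kid1| 14,3| ipcacheParse: 1 answers for www.example.com
kid1| 14,3| ipcache.cc(532) addGood: www.example.com #1 q.w.e.r
kid1| 14,3| ipcache.cc(576) ipcacheHandleReply: done with www.example.com
kid1| 14,3| ipcacheParse: 1 answers for portal.example.com
kid1| 14,3| ipcache.cc(532) addGood: portal.example.com #1 10.0.0.5
kid1| 44,3| peer_select.cc(460) resolveSelected: Find IP destination for: shop.example.com:443' via NodeNG
"""

EXTRANET = (".example.com",)          # acl extranet dstdomain ...
WHITELIST = ("portal.example.com",)   # acl extranet_whitelist dstdomain ...

if __name__ == "__main__":
    for host, info in find_dns_leaks(SAMPLE_LOG.splitlines(), EXTRANET, WHITELIST).items():
        print(f"LEAK {host}: routed via {info['peer']} but resolved locally "
              f"({info['answers']} answers: {', '.join(info['ips'])})")
```

Run it against a real cache.log before and after changing the never_direct/always_direct rules (or the parent configuration) to see whether the set of locally resolved extranet hosts actually changes; the detector only trusts a line pair (peer routing plus ipcache answer) for the same host, so a host that is routed to the peer without a later ipcacheParse line is not reported.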