[squid-users] peer-select.cc, cache_peer and dns queries

Matus UHLAR - fantomas uhlar at fantomas.sk
Mon Jan 12 18:11:53 UTC 2026


On 13.01.26 01:37, archer wrote:
>DST is not recommended by me, because it brings up DNS queries.

That's exactly what I have said.

>DST is an IP(s)-based ACL, which might have to resolve DNS FQDN to IP before it is able to determine whether the requested domain name matches the DST ACL.

I know. Can you post your squid.conf or should we continue guessing?

>>>> On 10.01.26 06:19, archer wrote:
>>>>> Greetings from Beijing. When it comes to the location, you know our security concerns.
>>>>> I managed to implement the following bluemaps:
>>>>>
>>>>> * acl extranet            dstdomain "domain list A"
>>>>> * acl extranet_whitelist  dstdomain "domain list B"
>>>>
>>>>> So, what can I do to have extranet DNS handled by the parent proxy, 
>>>>> while leaving the remainder to the child proxy, with a domain list ?

>>>> On Jan 12, 2026, at 4:33 PM, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>>>> You can use "dstdomain -n" to disable DNS translation here.
>>>> I recommend doing that.
>>
>> On 13.01.26 01:18, archer wrote:
>>> In my config, it is “dstdomain -n” already.  Anyway it is not 
>>> functional, whether or not there is a “-n” tag.
>>> I have dug through the official conf reference, and lots of mail archives.  Believe me, 
>>> I would not make easy mistakes.
>>> Anyway I am not capable of reviewing squid source code, dunno whether it 
>>> is a designed logic or a bug.  If it is not expectable, I might have to 
>>> select another child proxy program.

>> On Jan 13, 2026, at 1:26 AM, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>> there may be different directive(s) that require DNS lookup, e.g.
>> "dst" directives.
>>
>> but if your ISP intercepts and modifies DNS, I recommend using DNS server 
>> supporting DoH, DoT or supporting validation, if you are unable to switch 
>> ISPs or ask them not to do that.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
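
An added example, not part of the original message and not Squid project code: a small Python check that lists the acl lines in a squid.conf whose type can make Squid query DNS (for instance "dst", or "dstdomain" without "-n"), the kind of review the reply above asks the config for. The ACL-type table is an assumption based on Squid's configuration reference, the sample config and its file paths are constructed, and lookups made outside ACL evaluation (such as peer selection) are not covered.

```python
# ACL types assumed (from Squid's configuration reference) to be able to
# trigger DNS: "forward" = hostname -> IP, "reverse" = IP -> hostname.
DNS_ACL_TYPES = {
    "dst": "forward",
    "dst_as": "forward",
    "dstdomain": "reverse",
    "dstdom_regex": "reverse",
    "srcdomain": "reverse",
    "srcdom_regex": "reverse",
}
# Types assumed to accept "-n", which disables lookups for that ACL.
SUPPORTS_N = {"dst", "dstdomain", "dstdom_regex"}

def find_dns_acls(conf_text):
    """Return (line_no, acl_name, acl_type, lookup_kind) for ACLs that may query DNS."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        # Drop comments; a "#" inside a quoted path is not handled here.
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "acl":
            continue
        name, acl_type, args = parts[1], parts[2], parts[3:]
        kind = DNS_ACL_TYPES.get(acl_type)
        if kind is None:
            continue
        # Option flags come before the first value argument.
        flags = []
        for arg in args:
            if not arg.startswith("-"):
                break
            flags.append(arg)
        if acl_type in SUPPORTS_N and "-n" in flags:
            continue  # lookups disabled for this ACL
        findings.append((line_no, name, acl_type, kind))
    return findings

# Constructed sample config; file paths and networks are hypothetical.
SAMPLE = """\
acl extranet dstdomain -n "/etc/squid/extranet.txt"
acl extranet_whitelist dstdomain "/etc/squid/whitelist.txt"
acl blocked_nets dst 203.0.113.0/24
acl office srcdomain .example.com
acl safe_ports port 80 443
# acl old dst 198.51.100.0/24
"""

if __name__ == "__main__":
    for line_no, name, acl_type, kind in find_dns_acls(SAMPLE):
        print(f"line {line_no}: acl {name} ({acl_type}) may do a {kind} DNS lookup")
```
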

