[squid-users] peer-select.cc, cache_peer and dns queries

archer the-archer at 139.com
Mon Jan 12 18:32:46 UTC 2026


> I know. Can you post your squid.conf or should we continue guessing?


Sure thing. I have split the squid conf into small files. Here is the one with cache_peer:

“
Debian:/etc/squid/conf.d# cat 06-cachepeer.conf | grep -v '^\#'
nonhierarchical_direct  off   # default on; off lets non-hierarchical requests (non-GET, e.g. CONNECT/POST) go to parents too
prefer_direct           off   # try an allowed cache_peer before going direct

acl extranet            dstdomain -n "/etc/squid/bl_domain.lst"    # -n: match on the hostname only, no DNS lookup for this ACL
acl extranet            dstdomain -n "/etc/squid/additional.lst"
acl extranet_whitelist  dstdomain -n "/etc/squid/wl_domain.lst"

always_direct   allow   extranet_whitelist   # whitelist: always go DIRECT
always_direct   deny    extranet
never_direct    allow   extranet             # extranet: never DIRECT, must go via a peer
never_direct    deny    all

cache_peer  192.168.8.235  parent  1080  0  no-query  no-digest  no-netdb-exchange  name=ProxyNG   # ICP port 0, no ICP/digest/netdb traffic to the parent
cache_peer_access  ProxyNG  deny   extranet_whitelist
cache_peer_access  ProxyNG  allow  extranet
cache_peer_access  ProxyNG  deny   !extranet

acl ViaProxy  peername  ProxyNG   # for further research
”

I also observed the cache peer selection in cache.log. The order or use of “always/never_direct” doesn’t have a noticeable influence on DNS lookups.

>>> but if your ISP intercepts and modifies DNS, I recommend using DNS server supporting DoH, DoT or supporting validation, if you are unable to switch ISPs or ask them not to do that.

Bro, you cannot ask cats not to eat fish. If you put a shell over it, cats know how to break it.

> On Jan 13, 2026, at 2:11 AM, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
> 
> On 13.01.26 01:37, archer wrote:
>> DST is not recommended by me, because it brings up DNS queries.
> 
> That's exactly what I have said.
> 
>> DST is an IP(s)-based ACL, which might have to resolve DNS FQDN to IP before it is able to determine whether the requested domain name matches the DST ACL .
> 
> I know. Can you post your squid.conf or should we continue guessing?
> 
>>>>> On 10.01.26 06:19, archer wrote:
>>>>>> Greetings from Beijing. When it comes to the location, you know our security concerns.
>>>>>> I managed to implement the following bluemaps:
>>>>>> 
>>>>>> * 	acl extranet  			dstdomain “domain list A”
>>>>>> *	acl extranet_whitelist  	dstdomain “domain list B”
>>>>> 
>>>>>> So, what can I do to have extranet DNS handled by the parent proxy, while leaving the remainder to the child proxy, with a domain list ?
> 
>>>>> On Jan 12, 2026, at 4:33 PM, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>>>>> You can use "dstdomain -n" to disable DNS translation here.
>>>>> I recommend doing that.
>>> 
>>> On 13.01.26 01:18, archer wrote:
>>>> In my config, it is “dstdomain -n” already.  Anyway, it is not functional, whether or not there is a “-n” tag.
>>>> I have dug through the official conf reference and lots of mail archives.  Believe me, I would not make easy mistakes.
>>>> Anyway, I am not capable of reviewing the squid source code; I don't know whether it is designed logic or a bug.  If it is not expected behaviour, I might have to select another child proxy program.
> 
>>> On Jan 13, 2026, at 1:26 AM, Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>>> there may be different directive(s) that require DNS lookup, e.g. "dst" directives.
>>> 
>>> but if your ISP intercepts and modifies DNS, I recommend using DNS server supporting DoH, DoT or supporting validation, if you are unable to switch ISPs or ask them not to do that.
> 
> -- 
> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> - Have you got anything without Spam in it?
> - Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> https://lists.squid-cache.org/listinfo/squid-users
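The two ACL types the thread turns on behave differently with respect to DNS: `dstdomain -n` compares the request hostname against the domain list and treats an IP-literal destination as an immediate mismatch (without `-n`, Squid would reverse-resolve it first), while `dst` compares the destination IP against address ranges and therefore has to forward-resolve every named destination it is tested on. The following is an added Python model of that behaviour and of the route the posted always_direct / never_direct / cache_peer_access set yields for a given host. It is not Squid source code; the domain lists are constructed stand-ins for bl_domain.lst, additional.lst and wl_domain.lst, and the routing function is a deliberate simplification (peer health, hierarchical vs. non-hierarchical requests and miss_access are ignored):

```python
"""Added example (not Squid's code): a model of dstdomain / dst ACL matching
and of the route the posted squid.conf fragment selects for one host.

A matcher returns None where Squid itself would have to issue a DNS query
before it could decide; the -n flag turns that case into a plain mismatch.
"""
import ipaddress

# Constructed domain lists standing in for the .lst files in the posted config.
# squid.conf dstdomain syntax: ".example.net" covers the domain and every
# subdomain, "example.org" only that exact host.
EXTRANET = [".example.net", "example.org"]
EXTRANET_WHITELIST = [".mail.example.net"]


def is_ip_literal(host: str) -> bool:
    """True if the URL host is an IPv4/IPv6 literal (IPv6 may be bracketed)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dstdomain_matches(host, patterns, no_lookup=True):
    """dstdomain: compare the request hostname against a domain list.

    no_lookup=True models "dstdomain -n": an IP-literal host never matches.
    Without -n Squid would first reverse-resolve the address to obtain a name
    to compare, which is exactly the DNS traffic the thread wants to avoid.
    """
    host = host.lower().rstrip(".")
    if is_ip_literal(host):
        return False if no_lookup else None
    for pat in patterns:
        pat = pat.lower().rstrip(".")
        if pat.startswith("."):
            if host == pat[1:] or host.endswith(pat):
                return True
        elif host == pat:
            return True
    return False


def dst_matches(host, networks, no_lookup=False):
    """dst: compare the destination IP against CIDR ranges.

    A hostname must be forward-resolved before it can be compared, so a plain
    "dst" ACL causes a DNS query for every named destination it is tested on;
    with -n it is an immediate mismatch instead.
    """
    if not is_ip_literal(host):
        return False if no_lookup else None
    addr = ipaddress.ip_address(host.strip("[]"))
    return any(addr in ipaddress.ip_network(net) for net in networks)


def route(host, extranet=EXTRANET, whitelist=EXTRANET_WHITELIST):
    """Route chosen by the posted policy for one destination host (simplified).

    always_direct allow extranet_whitelist        -> DIRECT, no peer considered
    always_direct deny / never_direct allow extranet
                                                  -> peer required, and
                                                     cache_peer_access allows ProxyNG
    otherwise: never_direct deny all + cache_peer_access deny !extranet
                                                  -> peer not permitted, so DIRECT
    Assumes -n semantics for both ACLs, as in the posted config.
    """
    if dstdomain_matches(host, whitelist):
        return "DIRECT"
    if dstdomain_matches(host, extranet):
        return "ProxyNG"
    return "DIRECT"


if __name__ == "__main__":
    for h in ["www.example.net", "mail.example.net", "example.org",
              "www.example.org", "203.0.113.5"]:
        print(f"{h:20} -> {route(h)}")
    # 'dst' needs a lookup for a hostname; 'dstdomain' without -n needs one for an IP
    print(dst_matches("www.example.net", ["203.0.113.0/24"]))           # None
    print(dstdomain_matches("203.0.113.5", EXTRANET, no_lookup=False))  # None
```

The `None` results are the places where a real Squid would put a query on the wire; the `-n` variants return `False` without any lookup, which is why a domain-list policy built only on `dstdomain -n` can route extranet names to the parent without the child proxy ever resolving them.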