[squid-users] peer-select.cc, cache_peer and dns queries
Alex Rousskov
rousskov at measurement-factory.com
Thu Jan 15 16:28:11 UTC 2026
On 2026-01-15 02:14, archer wrote:
> # {cache_peer ... no_netdb_exchange } already set earlier
> netdb_filename none
> pinger_enable off
> Icp_port0 #seems to be default value
> And this issue persists. It seems that NO squid.conf could help with the
> DNS leak issue.
Yes, your statement matches what I have stated in my previous response:
AFAICT, there is no squid.conf option that would disable those DNS
lookups in Squids built with `--enable-icmp` (which is also the default).
> Q1: So, does Squid netdb work on the IP level?
Squid NetDB feature has several parts/algorithms/statistics that use
various protocols. In this particular case, Squid prepares to "ping"
(via ICMP) the site targeted by the CONNECT request. Since ICMP needs an
IP address, Squid performs a DNS lookup first.
AFAICT, this particular DNS lookup is a Squid bug: Squid should not
perform that lookup when "pinger_enable" is "off" because the result of
that lookup cannot be used for its intended purpose -- pinging the
corresponding origin server.
I have not investigated whether Squid should ping origin servers when
going through a cache_peer. If Squid should not, then there is a second
bug here.
> In that way, squid has unclear ACLs that bring up invisible communications.
These unwanted DNS lookups have nothing to do with ACLs.
> Q2: Do I have to compile squid from the source code without benefit of
> automatic community upgrade?
Yes, if you want to disable ICMP, and your community has enabled that
feature in the binaries they prepackage for you, then you have to build
Squid with ICMP disabled (or find a community that will do it for you).
> This is really a less preferable option for most users.
Agreed. FWIW, we are slowly reducing Squid dependence on compile-time
configuration options.
> Is there a higher version of squid that comes up with a powerful conf?
I believe my statements apply to the latest Squid version.
>>>> FWIW, if I have access to a full debugging log collected while
>>>> reproducing the problem, I may be able to tell you what causes DNS
>>>> lookups in your specific environment. I discourage Squid admins from
>>>> studying debugging logs because they are meant for Squid developers
>>>> and can be very misleading.
> We can only confirm issues and observe callees from logs.
I strongly disagree that one "can only confirm issues from [debugging]
logs". In most cases, including "unwanted DNS lookups" cases, an admin can
confirm issues without looking at debugging logs.
As for "observe callees", in my experience, compared to reporting a
high-level problem and sharing debugging logs with a Squid developer who
is capable of interpreting them, discussion of debugging logs by admins
often leads to incorrect conclusions and is far less efficient. YMMV.
HTH,
Alex.