[squid-users] peer-select.cc, cache_peer and dns queries

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 16 05:49:01 UTC 2026


On 16/01/2026 05:28, Alex Rousskov wrote:
> On 2026-01-15 02:14, archer wrote:
> 
>> # {cache_peer ...  no_netdb_exchange } already set earlier
>> netdb_filename none
>> pinger_enable off
>> icp_port 0 #seems to be default value
> 
>> And this issue persists. It seems that NO squid.conf could help with 
>> the DNS leak issue.
> 
> Yes, your statement matches what I have stated in my previous response: 
> AFAICT, there is no squid.conf option that would disable those DNS 
> lookups in Squids built with `--enable-icmp` (which is also the default).
> 
> 
>> Q1: So, does Squid netdb work on the IP level? 
> 
> Squid NetDB feature has several parts/algorithms/statistics that use 
> various protocols. In this particular case, Squid prepares to 
> "ping" (via ICMP) the site targeted by the CONNECT request. Since ICMP 
> needs an IP address, Squid performs a DNS lookup first.
> 

Since NetDB is a database indexed by CIDR, Squid needs to know the IP of 
the origin server in order to look up the details, even when going 
through a peer.

That said, see below...


> AFAICT, this particular DNS lookup is a Squid bug: Squid should not 
> perform that lookup when "pinger_enable" is "off" because the result of 
> that lookup cannot be used for its intended purpose -- pinging the 
> corresponding origin server.
> 
> I have not investigated whether Squid should ping origin servers when 
> going through a cache_peer. If Squid should not, then there is a second 
> bug here.


The ping should not happen when "pinger_enable off", but the 
"closest/fastest" selection algorithm(s) still need an IP address to 
look up the available NetDB information.

The algorithm could be a bit smarter in noticing when all possible 
destinations (e.g. prohibited DIRECT and a single peer) have already been 
selected and skipping useless attempts to find more alternatives. But 
that is not necessarily a bug per se.


FWIW, the configured "netdb_filename none" only stops saving netdb data 
to disk between Squid restarts. It does not disable netdb features entirely.


Cheers
Amos
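Since the thread concludes that no squid.conf setting stops these lookups, an operator who forces everything through a cache_peer may want to detect the leak rather than rely on configuration. The following is an added example, not code from the thread or from Squid: it correlates peer-routed requests in a Squid access.log with a resolver's query log and reports origin names the proxy host resolved itself. The log lines, the proxy address 10.0.0.2 and the dnsmasq-style resolver log format are all constructed assumptions.

```python
import re
from typing import List, Set

# Constructed Squid access.log sample (native format), not from the thread:
# every request went to the parent cache_peer (FIRSTUP_PARENT), never DIRECT.
ACCESS_LOG = """\
1768531200.101    842 10.0.0.5 TCP_TUNNEL/200 6120 CONNECT example.org:443 - FIRSTUP_PARENT/192.0.2.10 -
1768531203.417    310 10.0.0.7 TCP_TUNNEL/200 2240 CONNECT mail.example.net:443 - FIRSTUP_PARENT/192.0.2.10 -
1768531209.002    120 10.0.0.5 TCP_MISS/200 918 GET http://example.com/ - FIRSTUP_PARENT/192.0.2.10 text/html
"""

# Constructed resolver query log (dnsmasq-style). 10.0.0.2 is assumed to be
# the Squid host; 10.0.0.9 is an unrelated client whose lookups are not leaks.
DNS_LOG = """\
Jan 16 05:40:00 dnsmasq[811]: query[A] example.org from 10.0.0.2
Jan 16 05:40:00 dnsmasq[811]: query[AAAA] example.org from 10.0.0.2
Jan 16 05:40:05 dnsmasq[811]: query[A] unrelated.example from 10.0.0.9
Jan 16 05:40:09 dnsmasq[811]: query[A] example.com from 10.0.0.2
"""

CONNECT_RE = re.compile(r"\sCONNECT\s+([^\s:]+)(?::\d+)?\s")
URL_RE = re.compile(r"\s(?:GET|POST|HEAD|PUT)\s+https?://([^/\s:]+)")
DNS_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")

def peer_routed_hosts(access_log: str) -> Set[str]:
    """Origin hosts of requests Squid forwarded to a parent peer."""
    hosts = set()
    for line in access_log.splitlines():
        if "_PARENT/" not in line:
            continue  # DIRECT or denied requests: a local lookup is expected there
        m = CONNECT_RE.search(line) or URL_RE.search(line)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def dns_queries_from(dns_log: str, proxy_ip: str) -> Set[str]:
    """Names the resolver saw queried by the proxy host itself."""
    names = set()
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(2) == proxy_ip:
            names.add(m.group(1).lower().rstrip("."))
    return names

def leaked_lookups(access_log: str, dns_log: str, proxy_ip: str) -> List[str]:
    """Peer-routed origin hosts that the proxy nevertheless resolved locally."""
    return sorted(peer_routed_hosts(access_log) & dns_queries_from(dns_log, proxy_ip))
```

Names that are only resolved by other clients, or origins that never appear in the resolver log, are not reported, so the output lists exactly the lookups the peer should have absorbed.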


