[squid-users] peer-select.cc, cache_peer and dns queries
archer
the-archer at 139.com
Sat Jan 17 15:39:14 UTC 2026
Many thanks.
> I believe my statements apply to the latest Squid version.
Sir, there are many series of Squid, e.g., versions 3.x ~ 7.x. Will all be upgraded?
> On Jan 16, 2026, at 12:28 AM, Alex Rousskov <rousskov at measurement-factory.com> wrote:
>
> On 2026-01-15 02:14, archer wrote:
>
>> # {cache_peer ... no_netdb_exchange } already set earlier
>> netdb_filename none
>> pinger_enable off
>> icp_port 0 # seems to be the default value
>
>> And this issue persists. It seems that NO squid.conf could help with the DNS leak issue.
>
> Yes, your statement matches what I have stated in my previous response: AFAICT, there is no squid.conf option that would disable those DNS lookups in Squids built with `--enable-icmp` (which is also the default).
>
>
>> Q1: So, does Squid netdb work on the IP level?
>
> Squid NetDB feature has several parts/algorithms/statistics that use various protocols. In this particular case, Squid prepares to "ping" (via ICMP) the site targeted by the CONNECT request. Since ICMP needs an IP address, Squid performs a DNS lookup first.
>
> AFAICT, this particular DNS lookup is a Squid bug: Squid should not perform that lookup when "pinger_enable" is "off" because the result of that lookup cannot be used for its intended purpose -- pinging the corresponding origin server.
>
> I have not investigated whether Squid should ping origin servers when going through a cache_peer. If Squid should not, then there is a second bug here.
>
>
>> In that way, squid has unclear ACLs that bring up invisible communications.
>
> These unwanted DNS lookups have nothing to do with ACLs.
>
>
>> Q2: Do I have to compile squid from the source code without benefit of automatic community upgrade ?
>
> Yes, if you want to disable ICMP, and your community has enabled that feature in the binaries they prepackage for you, then you have to build Squid with ICMP disabled (or find a community that will do it for you).
>
>
>> This is really a less preferable option for most users.
>
> Agreed. FWIW, we are slowly reducing Squid dependence on compile-time configuration options.
>
>
>> Is there a higher version of squid that comes up with a powerful conf ?
>
> I believe my statements apply to the latest Squid version.
>
>
>>>>> FWIW, if I have access to a full debugging log collected while reproducing the problem, I may be able to tell you what causes DNS lookups in your specific environment. I discourage Squid admins from studying debugging logs because they are meant for Squid developers and can be very misleading.
>
>> We can only confirm issues and observe callees from logs.
>
> I strongly disagree that one "can only confirm issues from [debugging] logs". In most cases, including "unwanted DNS lookups" cases, admin can confirm issues without looking at debugging logs.
>
> As for "observe callees", in my experience, compared to reporting a high-level problem and sharing debugging logs with a Squid developer who is capable of interpreting them, discussion of debugging logs by admins often leads to incorrect conclusions and is far less efficient. YMMV.
>
>
> HTH,
>
> Alex.
>