devzero@web.de wrote:
>>> weird, i don't see any listening socket with squidclient - i would have expected 3128 and 34810 here !?
>> So did I. Mine shows them. Should have 0.0.0.0.0 (last .0 is port). 
>> Maybe it is slightly different in 2.x than 3.0 in this regard.
> 
> yes, seems so.
> i updated to latest release and now i see
> 
> Active file descriptors:
> File Type   Tout Nread  * Nwrite * Remote Address        Description
> ---- ------ ---- -------- -------- --------------------- ------------------------------
>    0 Log       0       0        0                        stdin
>    1 Log       0       0        0                        stdout
>    2 Log       0       0        0                        stderr
>    3 Log       0       0        0                        /usr/local/squid/var/logs/cache.log
>    6 Socket    0     603      353  .0                    DNS Socket
>    7 File      0       0     8828                        /usr/local/squid/var/logs/access.log
>    8 Pipe      0       0        0                        unlinkd -> squid
>    9 File      0       0     2607                        /usr/local/squid/var/logs/store.log
>   10 File      0       0      104                        /usr/local/squid/var/cache/swap.state
>   11 Pipe      0       0        0                        squid -> unlinkd
>   12 Socket 1440      70        0* 10.0.0.60.38093       Reading next request
>   13 Socket    0       0        0  .0                    HTTP Socket
>   17 Socket    0    2667*   44096  10.0.0.10.2531        Waiting for next request
> 
> vmhost:/usr/local/squid/bin # netstat -anp |grep squid
> tcp        0      0 10.0.0.60:3128          0.0.0.0:*               LISTEN      8552/squid
> udp        0      0 0.0.0.0:34838           0.0.0.0:*                           8552/squid
> unix  2      [ ]         DGRAM                    393925789 8552/squid
> 
> 
>> Anyway, despite the missing port numbers:
>>   cache_object://... is squidclient getting the list itself
>>   that leaves only DNS and HTTP listener TCP/UDP Sockets
>>   and the two unlinkd pipes (listed as unix by netstat).
>>
>> So it does appear to be DNS.
>>
>> Squid will drop any packets received from NS not listed either in 
>> dns_nameservers in squid.conf, or in resolv.conf as your local ones.
> 
> so, let me repeat:
> squid is opening an extra udp socket for ICP, HTCP, syslog and DNS.
> udp_incoming_address and  udp_outgoing_address are relevant config 
> params for this.
> 
> we can't get rid of this port because we would break DNS for squid.
> 
I got the bit about syslog being involved wrong. But the rest is correct.
> #udp_incoming_address    is used for the ICP socket receiving packets
> #                               from other caches.
> 
> So this is just half of the truth because it is relevant not only for ICP, but 
> for DNS, too, correct?
> should "we" fix this in the docs? (unfortunately, i cannot give much input)
> 
That's OK. I've kicked the process off already in squid-dev. It's just a 
matter of whether it's a doc-only or deep code fix.
> btw - any reason why squid doesn't use host resolver routines for DNS lookup ?
> (i.e. something like gethostbyname() etc, so this would also get cached by nscd ....)
Squid can't do that internally as it blocks the whole app on each lookup.
You can compile with --disable-internal-dns. That builds a fast external 
helper that calls gethostbyname() for squid and passes the results back 
without blocking other requests.
Amos
Received on Sat Oct 13 2007 - 00:26:57 MDT
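
An added example, not part of the original message or of Squid itself: a small Python check that inventories the TCP/UDP sockets Squid holds from `netstat -anp` output and flags UDP sockets bound to the wildcard address, such as the DNS socket discussed above. The function names are hypothetical; the first three sample lines are the ones quoted in the thread and the `named` line is constructed.

```python
import re
from typing import NamedTuple

WILDCARDS = {"0.0.0.0", "::", "*"}

class Sock(NamedTuple):
    proto: str
    addr: str
    port: int
    state: str      # empty for UDP, which has no LISTEN state
    wildcard: bool  # True when bound to every local interface

def squid_inet_sockets(netstat_output, program="squid"):
    """Return the TCP/UDP sockets owned by `program` in `netstat -anp` output."""
    socks = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue  # skips unix-domain sockets (the unlinkd pipes) and headers
        # The PID/Program column moves left by one on UDP lines (no State column).
        owner = next((x for x in f[5:] if re.fullmatch(r"\d+/.+", x)), None)
        if owner is None or owner.split("/", 1)[1] != program:
            continue
        addr, _, port = f[3].rpartition(":")
        if not port.isdigit():
            continue
        state = f[5] if f[5] != owner else ""
        socks.append(Sock(f[0], addr, int(port), state, addr in WILDCARDS))
    return socks

def wildcard_udp(socks):
    """UDP sockets reachable on all interfaces (DNS/ICP/HTCP socket in the thread)."""
    return [s for s in socks if s.proto.startswith("udp") and s.wildcard]

# Lines 1-3 are from the netstat output quoted in the thread; line 4 is constructed.
SAMPLE = """\
tcp        0      0 10.0.0.60:3128          0.0.0.0:*               LISTEN      8552/squid
udp        0      0 0.0.0.0:34838           0.0.0.0:*                           8552/squid
unix  2      [ ]         DGRAM                    393925789 8552/squid
udp        0      0 0.0.0.0:53              0.0.0.0:*                           901/named
"""

if __name__ == "__main__":
    for s in squid_inet_sockets(SAMPLE):
        note = "  <- wildcard bind; see udp_incoming_address" if s.wildcard else ""
        print(f"{s.proto} {s.addr}:{s.port} {s.state}{note}")
```

On the sample, only the UDP socket on port 34838 is flagged; the HTTP listener is bound to 10.0.0.60 and the unix-domain line is ignored.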