Re: [squid-users] squid hardening - weird behaviour

From: <devzero@dont-contact.us>
Date: Sat, 13 Oct 2007 14:50:36 +0200

> * what again was the reason you absolutely, positively have to use the external helper?

the reason is my personal security policy/attitude:

on my router-box there shouldn't be anything listening to the outside, i.e. listening to packets from an insecure lan - regardless of firewall settings which may or may not apply.

if squid listens to the outside and can receive udp packets on that port, there may be a chance to exploit this if there is some bug within squid.

ok, maybe this is a little bit paranoid, but when it comes to network security, only a closed socket is a good socket - especially if it can be avoided.

regards
roland

>
> On Sat, Oct 13, 2007, devzero@web.de wrote:
> > > You can compile with --disable-internal-dns. That builds a fast external
> > > helper that calls gethostbyname() for squid and passes the results back
> > > without blocking other requests.
> >
> > fantastic! i recompiled with that option and afterwards the open port is gone automatically
> > without touching the .conf and now being "replaced" by 5 dnshelper processes. i assume this
> > won't probably perform as good as before, but that doesn't matter for me.
>
> Just a few notes:
>
> * its slow compared to internal dns;
> * it may use your nsswitch config if you've got a hosts database in something other than
> DNS (people used to stick em in NIS, for example, which I believe is the kind of
> thing the dnshelper stuff is still around for;)
> * what again was the reason you absolutely, positively have to use the external helper?
> * finally, a DNS resolver like bind will cache just as well as using something like
> nscd with local get*host*() type calls.
>
>
>
> adrian
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level bandwidth-capped VPSes available in WA -
>
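An added check, not part of the thread, for the "only a closed socket is a good socket" policy discussed above: it filters ss -Hlunp style output down to UDP sockets bound to something other than loopback, so a rebuild like the one described can be verified. The input format and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list UDP sockets reachable from outside the
# host, i.e. bound to anything other than a loopback address.
# Input is assumed to be `ss -Hlunp`-style lines:
#   State Recv-Q Send-Q Local:Port Peer:Port Process

# Print "addr:port process" for each socket not bound to 127.0.0.0/8 or ::1.
# Wildcard binds (0.0.0.0, *, [::]) are treated as externally reachable.
external_udp_listeners() {
    awk '
    {
        laddr = $4
        # the port is everything after the last ":"; the rest is the address
        n = split(laddr, parts, ":")
        port = parts[n]
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        # strip IPv6 brackets, e.g. [::1] -> ::1
        gsub(/\[/, "", addr)
        gsub(/\]/, "", addr)
        if (addr ~ /^127\./ || addr == "::1" || addr == "localhost") next
        proc = ($6 != "") ? $6 : "-"
        print addr ":" port " " proc
    }'
}

# Constructed sample (not real output): a squid DNS socket on the wildcard
# address, a loopback-only resolver, and an unrelated daemon on the LAN address.
SAMPLE='UNCONN 0 0 0.0.0.0:34567 0.0.0.0:* users:(("squid",pid=1234,fd=7))
UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=99,fd=4))
UNCONN 0 0 [::1]:53 [::]:* users:(("dnsmasq",pid=99,fd=5))
UNCONN 0 0 192.168.1.1:5353 0.0.0.0:* users:(("otherd",pid=321,fd=12))'

# Succeeds only when nothing is exposed, so it can gate a hardening check.
sample_is_closed() {
    out=$(printf '%s\n' "$SAMPLE" | external_udp_listeners)
    [ -z "$out" ]
}

# On a live box: ss -Hlunp | external_udp_listeners
printf '%s\n' "$SAMPLE" | external_udp_listeners
```

With the sample above the squid wildcard socket and the LAN-bound daemon are reported; after the --disable-internal-dns rebuild the squid line should no longer appear.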

Received on Sat Oct 13 2007 - 06:50:44 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:01 MDT