Re: [squid-users] SQUID in TPROXY - do not resolve

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Oct 2013 02:55:13 +1300

On 24/10/2013 1:47 a.m., Plamen wrote:
> Hi,
>
> how to disable squid resolving every request if it is running in TPROXY
> mode?

Why are you asking in particular?

If you are planning to use cache storage at all this is not a good
choice. The hidden underbelly of CVE-2009-0801 is malicious cache
corruption infecting your entire network. So any unvalidated request is
a non-cacheable response. The DNS is used to validate Host header.

> Technically squid doesn't need to do dns resolving in this mode of operation
> so probably there is a way to configure this.

Technically Squid *does* need to do this resolving if Squid is going to
do its job and locate the fastest possible source. The semi-random IP
choice made by the client is based on client capabilities and network
view which are all irrelevant on the proxy upstream connection. Beyond
that the DNS is used to validate the client is trustworthy enough to
cache their traffic and re-use for others.

Amos
Received on Wed Oct 23 2013 - 13:55:26 MDT
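The reply above describes the Host-header validation an intercepting proxy performs: the original destination IP the client connected to is compared against what the proxy's own DNS returns for the name in the Host header, and a request that fails that check must not feed the shared cache. The following Python is an added illustration of that logic, not Squid's code and not a description of its internals; the lookup table `FAKE_DNS`, the `fake_resolve` resolver and the `InterceptedRequest`/`Verdict` types are all constructed for this example so it runs offline.

```python
"""
Illustrative Host-header verification for intercepted (TPROXY-style) requests.

Added example, not Squid's implementation. It models the check described in
the mailing-list reply: resolve the Host header with the proxy's own DNS and
treat the response as cacheable only when the client's original destination
IP is one of the addresses returned. A mismatch means the client is steering
the proxy to a server the proxy cannot vouch for, so the response must not be
stored for re-use by other clients.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed DNS view of the proxy (made-up records, not real lookups).
FAKE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "cdn.example.net": ["198.51.100.10", "198.51.100.11"],
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in resolver: returns the constructed records or an empty list."""
    return FAKE_DNS.get(name.lower(), [])


@dataclass
class InterceptedRequest:
    original_dst_ip: str  # where the client actually connected (from TPROXY)
    host_header: str      # what the client claimed in its Host: header


@dataclass
class Verdict:
    verified: bool   # Host header agrees with the proxy's DNS view
    cacheable: bool  # safe to store and serve to other clients
    reason: str


def strip_port(host: str) -> str:
    """Drop an optional ':port' suffix; handles bracketed IPv6 literals."""
    host = host.strip()
    if host.startswith("["):
        return host[1:host.index("]")] if "]" in host else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def verify_host(req: InterceptedRequest, resolve: Resolver = fake_resolve) -> Verdict:
    """Return whether the request's Host header is consistent with its destination."""
    name = strip_port(req.host_header)
    if not name:
        return Verdict(False, False, "empty Host header")

    dst = ipaddress.ip_address(req.original_dst_ip)

    # Host may be an IP literal: then no DNS is needed, the two addresses
    # must simply be the same host.
    try:
        literal = ipaddress.ip_address(name)
    except ValueError:
        literal = None
    if literal is not None:
        if literal == dst:
            return Verdict(True, True, "Host is the destination IP literal")
        return Verdict(False, False, "Host IP literal differs from destination")

    addrs = resolve(name)
    if not addrs:
        # The proxy cannot confirm the name at all: serve it to this client
        # if policy allows, but never cache it.
        return Verdict(False, False, f"{name} does not resolve for the proxy")

    if any(ipaddress.ip_address(a) == dst for a in addrs):
        return Verdict(True, True, "destination matches proxy DNS for Host")
    return Verdict(False, False,
                   f"{req.original_dst_ip} not among proxy DNS results for {name}")


if __name__ == "__main__":
    samples = [
        InterceptedRequest("93.184.216.34", "www.example.com"),
        InterceptedRequest("93.184.216.34", "cdn.example.net"),   # mismatch
        InterceptedRequest("198.51.100.10", "cdn.example.net:80"),
        InterceptedRequest("198.51.100.10", "nope.invalid"),      # unresolvable
    ]
    for s in samples:
        v = verify_host(s)
        print(f"{s.original_dst_ip:>15} Host={s.host_header:<20} "
              f"verified={v.verified} cacheable={v.cacheable} ({v.reason})")
```

The resolver is injected so a real deployment of this idea would plug in the proxy's own lookups; what matters for the cache-poisoning risk the reply refers to is that the decision relies on the proxy's DNS view, never on the client's claimed Host alone.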
