Re: [squid-users] SQUID in TPROXY - do not resolve

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 23 Oct 2013 12:48:58 -0600

On 10/23/2013 07:55 AM, Amos Jeffries wrote:
> On 24/10/2013 1:47 a.m., Plamen wrote:
>> how to disable squid resolving every request if it is running in TPROXY
>> mode?

> If you are planning to use cache storage at all this is not a good
> choice.

Agreed. However, it is possible to make caching work safely (but not
efficiently) by telling Squid to associate the cache entry with the
client-provided IP in addition to all the other things like the domain
name and the URL path. This would be an optional feature available to
transparent deployments where client DNS server(s) cannot be made
identical to Squid DNS server(s).

>> Technically squid doesn't need to do dns resolving in this mode of
>> operation so probably there is a way to configure this.
>
> Technically Squid *does* need to do this resolving if Squid is going to
> do its job and locate the fastest possible source.

AFAICT, the optional "fastest possible source" optimization may not be
very important in this particular case. Delivering a valid response to
the client is. In some cases, neither would be possible, but I suspect
there are deployments where Squid can reach the client-resolved origin
server even if it cannot resolve its name.

> The semi-random IP
> choice made by the client is based on client capabilities and network
> view which are all irrelevant on the proxy upstream connection. Beyond
> that the DNS is used to validate the client is trustworthy enough to
> cache their traffic and re-use for others.

I agree that cache safety is a major concern here. If the feature
discussed above is implemented, Squid cache will remain safe because
Squid will refuse to serve previously cached entries with name:IP
mapping different from that of the requesting client, right?

Store ID offers a partial solution here if Squid is configured to send
client-provided destination IP address to the Store ID helper.
Alternatively, Squid can add IP addresses to store keys internally when
this feature is enabled.

The other missing piece would be to disable DNS queries (and caching of
their results) in Squid in favor of the client-provided destination IP
address.

It may be difficult to implement all of this neatly, but probably not
impossible.

HTH,

Alex.
Received on Wed Oct 23 2013 - 18:49:22 MDT
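Added example (not from the thread and not Squid's own code): a minimal Store ID helper, in the shape Alex sketches above, that folds the client-chosen destination IP into the cache key so two clients that resolved the same name to different addresses never share an entry. It assumes the helper line protocol of `[channel-id] URL extras...` in and `[channel-id] OK store-id=...` / `ERR` out, and assumes `store_id_extras` has been set so that the intercepted destination reaches the helper as `dst=<ip>` (the exact format code for that is deployment-specific and is not given here). The `__clientdst__` path segment is an arbitrary key layout chosen for this example.

```python
#!/usr/bin/env python3
"""Store ID helper: cache key = scheme + host + client-provided destination IP + path.

Example code, not part of Squid. Assumptions (see lead-in):
  * input lines:  "[channel-id] URL key=value key=value ..."
  * output lines: "[channel-id] OK store-id=<key>"  or  "[channel-id] ERR"
  * Squid passes the intercepted destination address as the extra "dst=<ip>"
"""
import ipaddress
import sys
from urllib.parse import urlsplit


def parse_request(line):
    """Split a helper request into (channel_id or None, url, extras dict)."""
    parts = line.strip().split()
    channel = None
    # A leading all-digit token is the channel id (present only with concurrency > 0).
    if parts and parts[0].isdigit():
        channel = parts.pop(0)
    if not parts:
        raise ValueError("no URL in request line")
    url = parts[0]
    extras = {}
    for token in parts[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            extras[key] = value
    return channel, url, extras


def make_store_id(url, dst_ip):
    """Build a URL-like store id that embeds the client's destination IP."""
    s = urlsplit(url)
    host = (s.hostname or "").lower()
    try:
        if s.port:
            host += f":{s.port}"
    except ValueError:
        pass  # unparsable port: key on the host alone
    path = s.path or "/"
    if s.query:
        path += "?" + s.query
    # Marker segment chosen for this example; any stable layout works as long as
    # entries for different destination IPs can never collide.
    return f"{s.scheme}://{host}/__clientdst__/{dst_ip}{path}"


def handle_line(line):
    """Return the full response line for one request line."""
    try:
        channel, url, extras = parse_request(line)
    except ValueError:
        return "ERR"
    prefix = f"{channel} " if channel is not None else ""
    dst = extras.get("dst")
    if dst is None:
        # No client destination available: ERR makes Squid fall back to the plain
        # URL key, i.e. the unsafe sharing the thread warns about. A deployment
        # that wants strictness should also refuse to cache such requests.
        return prefix + "ERR"
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return prefix + "ERR"
    # .compressed normalises case and zero-runs so "2001:DB8::1" and
    # "2001:db8:0::1" map to one key.
    return prefix + "OK store-id=" + make_store_id(url, ip.compressed)


def main():
    # Squid talks to helpers over stdin/stdout, one request per line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With this key layout, a response cached for `example.com` reached via one address is only served again to clients whose own resolution of `example.com` yielded that same address, which is the safety property discussed above; hit rate drops accordingly, which is the "safe but not efficient" trade-off.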
