Re: [squid-users] Re: SQUID in TPROXY - do not resolve

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Oct 2013 23:35:13 +1300

On 30/10/2013 8:28 p.m., Dr.x wrote:
> Hi Amos,
>
> Is there a method that lets Squid force its DNS reply and ignore the client
> DNS reply???
>
> =====================================
> I mean if client x got 1.1.1.1
> and Squid got 2.2.2.2
> I want the client to go to 2.2.2.2, not to 1.1.1.1
> =============================

Which one is the real server?
   How do you know the client was wrong about where *they* were contacting?

* some clients base connections on details other than DNS A and AAAA
records.
* some services present special IP address contacts only to registered
clients (i.e. Google DNS). This may be Squid OR the client.

The only case where it turns out to actually be safe is when the DNS
lookups for Squid and the client match. You can set the client_dst_passthru
directive to 'off' for those cases.

Amos
Received on Wed Oct 30 2013 - 10:35:24 MDT
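
The destination choice described in the reply above, as an added example that is not part of the original message and not Squid's own code: a simplified Python model of how an intercepting Squid picks the upstream address, following the documented behaviour of client_dst_passthru (default on) and Host header verification. The function name and the 192.0.2.x addresses are constructed for illustration.

```python
"""Simplified model (added example, not Squid source code) of upstream
selection for TPROXY/NAT intercepted traffic."""
from ipaddress import ip_address


def choose_upstream(client_dst, squid_dns_answers, client_dst_passthru=True):
    """Return (addresses Squid may connect to, reason).

    client_dst          -- IP the client connected to (result of its own DNS)
    squid_dns_answers   -- IPs Squid resolved for the request's Host header
    client_dst_passthru -- squid.conf setting; 'on' is the documented default
    """
    dst = ip_address(client_dst)
    answers = [ip_address(a) for a in squid_dns_answers]

    if dst not in answers:
        # Host verification failed: Squid cannot tell whether the client or
        # the Host header is wrong, so it behaves as if passthru were 'on'
        # and relays to the address the client chose.
        return [str(dst)], "host-verify-failed: original destination kept"

    if client_dst_passthru:
        # Verified, but the admin asked to keep the client's destination.
        return [str(dst)], "verified, passthru on: original destination kept"

    # Verified and passthru 'off': the DNS views agree, so Squid is free to
    # use any address it resolved (failover, faster source).
    return [str(a) for a in answers], "verified, passthru off: any resolved address"


def demo():
    """Run the thread's scenario plus a matching-DNS case (constructed data)."""
    return {
        # The case asked about: client resolved 1.1.1.1, Squid resolved 2.2.2.2.
        "mismatch_off": choose_upstream("1.1.1.1", ["2.2.2.2"], False),
        # DNS views agree (constructed 192.0.2.x addresses).
        "match_on": choose_upstream("192.0.2.10", ["192.0.2.10", "192.0.2.11"], True),
        "match_off": choose_upstream("192.0.2.10", ["192.0.2.10", "192.0.2.11"], False),
    }


if __name__ == "__main__":
    for name, (addrs, reason) in demo().items():
        print(f"{name:13} -> {addrs}  ({reason})")
```

In the mismatch case from the thread the model still returns 1.1.1.1: turning client_dst_passthru off only widens the choice when both DNS lookups agree.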
