Re: [squid-users] Re: SQUID in TPROXY - do not resolve

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 31 Oct 2013 18:53:33 +1300

On 31/10/2013 7:52 a.m., Dr.x wrote:
> hi amos ,
>
> my request is ,
> i don't want to install squidguard on my machine , i want to use dns of squid
> instead of that
>
> i mean i want to direct squid to norton dns , and in this case if the dns of
> clients and squid didn't match ,
> the website or the request of client must be blocked !
>
> i've tried :
>
> client_dst_passthru off
> host_verify_strict on
>
> but no luck , the client still can bypass the webfiltering !!!!
?? with host_verify_strict on any client who fails the verification gets
an error page. They are not permitted through by Squid. Not even to
receive HITs.

Are you certain these clients were using HTTP and not using some other
protocol such as SPDY, WebSockets, or CoAP? or somehow bypassing the
interception itself?

> i mean it is supposed that client visit the destination ip result from
> squid dns resolving , not the ip result from its resolving !!
>
>
> but up till now , although i put the two directives above, the client still
> visit the ip resulted from its dns resolving !

"client_dst_passthru off" only means that Squid is *allowed* to use
other IPs if it needs to; it does not have to (and what happens when the
site only has 1 IP anyway?). To improve transparency and reliability of
any assumptions the client application is making, Squid uses it anyway
after verification.

Note that for verify to succeed Squid MUST have resolved that IP as one
of the host's legitimate IPs - so it was probably going to be used by
Squid and called "DIRECT" anyway. The only difference between
ORIGINAL_DST and DIRECT when verify succeeds is the risk of
client-server application level systems breaking (none when ORIGINAL_DST
is used, some small risk when DIRECT is used).

Amos
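The decision Amos describes (verification succeeds only when the client's original destination is one of the IPs Squid itself resolved for the Host; with host_verify_strict on a failure gets an error page, and client_dst_passthru off merely widens the set of IPs Squid is allowed to fall back to) can be modelled in a few lines. The following is an added illustration, not Squid's own code: the `SQUID_DNS` table is a constructed stand-in for what a filtering resolver would return, the client addresses are constructed, and the non-strict branch (verification fails but host_verify_strict is off, so Squid is pinned to the client's original destination) is my reading of Squid's documented behaviour rather than anything stated in the thread.

```python
"""Simplified model of Squid's intercepted-destination verification.

Added example (not Squid's source). The resolver table and all IPs
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional

# Constructed: what Squid's own resolver (e.g. a filtering DNS) returns
# per Host header. "blocked.example" resolves to the filter's block-page
# address, which is the point of pointing Squid at such a resolver.
SQUID_DNS: Dict[str, List[str]] = {
    "example.com": ["203.0.113.10", "203.0.113.11"],
    "blocked.example": ["192.0.2.250"],
}


@dataclass
class Decision:
    verified: bool
    action: str                      # "ORIGINAL_DST", "DIRECT" or "ERROR"
    server_ip: Optional[str]
    # IPs Squid is permitted to retry with; empty when the request is refused.
    candidates: List[str] = field(default_factory=list)
    reason: str = ""


def verify_destination(host: str, original_dst: str, *,
                       host_verify_strict: bool = True,
                       client_dst_passthru: bool = False,
                       resolver: Dict[str, List[str]] = SQUID_DNS) -> Decision:
    """Decide how Squid handles one intercepted request.

    original_dst is the IP the client actually connected to (the result
    of the client's own DNS lookup); resolver is Squid's view of the host.
    """
    dst = str(ip_address(original_dst))          # normalise / validate
    resolved = resolver.get(host, [])

    if dst in resolved:
        # Verification succeeded: the client's IP is one Squid would have
        # chosen anyway, so it is used as-is (ORIGINAL_DST). With
        # client_dst_passthru off the other resolved IPs are merely
        # *allowed* as fall-backs; with it on, only the original dst is.
        candidates = [dst] if client_dst_passthru else [dst] + [
            ip for ip in resolved if ip != dst]
        return Decision(True, "ORIGINAL_DST", dst, candidates,
                        "original destination is one of the host's IPs")

    if host_verify_strict:
        # Strict mode: mismatch means an error page, no DIRECT, no HITs.
        return Decision(False, "ERROR", None, [],
                        f"{dst} is not among Squid's IPs for {host}: {resolved}")

    # Non-strict (assumed behaviour): the request proceeds but is pinned
    # to the client's original destination; Squid's own IPs are not used.
    return Decision(False, "ORIGINAL_DST", dst, [dst],
                    "verification failed; non-strict, pinned to original dst")


def summarise(requests: List[Dict[str, str]], **opts) -> List[str]:
    """Run a batch of constructed requests and return one action per request."""
    return [verify_destination(r["host"], r["dst"], **opts).action
            for r in requests]


if __name__ == "__main__":
    # Constructed traffic: the second and third requests are what the
    # thread describes, a client whose own DNS answer differs from Squid's.
    sample = [
        {"host": "example.com", "dst": "203.0.113.10"},
        {"host": "example.com", "dst": "198.51.100.5"},
        {"host": "blocked.example", "dst": "198.51.100.7"},
    ]
    for r in sample:
        d = verify_destination(r["host"], r["dst"])
        print(f"{r['host']:16} {r['dst']:14} -> {d.action:12} {d.reason}")
```

With the defaults (host_verify_strict on) the two mismatched requests end in ERROR, which is the behaviour Amos says the original poster should already be seeing; if a client still reaches the site, the traffic is not passing through this check at all.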
Received on Thu Oct 31 2013 - 05:54:05 MDT