On 2026-01-15 02:14, archer wrote:
> # {cache_peer ... no_netdb_exchange } already set earlier
> netdb_filename none
> pinger_enable off
> icp_port 0 # seems to be the default value
> And this issue persists. It seems that NO squid.conf could help with the
> DNS leak issue.
Yes, your statement matches what I have stated in my previous response:
AFAICT, there is no squid.conf option that would disable those DNS
lookups in Squids built with `--enable-icmp` (which is also the default).
> Q1: So, does Squid netdb work on the IP level?
Squid NetDB feature has several parts/algorithms/statistics that use
various protocols. In this particular case, Squid prepares to "ping"
(via ICMP) the site targeted by the CONNECT request. Since ICMP needs an
IP address, Squid performs a DNS lookup first.
AFAICT, this particular DNS lookup is a Squid bug: Squid should not
perform that lookup when "pinger_enable" is "off" because the result of
that lookup cannot be used for its intended purpose -- pinging the
corresponding origin server.
I have not investigated whether Squid should ping origin servers when
going through a cache_peer. If Squid should not, then there is a second
bug here.
> In that way, squid has unclear ACLs that bring up invisible communications.
These unwanted DNS lookups have nothing to do with ACLs.
> Q2: Do I have to compile squid from the source code without benefit of
> automatic community upgrade?
Yes, if you want to disable ICMP, and your community has enabled that
feature in the binaries they prepackage for you, then you have to build
Squid with ICMP disabled (or find a community that will do it for you).
> This is really a less preferable option for most users.
Agreed. FWIW, we are slowly reducing Squid dependence on compile-time
configuration options.
> Is there a higher version of squid that comes up with a powerful conf?
I believe my statements apply to the latest Squid version.
FWIW, if I have access to a full debugging log collected while
reproducing the problem, I may be able to tell you what causes DNS
lookups in your specific environment. I discourage Squid admins from
studying debugging logs because they are meant for Squid developers
and can be very misleading.
> We can only confirm issues and observe callees from logs.
I strongly disagree that one "can only confirm issues from [debugging]
logs". In most cases, including "unwanted DNS lookups" cases, admin can
confirm issues without looking at debugging logs.
As for "observe callees", in my experience, compared to reporting a
high-level problem and sharing debugging logs with a Squid developer who
is capable of interpreting them, discussion of debugging logs by admins
often leads to incorrect conclusions and is far less efficient. YMMV.
HTH,
Alex.
_______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
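Since the thread's only remedy for the lookups is a Squid built with ICMP disabled, the first thing an admin wants to know is how the binary they actually run was built. The following is an added example, not code from the thread or from the Squid project: a POSIX shell check that reads `squid -v` output and classifies the build. It assumes that `squid -v` prints a `configure options:` line listing the build flags, follows the thread's claim that a build without an explicit `--disable-icmp` has ICMP enabled, and uses a hypothetical function name (`squid_icmp_status`); the three sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the squid-users thread, not Squid's own tooling):
# classify a Squid binary's ICMP/pinger build setting from `squid -v` output.
#
# Assumptions:
#  - `squid -v` prints a line starting with "configure options:" that lists
#    the flags given to ./configure, each usually wrapped in single quotes.
#  - As stated in the thread, ICMP is on unless --disable-icmp was passed,
#    so a missing flag is reported as "enabled-by-default".

# squid_icmp_status "<squid -v output>"
# Prints one of: disabled | enabled | enabled-by-default
squid_icmp_status() {
    _out=$1
    # Keep only the configure line; tolerate its absence (grep exit 1).
    _cfg=$(printf '%s\n' "$_out" | grep -i 'configure options:' || true)
    # Pad with spaces so bare (unquoted) flags match as whole words too.
    case " $_cfg " in
        *"'--disable-icmp'"*|*" --disable-icmp "*) echo disabled ;;
        *"'--enable-icmp'"*|*" --enable-icmp "*)   echo enabled ;;
        *)                                         echo enabled-by-default ;;
    esac
}

# Constructed samples of `squid -v` output (not captured from real hosts).
SAMPLE_PACKAGED="Squid Cache: Version 6.6
Service Name: squid
configure options:  '--prefix=/usr' '--enable-icmp' '--with-openssl'"

SAMPLE_OWN_BUILD="Squid Cache: Version 6.6
Service Name: squid
configure options:  '--prefix=/usr/local/squid' '--disable-icmp'"

SAMPLE_NO_FLAG="Squid Cache: Version 6.6
Service Name: squid
configure options:  '--prefix=/usr' '--with-openssl'"

# Stand-alone run: report the samples, then the locally installed squid
# if one is on PATH.
if [ "${SQUID_ICMP_CHECK_QUIET:-0}" = 0 ]; then
    echo "packaged sample : $(squid_icmp_status "$SAMPLE_PACKAGED")"
    echo "own-build sample: $(squid_icmp_status "$SAMPLE_OWN_BUILD")"
    echo "no-flag sample  : $(squid_icmp_status "$SAMPLE_NO_FLAG")"
    if command -v squid >/dev/null 2>&1; then
        echo "local squid     : $(squid_icmp_status "$(squid -v 2>&1)")"
    fi
fi
```

Run it on the proxy host itself; if the local binary reports `enabled` or `enabled-by-default`, the thread's conclusion applies and no `pinger_enable off` / `netdb_filename none` combination will stop the lookups on that build.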