Many thanks.

> I believe my statements apply to the latest Squid version.

Sir, there are many series of Squid, e.g., version 3.x ~ 7.x. Will all be upgraded?

> On Jan 16, 2026, at 12:28 AM, Alex Rousskov
> <[email protected]> wrote:
>
> On 2026-01-15 02:14, archer wrote:
>
>> # {cache_peer ... no_netdb_exchange } already set earlier
>> netdb_filename none
>> pinger_enable off
>> Icp_port0 #seems to be default value
>
>> And this issue persists. It seems that NO squid.conf could help with the DNS
>> leak issue.
>
> Yes, your statement matches what I have stated in my previous response:
> AFAICT, there is no squid.conf option that would disable those DNS lookups in
> Squids built with `--enable-icmp` (which is also the default).
>
>
>> Q1: So, does Squid netdb work on the IP level?
>
> Squid NetDB feature has several parts/algorithms/statistics that use various
> protocols. In this particular case, Squid prepares to "ping" (via ICMP) the
> site targeted by the CONNECT request. Since ICMP needs an IP address, Squid
> performs a DNS lookup first.
>
> AFAICT, this particular DNS lookup is a Squid bug: Squid should not perform
> that lookup when "pinger_enable" is "off" because the result of that lookup
> cannot be used for its intended purpose -- pinging the corresponding origin
> server.
>
> I have not investigated whether Squid should ping origin servers when going
> through a cache_peer. If Squid should not, then there is a second bug here.
>
>
>> In that way, squid has unclear ACLs that bring up invisible communications.
>
> These unwanted DNS lookups have nothing to do with ACLs.
>
>
>> Q2: Do I have to compile squid from the source code without benefit of
>> automatic community upgrade ?
>
> Yes, if you want to disable ICMP, and your community has enabled that feature
> in the binaries they prepackage for you, then you have to build Squid with
> ICMP disabled (or find a community that will do it for you).
>
>
>> This is really a less preferable option for most users.
>
> Agreed. FWIW, we are slowly reducing Squid dependence on compile-time
> configuration options.
>
>
>> Is there a higher version of squid that comes up with a powerful conf ?
>
> I believe my statements apply to the latest Squid version.
>
>
>>>>> FWIW, if I have access to a full debugging log collected while
>>>>> reproducing the problem, I may be able to tell you what causes DNS
>>>>> lookups in your specific environment. I discourage Squid admins from
>>>>> studying debugging logs because they are meant for Squid developers and
>>>>> can be very misleading.
>
>> We can only confirm issues and observe callees from logs.
>
> I strongly disagree that one "can only confirm issues from [debugging] logs".
> In most cases, including "unwanted DNS lookups" cases, admin can confirm
> issues without looking at debugging logs.
>
> As for "observe callees", in my experience, compared to reporting a
> high-level problem and sharing debugging logs with a Squid developer who is
> capable of interpreting them, discussion of debugging logs by admins often
> leads to incorrect conclusions and is far less efficient. YMMV.
>
>
> HTH,
>
> Alex.
> _______________________________________________
squid-users mailing list
[email protected]
https://lists.squid-cache.org/listinfo/squid-users
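
An added example, not part of the thread and not Squid project code: one way to confirm the unwanted lookups discussed above without debugging logs is to correlate CONNECT tunnels that Squid forwarded to a cache_peer with DNS queries seen leaving the proxy host. The access.log lines, the "epoch qname" DNS log format, the one-second slack and the function names are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample data (not from the thread). ACCESS_LOG uses Squid's native
# access.log format; DNS_LOG is a hypothetical "epoch qname" list of queries
# observed leaving the proxy host (for example, exported from a resolver log).
ACCESS_LOG = """\
1768500010.500   2500 192.0.2.10 TCP_TUNNEL/200 5120 CONNECT private.example:443 - FIRSTUP_PARENT/198.51.100.7 -
1768500020.000   1000 192.0.2.11 TCP_TUNNEL/200 900 CONNECT direct.example:443 - HIER_DIRECT/203.0.113.9 -
1768500030.250    750 192.0.2.10 TCP_TUNNEL/200 700 CONNECT quiet.example:443 - FIRSTUP_PARENT/198.51.100.7 -
"""
DNS_LOG = """\
1768500008.100 private.example
1768500019.050 direct.example
1768500100.000 quiet.example
"""

Tunnel = namedtuple("Tunnel", "start end host hier")
# time, elapsed ms, client, code/status, bytes, CONNECT host[:port], ident, hierarchy/peer
LINE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+\S+\s+\S+\s+\d+\s+CONNECT\s+(\S+?)(?::\d+)?\s+\S+\s+(\w+)/")

def parse_tunnels(text):
    """Yield CONNECT tunnels; access.log stamps completion, so start = time - elapsed."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            end, ms = float(m[1]), int(m[2])
            yield Tunnel(end - ms / 1000.0, end, m[3].lower(), m[4])

def find_leaks(access_text, dns_text, slack=1.0):
    """Return (qname, time) for DNS queries matching tunnels that only used a peer."""
    tunnels = list(parse_tunnels(access_text))
    # Names Squid connected to itself are expected to be resolved locally.
    direct = {t.host for t in tunnels if "PARENT" not in t.hier}
    leaks = []
    for row in dns_text.splitlines():
        parts = row.split()
        if len(parts) != 2:
            continue
        ts, qname = float(parts[0]), parts[1].rstrip(".").lower()
        if qname in direct:
            continue
        if any(t.host == qname and t.start - slack <= ts <= t.end + slack for t in tunnels):
            leaks.append((qname, ts))
    return leaks

if __name__ == "__main__":
    for qname, ts in find_leaks(ACCESS_LOG, DNS_LOG):
        print(f"{ts:.3f} proxy host resolved {qname}, but Squid tunnelled it via a cache_peer")
```

A match only shows that the proxy host resolved a name while a peer-forwarded tunnel to it was open; other software on the same host can issue the same query, so capture the DNS log from a host that runs only Squid.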
