[squid-dev] Removing DNS lookups in intercept mode by using client dest IP address

Amos Jeffries squid3 at treenet.co.nz
Thu May 21 13:35:29 UTC 2015 

On 22/05/2015 12:00 a.m., johndunne wrote:
> Hi,
> 
> I'm running squid 3.5.4 on a network which caches http and https traffic via
> a tproxy redirect on a linux box. The setup runs perfectly, except that a
> slight lag is introduced owing to the squid service making DNS lookups for
> many of the requests it receives via http and https.
> 
> Now, I'm considering patching squid such that it auto adds the destination
> IP address of the client connection to its own dns cache, for the hostname
> that appears in the http header of that connection. I think this is safe
> since the connection is redirected via tproxy i.e. I know that the client
> machine got that IP address for the hostname in the HTTP/HTTPS request.

No, no you dont. On the contrary we do know from testing the
host_verify_strict feature that many, many clients lie.

The amount of traffic where URL and Host header contained entirely
different domain names (or even ports) was quite a surprise.

> 
> Assuming my logic here isn't flawed, does anyone know if this is sensible
> and if any such work has already been done?
> 

No, the DNS lookup being done is to protect against CVE-2009-0801.

That CVE is about a client browser running a malicious script provided
by a web server somewhere, which makes HTTP requests but lies when
sending the Host: header. This is trivial for an attacker to do and if
trusted would result in cache corruption affecting all clients on the
network.

Essentially if the Host header value does not match the URL or resolve
to the IP being contacted then it can't be trusted for use as a cache
key that other clients might fetch.

You could get around the DNS lookup if you really have to by patching
Squid to always mark the hostVerify as done with a failed result. But
none of the traffic would then be able to cache, so its not a very
useful thing to do.


You can probably better reduce latency by ensuring that the clients and
Squid are using the same DNS resolvers. And that they those resolvers
respond fast. That will allow Squid to verify success more often than
not and caching will raise the HIT ratio on intercepted traffic.

Amos

More information about the squid-dev mailing list