[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Amos Jeffries squid3 at treenet.co.nz
Wed Nov 25 00:19:43 UTC 2015


On 25/11/2015 12:20 p.m., Dan Charlesworth wrote:
> Thanks for the perspective on this, folks.
> 
> Going back to the technical stuff—and this isn’t really a squid thing—but is there any way I can minimise this using my DNS server? 
> 
> Can I force my local DNS to only ever return 1 address from the pool on a hostname I’m having trouble with?

That depends on your resolver, but I doubt it.

The DNS setup I mentioned in my last email to this thread is all I'm
aware of that gets even close to a fix.

Note that you may have to intercept clients' port 53 traffic (both UDP
and TCP) to the resolver. That has implications with DNSSEC but should
still work as long as you do not alter the DNS responses; the resolver
is just there to ensure the same result goes to both querying parties.

Amos
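
Added example, not part of the original message and not Squid's code: a simplified model of the intercept-mode Host check, showing why a rotating DNS pool trips it when client and proxy resolve independently, and how one shared caching resolver narrows the problem without closing it once the TTL expires. The hostname, addresses, TTL and all class and function names are constructed for illustration.

```python
from itertools import count

# Constructed pool for a constructed hostname (RFC 5737 documentation addresses).
POOL = {"cdn.example.test": ["192.0.2.10", "192.0.2.11",
                             "198.51.100.20", "198.51.100.21"]}


class RotatingUpstream:
    """Authoritative side: every query gets the next 2-address slice of the pool."""

    def __init__(self, pool, per_answer=2):
        self.pool, self.per_answer, self.queries = pool, per_answer, count()

    def resolve(self, name, now=0):
        addrs = self.pool[name]
        start = (next(self.queries) * self.per_answer) % len(addrs)
        return [addrs[(start + i) % len(addrs)] for i in range(self.per_answer)]


class SharedCache:
    """One caching resolver queried by both the clients and the proxy."""

    def __init__(self, upstream, ttl=30):
        self.upstream, self.ttl, self.cache = upstream, ttl, {}

    def resolve(self, name, now=0):
        hit = self.cache.get(name)
        if hit is None or now >= hit[0]:  # miss or expired: ask upstream again
            hit = (now + self.ttl, self.upstream.resolve(name, now))
            self.cache[name] = hit
        return hit[1]


def host_matches_destination(dst_ip, host, proxy_resolver, now=0):
    """Model of the check: is the intercepted TCP destination one of the
    addresses the proxy itself gets for the Host header name?"""
    return dst_ip in proxy_resolver.resolve(host, now)


def simulate(client_resolver, proxy_resolver, host, connect_delay=0):
    """Client resolves at t=0 and connects to the first address; the proxy
    verifies when the intercepted request arrives at t=connect_delay."""
    dst_ip = client_resolver.resolve(host, now=0)[0]
    return host_matches_destination(dst_ip, host, proxy_resolver, now=connect_delay)
```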


