[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9
dan at getbusi.com
Wed Nov 25 01:11:29 UTC 2015
They’re probably matching about 40% of the time on twitter.com, though 😒
> On 25 Nov 2015, at 11:40 AM, Dan Charlesworth <dan at getbusi.com> wrote:
> Alright, thanks for the hint.
> My proxy and clients definitely have the same DNS server (I removed the secondary and tertiary ones to make totally sure) but the results definitely aren’t matching 99% of the time. Probably more like 90%.
> Perhaps it’s 'cause my clients are caching records locally or something? It does seem to improve as the day progresses, after joining the intercepted wifi network in the morning.
> Super annoying though trying to post a comment on GitHub or something and it just hangs.
>> On 25 Nov 2015, at 11:19 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>> On 25/11/2015 12:20 p.m., Dan Charlesworth wrote:
>>> Thanks for the perspective on this, folks.
>>> Going back to the technical stuff—and this isn’t really a squid thing—but is there any way I can minimise this using my DNS server?
>>> Can I force my local DNS to only ever return 1 address from the pool on a hostname I’m having trouble with?
>> That depends on your resolver, but I doubt it.
>> The DNS setup I mentioned in my last email to this thread is all I'm
>> aware of that gets even close to a fix.
>> Note that you may have to intercept clients port 53 traffic (both UDP
>> and TCP) to the resolver. That has implications with DNSSEC but should
>> still work as long as you do not alter the DNS responses, the resolver
>> is just there to ensure the same result goes to both querying parties.
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
More information about the squid-users