[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 22 09:58:33 UTC 2015


On 21/10/2015 4:53 p.m., Dan Charlesworth wrote:
> I’m getting these very frequently for api.github.com and github.com
> 
> I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they only return the one IP when I do an nslookup as well …
> 
> Any updates from your end, Roel?


I just did a quick test of api.github.com and what I'm seeing is only
one IP at a time being delivered. BUT that IP is showing signs of being
a geo-DNS based result and also has a 60 second TTL.

So ... when using the Google "free" DNS service it changes IP number
almost every second, based on which of the Google servers you happen to
be working through with that particular request.

You can watch it cycling if you like:
 watch dig A api.github.com @8.8.8.8


You could run a local bind server and redirect UDP port 53 requests from
clients to it so they stop using 8.8.8.8 etc and start using a DNS like
it's supposed to work.

Amos
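
An added example, not part of the message above: a small script to quantify the rotation that `watch dig` shows, by summarizing `dig +noall +answer` lines into answer count, distinct addresses and largest TTL seen. The function names and the sample data (documentation-range addresses, not real GitHub IPs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: measure how much a name's A records rotate on one resolver.
# Input format is `dig +noall +answer` output: name TTL class type rdata.

# Constructed sample: four polls of one resolver, one answer line per poll.
SAMPLE='api.github.com. 60 IN A 192.0.2.10
api.github.com. 43 IN A 198.51.100.7
api.github.com. 60 IN A 192.0.2.10
api.github.com. 12 IN A 203.0.113.25'

# summarize_answers: read answer lines on stdin and print
# "<answers> <distinct_ips> <max_ttl>" for the A records found.
summarize_answers() {
    awk '$4 == "A" {
            answers++
            if (!($5 in seen)) { seen[$5] = 1; distinct++ }
            if ($2 + 0 > max) max = $2 + 0
         }
         END { printf "%d %d %d\n", answers, distinct, max }'
}

# rotates: succeed when stdin contained more than one distinct address.
rotates() {
    set -- $(summarize_answers)
    [ "$2" -gt 1 ]
}

# poll_resolver NAME RESOLVER COUNT: collect live answers, one poll per second.
# Defined but not called here, so the script runs offline.
poll_resolver() {
    i=0
    while [ "$i" -lt "$3" ]; do
        dig +noall +answer A "$1" "@$2"
        sleep 1
        i=$((i + 1))
    done
}

printf '%s\n' "$SAMPLE" | summarize_answers   # prints: 4 3 60
```

Run `poll_resolver api.github.com 8.8.8.8 10 | summarize_answers` once against the resolver the clients use and once against the resolver the proxy uses, then compare the distinct-address counts.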


