[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

[Dan Charlesworth]

It looks like there’s certain hosts that are designed to load balance (or something) between a few IPs, regardless of geography.

For example pbs.twimg.com resolves to wildcard.twimg.com which returns two different IPs each time, from a pool of 5–6, at random. Basically rolling the dice whether the client and the proxy are going to get the same IPs at the same time.

What is one to do about that?

> On 22 Oct 2015, at 10:00 PM, Yuri Voinov <yvoinov at gmail.com> wrote:
> 
> 
> 
> 22.10.15 15:58, Amos Jeffries пишет:
>> On 21/10/2015 4:53 p.m., Dan Charlesworth wrote:
>>> I’m getting these very frequently for api.github.com and github.com
>>> 
>>> I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they only return the one IP when I do an nslookup as well …
>>> 
>>> Any updates from your end, Roel?
>> 
>> I just did a quick test of api.github.com and what I'm seeing is only
>> one IP at a time being delivered. BUT that IP is showing signs of being
>> geo-DNS based result and also has a 60 second TTL.
>> 
>> So ... when using the Google "free" DNS service it changes IP number
>> almost every second. Based on which of the Google servers you happen to
>> be working through with that particular request.
>> 
>> You can watch it cycling if you like:
>>  watch dig A api.github.com @8.8.8.8
>> 
>> 
>> You could run a local bind server and redirect UDP port 53 requests from
> ... or Unbound. ;) I use it.
>> clients to it so they stop using 8.8.8.8 etc and start using a DNS like
>> its supposed to work.
>> 
>> Amos
>> 
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users