[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Amos Jeffries squid3 at treenet.co.nz
Thu Oct 29 04:46:28 UTC 2015

On 29/10/2015 1:16 p.m., Dan Charlesworth wrote:
> It looks like there’s certain hosts that are designed to load balance (or something) between a few IPs, regardless of geography.
> For example pbs.twimg.com resolves to wildcard.twimg.com which returns two different IPs each time, from a pool of 5–6, at random. Basically rolling the dice whether the client and the proxy are going to get the same IPs at the same time.
> What is one to do about that?

The same thing. Ensuring that the proxy and the clients are using the
same DNS server.

The reasoning goes like so:
* some client does a DNS fetch causing the result to be cached in *that*
* then the proxy repeats the query and gets the DNS cached result.
* those results should match 99% of the time even if the domain DNS is
playing tricks.

This falls down with the Google DNS because "" is not one server
but an entire farm of servers spread aroudn the globe. The two
consecutive queries done often go to different physical servers.

You can of course configure to be an upstream resolver for your
local DNS server if you think that is a good idea. The key think is
having the same local-end DNS cache being used by the clients and Squid.

NP: these problems do not exist for forward proxies. Only for traffic
hijacking interceptor proxies.


More information about the squid-users mailing list