[squid-users] Recommended squid settings when using IPS-based domain blocking

Jason Marshall jason.marshall at gmail.com
Wed Mar 6 14:48:56 UTC 2024 

Good morning,

We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a
simple pass-through proxy without issue for the past month or so. Recently
our security team implemented an IPS product that intercepts domain names
known to be associated with malware and ransomware command and control.
Once this was in place, we started having issues with the behavior of squid.

Through some troubleshooting, it appears that what is happening is that
that when a user's machine make a request through squid for one of these
bad domains, the request is dropped by the IPS, squid waits for the DNS
timeout, and then all requests made to squid after that result
in NONE_NONE/500 errors, and it never seems to recover until we do a
restart or reload of the service.

Initially the dns_timeout was set for 30 seconds. I reduced this, thinking
that perhaps requests were building up or something along those lines. I
set it to 5 seconds, but that just got us to a failure state faster.

I also found the negative_dns_ttl setting and thought it might be having an
effect, but setting this to 0 seconds resulted in no change to the behavior.

Are there any configuration tips that anyone can provide that might work
better with dropped/intercepted DNS requests? My current configuration is
included here:

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network
(LAN)

acl localnet src fc00::/7               # RFC 4193 local private network
range
acl localnet src fe80::/10              # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 9191        # papercut
http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
http_access deny all
http_port 0.0.0.0:3128
http_port 0.0.0.0:3129
cache deny all
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
debug_options rotate=1 ALL,2
negative_dns_ttl 0 seconds
dns_timeout 5 seconds

Thank you for any help that you can provide.

Jason Marshall
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20240306/a67484ce/attachment.htm>

More information about the squid-users mailing list