<div dir="ltr">Also here is an example showing the issues when pushing to S3 as well as the same error with some google url's.<div><br></div><div><div>2016/10/17 18:33:32 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://209.85.144.113:443">209.85.144.113:443</a> remote=x.x.x.x:62402 FD 49 flags=33 (local IP does not match any domain IP)<br></div><div>2016/10/17 18:33:32 kid1| SECURITY ALERT: on URL: <a href="http://tools.google.com:443">tools.google.com:443</a></div><div>2016/10/17 18:34:04 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://209.85.144.113:443">209.85.144.113:443</a> remote=x.x.x.x:62405 FD 110 flags=33 (local IP does not match any domain IP)</div><div>2016/10/17 18:34:04 kid1| SECURITY ALERT: on URL: <a href="http://tools.google.com:443">tools.google.com:443</a></div><div>2016/10/17 18:34:45 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://209.85.144.113:443">209.85.144.113:443</a> remote=x.x.x.x:62409 FD 56 flags=33 (local IP does not match any domain IP)</div><div>2016/10/17 18:34:45 kid1| SECURITY ALERT: on URL: <a href="http://tools.google.com:443">tools.google.com:443</a></div><div>2016/10/17 18:35:16 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://209.85.144.113:443">209.85.144.113:443</a> remote=x.x.x.x:62412 FD 65 flags=33 (local IP does not match any domain IP)</div><div>2016/10/17 18:35:16 kid1| SECURITY ALERT: on URL: <a href="http://tools.google.com:443">tools.google.com:443</a></div><div>2016/10/17 18:57:11 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://172.217.17.78:443">172.217.17.78:443</a> remote=x.x.x.x:52958 FD 66 flags=33 (local IP does not match any domain IP)<br></div><div>2016/10/17 18:57:11 kid1| SECURITY ALERT: on URL: <a href="http://alt2-safebrowsing.google.com:443">alt2-safebrowsing.google.com:443</a></div><div>2016/10/17 18:58:00 kid1| SECURITY ALERT: Host header forgery detected on local=<a href="http://172.217.17.78:443">172.217.17.78:443</a> remote=x.x.x.x:52965 FD 42 flags=33 (local IP does not match any domain IP)</div><div>2016/10/17 18:58:00 kid1| SECURITY ALERT: on URL: <a href="http://alt2-safebrowsing.google.com:443">alt2-safebrowsing.google.com:443</a></div></div><div><br></div><div><br></div><div><br></div><div>Also please note my dig response time :</div><div>
<p class="gmail-p1"><span class="gmail-s1">;; Query time: 1 msec</span></p><p class="gmail-p1"><span class="gmail-s1"><br></span></p><p class="gmail-p1"><span class="gmail-s1">And from my DNS server itself :</span></p><p class="gmail-p1"><span class="gmail-s1">
</span></p><p class="gmail-p1"><span class="gmail-s1">;; Query time: 2 msec</span></p><p class="gmail-p1"><span class="gmail-s1"><br></span></p><p class="gmail-p1">My bind server is setup as a simple forwarder which always returns repsonses in about 1-2 msec </p><p class="gmail-p1">So again , things that are big , big files, timely requests to query some API , they all appear to have host header forgery problems that squid shows and then drops if the request takes longer to process than the TTL of the DNS entry associated with the traffic</p><p class="gmail-p1">I have many examples and if i dont use squid everything works fine, with squid it breaks , thats my simple point is squid is seeing an issue the app and client themselves dont and thats OK but with no way to "disable " or "workaround" the errors for lets say S3 on AWS</p><p class="gmail-p1">how do i keep using squid?</p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 18, 2016 at 2:10 PM, John Wright <span dir="ltr"><<a href="mailto:unixdeaf@gmail.com" target="_blank">unixdeaf@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In response to it not being a false positive , maybe its not specifically the TTL but in this other article on the mailing lists someone else had the same issue<div><br></div><div><br></div><div>Here is the response Amos gave, this is a known issue and apparently there is no way to "ignore host header forgery issues" or bypass them in the squid config.</div><div>My understanding is that , maybe the short TTL is ok, but it is small enough to where when a cloud based client is connecting to server a server b to amazon S3 etc it can take a few seconds </div><div>Thus that 5 second TTL (which again is often 2-3 seconds) is small enough to hurt.</div><div><br></div><div>Specifically some of these people (aws , google) in some dns situations they are doing things that squid has been known to identify as host header forgery just becuse it doesnt understand whats happening.</div><div>Also if im doing an S3 call pulling or pushing a big file which is very common in cloud environments it can take 10-20 seconds for the request to process , and if TTL expires mid stream , squid is for some reason flagging as forgery and it hangs until it either returns to the same ip in </div><div>DNS by chance or until the connection is dropped.</div><div><br></div><div><a href="http://lists.squid-cache.org/pipermail/squid-users/2016-August/012261.html" target="_blank">http://lists.squid-cache.org/<wbr>pipermail/squid-users/2016-<wbr>August/012261.html</a><br></div><div>Here is the note from Amos</div><div><pre style="white-space:pre-wrap;color:rgb(0,0,0)">>><i> The cases where Squid still gets it wrong are where the popular CDN
</i>>><i> service(s) in question are performing DNS actions indistinguishable to
</i>>><i> those malware attacks. If Squid can't tell the difference between an
</i>>><i> attack and normal DNS behaviour the only code change possible is to
</i>>><i> disable the check (see above about the risk level).
</i>>></pre></div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On Tue, Oct 18, 2016 at 2:01 PM, <span dir="ltr"><<a href="mailto:garryd@comnet.uz" target="_blank">garryd@comnet.uz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 2016-10-18 22:42, John Wright wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi<br>
<br>
Replying to the list<br>
<br>
Yes i get that error on many different sites same exact error about<br>
host headers.<br>
Also if you watch the TTL on the amazonaws url i provided it changes<br>
from 3 to 5 to 10 seconds to 60 to 10 back and forth.<br>
If you go online to an dns lookup site like kloth i see via kloth 5<br>
seconds TTL<br>
<br>
i get a different TTL value at different times, it appears they dont<br>
have a set TTL but they change it often and it varies.<br>
Right now it appears to be a ttl of 60 seconds as you found but<br>
earlier and over the weekend it has shown 5 seconds and even AWS<br>
support verified it can vary as low as 5 seconds.<br>
That being said , when it is changing every 3-5 seconds which comes<br>
and goes , squid gives the header forgery errors as shown before.<br>
</blockquote>
<br></span>
The time interval between client's and Squid's name lookup is measured in milliseconds. So, in most cases, the would not be false positives in environments where same cashing DNS server is used.<br>
<br>
That specific issue you encounter except alert messages and Squid's inability to cache HTTP responses for "forged" HTTP requests?<div class="m_3667481338315891753HOEnZb"><div class="m_3667481338315891753h5"><br>
______________________________<wbr>_________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.<wbr>org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/l<wbr>istinfo/squid-users</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="">-- <br><div class="m_3667481338315891753gmail_signature" data-smartmail="gmail_signature">Thank you for your time,<br><br>John Wright<br><br></div>
</span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Thank you for your time,<br><br>John Wright<br><br></div>
</div>