<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#464646" bgcolor="#FFFFFF">
<font face="monospace">Hi Alex <br>
<br>
Thanks<br>
<br>
The information provided is very useful.<br>
Although ICAP is not used, the log configuration is active.<br>
Let's validate the first leads you've given us.<br>
</font><br>
Regards<br>
<br>
<div class="moz-cite-prefix">On 18/03/2025 at 15:07, Alex Rousskov
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:f37bf2d2-502b-4253-a1a2-93202e2b1482@measurement-factory.com">On
2025-03-18 06:25, David Touzeau wrote:
<br>
<blockquote type="cite">
<br>
We note that Squid performs a client DNS PTR query each time a
client sends a query.
<br>
<br>
We have taken care to ensure that:
<br>
<br>
* the log model does not use machine names
<br>
* no ACLs concerning workstation hostnames are added.
<br>
</blockquote>
<br>
FWIW, the phrase "workstation hostnames" is a red flag for me,
especially when the other bullet uses "machine names" terminology.
In my experience, it is easy to overlook a logformat %code or ACL
that requires Squid to do a reverse DNS lookup.
<br>
<br>
N.B. In modern Squids (including your v6.3), default ICAP
logformat triggers reverse DNS lookups if icap_log is enabled.
<br>
<br>
<br>
<blockquote type="cite">We use Kerberos authentication with Squid:
is the negotiate_kerberos_auth/process plugin able to perform PTR
requests?
<br>
</blockquote>
<br>
I am not a Kerberos expert, but I believe that plugin can trigger
DNS requests at startup (at least). I do not know whether it can
trigger DNS requests at runtime. You should be able to check that
theory by disabling authentication for a test client/transaction.
<br>
<br>
<br>
<blockquote type="cite">Is there another option that prevents Squid
from performing such requests?
<br>
</blockquote>
<br>
I do not think so. You have to figure out what triggers those
queries and adjust the corresponding configuration accordingly. I
can offer a free private review of your cache.log file collected
while reproducing the problem using as few transactions as
possible and enabling full debugging (e.g., setting debug_options
to ALL,9). More hints are available at
<a class="moz-txt-link-freetext" href="https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction">https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction</a><br>
<br>
If you would like to proceed with the above analysis, please email
me a link to the corresponding compressed cache.log.
<br>
<br>
<br>
HTH,
<br>
<br>
Alex.
<br>
<br>
_______________________________________________
<br>
squid-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.squid-cache.org/listinfo/squid-users">https://lists.squid-cache.org/listinfo/squid-users</a>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www: <a class="moz-txt-link-freetext" href="https://wiki.articatech.com">https://wiki.articatech.com</a>
www: <a class="moz-txt-link-freetext" href="http://articatech.net">http://articatech.net</a> </pre>
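<p>Added example, not part of the original messages and not Squid project code: a small scan of squid.conf text for the kinds of settings described in the quoted reply as easy to overlook (a logformat %code, an ACL, or icap_log with its default format). Beyond what the thread states, it assumes that %&gt;A (client FQDN) is the relevant logformat code and that srcdomain and srcdom_regex are the relevant ACL types; the sample configuration is constructed.</p>
<pre>
```python
import re

# %>A is Squid's logformat code for the client FQDN (assumption noted above);
# the optional parts before it are logformat modifiers (quoting, '-', width, {arg}).
CLIENT_FQDN_CODE = re.compile(r"""%["\[\'#/]?-?[0-9]*(?:\{[^}]*\})?>A""")
# ACL types that match on the client's host name rather than its IP address.
CLIENT_NAME_ACLS = {"srcdomain", "srcdom_regex"}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """\
# constructed example
logformat nodns %ts.%03tu %6tr %>a %Ss/%03>Hs %rm %ru
logformat withname %ts %>A %>a %rm %ru
access_log /var/log/squid/access.log withname
acl office srcdomain .example.internal
acl lan src 192.168.0.0/16
acl pcs srcdom_regex -i ^pc[0-9]+
icap_log /var/log/squid/icap.log
"""

def reverse_dns_triggers(conf_text):
    """Return (line_number, directive, reason) for each suspect line."""
    findings = []
    for number, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        directive = tokens[0]
        if directive == "logformat" and CLIENT_FQDN_CODE.search(raw):
            # Only matters if a log directive actually uses this format.
            findings.append((number, directive, "format uses %>A (client FQDN)"))
        elif directive == "acl" and len(tokens) >= 3 and tokens[2] in CLIENT_NAME_ACLS:
            findings.append((number, directive, tokens[2] + " matches on client host name"))
        elif directive == "icap_log" and len(tokens) == 2:
            # Only a path is given, so the default ICAP logformat applies.
            findings.append((number, directive, "icap_log with default logformat"))
    return findings

if __name__ == "__main__":
    for number, directive, reason in reverse_dns_triggers(SAMPLE_CONF):
        print(f"line {number}: {directive}: {reason}")
```
</pre>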
</body>
</html>