[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Dan Charlesworth dan at getbusi.com
Wed Nov 25 00:40:37 UTC 2015


Alright, thanks for the hint.

My proxy and clients definitely have the same DNS server (I removed the secondary and tertiary ones to make totally sure) but the results definitely aren’t matching 99% of the time. Probably more like 90%.

Perhaps it’s 'cause my clients are caching records locally or something? It does seem to improve as the day progresses, after joining the intercepted wifi network in the morning.

Super annoying though trying to post a comment on GitHub or something and it just hangs.

> On 25 Nov 2015, at 11:19 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 25/11/2015 12:20 p.m., Dan Charlesworth wrote:
>> Thanks for the perspective on this, folks.
>> 
>> Going back to the technical stuff—and this isn’t really a squid thing—but is there any way I can minimise this using my DNS server? 
>> 
>> Can I force my local DNS to only ever return 1 address from the pool on a hostname I’m having trouble with?
> 
> That depends on your resolver, but I doubt it.
> 
> The DNS setup I mentioned in my last email to this thread is all I'm
> aware of that gets even close to a fix.
> 
> Note that you may have to intercept clients' port 53 traffic (both UDP
> and TCP) to the resolver. That has implications with DNSSEC but should
> still work as long as you do not alter the DNS responses, the resolver
> is just there to ensure the same result goes to both querying parties.
> 
> Amos
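
A simplified model of the mismatch discussed in this thread, added here as an illustration; it is not code from Squid or from either poster. It reduces the check to "is the intercepted connection's destination IP in the proxy's own DNS answer for the Host header", and the pool, host name, TTLs and rotation pattern are constructed assumptions, not measurements from Dan's network.

```python
# Constructed pool of eight addresses (RFC 5737 documentation range).
POOL = [f"192.0.2.{i}" for i in range(1, 9)]

class RotatingAuthority:
    """Upstream DNS that returns a different 2-address slice of the pool per query."""
    def __init__(self, pool, per_answer=2):
        self.pool, self.per_answer, self.queries = pool, per_answer, 0

    def query(self, name, now):
        start = (self.queries * self.per_answer) % len(self.pool)
        self.queries += 1
        return self.pool[start:start + self.per_answer]

class Cache:
    """TTL cache in front of an upstream. Used both for the shared resolver
    and for the client's local record cache."""
    def __init__(self, upstream, ttl):
        self.upstream, self.ttl, self.entries = upstream, ttl, {}

    def query(self, name, now):
        expiry, answer = self.entries.get(name, (now, None))
        if now >= expiry:  # missing or expired: ask upstream and re-cache
            answer = self.upstream.query(name, now)
            self.entries[name] = (now + self.ttl, answer)
        return answer

def forgery_flags(client_cache_secs, resolver_ttl=30, requests=100, interval=10,
                  host="pool.example.test"):  # hypothetical host name
    """Count requests whose destination IP is absent from the proxy's DNS answer."""
    resolver = Cache(RotatingAuthority(POOL), resolver_ttl)  # shared by client and proxy
    client = Cache(resolver, client_cache_secs)              # client's local cache
    flagged = 0
    for i in range(requests):
        now = i * interval
        dst_ip = client.query(host, now)[0]     # client connects to its first cached address
        proxy_view = resolver.query(host, now)  # proxy resolves the Host header itself
        if dst_ip not in proxy_view:            # simplified form of the verification
            flagged += 1
    return flagged

if __name__ == "__main__":
    # Client holds records for 5 minutes while the shared resolver rotates every 30 s.
    print("stale client cache:", forgery_flags(client_cache_secs=300), "of 100 flagged")
    # Client asks the shared resolver on every request, so both sides see one answer.
    print("no client cache:   ", forgery_flags(client_cache_secs=0), "of 100 flagged")
```

In this model a shared resolver is not enough on its own: the flags disappear only when the client and the proxy use the same cached answer at the time of the request.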


