[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9
Dan Charlesworth
dan at getbusi.com
Wed Nov 25 01:11:29 UTC 2015
They’re probably matching about 40% of the time on twitter.com, though 😒
> On 25 Nov 2015, at 11:40 AM, Dan Charlesworth <dan at getbusi.com> wrote:
>
> Alright, thanks for the hint.
>
> My proxy and clients definitely have the same DNS server (I removed the secondary and tertiary ones to make totally sure) but the results definitely aren’t matching 99% of the time. Probably more like 90%.
>
> Perhaps it’s 'cause my clients are caching records locally or something? It does seem to improve as the day progresses, after joining the intercepted wifi network in the morning.
>
> Super annoying though trying to post a comment on GitHub or something and it just hangs.
>
>> On 25 Nov 2015, at 11:19 AM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>>
>> On 25/11/2015 12:20 p.m., Dan Charlesworth wrote:
>>> Thanks for the perspective on this, folks.
>>>
>>> Going back to the technical stuff—and this isn’t really a squid thing—but is there any way I can minimise this using my DNS server?
>>>
>>> Can I force my local DNS to only ever return 1 address from the pool on a hostname I’m having trouble with?
>>
>> That depends on your resolver, but I doubt it.
>>
>> The DNS setup I mentioned in my last email to this thread is all I'm
>> aware of that gets even close to a fix.
>>
>> Note that you may have to intercept clients' port 53 traffic (both UDP
>> and TCP) to the resolver. That has implications with DNSSEC but should
>> still work as long as you do not alter the DNS responses, the resolver
>> is just there to ensure the same result goes to both querying parties.
>>
>> Amos
>
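The following toy model is an added example, not part of the thread or of Squid's code. It treats the intercept-mode Host check as "the client's destination IP must appear in the proxy's own DNS answer for that name" and compares three setups: separate lookups, one shared caching resolver, and a shared resolver with an extra client-side cache. The pool addresses, hold times and host name are constructed assumptions.

```python
# Toy model (constructed data): RFC 5737 addresses stand in for a rotating DNS pool.
POOL = [f"192.0.2.{i}" for i in range(1, 9)]

class RotatingAuthority:
    """Upstream that hands out the next two pool addresses on every query."""
    def __init__(self):
        self.offset = 0
    def query(self, name, now):
        answer = [POOL[(self.offset + i) % len(POOL)] for i in range(2)]
        self.offset = (self.offset + 2) % len(POOL)
        return answer

class Cache:
    """Caching layer (resolver or client-side cache) holding answers for `hold` seconds."""
    def __init__(self, upstream, hold):
        self.upstream, self.hold, self.entries = upstream, hold, {}
    def query(self, name, now):
        expiry, answer = self.entries.get(name, (0, None))
        if answer is None or now >= expiry:
            answer = self.upstream.query(name, now)
            self.entries[name] = (now + self.hold, answer)
        return answer

def host_check(dst_ip, proxy_answer):
    """Pass only if the client's destination IP is in the proxy's own DNS answer."""
    return dst_ip in proxy_answer

def match_rate(scenario, requests=120, step=10):
    """Fraction of requests passing the check; one request every `step` seconds."""
    authority = RotatingAuthority()
    if scenario == "separate":        # client and proxy each query upstream themselves
        client, proxy = Cache(authority, 30), Cache(authority, 30)
    else:
        resolver = Cache(authority, 30)   # one resolver answers both parties
        proxy = resolver
        # "shared+local": the client keeps its own copy longer than the resolver does
        client = resolver if scenario == "shared" else Cache(resolver, 60)
    passed = 0
    for i in range(requests):
        now = i * step
        dst_ip = client.query("host.example", now)[0]  # client connects to first address
        passed += host_check(dst_ip, proxy.query("host.example", now))
    return passed / requests

if __name__ == "__main__":
    for scenario in ("separate", "shared", "shared+local"):
        print(scenario, match_rate(scenario))
```

In this model the shared resolver alone always matches, while a client cache that outlives the resolver's entry brings mismatches back whenever the resolver refreshes to a different slice of the pool.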