[squid-users] Host header forgery detected after upgrade from 3.5.8 to 3.5.9

Dan Charlesworth dan at getbusi.com
Thu Oct 22 10:06:04 UTC 2015


Ah-ha. Thanks for digging into that a bit Amos.

In my case 8.8.8.8 is the tertiary server, so I’m surprised it’s being used at all. Could be a local DNS server is forwarding to it, though.

I’ll remove that from the equation tomorrow and see how it fares.

Cheers

> On 22 Oct 2015, at 8:58 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> 
> On 21/10/2015 4:53 p.m., Dan Charlesworth wrote:
>> I’m getting these very frequently for api.github.com and github.com
>> 
>> I’m using the same DNS servers as my intercepting squid 3.5.10 proxy and they only return the one IP when I do an nslookup as well …
>> 
>> Any updates from your end, Roel?
> 
> 
> I just did a quick test of api.github.com and what I'm seeing is only
> one IP at a time being delivered. BUT that IP is showing signs of being
> a geo-DNS based result and also has a 60 second TTL.
> 
> So ... when using the Google "free" DNS service it changes IP number
> almost every second. Based on which of the Google servers you happen to
> be working through with that particular request.
> 
> You can watch it cycling if you like:
> watch dig A api.github.com @8.8.8.8
> 
> 
> You could run a local bind server and redirect UDP port 53 requests from
> clients to it so they stop using 8.8.8.8 etc and start using a DNS like
> it's supposed to work.
> 
> Amos
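
Added example, not part of the thread: a way to turn the `dig` polling suggested above into a comparison between the resolver the clients use and the resolver the intercepting proxy uses. The function names, the local resolver address 192.0.2.53 and all sample answers are constructed for illustration.

```shell
#!/bin/sh
# Poll each resolver COUNT times; emit "<resolver> <ip>" per A record seen.
# Needs network access and dig, so it is not called on the sample run below.
collect() {  # usage: collect HOST COUNT RESOLVER...
    host=$1; count=$2; shift 2
    for r in "$@"; do
        i=0
        while [ "$i" -lt "$count" ]; do
            dig +short A "$host" "@$r" | grep -E '^[0-9.]+$' | sed "s/^/$r /"
            i=$((i + 1)); sleep 1
        done
    done
}

# Distinct IPs per resolver: a count above 1 means the answer rotates.
distinct_per_resolver() {
    sort -u | awk '{ n[$1]++ } END { for (r in n) print r, n[r] }' | sort
}

# IPs the client-side resolver handed out that the proxy-side resolver never
# returned. A client connecting to one of these arrives at the intercepting
# proxy with a destination the proxy's own lookup of the Host name does not
# confirm, which is the condition the forgery check reports.
unconfirmed_ips() {  # usage: unconfirmed_ips CLIENT_RESOLVER PROXY_RESOLVER
    awk -v c="$1" -v p="$2" '
        $1 == p { seen[$2] = 1 }
        $1 == c { cand[$2] = 1 }
        END { for (ip in cand) if (!(ip in seen)) print ip }' | sort
}

# Constructed sample: 8.8.8.8 rotates, the local resolver (hypothetical
# address 192.0.2.53) is stable. Answer IPs are documentation ranges.
SAMPLE='8.8.8.8 203.0.113.10
8.8.8.8 203.0.113.11
8.8.8.8 203.0.113.10
8.8.8.8 203.0.113.12
192.0.2.53 203.0.113.10
192.0.2.53 203.0.113.10'

printf '%s\n' "$SAMPLE" | distinct_per_resolver
printf '%s\n' "$SAMPLE" | unconfirmed_ips 8.8.8.8 192.0.2.53
```

On live data, feed the output of `collect api.github.com 30 8.8.8.8 <proxy resolver>` into the two functions; an empty result from `unconfirmed_ips` means clients and proxy saw the same set of addresses during the sampling window.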


