[squid-users] Host header forgery detected on domain: mobile.pipe.aria.microsoft.com

Eliezer Croitoru ngtech1ltd at gmail.com
Wed Jan 6 19:49:57 UTC 2021


I'm testing SSL BUMP in 5.0.4 and it's working pretty well despite some
hiccups.

I am trying to think about the right solution for the next issue:
SECURITY ALERT: Host header forgery detected on conn18767 local=52.114.32.24:443 remote=192.168.189.52:65107 FD 15 flags=33 (local IP does not match any domain IP)
    current master transaction: master12927

The main issue is that the DNS service changes the address every ~10 seconds.
An example:
### DRILL START
# drill mobile.pipe.aria.microsoft.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 23399
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mobile.pipe.aria.microsoft.com.      IN      A

;; ANSWER SECTION:
mobile.pipe.aria.microsoft.com. 3066    IN      CNAME   mobile.events.data.trafficmanager.net.
mobile.events.data.trafficmanager.net.  43      IN      CNAME   skypedataprdcolcus06.cloudapp.net.
skypedataprdcolcus06.cloudapp.net.      1       IN      A       52.114.128.69

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 3 msec
;; SERVER: 192.168.200.1
;; WHEN: Wed Jan  6 20:22:28 2021
;; MSG SIZE  rcvd: 159
### DRILL END

### DRILL START
# drill mobile.pipe.aria.microsoft.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 15462
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mobile.pipe.aria.microsoft.com.      IN      A

;; ANSWER SECTION:
mobile.pipe.aria.microsoft.com. 3065    IN      CNAME   mobile.events.data.trafficmanager.net.
mobile.events.data.trafficmanager.net.  42      IN      CNAME   skypedataprdcolcus06.cloudapp.net.
skypedataprdcolcus06.cloudapp.net.      0       IN      A       52.114.128.69

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 23 msec
;; SERVER: 192.168.200.1
;; WHEN: Wed Jan  6 20:22:29 2021
;; MSG SIZE  rcvd: 159
[root@px1 bin]# drill mobile.pipe.aria.microsoft.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31545
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; mobile.pipe.aria.microsoft.com.      IN      A

;; ANSWER SECTION:
mobile.pipe.aria.microsoft.com. 2993    IN      CNAME   mobile.events.data.trafficmanager.net.
mobile.events.data.trafficmanager.net.  22      IN      CNAME   skypedataprdcoleus14.cloudapp.net.
skypedataprdcoleus14.cloudapp.net.      4       IN      A       52.170.57.27

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 13 msec
;; SERVER: 192.168.200.1
;; WHEN: Wed Jan  6 20:22:30 2021
;; MSG SIZE  rcvd: 159
### DRILL END

All of the hosts use the same DNS service in the LAN; however, for some reason
both Squid and the client resolve different addresses within a period of 10 seconds.

The solution I am thinking of is to force a minimum of 60 seconds of caching using
dnsmasq or another caching service.
* https://unix.stackexchange.com/a/287908

Can we (theoretically) teach Squid a way to treat these short TTLs as
something to decide on with an ACL?

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
Zoom: Coming soon
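To make the failure mode in this post reproducible offline, here is an added example (not Squid's code and not something from the original message) that parses drill answers like the ones quoted above, follows the CNAME chain down to the A record, and applies the same rule Squid enforces on intercepted traffic: the TCP destination IP the client connected to must be one of the IPs the proxy itself resolves the Host/SNI name to. The three drill runs and the cache.log alert line are constructed copies of the ones in the post (wrapped lines re-joined); the function and variable names are my own.

```python
"""
Replay Squid's "Host header forgery" check against drill output.

Added example, not Squid's own code. The sample data is constructed
from the drill runs and the SECURITY ALERT line quoted in the post.
"""
import re
from ipaddress import ip_address

# Constructed from the three drill runs in the post, one string per run.
DRILL_RUNS = [
    "mobile.pipe.aria.microsoft.com. 3066 IN CNAME mobile.events.data.trafficmanager.net.\n"
    "mobile.events.data.trafficmanager.net. 43 IN CNAME skypedataprdcolcus06.cloudapp.net.\n"
    "skypedataprdcolcus06.cloudapp.net. 1 IN A 52.114.128.69\n",
    "mobile.pipe.aria.microsoft.com. 3065 IN CNAME mobile.events.data.trafficmanager.net.\n"
    "mobile.events.data.trafficmanager.net. 42 IN CNAME skypedataprdcolcus06.cloudapp.net.\n"
    "skypedataprdcolcus06.cloudapp.net. 0 IN A 52.114.128.69\n",
    "mobile.pipe.aria.microsoft.com. 2993 IN CNAME mobile.events.data.trafficmanager.net.\n"
    "mobile.events.data.trafficmanager.net. 22 IN CNAME skypedataprdcoleus14.cloudapp.net.\n"
    "skypedataprdcoleus14.cloudapp.net. 4 IN A 52.170.57.27\n",
]

# Constructed copy of the cache.log alert line from the post.
ALERT = ("SECURITY ALERT: Host header forgery detected on conn18767 "
         "local=52.114.32.24:443 remote=192.168.189.52:65107 FD 15 flags=33 "
         "(local IP does not match any domain IP)")

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$", re.M)
ALERT_RE = re.compile(r"Host header forgery detected on (\S+) local=(\S+):\d+ remote=")


def parse_answers(text):
    """Return (owner, ttl, rrtype, rdata) tuples from a drill ANSWER SECTION."""
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4))
            for m in RR_RE.finditer(text)]


def resolve_chain(records, name):
    """Follow CNAMEs from `name` to the address records.

    Returns (set of ip_address, effective_ttl). The effective TTL is the
    smallest TTL along the chain: a 1-second A record at the end of a
    3066-second CNAME still has to be re-resolved after one second, which
    is what lets the client and Squid see different answers.
    """
    by_owner = {}
    for owner, ttl, rrtype, rdata in records:
        by_owner.setdefault(owner, []).append((ttl, rrtype, rdata))
    addrs, ttl_floor, seen = set(), None, set()
    while name not in seen:          # `seen` guards against CNAME loops
        seen.add(name)
        nxt = None
        for ttl, rrtype, rdata in by_owner.get(name, []):
            ttl_floor = ttl if ttl_floor is None else min(ttl_floor, ttl)
            if rrtype == "CNAME":
                nxt = rdata
            else:
                addrs.add(ip_address(rdata))
        if nxt is None:
            break
        name = nxt
    return addrs, ttl_floor


def parse_alert(line):
    """Extract (connection id, intercepted destination IP) from the alert, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group(1), ip_address(m.group(2))


def squid_verdict(dst_ip, known_addrs):
    """Squid's rule on intercepted traffic: the TCP destination must be one of
    the IPs the proxy resolved for the Host/SNI name, otherwise it logs the alert."""
    return "ok" if dst_ip in known_addrs else "forgery"


def check(alert_line, drill_runs, name="mobile.pipe.aria.microsoft.com."):
    """Union the addresses from every resolution the proxy has seen (a stand-in
    for its DNS cache) and test the alert's destination IP against that set."""
    known, ttls = set(), []
    for run in drill_runs:
        addrs, ttl = resolve_chain(parse_answers(run), name)
        known |= addrs
        ttls.append(ttl)
    conn, dst = parse_alert(alert_line)
    return {"conn": conn, "dst": str(dst), "known": sorted(map(str, known)),
            "min_ttl": min(ttls), "verdict": squid_verdict(dst, known)}


if __name__ == "__main__":
    print(check(ALERT, DRILL_RUNS))
```

Running it shows why the alert fires even though nothing is being forged: the destination 52.114.32.24 never appears in any of the proxy's own answers, and the effective TTL of the chain bottoms out at 0 seconds, so two resolvers a second apart can legitimately disagree. Padding the TTL at a local cache in front of both the clients and Squid (dnsmasq's `min-cache-ttl`, which is what the linked answer describes) shrinks that window; it does not remove it for clients that bypass the cache.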