[squid-users] Recommended squid settings when using IPS-based domain blocking
brendan kearney
bpk678 at gmail.com
Wed Mar 6 16:16:23 UTC 2024
Tell the team that is running the IPS to change their policy from DROP
to something else, so you are not a captive audience to the timeout.
By sending a RST, they can cause Squid to close the connection and
fail faster. If they are intercepting the DNS request, have them
leverage an RPZ and send a NXDOMAIN response. There are probably
other options to consider, too, and a conversation about how to handle
these scenarios should have been had before they moved to a Prevent
posture.
In short, they made decisions in a vacuum and didn't include all
impacted teams (up- or downstream) that their actions affected. This,
as a policy problem, should be addressed with leadership.
HTH
brendan
On Wed, Mar 6, 2024 at 9:58 AM Alex Rousskov
<rousskov at measurement-factory.com> wrote:
>
> On 2024-03-06 09:48, Jason Marshall wrote:
>
> > We have been using squid (version squid-5.5-6.el9_3.5) under RHEL9 as a
> > simple pass-through proxy without issue for the past month or so.
> > Recently our security team implemented an IPS product that intercepts
> > domain names known to be associated with malware and ransomware command
> > and control. Once this was in place, we started having issues with the
> > behavior of squid.
> >
> > Through some troubleshooting, it appears that what is happening is
> > that when a user's machine makes a request through squid for one of these
> > bad domains, the request is dropped by the IPS, squid waits for the DNS
> > timeout, and then all requests made to squid after that result
> > in NONE_NONE/500 errors, and it never seems to recover until we do a
> > restart or reload of the service.
>
>
> DNS errors, including DNS query timeouts, are common, and Squid is
> supposed to handle them well. Assuming the DNS server is operational,
> what you describe sounds like a Squid bug. Lots of bugs were fixed since
> Squid v5.5, but I do not recall any single bug that would have such a
> drastic outcome.
>
> Squid v5 is not supported by the Squid Project. I recommend upgrading to
> the latest Squid v6 and retesting.
>
>
> HTH,
>
> Alex.
>
>
> > Initially the dns_timeout was set for 30 seconds. I reduced this,
> > thinking that perhaps requests were building up or something along those
> > lines. I set it to 5 seconds, but that just got us to a failure state
> > faster.
> >
> > I also found the negative_dns_ttl setting and thought it might be having
> > an effect, but setting this to 0 seconds resulted in no change to the
> > behavior.
> >
> > Are there any configuration tips that anyone can provide that might work
> > better with dropped/intercepted DNS requests? My current configuration
> > is included here:
> >
> > acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
> > acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
> > acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
> > acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
> > acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
> > acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
> >
> > acl localnet src fc00::/7 # RFC 4193 local private network range
> > acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> >
> > acl SSL_ports port 443
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 9191 # papercut
> > http_access deny !Safe_ports
> > http_access allow localhost manager
> > http_access deny manager
> >
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> > http_port 0.0.0.0:3128
> > http_port 0.0.0.0:3129
> > cache deny all
> > coredump_dir /var/spool/squid
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> > debug_options rotate=1 ALL,2
> > negative_dns_ttl 0 seconds
> > dns_timeout 5 seconds
> >
> > Thank you for any help that you can provide.
> >
> > Jason Marshall
> >
> > _______________________________________________
> > squid-users mailing list
> > squid-users at lists.squid-cache.org
> > https://lists.squid-cache.org/listinfo/squid-users
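As an added illustration, not part of the thread or of Squid itself: the failure mode Jason describes (one slow NONE_NONE/500 after a dropped DNS query, then every destination failing) can be caught from access.log rather than waiting for user reports. The check below assumes the default Squid native log layout and uses constructed sample lines; the `run` and `dns_timeout_ms` thresholds are assumptions to tune per site.

```python
import re

# Assumed Squid native access.log layout:
#   time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def host_of(url):
    """Host part of a proxied URL ('http://h/p') or CONNECT target ('h:443')."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0]

def parse_line(line):
    """Return the fields the check needs, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": float(m["ts"]), "elapsed_ms": int(m["elapsed"]),
            "failed": m["code"] == "NONE_NONE" and m["status"] == "500",
            "host": host_of(m["url"])}

def find_stuck(lines, run=3, dns_timeout_ms=5000):
    """Scan lines in order and report the first point where `run` consecutive
    NONE_NONE/500 responses span at least two distinct hosts: one blocked domain
    failing repeatedly is expected, every destination failing is not. The slow
    failure (elapsed >= dns_timeout_ms) preceding the run is the dropped-DNS signature."""
    streak, last_timeout = [], None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["failed"]:
            streak = []          # a successful transaction breaks the run
            continue
        if rec["elapsed_ms"] >= dns_timeout_ms:
            last_timeout = rec
        streak.append(rec)
        hosts = {r["host"] for r in streak}
        if len(streak) >= run and len(hosts) >= 2:
            return {"detected_at": streak[-1]["ts"], "hosts": sorted(hosts),
                    "trigger_host": last_timeout["host"] if last_timeout else None}
    return None

# Constructed sample: one normal hit, a 5 s timeout on a blocked name, then fast failures elsewhere.
SAMPLE_LOG = [
    "1709740800.101    120 10.0.0.5 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/192.0.2.10 text/html",
    "1709740805.230   5004 10.0.0.7 NONE_NONE/500 0 GET http://blocked.example/ - HIER_NONE/- -",
    "1709740806.010      2 10.0.0.5 NONE_NONE/500 0 GET http://example.org/ - HIER_NONE/- -",
    "1709740806.500      1 10.0.0.9 NONE_NONE/500 0 CONNECT example.net:443 - HIER_NONE/- -",
]

if __name__ == "__main__":
    print(find_stuck(SAMPLE_LOG))
```

Feeding `tail -F /var/log/squid/access.log` into `find_stuck` gives a trigger for an alert or an automatic reload until the underlying bug is fixed upstream.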