[squid-users] squid 6.3: client internal ip address PTR DNS query

Alex Rousskov rousskov at measurement-factory.com
Tue Mar 18 14:07:56 UTC 2025


On 2025-03-18 06:25, David Touzeau wrote:
> 
> We note that Squid performs a client DNS PTR query each time a client 
> sends a query.
> 
> We have taken care to ensure that
> 
>   * the log model does not use machine names
>   * no ACLs concerning workstation hostnames are added.

FWIW, the phrase "workstation hostnames" is a red flag for me, 
especially when the other bullet uses "machine names" terminology. In my 
experience, it is easy to overlook a logformat %code or ACL that 
requires Squid to do a reverse DNS lookup.

N.B. In modern Squids (including your v6.3), the default ICAP logformat 
triggers reverse DNS lookups if icap_log is enabled.


> We use Kerberos authentication with Squid: is the 
> negotiate_kerberos_auth/process plugin able to perform PTR requests?

I am not a Kerberos expert, but I believe that plugin can trigger DNS 
requests at startup (at least). I do not know whether it can trigger DNS 
requests at runtime. You should be able to check that theory by 
disabling authentication for a test client/transaction.


> Is there another option that prevents Squid from performing such requests?

I do not think so. You have to figure out what triggers those queries 
and adjust the corresponding configuration accordingly. I can offer a 
free private review of your cache.log file collected while reproducing 
the problem using as few transactions as possible and enabling full 
debugging (e.g., setting debug_options to ALL,9). More hints are 
available at 
https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction

If you would like to proceed with the above analysis, please email me a 
link to the corresponding compressed cache.log.


HTH,

Alex.
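
Concretely, the directives worth checking when hunting for the trigger, as an added squid.conf example that is not part of Alex's reply or Squid's shipped configuration: the %>A/%>a logformat codes and the srcdomain/src ACL types are taken from Squid's logformat and ACL documentation, while the log paths and the ACL name are placeholders.

```conf
# Each Squid directive below that reverse-resolves the client IP (PTR lookup)
# is shown beside a variant that logs or matches the address instead.

# 1. Access log: %>A is the client FQDN and forces a PTR lookup per request;
#    %>a is the client IP and does not.
logformat withfqdn %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
logformat iponly   %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
access_log daemon:/var/log/squid/access.log iponly

# 2. ICAP log: with no explicit format, icap_log uses the built-in icap_squid
#    format, which contains %>A. Name your own format with %>a instead.
logformat icap_iponly %ts.%03tu %6icap::tr %>a %icap::to/%03icap::Hs %icap::<size %icap::rm %icap::ru %un -/%icap::<A %icap::<mt
icap_log daemon:/var/log/squid/icap.log icap_iponly

# 3. ACLs: srcdomain and srcdom_regex match the client's reverse-resolved
#    name and therefore trigger a PTR lookup; src matches the address.
# acl lan srcdomain .corp.example      # triggers a PTR lookup per client
acl lan src 10.0.0.0/8                 # placeholder range, no DNS involved
http_access allow lan
```

After changing the configuration, reproduce with a single transaction under debug_options ALL,9 as Alex suggests and confirm that no further PTR lookups of the client address appear in cache.log.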


