[squid-users] squid 6.3: client internal ip address PTR DNS query

David Touzeau david at articatech.com
Tue Mar 18 18:41:12 UTC 2025


Hi Alex

Thanks

The information provided is very useful.
Although ICAP is not used, the log configuration is active.
Let's validate the first leads you've given us.

regards

On 18/03/2025 at 15:07, Alex Rousskov wrote:
> On 2025-03-18 06:25, David Touzeau wrote:
>>
>> We note that Squid performs a client DNS PTR query each time a client 
>> sends a query.
>>
>> We have taken care to ensure that:
>>
>>   * the log model does not use machine names
>>   * no ACLs concerning workstation hostnames are added.
>
> FWIW, the phrase "workstation hostnames" is a red flag for me, 
> especially when the other bullet uses "machine names" terminology. In 
> my experience, it is easy to overlook a logformat %code or ACL that 
> requires Squid to do a reverse DNS lookup.
>
> N.B. In modern Squids (including your v6.3), default ICAP logformat 
> triggers reverse DNS lookups if icap_log is enabled.
>
>
>> We use Kerberos authentication with Squid: is the 
>> negotiate_kerberos_auth/process plugin able to perform PTR requests?
>
> I am not a Kerberos expert, but I believe that plugin can trigger DNS 
> requests at startup (at least). I do not know whether it can trigger 
> DNS requests at runtime. You should be able to check that theory by 
> disabling authentication for a test client/transaction.
>
>
>> Is there another option that prevents Squid from performing such requests?
>
> I do not think so. You have to figure out what triggers those queries 
> and adjust the corresponding configuration accordingly. I can offer a 
> free private review of your cache.log file collected while reproducing 
> the problem using as few transactions as possible and enabling full 
> debugging (e.g., setting debug_options to ALL,9). More hints are 
> available at 
> https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction
>
> If you would like to proceed with the above analysis, please email me 
> a link to the corresponding compressed cache.log.
>
>
> HTH,
>
> Alex.

-- 
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www:https://wiki.articatech.com
www:http://articatech.net 
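
Added example (not part of the original thread, and not Squid project code): a small Python audit of a squid.conf for the kinds of directives the quoted reply describes as easy to overlook. It assumes `%>A` is the client-FQDN logformat code, that `srcdomain` and `srcdom_regex` ACLs need the client's reverse-resolved name, and that `icap_squid` is the name of the built-in ICAP format; the sample configuration and the function name are constructed.

```python
import re

# Constructed sample configuration for illustration (not from the thread).
SAMPLE_CONF = """\
# custom format: %>a is the client IP, %>A is the client FQDN
logformat audit %ts.%03tu %>a %>A %un %rm %ru %>Hs
access_log daemon:/var/log/squid/access.log audit
acl office_pcs srcdomain .corp.example
acl lan src 10.0.0.0/8
# acl old_pcs srcdom_regex -i ^pc-
icap_log /var/log/squid/icap.log
http_access allow lan
"""

# %>A with optional logformat modifiers (quoting, "-", width, {arg}).
CLIENT_FQDN = re.compile(r"%[\"\[\'#/]?-?\d*(?:\.\d+)?(?:\{[^}]*\})?>A")
# ACL types matched against the client's reverse-resolved name.
REVERSE_ACL_TYPES = {"srcdomain", "srcdom_regex"}


def reverse_dns_triggers(conf_text):
    """Return (line number, directive, reason) for each suspect line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        directive, *args = line.split()
        if CLIENT_FQDN.search(" ".join(args)):
            # Reported for any directive, and whether or not the format is
            # referenced by an access_log, so nothing is overlooked.
            findings.append((lineno, directive, "%>A client FQDN code"))
        elif directive == "acl" and len(args) >= 2 and args[1] in REVERSE_ACL_TYPES:
            findings.append((lineno, directive, f"{args[1]} ACL {args[0]}"))
        elif directive == "icap_log" and (len(args) == 1 or args[1] == "icap_squid"):
            # Per the reply above: the default ICAP logformat triggers
            # reverse lookups whenever icap_log is enabled.
            # "icap_squid" as the default format's name is an assumption.
            findings.append((lineno, directive, "default ICAP logformat"))
    return findings


if __name__ == "__main__":
    for lineno, directive, reason in reverse_dns_triggers(SAMPLE_CONF):
        print(f"line {lineno}: {directive}: {reason}")
```

Run it against the fully expanded configuration, since `include` files are not followed here.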