Greetings from Beijing. When it comes to the location, you know our security 
concerns.
I managed to implement the following bluemaps:

*       acl extranet                    dstdomain "domain list A"
*       acl extranet_whitelist          dstdomain "domain list B"
*       cache_peer      a.b.c.d parent …. name=NodeNG
*       always_direct           extranet_whitelist
*       never_direct            extranet
*       (NO IP-based acl at all, except pre-defined localhost, localnet, acl etc.)
It seems peer-selection is functional as expected.


I've dug into lots of history mails on DNS queries and cache_peers. Anyhow I 
observed peer-select.cc still conducting DNS lookups on an extranet domain, 
which is a purely domain-based ACL, e.g.

"       peer_select.cc(833) selectSomeParent: CONNECT www.example.com
        … ...
        peer_select.cc(460) resolveSelected: Find IP destination for: www.example.com:443' via a.b.c.d
        … …
        ipcacheParse: 1 answers for www.example.com
        … …
        ipcache.cc(532) addGood: www.example.com #1 q.w.e.r
        ipcache.cc(576) ipcacheHandleReply: done with www.example.com
"
In other words, Squid conducts DNS lookups after peer-selection is finished. 
Anyhow, a parent proxy can typically handle DNS queries itself, whether the 
child proxy does it or not. 

DNS is not reliable, especially the way Squid uses it (UDP 53). For the 
following concerns, an ISP might manipulate DNS replies:

+ redirect clients to faster local CDNs, which might help them to reduce 
expenses caused by traffic.
+ redirect clients to another connection pool during peak hours, for ISP-side 
load-balancing or QoS purposes. 
+ block some sites on demand of authorized agencies
+ as a further step, for DPI, packet analysis, site cataloguing (to assign 
different IP flags for the above 3 purposes) etc.
+ others

As a result, incorrect DNS replies cause remarkable issues, including "no such 
domain" errors, HTTP 4xx, HTTP 5xx and SSL handshake failures. It also brings 
up DNS leak and privacy issues when a child cache conducts DNS queries.

So, what can I do to have extranet DNS handled by the parent proxy, while 
leaving the remainder to the child proxy, with a domain list? 

Thank you

—
Squid Cache: Version 5.7
Service Name: squid
Debian linux
_______________________________________________
squid-users mailing list
https://lists.squid-cache.org/listinfo/squid-users
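As an added example (not part of the mail above and not Squid's own code), the following script checks a cache.log excerpt for the leak the poster describes: it emulates Squid's dstdomain matching (a leading dot covers the domain and its subdomains, an entry without one matches exactly) together with the always_direct-before-never_direct ordering, and flags every ipcacheParse answer the child proxy received for a host that the ACLs route through the parent. The two domain lists and the log excerpt are constructed stand-ins for the poster's "domain list A" / "domain list B" and cache.log, including the timestamp and section prefix assumed for each line.

```python
import re

# Constructed stand-ins for the poster's dstdomain lists (assumption).
# Leading dot: the domain and every subdomain; no dot: exact match only.
EXTRANET = [".example.com", "portal.example.org"]
EXTRANET_WHITELIST = ["cdn.example.com"]

# The evidence quoted in the mail: an answer parsed by the ipcache means
# the child proxy itself sent a DNS query for that host.
IPCACHE_ANSWER = re.compile(r"ipcacheParse: (?P<n>\d+) answers for (?P<host>[A-Za-z0-9.-]+)")


def dstdomain_match(host: str, entries) -> bool:
    """Emulate Squid's dstdomain ACL matching for one host."""
    host = host.rstrip(".").lower()
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def should_go_via_parent(host: str) -> bool:
    """always_direct is evaluated before never_direct: whitelisted hosts go direct."""
    if dstdomain_match(host, EXTRANET_WHITELIST):
        return False
    return dstdomain_match(host, EXTRANET)


def find_dns_leaks(log_lines):
    """(line_number, host) for each DNS answer the child got for a parent-routed host."""
    leaks = []
    for lineno, line in enumerate(log_lines, 1):
        m = IPCACHE_ANSWER.search(line)
        if m and should_go_via_parent(m.group("host")):
            leaks.append((lineno, m.group("host")))
    return leaks


# Constructed cache.log excerpt modelled on the lines quoted in the mail.
SAMPLE_LOG = """\
2024/01/01 10:00:00.001 kid1| 44,3| peer_select.cc(833) selectSomeParent: CONNECT www.example.com
2024/01/01 10:00:00.002 kid1| 44,2| peer_select.cc(460) resolveSelected: Find IP destination for: www.example.com:443' via a.b.c.d
2024/01/01 10:00:00.010 kid1| 14,3| ipcacheParse: 1 answers for www.example.com
2024/01/01 10:00:00.011 kid1| 14,3| ipcache.cc(532) addGood: www.example.com #1 q.w.e.r
2024/01/01 10:00:00.020 kid1| 14,3| ipcacheParse: 2 answers for cdn.example.com
2024/01/01 10:00:00.030 kid1| 14,3| ipcacheParse: 1 answers for www.debian.org
""".splitlines()

if __name__ == "__main__":
    for lineno, host in find_dns_leaks(SAMPLE_LOG):
        print(f"line {lineno}: child resolved {host}, which never_direct routes via the parent")
```

Run it against a real cache.log (debug_options 14,3 44,3 or higher) by replacing SAMPLE_LOG with the file's lines; an empty result means every extranet lookup stayed with the parent.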