> I know. Can you post your squid.conf or should we continue guessing?
Sure thing. I separate the squid conf into small ones. Here is the one with cache_peer

“
Debian:/etc/squid/conf.d# cat 06-cachepeer.conf | grep -v '^\#'
nonhierarchical_direct off #default on
prefer_direct off
acl extranet dstdomain -n "/etc/squid/bl_domain.lst"
acl extranet dstdomain -n "/etc/squid/additional.lst"
acl extranet_whitelist dstdomain -n "/etc/squid/wl_domain.lst"
always_direct allow extranet_whitelist
always_direct deny extranet
never_direct allow extranet
never_direct deny all
cache_peer 192.168.8.235 parent 1080 0 no-query no-digest no-netdb-exchange name=ProxyNG
cache_peer_access ProxyNG deny extranet_whitelist
cache_peer_access ProxyNG allow extranet
cache_peer_access ProxyNG deny !extranet
acl ViaProxy peername ProxyNG # for further research
“

I also noticed cache peer selection via cache.log. The order or use of “always/never_direct” doesn’t have noticeable influence over DNS lookups.

>>> but if your ISP intercepts and modifies DNS, I recommend using DNS server
>>> supporting DoH, DoT or supporting validation, if you are unable to switch
>>> ISPs or ask them not to do that.

Bro, you cannot ask cats not to eat fishes. You put a shell to cover it, cats know how to break it.

> On Jan 13, 2026, at 2:11 AM, Matus UHLAR - fantomas <[email protected]> wrote:
>
> On 13.01.26 01:37, archer wrote:
>> DST is not recommended by me, because it brings up DNS queries.
>
> That's exactly what I have said.
>
>> DST is an IP(s)-based ACL, which might have to resolve DNS FQDN to IP before
>> it is able to determine whether the requested domain name matches the DST
>> ACL .
>
> I know. Can you post your squid.conf or should we continue guessing?
>
>>>>> On 10.01.26 06:19, archer wrote:
>>>>>> Greetings from Beijing. When it comes to the location, you know our
>>>>>> security concerns.
>>>>>> I managed to implement the following bluemaps:
>>>>>>
>>>>>> * acl extranet dstdomain “domain list A”
>>>>>> * acl extranet_whitelist dstdomain “domain list B”
>>>>>
>>>>>> So, what can I do to have extranet DNS handled by the parent proxy,
>>>>>> while leaving the remainder to the child proxy, with a domain list ?
>
>>>>> On Jan 12, 2026, at 4:33 PM, Matus UHLAR - fantomas <[email protected]>
>>>>> wrote:
>>>>> You can use "dstdomain -n" to disable DNS translation here.
>>>>> I recommend doing that.
>>>
>>> On 13.01.26 01:18, archer wrote:
>>>> In my config, it is “dstdomain -n” already. Anyway it is not functional,
>>>> whether there is a “-n “ tag .
>>>> I have dig official conf reference, and lots mail archives. Believe me, I
>>>> would not make easy mistakes.
>>>> Anyway I am not capable of reviewing squid source code, dunno whether it
>>>> is a designed logic or a bug. If it is not expectable, I might have to
>>>> select another child proxy program.
>
>>> On Jan 13, 2026, at 1:26 AM, Matus UHLAR - fantomas <[email protected]>
>>> wrote: there may be different directive(s) that require DNS lookup, e.g.
>>> "dst" directives.
>>>
>>> but if your ISP intercepts and modifies DNS, I recommend using DNS server
>>> supporting DoH, DoT or supporting validation, if you are unable to switch
>>> ISPs or ask them not to do that.
>
> --
> Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> - Have you got anything without Spam in it?
> - Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
> _______________________________________________
> squid-users mailing list
> [email protected]
> https://lists.squid-cache.org/listinfo/squid-users
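
Added example, not part of any message in this thread and not Squid project code: the hint above that other directives such as "dst" may require DNS lookups can be checked mechanically across split conf.d files. The set of ACL types is an assumption taken from the squid.conf acl documentation (dst, dstdomain and dstdom_regex accept -n; srcdomain and srcdom_regex always do a reverse lookup); the function name dns_risky_acls and the sample lines marked "constructed" are hypothetical.

```python
import shlex

# Assumption of this example (from the squid.conf "acl" documentation, not from
# the thread): these ACL types resolve names/addresses unless -n is given ...
TAKES_N = {"dst", "dstdomain", "dstdom_regex"}
# ... and these always need a reverse lookup of the client address.
ALWAYS_LOOKUP = {"srcdomain", "srcdom_regex"}
ROUTING = {"always_direct", "never_direct", "cache_peer_access"}

# The extranet ACL and routing lines follow the posted config;
# lines marked "constructed" are made up for this example.
SAMPLE = r'''
acl extranet dstdomain -n "/etc/squid/bl_domain.lst"
acl extranet_whitelist dstdomain -n "/etc/squid/wl_domain.lst"
acl intranet_nets dst 10.0.0.0/8         # constructed: dst without -n
acl partner dstdomain .partner.example   # constructed: dstdomain without -n
always_direct allow extranet_whitelist
always_direct allow intranet_nets        # constructed
never_direct allow extranet
cache_peer_access ProxyNG deny !extranet
'''

def dns_risky_acls(conf_text):
    """Map each ACL that may make this Squid do DNS itself to the routing
    directives (always_direct, never_direct, cache_peer_access) that use it."""
    risky, used_by = set(), {}
    for raw in conf_text.splitlines():
        tok = shlex.split(raw, comments=True)  # drops # comments, unquotes paths
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            name, acl_type, flags = tok[1], tok[2], []
            for arg in tok[3:]:                # leading options only, up to "--"
                if not arg.startswith("-") or arg == "--":
                    break
                flags.append(arg)
            if acl_type in ALWAYS_LOOKUP or (acl_type in TAKES_N and "-n" not in flags):
                risky.add(name)
        elif tok[0] in ROUTING:
            # cache_peer_access carries the peer name before allow/deny
            refs = tok[3:] if tok[0] == "cache_peer_access" else tok[2:]
            for ref in refs:
                used_by.setdefault(ref.lstrip("!"), set()).add(tok[0])
    return {name: sorted(used_by.get(name, ())) for name in sorted(risky)}

if __name__ == "__main__":
    for name, where in dns_risky_acls(SAMPLE).items():
        print(name, "->", ", ".join(where) or "not used for routing")
```

Run it over the concatenation of all conf.d fragments, since an ACL defined in one file can be used for routing in another. It only covers ACL definitions, so an empty result does not rule out other sources of DNS queries.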
