On 24/10/2013 1:47 a.m., Plamen wrote:
> Hi,
>
> how to disable squid resolving every request if it is running in TPROXY
> mode?

Why are you asking in particular?

If you are planning to use cache storage at all this is not a good choice. The hidden underbelly of CVE-2009-0801 is malicious cache corruption infecting your entire network. So any unvalidated request is a non-cacheable response. The DNS is used to validate the Host header.

> Technically squid doesn't need to do dns resolving in this mode of operation
> so probably there is a way to configure this.

Technically Squid *does* need to do this resolving if Squid is going to do its job and locate the fastest possible source. The semi-random IP choice made by the client is based on client capabilities and network view which are all irrelevant on the proxy upstream connection. Beyond that the DNS is used to validate the client is trustworthy enough to cache their traffic and re-use for others.

Amos
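
The check described in the reply above, as an added example that is not part of the original email and is not Squid's own code: a simplified model of how an intercepting proxy can use DNS to decide whether the Host header matches the address the client actually connected to, and refuse to cache when it does not. The function names, the `Decision` fields, the constructed DNS table and the choice to pass unverified traffic through to the original destination address are assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass

# Constructed DNS answers standing in for the proxy's resolver
# (documentation-range addresses, not real hosts).
SAMPLE_DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "cdn.example.net": {"198.51.100.7"},
}

@dataclass(frozen=True)
class Decision:
    host_verified: bool   # did DNS confirm Host -> original destination?
    cacheable: bool       # may the response be stored and re-used for others?
    forward_to: str       # where the proxy sends the request
    reason: str

def split_host(host_header):
    """Return the host part of a Host header value, lowercased, without port."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [2001:db8::1]:8080
        return host[1:].partition("]")[0]
    return host.rsplit(":", 1)[0]            # strips ":port" when present

def verify_intercepted(orig_dst, host_header,
                       resolve=lambda name: SAMPLE_DNS.get(name, set())):
    """Model of Host validation for an intercepted (TPROXY/NAT) request."""
    dst = ipaddress.ip_address(orig_dst)
    name = split_host(host_header)
    try:
        # Host is an IP literal: it must equal the address the client dialled.
        candidates = {ipaddress.ip_address(name)}
    except ValueError:
        # Host is a name: the proxy resolves it itself rather than trusting the client.
        candidates = {ipaddress.ip_address(a) for a in resolve(name)}
    if dst in candidates:
        # Verified: safe to cache under this Host, and the proxy may pick any
        # resolved address for the upstream connection.
        return Decision(True, True, name, "destination IP matches Host")
    # Unverified: caching this under the claimed Host would let one client
    # poison the cache for everyone, so do not store it.
    # Assumption of this sketch: pass through to the original destination IP.
    return Decision(False, False, str(dst), "Host does not map to destination IP")

if __name__ == "__main__":
    for dst, host in [("192.0.2.11", "www.example.com"),
                      ("203.0.113.66", "www.example.com:80")]:
        print(dst, host, verify_intercepted(dst, host))
```
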
