On Wed, 6 Apr 2005, Martin Koniczek wrote:
> but if I'd use ICP/HTCP as well, on other addresses/interfaces, I'd run into trouble?
Only if this Squid needs to send ICP queries to other caches and using the same address as used when making DNS queries is not acceptable.
> looks as if by default it's not easy to protect Squid's name-resolving system from spoofed packets, even if you run a dedicated nameserver to serve Squid.
You could look into hardening the Squid DNS client from spoofing. There is a lot that can be improved in this regard:
- Query ID
- Use of TCP
Note: If you run a caching nameserver locally on 127.0.0.1 then you will be as protected from spoofing as the implementation of the caching name server, which is usually quite good. By using 127.0.0.1 you protect Squid from spoofing as no one outside of the box can send you packets with a source of 127.0.0.1, and no one locally on the box can send you packets with a source port of the DNS server.
Regards,
Henrik
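The checks a hardened stub resolver applies before trusting a UDP reply, tying together the points in the thread (unpredictable query ID, reply must come from the address and port we queried, and the question must match). This is an added example, not Squid's own resolver code; the packet bytes are constructed here and the function names are my own.

```python
import secrets
import struct

def build_query(name, qid=None, qtype=1):
    """Build a minimal DNS query (A record by default).
    The ID is drawn from a CSPRNG so it cannot be predicted by a spoofer."""
    if qid is None:
        qid = secrets.randbelow(65536)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN

def parse_header(pkt):
    """Return (id, flags, qdcount) from the 12-byte DNS header."""
    qid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    return qid, flags, qd

def reply_is_trustworthy(query, reply, sent_to, received_from):
    """Return (ok, reason). sent_to / received_from are (ip, port) tuples.
    Every check here must pass before the answer section is even looked at."""
    if received_from != sent_to:
        return False, "source address/port does not match the server we asked"
    if len(reply) < 12 or len(query) < 12:
        return False, "truncated packet"
    qid, flags, qd = parse_header(reply)
    if qid != parse_header(query)[0]:
        return False, "query ID mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set: this is not a response"
    # A valid response echoes our question section verbatim.
    if qd != 1 or reply[12:len(query)] != query[12:]:
        return False, "question section differs from what we asked"
    return True, "accepted"

def demo():
    """Constructed sample exchange against a local resolver on 127.0.0.1:53."""
    server = ("127.0.0.1", 53)
    q = build_query("www.example.com", qid=0x1234)
    genuine = struct.pack(">HH", 0x1234, 0x8180) + q[4:]   # same ID, QR+RD+RA
    wrong_id = struct.pack(">HH", 0x1235, 0x8180) + q[4:]  # guessed ID is off by one
    return {
        "genuine": reply_is_trustworthy(q, genuine, server, server),
        "wrong_id": reply_is_trustworthy(q, wrong_id, server, server),
        "off_box": reply_is_trustworthy(q, genuine, server, ("10.0.0.9", 53)),
    }
```

With the resolver on 127.0.0.1 the source check alone rejects anything arriving from another host, which is the protection Henrik describes; the ID and question checks still matter when the nameserver is remote.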