hi,

we want to block access to urls containing private ips like http://172.20.1.50

local-lan -> "internet-squid" -> firewall -> squid-dmz

we want or have to block access on "internet-squid". this squid will then forward all the queries to proxy "squid-dmz", which is connected to the internet. only squid-dmz can or should do dns-lookups.

our acl rules on "internet-squid":

file dst_privateip

    # class A, 10.0.0.0/8
    # class B, 172.16.0.0/12
    # class C, 192.168.0.0/16
    10.0.0.0/255.0.0.0
    172.16.0.0/255.240.0.0
    192.168.0.0/255.255.0.0

squid.conf

    acl dst_privateip dst "dst_privateip"
    http_access deny all dst_privateip

problem is, that "internet-squid" will do dns-lookups with "dst". our internal dns-server doesn't know any addresses from the internet. so there are way too many queries.

how can we prevent access to those urls? which is the best way to write the acl? url_regex? is there any chance to have a dst acl without dnslookups?

markus
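
Added example, not part of the original post: a Python check that compares a candidate url_regex-style pattern for the three ranges in dst_privateip against the ipaddress module, working only on the URL text so no DNS lookup is involved. The pattern, the function names and the sample URLs are assumptions constructed for illustration; the pattern only catches dotted-quad literals, not hostnames that resolve to a private address.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# The three ranges listed in the post's dst_privateip file.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Candidate pattern (an assumption, not from the post). Plain groups only, so
# it is also valid POSIX extended syntax. Scheme and userinfo are optional,
# then a dotted-quad host in one of the ranges, then a port, path or the end.
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
PRIVATE_URL_PATTERN = (
    r"^([A-Za-z][A-Za-z0-9+.-]*://)?([^/@]*@)?"
    r"(10\." + OCTET + r"|172\.(1[6-9]|2[0-9]|3[01])|192\.168)"
    r"\." + OCTET + r"\." + OCTET + r"([:/?#]|$)"
)
PRIVATE_URL_RE = re.compile(PRIVATE_URL_PATTERN)

def regex_blocks(url):
    """Decision the regex would make, from the URL text alone."""
    return PRIVATE_URL_RE.search(url) is not None

def host_is_private_literal(url):
    """Reference decision: parse the host and test it against PRIVATE_NETS."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:          # hostname, IPv6 literal or empty host
        return False
    return any(addr in net for net in PRIVATE_NETS)

# Constructed sample URLs; the first is the one quoted in the post.
SAMPLES = [
    "http://172.20.1.50", "http://10.255.0.1:3128/",
    "https://user:pw@192.168.1.1/x", "172.31.255.255:443",
    "http://172.15.0.1/", "http://172.32.0.1/", "http://192.169.0.1/",
    "http://110.0.0.1/", "http://10.0.0.1.example.com/",
    "http://www.example.com/?u=http://10.0.0.1/", "http://8.8.8.8/",
]

def disagreements(urls=SAMPLES):
    """URLs on which the regex and the reference check differ."""
    return [u for u in urls if regex_blocks(u) != host_is_private_literal(u)]

if __name__ == "__main__":
    print(PRIVATE_URL_PATTERN)
    for u in SAMPLES:
        print("deny " if regex_blocks(u) else "allow", u)
    print("disagreements:", disagreements())
```

An empty disagreements list means the pattern and the network list agree on every sample; extend SAMPLES with URLs from your own access log before relying on the pattern.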