
Re: squid hardening - weird behaviour

> * what again was the reason you absolutely, positively have to use the external helper?

the reason is my personal security policy/attitude:

on my router-box there shouldn't be anything listening to the outside, i.e. listening for packets from an insecure lan - regardless of firewall settings which may or may not apply.

if squid listens to the outside and can receive udp packets on that port, there may be a chance to exploit this if there is some bug within squid.

ok, maybe this is a little bit paranoid, but when it comes to network security, only a closed socket is a good socket - especially if the open one can be avoided.

regards
roland



> 
> On Sat, Oct 13, 2007, devzero@xxxxxx wrote:
> > > You can compile with --disable-internal-dns. That builds a fast external 
> > > helper that calls gethostbyname() for squid and passes the results back 
> > > without blocking other requests.
> > 
> > fantastic! i recompiled with that option and afterwards the open port is gone automatically
> > without touching the .conf and is now "replaced" by 5 dnshelper processes. i assume this
> > probably won't perform as well as before, but that doesn't matter for me.
> 
> Just a few notes:
> 
> * it's slow compared to internal dns;
> * it may use your nsswitch config if you've got a hosts database in something other than
>   DNS (people used to stick 'em in NIS, for example, which I believe is the kind of
>   thing the dnshelper stuff is still around for;)
> * what again was the reason you absolutely, positively have to use the external helper?
> * finally, a DNS resolver like bind will cache just as well as using something like
>   nscd with local get*host*() type calls.
> 
> 
> 
> adrian
> 
> -- 
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level bandwidth-capped VPSes available in WA -
> 
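As an added check for the "only a closed socket is a good socket" policy discussed above (this script is not from the thread or from the Squid project): it parses /proc/net/udp and reports every IPv4 UDP socket bound to a non-loopback address, so a router box can be audited for ports reachable from the LAN before and after rebuilding with --disable-internal-dns. It assumes a little-endian (x86) host and IPv4 only; the sample input is constructed.

```shell
#!/bin/sh
# Audit IPv4 UDP sockets from /proc/net/udp and report any that are bound to
# a non-loopback address, i.e. reachable from the LAN side of the router.
# Assumption: little-endian host (x86), IPv4 only (/proc/net/udp6 differs).

# Decode a /proc/net/udp local_address field such as 0100007F:0035 into
# dotted quad plus decimal port (127.0.0.1:53). The kernel prints the
# address as a host-order 32-bit hex word, so the bytes come out reversed.
decode_addr() {
    ip=${1%%:*}
    port=${1##*:}
    o4=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c1-2)")
    o3=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c3-4)")
    o2=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c5-6)")
    o1=$(printf '%d' "0x$(printf '%s' "$ip" | cut -c7-8)")
    printf '%s.%s.%s.%s:%d\n' "$o1" "$o2" "$o3" "$o4" "0x$port"
}

# Read /proc/net/udp-formatted lines on stdin (header included) and print
# "ip:port uid=N inode=N" for every socket not bound to 127.0.0.0/8.
audit_udp() {
    tail -n +2 | while read -r sl laddr raddr st txrx tr retr uid tmo inode rest; do
        [ -n "$laddr" ] || continue
        addr=$(decode_addr "$laddr")
        case $addr in
            127.*) ;;   # loopback only: not reachable from the LAN
            *) printf '%s uid=%s inode=%s\n' "$addr" "$uid" "$inode" ;;
        esac
    done
}

# Constructed sample (not captured from a real box): a loopback resolver,
# a wildcard-bound high port owned by uid 13, and a LAN-address bind.
SAMPLE_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
  14: 00000000:B2C1 00000000:0000 07 00000000:00000000 00:00000000 00000000    13        0 23456 2 0000000000000000 0
  16: 0A01A8C0:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 34567 2 0000000000000000 0'

printf '%s\n' "$SAMPLE_UDP" | audit_udp
# On a live system run: audit_udp < /proc/net/udp
# then match the inode numbers against the socket links in /proc/<squid pid>/fd
# to see which of the flagged sockets belong to squid.
```

The constructed sample yields two flagged sockets (0.0.0.0:45761 and 192.168.1.10:53); the loopback resolver on 127.0.0.1:53 is not reported.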

