I understand the security concern, but if squid is accessed by Users only within the company and company's intranet is secure enough, then it is an overkill as DNS is performed twice(Squid being used in transparent mode), once by the browser and then second time by the Squid. Shouldn't we have this as configurable through squid.conf file, though with the disclaimer you wrote earlier. This looks like a good feature to have. Like: Disble DNS lookups by Squid, instead use the DST IP address in the intercepted HTTP requested. #disable_dns_lookup, hence use Dst IP from the packet Thanks Saurabh -----Original Message----- From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] Sent: Monday, March 24, 2008 10:28 AM To: Saurabh Agarwal Cc: squid-users@xxxxxxxxxxxxxxx Subject: Re: How squid does Src/Dst IP address matching Saurabh Agarwal wrote: > Thanks Amos, I have one follow up question though on your reply > > src - performs an OS call to retrieve the IP of the other end of the TCP > > connection socket its been given. > > dst - retrieves the FQDN being looked up from the request headers, and > performs a DNS lookup on it to retrieve the address. > >>> To determine the dst IP address, why do we don't perform an OS call > to retrieve the destination IP address. Is it technically possible? If > yes how? IF we can do it, then we can save some time in the DNS lookup > that squid performs. It's possible. Most OS provide sgetsockopt() calls to retrieve them. Squid does not use these in order to protect its cache against compromised users. When trusting the users requested dst-IP a single infected web client retrieving a bad web page could poison the cache and pass the infection on to all other users. Amos > > Thanks > Saurabh > -----Original Message----- > From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx] > Sent: Monday, March 17, 2008 4:01 PM > To: Saurabh Agarwal > Cc: squid-users@xxxxxxxxxxxxxxx > Subject: Re: How squid does Src/Dst IP address matching > > Saurabh Agarwal wrote: >> Hi >> >> Can someone please tell how does squid does the acl evaluation related >> to Src/Dst IP address? Like "acl myNet dst 10.0.0.0/255.255.0.0" >> >> As I understand squid does not get to know the IP layer information >> which has the destination IP address field. >> >> But in the HTTP header we have the name of the server like >> "Host mail.yahoo.com", which can be used to determine the destination > IP >> Address. >> >> Does squid resolves the IP address of mail.yahoo.com before it does > the >> Dst Address acls matching or evaluation? > > > With src and dst it differs in the methods of attaining the IP. But the > evaluation is identical. > > src - performs an OS call to retrieve the IP of the other end of the TCP > > connection socket its been given. > > dst - retrieves the FQDN being looked up from the request headers, and > performs a DNS lookup on it to retrieve the address. > > Both then pass the IP to the ACL processing to be checked. > > Amos -- Please use Squid 2.6STABLE17+ or 3.0STABLE1+ There are serious security advisories out on all earlier releases.
