-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 In my installation I use caching DNS (unbound) in conjunction with Squid. This cachind DNS directly on squid box and solves many problem with DNS. Unbound cache itself uses custom TTL setting (maximal) for DNS records, which is overrides provider/original DNS settings. 02.07.15 18:43, Stakres пишет: > Hi Amos, > > "/You can get around it somewhat by having the ISP resolvers use each other > same as proxy chains do./" > This is impossible to do in a multi-level ISPs archi, because each ISP could > use any DNS servers (google, level3, etc...). From the original end user to > the latest ISP step the dns header could be using an ip address that the > Squid could not know. > > "/Consider some malicious server at 192.168.0.2 responding with an infected > JPG to all requests. An infected server contains a script that fetches the > Google icon from 192.168.0.2 using Host:www.google.com. /" > Totaly agree with you but what we/you could do is to replace the original > dns records from the headers by the records squid will find and allow the > cache hit. > Here, squid only applies the correct dns but deny the object to be cached. > if squid corrects the dns it means the object should be safe (normaly) so it > should accept to see the object saved into the cache (partial object or > not), right ? > > So, fixing a wrong dns record is a good thing I agree, but why do you deny > the cache action if the request was corrected ? > > What about if the end user has fixed to a special dns server (home made, > exotic server, etc...), here the ISP cannot increase the % saving and this > point (% saving) is the top priority for the ISP that's why he needs > solutions like Squid products. > > Do you think we could have a workaround for fixing the wrong dns record from > headers (Squid action) and having the object cached ? or it does not make > sense because other security issues ? > > I read many forums where admins are requesting this behaviour, I 'm sure > we/you can find a nice solution for all of us . > > Fred > > > > > -- > View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/TProxy-and-client-dst-passthru-tp4670189p4672022.html > Sent from the Squid - Users mailing list archive at Nabble.com. > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJVlTfiAAoJENNXIZxhPexGzE0H/igDMTH/YQQa5LxjuxS7kz5B tCiGhynWB4LDl8rs9bWKUrvL+vSTU3P5CiiZgSSdSJL3HmpOr/C2tLlepAh3zkql pKTjlb/Lw6X5q8HpGRc6hRHoR2qaFpXM28H01358UQpZPIEIxG4ivgPz9hSkZZ72 6RnZR1uVlgGBRqh1mPDdPFUq8WCGi49InqjkZwd+cxOVeoujJDdKwI1mKYU/QDoy UkPQRLfPDnqJBo4Y4Fowj/aQTTreQSLGtjhIIuGlOllomIdU9d8JruUHKUPfEnZe mIWk9oMAL4e0hhZf1l+1Du6w4g1XCQ750a6DOjaYZaTmyBuSdyeaER3y/cc566M= =9HYZ -----END PGP SIGNATURE----- _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users