On 4/07/2015 1:21 a.m., Stakres wrote:
> Amos,
> You told the Squid will check the original dns from the headers, then it'll
> do its own dns resolution to verify they both match.
> So, if no match, Squid does the request to internet based on the dns it
> found.
> If I'm right, that's the current way, correct?

Depends on what you mean by "it found".

ORIGINAL_DST comes from TCP packet headers, which cannot be forged without the packets going astray. Squid trusts it when in doubt.

Squid's own DNS lookup is for the HTTP Host header value, to compare against the TCP value. Host can be trivially forged. So neither Host nor the DNS resulting from it can be trusted when in doubt.

>
> What we could do is the same way but as Squid has downloaded the object
> based on its dns records, it means the object is correct, the right one. So,
> keep all details from Squid job and push the object to the cache (if
> cacheable).

When there is doubt about what server is correct there is no "right" object. Squid relays the request to the place the client would have reached had the proxy not been intercepting the traffic (ORIGINAL_DST). Then it prevents the unreliable object being given to other clients (cached).

There does seem to be one bug in that Squid will not always HIT on existing cache content for the requested URL. Any help finding and fixing that.

>
> user request -> squid checks the dns is ok (corrects it if needed) -> squid
> download the right object and cache.
> user request -> squid checks the dns is ok (corrects it if needed) -> squid
> pushes from its cache.
>
> Again, if Squid requests the right object based on its dns requests, it'll
> deliver to clients the good one.
> So, we should not see ORIGINAL_DST anymore...

That's the CVE-2009-0801 problem. Whenever the Host header DNS is used, the proxy and all other clients fetching the cached URL from it are subject to malicious alterations made to that header.

Thus it's only near-trustworthy when the DNS results contain the TCP dst-IP. We let the request through to the ORIGINAL_DST to reduce penalty on the client. But caching without the trust is going a bit too far.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
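The decision Amos describes (resolve the Host header, accept it as near-trustworthy only when the DNS answer contains the TCP destination IP, always relay to ORIGINAL_DST, and refuse to cache an unverified response so one client's forged Host cannot poison the URL for everyone else) is modelled below. This is an added illustration written for this post, not Squid's own code; `FAKE_DNS`, `FAKE_ORIGINS`, `verify_host` and `InterceptingCache` are constructed names, and the addresses come from documentation ranges rather than any real host.

```python
"""
Host-header verification for intercepted traffic, modelled on the check
discussed in the thread. Hypothetical example code, not Squid's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

# Constructed stand-in for DNS. Documentation-range addresses only.
FAKE_DNS: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "v6.example.com": {"2001:db8::10"},
}

# Constructed stand-in for origin servers, keyed by the IP the TCP
# connection actually reached (i.e. ORIGINAL_DST).
FAKE_ORIGINS: Dict[str, str] = {
    "192.0.2.10": "genuine page from www.example.com",
    "192.0.2.11": "genuine page from www.example.com",
    "2001:db8::10": "genuine v6 page",
    "198.51.100.66": "content from an unrelated server",
}


def fake_resolve(name: str) -> Set[str]:
    """Return the constructed A/AAAA answers for a name (empty set = NXDOMAIN)."""
    return set(FAKE_DNS.get(name, set()))


@dataclass(frozen=True)
class Verdict:
    verified: bool   # True when Host agrees with the TCP destination
    reason: str      # short explanation, useful for an access log


def split_host(host_header: str) -> str:
    """Drop an optional port: 'example.com:80', '[2001:db8::1]:8080', bare name/IP."""
    h = host_header.strip().lower()
    if h.startswith("["):                 # bracketed IPv6 literal
        return h[1:h.index("]")]
    if h.count(":") == 1:                 # name:port or v4:port
        return h.split(":")[0]
    return h                              # bare name, or v6 literal without port


def verify_host(host_header: str, original_dst: str,
                resolver: Callable[[str], Set[str]] = fake_resolve) -> Verdict:
    """Compare the Host header against ORIGINAL_DST as the thread describes."""
    dst = ipaddress.ip_address(original_dst)
    name = split_host(host_header)
    try:
        literal = ipaddress.ip_address(name)     # Host may itself be an IP literal
    except ValueError:
        literal = None
    if literal is not None:
        ok = literal == dst
        return Verdict(ok, "ip-literal-match" if ok else "ip-literal-mismatch")
    addrs = {ipaddress.ip_address(a) for a in resolver(name)}
    if not addrs:
        return Verdict(False, "nxdomain")
    ok = dst in addrs
    return Verdict(ok, "dns-match" if ok else "dns-mismatch")


class InterceptingCache:
    """Toy intercepting proxy: forwards to ORIGINAL_DST, caches only verified fetches."""

    def __init__(self, resolver=fake_resolve, origins=FAKE_ORIGINS):
        self.store: Dict[str, str] = {}     # URL -> cached body
        self.resolver = resolver
        self.origins = origins

    def handle(self, original_dst: str, host_header: str, path: str) -> Tuple[str, str]:
        url = f"http://{split_host(host_header)}{path}"
        if url in self.store:                        # serve existing content for the URL
            return self.store[url], "HIT"
        body = self.origins[original_dst]            # relay to ORIGINAL_DST regardless of verdict
        verdict = verify_host(host_header, original_dst, self.resolver)
        if verdict.verified:
            self.store[url] = body                   # safe to share with other clients
            return body, "MISS-cached"
        return body, f"MISS-uncached ({verdict.reason})"


if __name__ == "__main__":
    cache = InterceptingCache()
    # A client whose TCP connection went to 198.51.100.66 but claims Host: www.example.com
    print(cache.handle("198.51.100.66", "www.example.com", "/"))
    # A client that really connected to www.example.com
    print(cache.handle("192.0.2.10", "www.example.com", "/"))
    # A later client for the same URL is served from cache
    print(cache.handle("192.0.2.11", "www.example.com:80", "/"))
```

The first request is forwarded to the address the client actually connected to, but because the DNS answer for `www.example.com` does not contain 198.51.100.66 the response is not stored; the second request, where Host and ORIGINAL_DST agree, populates the cache, and the third is a HIT.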