Search squid archive

Re: More host header forgery pain with peek/splice

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 26/08/2016 4:17 a.m., Steve Hill wrote:
> 
> This one just seems to keep coming up and I'm wondering how other people
> are dealing with it:
> 
> When you peek and splice a transparently proxied connection, the SNI
> goes through the host validation phase.  Squid does a DNS lookup for the
> SNI, and if it doesn't resolve to the IP address that the client is
> connecting to, Squid drops the connection.
> 
> When accessing one of the increasingly common websites that use DNS load
> balancing, since the DNS results change on each lookup, Squid and the
> client may not get the same DNS results, so Squid drops perfectly good
> connections.
> 
> Most of this problem goes away if you ensure all the clients use the
> same DNS server as squid, but not quite.  Because the TTL on DNS records
> only has a resolution of 1 second, there is a period of up to 1 second
> when the DNS records Squid knows about doesn't match the ones that the
> client knows about.  The client and squid may expire the records up to 1
> second apart.

FYI: Services sending TTL of just 1 or even a few seconds are abusing
the DNS system. Rotating the order of IPs in the RR record is a
standardized feature and works just fine with how Squid does its checks.

NP: using "8.8.8.8" in both Squid and client does not count as using the
same resolver. Because that service is an entire farm of resolvers that
can and do respond differently to any two requests - even if they are
made simultaneously. Not a single machine using a single cache of DNS data.

> 
> So what's the solution?  (Notably the validation check can't be disabled
> without hacking the code).
> 

Well, hacking the code. But not necessarily in the obvious way of
disabling checks. Redesign in Squid DNS component is needed. If you want
to sponsor and/or test that work mail me privately. Though its unlikely
to be available for use in the short term .

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux