On 2025-03-18 06:25, David Touzeau wrote:
> We note that Squid performs a client DNS PTR query each time a client
> sends a query.
> We have taken care to ensure that
> * the log model does not use machine names
> * no ACLs concerning workstation hostnames are added.

FWIW, the phrase "workstation hostnames" is a red flag for me,
especially when the other bullet uses "machine names" terminology. In my
experience, it is easy to overlook a logformat %code or ACL that
requires Squid to do a reverse DNS lookup.
N.B. In modern Squids (including your v6.3), default ICAP logformat
triggers reverse DNS lookups if icap_log is enabled.

> We use Kerberos authentication with Squid: is the
> negotiate_kerberos_auth/process plugin able to perform PTR requests?

I am not a Kerberos expert, but I believe that plugin can trigger DNS
requests at startup (at least). I do not know whether it can trigger DNS
requests at runtime. You should be able to check that theory by
disabling authentication for a test client/transaction.

> Is there another option that prevents Squid from performing such requests?

I do not think so. You have to figure out what triggers those queries
and adjust the corresponding configuration accordingly. I can offer a
free private review of your cache.log file collected while reproducing
the problem using as few transactions as possible and enabling full
debugging (e.g., setting debug_options to ALL,9). More hints are
available at
https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction
If you would like to proceed with the above analysis, please email me a
link to the corresponding compressed cache.log.
HTH,
Alex.
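
Added example, not part of the message above and not Squid project code: a Python scan of a squid.conf for the kinds of triggers named in this thread (a logformat %code that needs the client host name, ACLs on client host names, and icap_log left on its default format). The function name, the sample configuration and the handling of the icap_log format argument are assumptions, and the list of triggers is not exhaustive.

```python
import re

# %>A is the logformat code for the client FQDN; %>a (lowercase) is the
# client IP and needs no DNS. Optional quoting/width modifiers may precede it.
CLIENT_FQDN_CODE = re.compile(r"""%["\['#/]?-?\d*(?:\{[^}]*\})?>A(?![A-Za-z_])""")
# ACL types that match on the client's host name rather than its address.
REVERSE_DNS_ACL_TYPES = {"srcdomain", "srcdom_regex"}

# Constructed sample configuration (not the poster's real squid.conf).
SAMPLE_CONF = """\
# constructed sample
logformat plain %ts.%03tu %>a %Ss/%03>Hs %rm %ru
logformat named %ts.%03tu %>A %Ss/%03>Hs %rm %ru
acl office src 192.0.2.0/24
acl lan_hosts srcdomain .example.internal
access_log stdio:/var/log/squid/access.log plain
icap_log /var/log/squid/icap.log
"""


def find_ptr_triggers(conf_text):
    """Return (line_number, reason) for directives that can cause client PTR lookups."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        # Only whole-line comments are skipped: '#' is also a logformat modifier.
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive, args = tokens[0], tokens[1:]
        if directive == "logformat" and len(args) >= 2:
            spec = line.split(None, 2)[2].replace("%%", "")  # drop literal %
            if CLIENT_FQDN_CODE.search(spec):
                findings.append((lineno, f"logformat {args[0]} uses %>A (client FQDN)"))
        elif directive == "acl" and len(args) >= 2 and args[1] in REVERSE_DNS_ACL_TYPES:
            findings.append((lineno, f"acl {args[0]} is of type {args[1]}"))
        elif directive == "icap_log" and args and args[0] != "none":
            # Assumption: the format name, if any, is the second argument.
            fmt = args[1].removeprefix("logformat=") if len(args) > 1 else "icap_squid"
            if fmt == "icap_squid":
                findings.append((lineno, "icap_log uses the default ICAP logformat"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_ptr_triggers(SAMPLE_CONF):
        print(f"line {lineno}: {reason}")
```

An empty result does not rule out other triggers, so the cache.log debugging suggested above remains the way to confirm the cause.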