
Re: squid 6.3: client internal ip address PTR DNS query


Hi Alex

Thanks

The information provided is very useful.
Although ICAP is not used, the log configuration is active.
Let's validate the first leads you've given us.

regards

On 18/03/2025 at 15:07, Alex Rousskov wrote:
On 2025-03-18 06:25, David Touzeau wrote:

We note that Squid performs a client DNS PTR query each time a client sends a query.

We have taken care to ensure that:

  * the log model does not use machine names
  * no ACLs concerning workstation hostnames are added.

FWIW, the phrase "workstation hostnames" is a red flag for me, especially when the other bullet uses "machine names" terminology. In my experience, it is easy to overlook a logformat %code or ACL that requires Squid to do a reverse DNS lookup.

N.B. In modern Squids (including your v6.3), default ICAP logformat triggers reverse DNS lookups if icap_log is enabled.


We use Kerberos authentication with Squid: is the negotiate_kerberos_auth/process plugin able to perform PTR requests?

I am not a Kerberos expert, but I believe that plugin can trigger DNS requests at startup (at least). I do not know whether it can trigger DNS requests at runtime. You should be able to check that theory by disabling authentication for a test client/transaction.


Is there another option that prevents Squid from performing such requests?

I do not think so. You have to figure out what triggers those queries and adjust the corresponding configuration accordingly. I can offer a free private review of your cache.log file collected while reproducing the problem using as few transactions as possible and enabling full debugging (e.g., setting debug_options to ALL,9). More hints are available at https://wiki.squid-cache.org/SquidFaq/BugReporting#debugging-a-single-transaction

If you would like to proceed with the above analysis, please email me a link to the corresponding compressed cache.log.


HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.squid-cache.org/listinfo/squid-users

-- 
David Touzeau - Artica Tech France
Development team, level 3 support
----------------------------------
P: +33 6 58 44 69 46
www: https://wiki.articatech.com
www: http://articatech.net 
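
Added example, not part of the thread and not Squid project code: one way to audit a squid.conf for the easily overlooked reverse-DNS triggers Alex describes (a logformat %code, an ACL, or icap_log left on its default format). The sample configuration, the format names, and the short list of PTR-triggering items (`%>A`, `srcdomain`, `srcdom_regex`) are assumptions of the example, not an exhaustive inventory.

```python
import re

# Assumptions of this example (not an exhaustive inventory): the client-FQDN
# logformat code %>A and the srcdomain/srcdom_regex ACL types need a PTR
# lookup of the client address; per the thread, so does the default ICAP
# log format (icap_squid) whenever icap_log is enabled.
PTR_ACL_TYPES = {"srcdomain", "srcdom_regex"}
CLIENT_FQDN = re.compile(r"""%["\[\'#/]?-?\d*(?:\{[^}]*\})?>A(?![A-Za-z])""")
BUILTIN = {"squid": False, "common": False, "combined": False,
           "referrer": False, "useragent": False, "icap_squid": True}

SAMPLE_CONF = """\
# constructed sample, not taken from the thread
logformat withfqdn %ts.%03tu %>a %>A %un %rm %ru
logformat plain %ts.%03tu %>a %un %rm %ru
acl lan src 10.0.0.0/8
acl desks srcdomain .corp.example
access_log daemon:/var/log/squid/access.log logformat=plain
access_log daemon:/var/log/squid/full.log withfqdn lan
icap_log /var/log/squid/icap.log
"""

def find_ptr_triggers(conf_text):
    """Return [(line_no, reason)] for squid.conf lines that may cause PTR queries."""
    formats = dict(BUILTIN)  # format name -> does it contain %>A?
    lines = [l.strip() for l in conf_text.splitlines()]
    # Pass 1: record every custom logformat and whether it logs the client FQDN.
    for line in lines:
        tok = line.split(None, 2)
        if len(tok) == 3 and tok[0] == "logformat":
            formats[tok[1]] = bool(CLIENT_FQDN.search(tok[2]))
    findings = []
    # Pass 2: flag only directives that put such a format or ACL type to use.
    for no, line in enumerate(lines, 1):
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] == "acl" and len(tok) >= 3 and tok[2] in PTR_ACL_TYPES:
            findings.append((no, f"acl {tok[1]} uses {tok[2]}"))
        elif tok[0] in ("access_log", "icap_log") and len(tok) >= 2 and tok[1] != "none":
            fmt = next((t[10:] for t in tok[2:] if t.startswith("logformat=")), None)
            if fmt is None:  # older positional form, else the directive's default
                positional = tok[2] if len(tok) > 2 and tok[2] in formats else None
                fmt = positional or ("icap_squid" if tok[0] == "icap_log" else "squid")
            if formats.get(fmt):
                findings.append((no, f"{tok[0]} uses logformat {fmt}"))
    return findings
```

Each finding is a candidate to disable for one test transaction while watching for PTR queries, the same isolation approach suggested above for the authentication helper.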