Re: [squid-users] Restricting listening "UDP DNS client port" to an interface/IP?

From: Henrik Nordstrom <[email protected]>
Date: Fri, 8 Apr 2005 00:53:21 +0200 (CEST)

On Wed, 6 Apr 2005, Martin Koniczek wrote:

> but if i'd use ICP/HTCP as well, on other addresses/interfaces, i'd run into
> trouble?

Only if this Squid needs to send ICP queries to other caches and using
the same address as used when making DNS queries is not acceptable.

> looks as if by default it's not easy to protect squid's nameresolving system
> from spoofed packets, even if you run a dedicated nameserver to serve squid.

You could look into hardening the Squid DNS client from spoofing. There is
a lot that can be improved in this regard:

   - Query ID
   - Use of TCP

Note: If you run a caching nameserver locally on 127.0.0.1 then you will
be as protected from spoofing as the implementation of the caching name
server, which is usually quite good. By using 127.0.0.1 you protect Squid
from spoofing as noone outside of the box can send you packets with a
source of 127.0.0.1, and noone locally on the box can send you packets
with a source port of the DNS server..

Regards
Henrik
Received on Thu Apr 07 2005 - 16:53:23 MDT

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT