[Bug 239302] [NEW] Setting squid's udp_incoming_address address to 127.0.0.1 stop its DNS requests working

Ralph Corderoy ralph at inputplus.co.uk
Wed Jun 11 22:33:20 BST 2008 

Public bug reported:

Binary package hint: squid

Ubuntu 8.04, squid 2.6.18-1ubuntu3.

By default, squid was listening for TCP connections and UDP packets on
all interfaces.  This can be checked with

    sudo netstat -tulep | grep -i squid

I wanted to make listen only on localhost for incoming HTTP connections
on port 3128, the default port, and also only send and receive on
localhost for inter-squid ICP packets since I've no other squids to talk
to.

Editing /etc/squid/squid.conf to set `http_port localhost:3128' worked
for the TCP port.

Setting `udp_incoming_address 127.0.0.1' did cause the UDP listening
socket(s) to be only on that interface, but also caused squid to stop
proxying.  /var/log/squid/cache.log has pairs of lines, several for each
incoming request.

    2008/06/11 21:45:00| comm_udp_sendto: FD 6, 212.159.6.10, port 53: (22) Invalid argument
    2008/06/11 21:45:00| idnsSendQuery: FD 6: sendto: (22) Invalid argument

strace(8) confirmed that squid was attempting DNS lookups on the
request's host but sendto(2) was returning EINVAL.  lsof(8) can be used
to confirm that the DNS request is trying to be sent to my ISPs DNS
server through a UDP socket bound to the loopback interface.  The socket
used by idnsSendQuery() for DNS requests is initialised in
src/dns_internal.c's idnsInit().

    if (DnsSocket < 0) {
        int port;
        struct in_addr addr;
        if (Config.Addrs.udp_outgoing.s_addr != no_addr.s_addr)
            addr = Config.Addrs.udp_outgoing;
        else
            addr = Config.Addrs.udp_incoming;
        DnsSocket = comm_open(SOCK_DGRAM,
            IPPROTO_UDP,
            addr,
            0,
            COMM_NONBLOCKING,
            "DNS Socket");

By default, Config.Addrs.udp_outgoing is 255.255.255.255 (no_addr) and
Config.Addrs.udp_incoming is 0.0.0.0.  This means the DNS socket is
opened on 0.0.0.0, all interfaces, so sendto() to the DNS server works
wherever it is.  By setting `udp_incoming_address 127.0.0.1', I've made
squid send UDP DNS requests out of 127.0.0.1 destined for the Internet;
EINVAL.

It should be possible to specify a new `dns_outgoing_address' config
item separately and have that default to 0.0.0.0.  At it stands, I have
to have squid sitting on the Internet, listening for UDP packets from
the Internet, when it doesn't need them.

Having found the problem, I find it was known about in 2003.

    http://www.squid-cache.org/mail-archive/squid-users/200301/0676.html

I really think this needs addressing.  It's more reassuring to have
servers listening on as few interfaces as necessary.

** Affects: squid (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Setting squid's udp_incoming_address address to 127.0.0.1 stop its DNS requests working
https://bugs.launchpad.net/bugs/239302
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to squid in ubuntu.

More information about the Ubuntu-server-bugs mailing list