Why squid listens on a high UDP port number

When starting squid with the default configuration (compiled from source), you may notice that the squid process listens not only on TCP port 3128, but also on a high UDP port.

netstat -tlunp | grep squid

tcp 0 0 :::3128 :::* LISTEN 3520/(squid)
udp 0 0 0.0.0.0:52431 0.0.0.0:* 3520/(squid)
udp 0 0 :::51621 :::* 3520/(squid)

What in the hell is that 52431 UDP port used for? Let’s find out.
Edit squid.conf and add the following line to turn on debug output for the relevant sections:

debug_options 78,9 5,9 50,9

Restart squid and check the debug output in cache.log:

2012/02/17 02:06:37| Starting Squid Cache version 3.1.19 for x86_64-unknown-linux-gnu...
2012/02/17 02:06:37.140| idnsInit: attempt open DNS socket to: [::]
2012/02/17 02:06:37.140| comm_openex: Attempt open socket for: [::]
2012/02/17 02:06:37.140| comm_openex: Opened socket FD 7 : family=10, type=2, protocol=17
2012/02/17 02:06:37.140| comm_open: FD 7 is a new socket
2012/02/17 02:06:37.140| commBind: bind socket FD 7 to [::]
2012/02/17 02:06:37.140| idnsInit: attempt open DNS socket to: 0.0.0.0
2012/02/17 02:06:37.140| comm_openex: Attempt open socket for: 0.0.0.0
2012/02/17 02:06:37.140| comm_openex: Opened socket FD 8 : family=2, type=2, protocol=17
2012/02/17 02:06:37.140| comm_open: FD 8 is a new socket
2012/02/17 02:06:37.140| commBind: bind socket FD 8 to 0.0.0.0
2012/02/17 02:06:37.140| comm_local_port: FD 7: port 51621(family=10)
2012/02/17 02:06:37.140| DNS Socket created at [::], FD 7
2012/02/17 02:06:37.141| commSetSelect(FD 7,type=1,handler=1,client_data=0,timeout=0)
2012/02/17 02:06:37.141| comm_local_port: FD 8: port 52431(family=2)
2012/02/17 02:06:37.141| DNS Socket created at 0.0.0.0, FD 8
2012/02/17 02:06:37.141| commSetSelect(FD 8,type=1,handler=1,client_data=0,timeout=0)
2012/02/17 02:06:37.141| Adding nameserver 127.0.0.1 from /etc/resolv.conf
...

From the above output we can see that those two high UDP ports are used for DNS. In fact, they belong to squid’s “internal DNS”, the mechanism squid uses to send and manage its own DNS queries instead of relying on the system resolver.
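To make this check repeatable, here is an added example (not part of the original post) that parses the cache.log lines produced by the debug_options above together with the netstat output, and reports for each UDP port squid holds whether it is an internal DNS socket and which address it is bound to. The sample log and netstat lines are constructed from the output shown above; the extra port 3130 line is added only to show a non-DNS socket.

```python
import re

# Constructed sample: cache.log lines at "debug_options 78,9 5,9 50,9", as shown
# above; family=10 is AF_INET6, family=2 is AF_INET. Only the three parsed kinds are kept.
CACHE_LOG = """\
2012/02/17 02:06:37.140| commBind: bind socket FD 7 to [::]
2012/02/17 02:06:37.140| commBind: bind socket FD 8 to 0.0.0.0
2012/02/17 02:06:37.140| comm_local_port: FD 7: port 51621(family=10)
2012/02/17 02:06:37.140| DNS Socket created at [::], FD 7
2012/02/17 02:06:37.141| comm_local_port: FD 8: port 52431(family=2)
2012/02/17 02:06:37.141| DNS Socket created at 0.0.0.0, FD 8
"""

# Constructed sample: "netstat -tlunp | grep squid"; the 3130 line is added to show a non-DNS port.
NETSTAT = """\
tcp 0 0 :::3128 :::* LISTEN 3520/(squid)
udp 0 0 0.0.0.0:52431 0.0.0.0:* 3520/(squid)
udp 0 0 :::51621 :::* 3520/(squid)
udp 0 0 0.0.0.0:3130 0.0.0.0:* 3520/(squid)
"""

PORT_RE = re.compile(r"comm_local_port: FD (\d+): port (\d+)")
BIND_RE = re.compile(r"commBind: bind socket FD (\d+) to (\S+)")
DNS_RE = re.compile(r"DNS Socket created at (\S+), FD (\d+)")
NETSTAT_RE = re.compile(r"^udp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+\d+/\(squid\)")

def dns_sockets(cache_log: str) -> dict:
    """Map each internal-DNS UDP port to the address squid bound it to."""
    bind_addr = {}   # FD -> address from the commBind line
    port_of = {}     # FD -> local port from the comm_local_port line
    dns_fds = set()  # FDs named in a "DNS Socket created" line
    for line in cache_log.splitlines():
        if m := BIND_RE.search(line):
            bind_addr[int(m.group(1))] = m.group(2)
        elif m := PORT_RE.search(line):
            port_of[int(m.group(1))] = int(m.group(2))
        elif m := DNS_RE.search(line):
            dns_fds.add(int(m.group(2)))
    return {port_of[fd]: bind_addr[fd] for fd in dns_fds if fd in port_of}

def explain_udp_ports(netstat: str, cache_log: str) -> list:
    """For every UDP port squid holds, say whether it is an internal-DNS socket."""
    dns = dns_sockets(cache_log)
    rows = []
    for m in filter(None, map(NETSTAT_RE.match, netstat.splitlines())):
        addr, port = m.group(1), int(m.group(2))
        label = (f"internal DNS (bound to {dns[port]})" if port in dns
                 else "not an internal DNS socket; check icp_port/htcp_port")
        rows.append((port, addr, label))
    return rows
```

Run it against your own cache.log and netstat output instead of the constructed samples; any squid UDP port that is not explained as internal DNS should be matched against the ICP and HTCP port directives.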

Some sysadmins prefer to bind local services to an internal interface only, so a requirement follows: how can we make squid ‘listen’ ONLY on the internal interface for those UDP ports? According to the Squid configuration directives documentation:

udp_incoming_address    is used for UDP packets received from other caches.

    The default behavior is to not bind to any specific address.

    Only change this if you want to have all UDP queries received on
    a specific interface/address.

    NOTE: udp_incoming_address is used by the ICP, HTCP, and DNS
    modules. Altering it will affect all of them in the same manner.

Add udp_incoming_address xxx.xxx.xx.xx to squid.conf, and the UDP ports will then bind to xxx.xxx.xx.xx.
However, there is a trap. Suppose you have two interfaces, one with IP 192.168.1.1 and the other with 12.34.56.78.
When you set “udp_incoming_address 192.168.1.1”, the proxy may get stuck because of DNS problems, especially when the DNS server cannot be reached from that local IP: since the directive also affects the DNS module, every internal DNS query is now sent from 192.168.1.1, so a nameserver that is only reachable via the other interface never answers.

This entry was posted in System Administration.