brute force – Find configured domains accepted by a reverse proxy

I am playing around with a machine from Hack The Box. I found what appears to be Squid v. 4.6 listening on port 3128. None of my requests work:

< HTTP/1.1 400 Bad Request
< Server: squid/4.6
< Mime-Version: 1.0
< Date: Fri, 30 Oct 2020 23:27:28 GMT
< Content-Type: text/html;charset=utf-8
< Content-Length: 3505
< X-Squid-Error: ERR_INVALID_URL 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from unbalanced
< X-Cache-Lookup: NONE from unbalanced:3128
< Via: 1.1 unbalanced (squid/4.6)
< Connection: close

Among the possible reasons, the displayed error page mentions that "Missing hostname" is the most probable one. I am looking for a way to find this (these) domain name(s).

Since this machine is meant to be accessed with a VPN only, there is no point in using DNS crawlers such as dnsmap or dnsenum. There is no DNS server on this machine nor in this lab environment (that I know of).

There is no fail2ban nor any brute-force prevention mechanism, so I thought about brute-forcing the domain name. All the HTTP fuzzers I know allow fuzzing nearly anything except domains. Do you know of such a tool, or do I need to script it myself?

Can you think of a more straightforward approach?