LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-16-2006, 02:04 PM   #1
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

How does a client resolve DNS queries with a transparent proxy?


SETUP:
* Squid has been configured properly to act as a transparent proxy.
* Squid and the gateway firewall are both installed and working on a single box, so we do not need to do DNAT.
* The client uses the SQUID/FIREWALL box as its gateway.
* As I have a static IP, I do not need to do MASQUERADING either.
* There is no rule running apart from the PREROUTING rule defined below, and hence all the chains have their default policy as ACCEPT.
* Packet forwarding is enabled at the kernel level.
* My LAN clients are not pointing towards any name server.

As per the official/non-official HOWTOs, I only have to run
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
and it is running as well.

Now my queries,

What happens to DNS name queries?
Whenever my client tries to browse, e.g. www.google.com, the first packet which comes to my box is for name resolution (DNS) and not for port 80, and hence it does not hit the rule I am running, and hence I am not able to get this transparent thing done, as it keeps retrying the name-to-IP conversion again and again against different DNS servers.

Though if I try to access any website by its IP address, I am not facing any problems; in the same scenario I can browse google.com through http://64.233.187.99/

So what else am I supposed to do to make my transparent proxy work, though I expect that I should not have to run any other iptables rule apart from the one specified above?

Kindly correct me wherever I am wrong, as it is all logic and probably I am missing something.

With best regards,
Amit sharma
 
Old 09-16-2006, 02:38 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

The DNS has nothing at all to do with transparent proxying. You just need to provide global DNS to your clients, simple as that. If they can't resolve google.com, how can they try to reach it? Normally you'd just have a global DNS server listed in /etc/resolv.conf, or if you have an all-in-one ADSL router on your net connection, they often serve global DNS on behalf of the network, so use that as a DNS server and it relays to your ISP.
 
Old 09-16-2006, 03:13 PM   #3
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Original Poster
Thanks for the clarification. But I am still a little confused as to why it isn't mentioned in any of the official/non-official transparent proxy HOWTOs and tutorials. They should at least mention that you also have to forward packets for DNS queries (in the case of global DNS), or at least mention DNS even for a LAN-based DNS. Because in the case of normal SQUID, we never used to use a DNS server on a client box, as all the name conversions were going to be done through the SQUID box itself.
--

Quote:
Originally Posted by acid_kewpie
The DNS has nothing at all to do with transparent proxying. You just need to provide global DNS to your clients, simple as that.
Then in that case, if I do mention my global DNS to my clients, then I have to do SNAT as well, as in the present state (without SNAT) this packet would never come back to me.
I can forward DNS queries with
Code:
iptables -t nat -A POSTROUTING -p udp --dport 53 -j SNAT --to-source $EXT_DEV_IP
and then, after the name conversion, I can use my normal Squid to work in transparent mode.

Is this the normal way a TRANSPARENT PROXY (Squid) works?
I mean, DNS works separately, and if you have a global-IP DNS, you have to do SNAT and forward the packets apart from the normal Squid cache-and-serve function.
 
Old 09-16-2006, 04:22 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

It's normal/expected that any given client PC can do global DNS lookups. This isn't impressive or abnormal in any way and doesn't merit explicit requirements to be given. As I said above, the normal way on a home LAN is that your ADSL router either serves global DNS directly or, as with *ANY* data going through the router, does a masquerade on that IP data.

Again, this is utterly unrelated to transparent proxies in every way. The fact that they are transparent should on its own suggest that nothing else at all should be changed. Any home user not using any proxy at all will do normal global DNS lookups and then connect directly to that remote web server. Exactly the same here: as the client has no idea whatsoever that it's been proxied (i.e. it's transparent), it's not going to act differently in any way at all either.
 
Old 09-16-2006, 04:48 PM   #5
amitsharma_26
Member
 
Registered: Sep 2005
Location: New delhi
Distribution: RHEL 3.0/4.0
Posts: 777

Original Poster
Thanks, I got the point.

Regards,
Amit..
 
Old 09-17-2006, 11:49 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

And if you really don't wanna FORWARD any DNS packets, then just install a DNS daemon on your Squid box and set the LAN clients to use that, instead of the external DNS... dnsmasq is what I use for this type of thing, for example... just my ...

Last edited by win32sux; 09-17-2006 at 04:30 PM.
 
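Putting the thread together as one reviewable gateway script, as an added example that is not code from any of the posters: the PREROUTING redirect from post #1, the SNAT for forwarded client DNS that post #3 arrives at and post #4 explains as ordinary routed traffic, and the local-resolver alternative from post #6. Everything beyond eth0 is an assumption of mine: eth1 as the WAN side, the 192.168.1.0/24 LAN with the gateway at 192.168.1.1, the static address 203.0.113.10, Squid on 8080, and 198.51.100.53 as the upstream resolver. The script prints the rules for a chosen mode by default and only loads them when told to apply, so the plan can be checked before it touches the live tables.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. It combines the
# PREROUTING redirect from post #1, the SNAT for forwarded DNS from post #3
# and the local-resolver alternative from post #6 into one reviewable script.
# Assumed placeholders: LAN on eth0 (192.168.1.0/24, gateway 192.168.1.1),
# WAN on eth1 with static address 203.0.113.10, Squid on 8080, upstream
# resolver 198.51.100.53. Override any of them via the environment.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"
WAN_IF="${WAN_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"
SQUID_PORT="${SQUID_PORT:-8080}"
UPSTREAM_DNS="${UPSTREAM_DNS:-198.51.100.53}"

# The transparent-proxy rule itself: only port 80 from the LAN side is
# diverted to Squid. -i/-s keep WAN traffic and the box's own traffic out.
proxy_rules() {
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Option A (posts #3/#4): clients use a public resolver. Their queries are
# ordinary forwarded traffic, unrelated to Squid, and need SNAT so the reply
# has a routable address to come back to. TCP is included for large answers.
dns_forward_rules() {
    for proto in udp tcp; do
        printf '%s\n' \
          "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p $proto --dport 53 -j ACCEPT" \
          "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -p $proto --dport 53 -j SNAT --to-source $EXT_IP"
    done
    printf '%s\n' \
      "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Option B (post #6): dnsmasq on the gateway, clients point at LAN_IP, and no
# client DNS packet is forwarded. Listening on the LAN side only, plus the
# INPUT rules below, keeps the box from being an open resolver on the WAN.
dnsmasq_conf() {
    cat <<EOF
interface=$LAN_IF
bind-interfaces
listen-address=$LAN_IP
no-resolv
server=$UPSTREAM_DNS
domain-needed
bogus-priv
cache-size=1000
EOF
}

dns_local_rules() {
    for proto in udp tcp; do
        printf '%s\n' \
          "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p $proto --dport 53 -j ACCEPT" \
          "iptables -A INPUT -i $WAN_IF -p $proto --dport 53 -j DROP"
    done
}

# Print the full plan for one mode so it can be reviewed before it touches
# the running tables. Returns 2 on an unknown mode.
plan() {
    case "$1" in
        snat)  proxy_rules; dns_forward_rules ;;
        local) proxy_rules; dns_local_rules ;;
        *)     echo "usage: $0 {snat|local} [apply]" >&2; return 2 ;;
    esac
}

# ./gateway.sh snat          -> print the rules
# ./gateway.sh local apply   -> enable forwarding and load them (as root)
case "${1:-}" in
    snat|local)
        if [ "${2:-}" = apply ]; then
            sysctl -w net.ipv4.ip_forward=1 && plan "$1" | sh -e
        else
            plan "$1"
        fi ;;
esac
```

In local mode, write `dnsmasq_conf` output to /etc/dnsmasq.d/gateway.conf (or /etc/dnsmasq.conf), restart dnsmasq, and give the clients `nameserver 192.168.1.1` in /etc/resolv.conf. To confirm either mode is doing what the thread describes, watch the packet counters on `iptables -t nat -L PREROUTING -n -v` while a client browses, and run `tcpdump -ni eth1 port 53`: in snat mode the queries leave with source 203.0.113.10, in local mode only the gateway's own upstream queries appear. Two caveats a practitioner will want: the redirect covers port 80 only, so HTTPS on 443 passes Squid by entirely, and with the original poster's no-MASQUERADE setup any other protocol the clients need forwarded has to get the same SNAT treatment as DNS, exactly as post #4 says of "any data going through the router".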