LinuxQuestions.org
Old 07-09-2009, 10:04 AM   #1
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Squid Proxy: DNS Requests


Hi,

I have just setup a Squid Proxy server (IP: 192.168.1.13)

CentOS-5, Squid, Dansguardian, Single Ethernet.
All working perfect!

I just have a small query regarding DNS query forwarding.
While setting network config on the desktop, I have set the G/w IP as 192.168.1.13.

Now, if I set up the Pri & Sec DNS IP of the ISP, then the internet works fine. But if I set up the DNS IP = 192.168.1.13, I am unable to surf.
The DNS query resolution does not happen.

I would like DNS queries to travel via 192.168.1.13.
Simple DNS forwarding via 192.168.1.13 to the ISP's DNS server.

What & how should I set this up?
A very simple solution is appreciated.

Thx
Vai
 
Old 07-09-2009, 10:58 AM   #2
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 258

Squid is an HTTP proxy working on port 80. It takes queries and passes them on to the target host's web server, and stores the response so that others downstream of the proxy can get the web page without having to request from the Internet.

DNS is not HTTP. It uses UDP port 53, and will make queries in a totally different protocol to that which a web proxy can understand, so unless you have some non-squid way of getting DNS queries through the system running the squid proxy, you will get exactly what you are seeing.

I guess you could set up some routing such that the proxy can proxy the HTTP, and simply redirect the DNS query, but to what end? The proxy won't do anything with the DNS messages, so I'd simply send your DNS queries to the right place in the first place.

HTH
 
Old 07-09-2009, 11:26 AM   #3
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Original Poster
Some reading around suggests I should set up BIND and configure it in FORWARDING mode.

I followed one particular documentation created by someone on the internet, but it did not help.
I am sure I did something incorrect or missed something.

If BIND is my best move forward, pls suggest me to some simple and easy way to setup BIND & configure it in FORWARDING mode to forward DNS queries to my ISP's NS.

Thx
Vai
 
Old 07-09-2009, 01:35 PM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Quote:
Originally Posted by vaibhavs View Post

I would like DNS queries to travel via 192.168.1.13.
Simple DNS forwarding via 192.168.1.13 to the ISP's DNS server.
But you don't explain why you would want to do this. Would you care to enlighten me?

Quote:
Some reading around suggests I should setup BIND and configure it in FORWARDING mode.
While that would work, it doesn't seem to be the best solution (so, my suspicion is that you could but you shouldn't).

Bind is probably:
  • the most difficult to configure (you seem to be some way to finding that out)
  • history suggests it's one of the candidates with the worst security record
  • it is probably the lowest performance solution
most of the above seems to be a consequence of the fact that it is the most flexible, swiss army knife solution, but if you don't need that flexibility, does that make it a good solution for your situation?
 
Old 07-10-2009, 01:35 AM   #5
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Original Poster
Let me explain this again..


I have setup a Squid Proxy server (IP: 192.168.1.13)
CentOS-5, Squid, Dansguardian, Single Ethernet.
All working perfect!

I have 2 ISPs.

Sometimes when the primary ISP goes down, I need to move the proxy server to the secondary ISP.
When the ISP is changed the DNS values also need to be changed.

If I use the ISP's DNS on the client PCs, all users will have to change their DNS every time the ISPs are switched.
If I use Proxy's DNS on the client PCs, the users do not have to change anything.

I can define all DNS values in the server and then forget about DNSes.
I hope this is much clearer now.

I agree, BIND is not my best option, more so for a novice like me.
Hence pls suggest the best alternate and some pointers on setting it up.

Thx
Vai
 
Old 07-10-2009, 03:21 AM   #6
jimbo1954
Member
 
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 258

You say you are using 2 ISPs. How are you managing routing to them from within your network (preference of 1 ISP over another)? I assume you are using iBGP to get the network to recognise the relative states of the two, and their suitability as a route to the Internet. It might help if we had had this information initially; it complicates your attempts somewhat.

You will have DNS servers in both ISPs. You could set up a DNS cache server (using something like DJBDNS, or if you *must*, then BIND) and arrange that your DNS cache server collects information from one, the other or both ISPs, and have the clients in the network point at the DNS Cache server for resolution.

FWIW, I totally concur with salasi's analysis of BIND, it's from a long time ago when there weren't bad people on the 'net and alternatives should be examined.
 
Old 07-10-2009, 03:57 AM   #7
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Original Poster
Currently, I manually change the G/w IP in ifcfg-eth0 whenever ISP-1 goes down.

I believe DNS forwarding server will be simpler than DNS cache server.

Can you suggest the simplest of options : DJBDNS or BIND or anything else ??

Can't IPtable DNAT DNS requests work and eliminate the need of any of the above ??

Thx
Vai
 
Old 07-11-2009, 04:39 AM   #8
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919

Quote:
Originally Posted by vaibhavs View Post
Currently, I manually change the G/w IP in ifcfg-eth0 whenevr ISP-1 goes down.
so, you are only trying to cure half of the problem...

Quote:
Can you suggest the simplest of options : DJBDNS or BIND or anything else ??
I am unsure what is in the centos repositories for this version (which is a factor, but one that you are in a better position to check than I am), but:
DNSMASQ and maradns are possibly as easy as they can be. Pdns is a possible too (but I've never installed it so I'm guessing).

As Dnsmasq can also act as a DHCP server, if you want both, probably that's the best choice. (Its still in the race, even if you only want DNS.)

DJBDNS is a good option, too, but, the last time I installed it (an old ubuntu) it wasn't a simple 'install from repos' but a somewhat involved local build. Not really difficult, but rather more stages than you'd like. If it is available from repos for your distro, this doesn't apply.

That said, having built it, the time to configure was just seconds.

Out of the list, DJBDNS is probably, judging by the historical record, the most secure. Even when Bind has vulns that are common to others, Bind is probably the one that gets the most hack attempts, as the hackers (& script kiddies, if that's a worthwhile distinction) try to go after the one that is most used in the Fortune-500-type (and, probably more to the point, three letter agencies and the like) sites.

So, if you do decide on Bind, someone in your organisation (and that may be one person) has got to realise that part of their job is to make frequent checks on whether new vulnerabilities have been found and taking the action to mitigate the threats in double quick time, and that has to happen good days and bad, high days and holidays. If your organisation isn't capable of doing this, you shouldn't be using Bind.
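As an added example (not from the thread, and not dnsmasq's own documentation): a small POSIX shell helper that generates the dnsmasq forwarder configuration salasi recommends for the setup described in posts #5 and #6, with the upstream ISP resolvers passed as parameters so the file can be regenerated and dnsmasq restarted when the ISP is switched, while the client PCs keep 192.168.1.13 as their DNS server. The function names are assumptions and the 203.0.113.x addresses are constructed sample values; the listed dnsmasq options (listen-address, bind-interfaces, no-resolv, server, domain-needed, bogus-priv, cache-size) are real.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): emit a dnsmasq forwarder config
# for the proxy box (192.168.1.13 in the thread), forwarding to the active
# ISP's resolvers. Usage: gen_dnsmasq_conf LAN_IP DNS1 [DNS2] > /etc/dnsmasq.conf

# Reject anything that is not a dotted quad with octets in 0..255, so a typo
# cannot end up as an upstream "server=" line.
valid_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

gen_dnsmasq_conf() {
    lan_ip=$1; dns1=$2; dns2=$3
    [ -n "$lan_ip" ] && [ -n "$dns1" ] || {
        echo "usage: gen_dnsmasq_conf LAN_IP DNS1 [DNS2]" >&2; return 1; }
    for ip in "$lan_ip" "$dns1" ${dns2:+"$dns2"}; do
        valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
    done
    cat <<EOF
# generated by gen_dnsmasq_conf; regenerate and restart dnsmasq on ISP change
# Answer only on the LAN address: a forwarder reachable from the Internet
# side would be an open resolver that others can abuse for amplification.
listen-address=$lan_ip
bind-interfaces
# Ignore /etc/resolv.conf; the upstream servers are listed here explicitly.
no-resolv
server=$dns1
${dns2:+server=$dns2}
# Never forward bare hostnames or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
cache-size=1000
EOF
}
```

Clients that point at 192.168.1.13 only need port 53 (UDP and TCP) open to them on the proxy box; the ISP-facing side stays closed.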
 