Users use DNS from the isp to bypass Squid

erwincas · 07-22-2010, 05:13 PM

I'm using Fedora 10 as a proxy server using squid, but I recently noticed that some users use the IPS's Dns to bypass the proxy and surf the web freely. So my question is, is this a problem with Squid or perhaps I can solve the problem whit IPTables.

Thanks for the help.

damgar · 07-22-2010, 08:27 PM

Blocking these servers and any others you can think of ought to go a long way Free Public DNS Server

Code:

Service provider: Google

8.8.8.8
8.8.4.4
Service provider: ScrubIt
Public dns server address:

67.138.54.100
207.225.209.66
Service provider:dnsadvantage
Dnsadvantage free dns server list:

156.154.70.1
156.154.71.1
Service provider:OpenDNS
OpenDNS free dns server list:

208.67.222.222
208.67.220.220
Service provider: vnsc-pri.sys.gtei.net
Public Name server IP address:

4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5
4.2.2.6

estabroo · 07-22-2010, 08:48 PM

you shouldn't need to block any dns, just convert your squid into a transparent proxy, they'll still be able to get around certain stuff from things like google cached pages or via a tunnel, but anything heading toward a normal web server will get sent to squid first.

erwincas · 07-22-2010, 11:43 PM

I don't want to block any DNS, ok maybe this will explain more clearly my problem

in windows, I put this configuration.

Ip Address 192.168.0.10
Subnet Mask 255.255.255.0
Gateway 192.168.0.1

Preferred DNS Server (left in blank)
Alternate DNS Server (left in blank)

and in the browser I configure the proxy as follows

Address 192.168.0.1 Port 3128

Whit this configuration windows is behind the Squid.

BUT!!!!!

If the user add the DNS from my ISP

Ip Address 192.168.0.10
Subnet Mask 255.255.255.0
Gateway 192.168.0.1

Preferred DNS Server 216.230.147.x
Alternate DNS Server 216.230.128.x

windows surf the web like it were connected directly to the router and doesn't
matter if there is a Proxy server.

Thanks again for the help.

estabroo · 07-23-2010, 12:37 AM

Like I said switch your squid over to a transparent proxy. To do this you'll need to redirect any port 80 traffic to it typically via iptables dnat if you are using linux as the outbound router os. The nice thing about this is it doesn't require them to configure the proxy in their browser.

http://www.cyberciti.biz/tips/linux-...uid-howto.html

erwincas · 07-23-2010, 10:35 PM

Thanks for your replay. I will use your suggestion and post later if the issue were corrected.

win32sux · 07-23-2010, 11:58 PM

Alternatively, you could disable IP forwarding on the router for the clients, thereby forcing them to use Squid to get outside the LAN. FWIW, a stopgap while you decide your best approach could be (on the router):

Code:

iptables -I FORWARD -p UDP -i $LAN_IFACE -o $WAN_IFACE --dport 53 -j REJECT
iptables -I FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 53 -j REJECT
iptables -I FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 80 -j REJECT
iptables -I FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --dport 443 -j REJECT

This prevents Web traffic (at least that which uses the standard ports) from being forwarded, which essentially means they'll be forced to use Squid for this sort of thing. I'd make sure outbound DNS queries aren't being used by the clients for anything else before blocking them, though.