07-09-2009, 09:04 AM  #1
Member
Registered: Jun 2008
Posts: 113
Squid Proxy: DNS Requests
Hi,
I have just set up a Squid Proxy server (IP: 192.168.1.13)
CentOS-5, Squid, Dansguardian, Single Ethernet.
All working perfectly!
I just have a small query regarding DNS query forwarding.
While setting the network config on the desktop, I have set the G/w IP as 192.168.1.13.
Now, if I set up the Pri & Sec DNS IP of the ISP, then the internet works fine. But if I set up the DNS IP = 192.168.1.13, I am unable to surf.
The DNS query resolution does not happen.
I would like DNS queries to travel via 192.168.1.13.
Simple DNS forwarding via 192.168.1.13 to the ISP's DNS server.
What & how should I set this up?
A very simple solution is appreciated.
Thx
Vai
07-09-2009, 09:58 AM  #2
Member
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 205
Squid is an HTTP proxy working on port 80. It takes queries and passes them on to the target host's web server, and stores the response so that others downstream of the proxy can get the web page without having to request from the Internet.
DNS is not HTTP. It uses UDP port 53, and will make queries in a totally different protocol to that which a web proxy can understand, so unless you have some non-squid way of getting DNS queries through the system running the squid proxy, you will get exactly what you are seeing.
I guess you could set up some routing such that the proxy can proxy the HTTP, and simply redirect the DNS query, but to what end? The proxy won't do anything with the DNS messages, so I'd simply send your DNS queries to the right place in the first place.
HTH
07-09-2009, 10:26 AM  #3
Member
Registered: Jun 2008
Posts: 113
Original Poster
Some reading around suggests I should set up BIND and configure it in FORWARDING mode.
I followed one particular piece of documentation created by someone on the internet, but it did not help.
I am sure I did something incorrect or missed something.
If BIND is my best move forward, please suggest some simple and easy way to set up BIND & configure it in FORWARDING mode to forward DNS queries to my ISP's NS.
Thx
Vai
07-09-2009, 12:35 PM  #4
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,671
Quote (Originally Posted by vaibhavs):
    I would like DNS queries to travel via 192.168.1.13.
    Simple DNS forwarding via 192.168.1.13 to the ISP's DNS server.
But you don't explain why you would want to do this. Would you care to enlighten me?
Quote:
    Some reading around suggests I should set up BIND and configure it in FORWARDING mode.
While that would work, it doesn't seem to be the best solution (so, my suspicion is that you could but you shouldn't).
Bind is probably:
- the most difficult to configure (you seem to be some way to finding that out)
- history suggests it's one of the candidates with the worst security record
- probably the lowest performance solution
Most of the above seems to be a consequence of the fact that it is the most flexible, swiss army knife solution, but if you don't need that flexibility, does that make it a good solution for your situation?
07-10-2009, 12:35 AM  #5
Member
Registered: Jun 2008
Posts: 113
Original Poster
Let me explain this again..
I have set up a Squid Proxy server (IP: 192.168.1.13)
CentOS-5, Squid, Dansguardian, Single Ethernet.
All working perfectly!
I have 2 ISPs.
Sometimes, when the primary ISP goes down, I need to move the proxy server to the secondary ISP.
When the ISP is changed the DNS values also need to be changed.
If I use the ISP's DNS on the client PCs, all users will have to change their DNS every time the ISPs are switched.
If I use the Proxy's DNS on the client PCs, the users do not have to change anything.
I can define all DNS values in the server and then forget about DNSes.
I hope this is much clearer now.
I agree, BIND is not my best option, more so for a novice like me.
Hence please suggest the best alternative and some pointers on setting it up.
Thx
Vai
07-10-2009, 02:21 AM  #6
Member
Registered: Oct 2006
Location: High Wycombe, Bucks, UK.
Distribution: Debian and Fedora Core in equal measure
Posts: 205
You say you are using 2 ISPs. How are you managing routing to them from within your network (preference of 1 ISP over another)? I assume you are using iBGP to get the network to recognise the relative states of the two, and their suitability as a route to the Internet. It might help if we had had this information initially; it complicates your attempts somewhat.
You will have DNS servers in both ISPs. You could set up a DNS cache server (using something like DJBDNS, or if you *must*, then BIND) and arrange that your DNS cache server collects information from one, the other or both ISPs, and have the clients in the network point at the DNS cache server for resolution.
FWIW, I totally concur with salasi's analysis of BIND; it's from a long time ago when there weren't bad people on the 'net, and alternatives should be examined.
07-10-2009, 02:57 AM  #7
Member
Registered: Jun 2008
Posts: 113
Original Poster
Currently, I manually change the G/w IP in ifcfg-eth0 whenever ISP-1 goes down.
I believe a DNS forwarding server will be simpler than a DNS cache server.
Can you suggest the simplest of options: DJBDNS or BIND or anything else??
Can't iptables DNAT of DNS requests work and eliminate the need for any of the above??
Thx
Vai
07-11-2009, 03:39 AM  #8
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,671
Quote (Originally Posted by vaibhavs):
    Currently, I manually change the G/w IP in ifcfg-eth0 whenever ISP-1 goes down.
So, you are only trying to cure half of the problem...
Quote:
    Can you suggest the simplest of options: DJBDNS or BIND or anything else??
I am unsure what is in the CentOS repositories for this version (which is a factor, but one that you are in a better position to check than I am), but:
DNSMASQ and maradns are possibly as easy as they can be. Pdns is a possible too (but I've never installed it so I'm guessing).
As Dnsmasq can also act as a DHCP server, if you want both, probably that's the best choice. (It's still in the race, even if you only want DNS.)
DJBDNS is a good option, too, but the last time I installed it (an old Ubuntu) it wasn't a simple 'install from repos' but a somewhat involved local build. Not really difficult, but rather more stages than you'd like. If it is available from repos for your distro, this doesn't apply.
That said, having built it, the time to configure was just seconds.
Out of the list, DJBDNS is probably, judging by the historical record, the most secure. Even when Bind has vulns that are common to others, Bind is probably the one that gets the most hack attempts, as the hackers (& script kiddies, if that's a worthwhile distinction) try to go after the one that is most used in the Fortune-500-type (and, probably more to the point, three letter agencies and the like) sites.
So, if you do decide on Bind, someone in your organisation (and that may be one person) has got to realise that part of their job is to make frequent checks on whether new vulnerabilities have been found and to take action to mitigate the threats in double quick time, and that has to happen good days and bad, high days and holidays. If your organisation isn't capable of doing this, you shouldn't be using Bind.
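As an added example (not code from any poster in this thread), here is how the dnsmasq route suggested above fits the setup described: the proxy box at 192.168.1.13 answers DNS for the LAN and forwards only to the resolvers of whichever ISP is currently active, so the clients never change their DNS setting and the admin switches ISPs by regenerating one file on the server. The ISP resolver addresses and the function names are constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: render a dnsmasq forwarding config for the proxy box so LAN
# clients keep a single DNS address (192.168.1.13) while the upstream ISP is
# selected by one argument on the server.
# ISP resolver addresses are constructed placeholders (RFC 5737 ranges);
# replace them with your ISPs' real DNS servers.
ISP1_DNS="203.0.113.53 203.0.113.54"
ISP2_DNS="198.51.100.53 198.51.100.54"
LAN_IP="192.168.1.13"

# Print a dnsmasq config that forwards only to the chosen ISP's resolvers.
# Usage: render_dnsmasq_conf 1|2
render_dnsmasq_conf() {
    case "$1" in
        1) upstream="$ISP1_DNS" ;;
        2) upstream="$ISP2_DNS" ;;
        *) echo "usage: render_dnsmasq_conf 1|2" >&2; return 1 ;;
    esac
    printf '# dnsmasq forwarder for LAN clients, upstream ISP-%s\n' "$1"
    printf 'no-resolv\n'                     # ignore /etc/resolv.conf, use server= lines only
    printf 'listen-address=127.0.0.1,%s\n' "$LAN_IP"
    printf 'bind-interfaces\n'               # bind only the listed addresses, not every interface
    printf 'domain-needed\n'                 # never forward bare hostnames upstream
    printf 'bogus-priv\n'                    # never forward reverse lookups for private ranges
    printf 'cache-size=1000\n'               # cache answers so repeated lookups stay local
    for s in $upstream; do
        printf 'server=%s\n' "$s"
    done
}

# Count how many upstream resolvers a rendered config forwards to.
count_upstreams() {
    render_dnsmasq_conf "$1" | grep -c '^server='
}
```

Write the output to dnsmasq's config file (`render_dnsmasq_conf 2 > /etc/dnsmasq.conf` when moving to ISP-2), restart dnsmasq, and confirm from a client with `dig @192.168.1.13 www.example.com` that the answer comes from the proxy box.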