Search squid archive

Re: [squid-users] DNS lookup failure when transparent proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks Chris and all others for your useful contributions on this.

Although I had the proxy firewall setup correctly, it turns out that I had not setup the proxy server correctly to do NAT / routing.
With the help of the tcpdump command on port 53 on both proxy interfaces, I could see DNS requests from the client were making it through the proxy firewall to the ISP name server.
Likewise, a response from the name server was being received by the external (internet facing) interface on the proxy.
Here though, the packets were getting lost (and were not being redirected to the client machines on the internal LAN).


Taking a user friendly option, I eventually solved the problem by installing the gui tool 'guidedog' on the proxy and configuring a setting to enable routing.

Steve

----- Original Message ----- From: "Chris Robertson" <crobertson@xxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Sent: Friday, May 13, 2005 7:14 PM
Subject: RE: [squid-users] DNS lookup failure when transparent proxy



On 5/13/05, Steven Morris <steven.morris@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,


I've installed squid version 2.5 release 9 on redhat linux fedora core 3

and
setup a proxy server (with 2 ethernet ports) between my LAN and the
internet.
I've successfully configured Squid so the proxy server runs
transparently
and intercepts all http requests from clients on the LAN.
When I enter IP address's (including the IP address for google) in the
client's web browser URL, the pages are served fine, but when I enter a
domain name in the URL,
the browser returns the 'Page Cannot be displayed message'.

The client machine and proxy (in /etc/resolv.conf) both know our ISP
nameservers IP address and I've configured the proxy server firewall to
allow DNS lookups via UDP on port 53.

If the client browser is configured to use the proxy server (rather than
have it run transparently), DNS lookups work fine and domain name URL
pages
are displayed.
I would however, really like to get DNS lookups working with a
transparent
proxy setup.

I can't see it myself but would this involve changing settings in
squid.conf?.. or perhaps some form of iptables forwarding command for
DNS
responses on UDP port 53? (ie to forward incoming
responses from the nameserver to the proxy back to the client machines
on
the LAN).

Any possible solutions would be greatly appreciated.

Regards,

Steve


----- Original Message ----- From: "dev singh" <dev.pratap@xxxxxxxxx>
To: "Steven Morris" <steven.morris@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Friday, May 13, 2005 1:22 PM
Subject: Re: [squid-users] DNS lookup failure when transparent proxy



Hi steve,

Start caching DNS on proxy server and put ur server's private ip as
the primary DNS on client and the things will go.

I think the problem with ur existing configuration is that the private
ip which u r using on ur clients , they are not known by ur DNS
server.

r u avle to ping ur dns server from ur clinet . if u r able to do that
than ur configuration will work otherwise it won't.

For more detail reason kindly give a rough sketch of ur setup
Regards
dev

-----Original Message-----
From: Steven Morris [mailto:steven.morris@xxxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, May 13, 2005 6:40 AM
To: dev singh
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: [squid-users] DNS lookup failure when transparent proxy


Hi Dev,

Thanks very much for your response.

Am I correct in thinking that I should set my LAN client's primary DNS
server address to the IP address of the proxy server?
You mentioned I should start caching DNS on the proxy server.. how would I

go about this?  Do I need to configure something on
the proxy server / squid.conf to enable this?

I'm not currently able to ping our ISP dns server from the client.  I can
however (as expected) ping the dns server from the proxy server.

My setup involves the following:
Proxy server with two ethernet ports.
eth0: A LAN with the client machines attached.. these are the clients
whose
http requests are being served transparently by the proxy server.
eth1: Another LAN containing a wireless router with connection to the
internet.

In squid.conf, I've setup the configuration for a transparent proxy:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I've set the port used by clients to acces squid (http_port 3128) and ran
the iptables command that redirects incoming tcp packets on port 80 to
port
3128.
Apart from this (and some configuration to ACL's in squid.conf), I've not
changed anything from the default installation of squid.

Regards
Steve



Basically what's happening is your clients have no DNS server to query (they
can't ping the ISP DNS server, so likely can't query it), so don't know how
to translate domain names into IP addresses. When the clients are set up to
explicitly use the Proxy, they just send the request to it and let it work
out all the details (including DNS lookups).


Running a caching DNS server is not too difficult (especially if you have
managed DNS servers to query), and you can find instructions scattered
around the net. FC3 comes with BIND 9 (use YUM to install it if it's not on
the system), and if you edit the /etc/named.conf file to add your ISP DNS
servers as forwarders, you should be pretty set. "man named.conf" will give
you a good idea of how to add forwarders. If it's not enough, I'd be happy
to help off list.


Your other option (assuming that you have NAT working) is to allow the
clients behind the Squid server to use the ISP nameservers directly.

Chris




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux