Thanks Chris and all others for your useful contributions on this.
Although I had the proxy firewall setup correctly, it turns out that I had not setup the proxy server correctly to do NAT / routing.
With the help of the tcpdump command on port 53 on both proxy interfaces, I could see DNS requests from the client were making it through the proxy firewall to the ISP name server.
Likewise, a response from the name server was being received by the external (internet facing) interface on the proxy.
Here though, the packets were getting lost (and were not being redirected to the client machines on the internal LAN).
Taking a user friendly option, I eventually solved the problem by installing the gui tool 'guidedog' on the proxy and configuring a setting to enable routing.
Steve
----- Original Message ----- From: "Chris Robertson" <crobertson@xxxxxxx>
To: <squid-users@xxxxxxxxxxxxxxx>
Sent: Friday, May 13, 2005 7:14 PM
Subject: RE: [squid-users] DNS lookup failure when transparent proxy
On 5/13/05, Steven Morris <steven.morris@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
I've installed squid version 2.5 release 9 on redhat linux fedora core 3
transparentlyand setup a proxy server (with 2 ethernet ports) between my LAN and the internet. I've successfully configured Squid so the proxy server runstransparentand intercepts all http requests from clients on the LAN. When I enter IP address's (including the IP address for google) in the client's web browser URL, the pages are served fine, but when I enter a domain name in the URL, the browser returns the 'Page Cannot be displayed message'.
The client machine and proxy (in /etc/resolv.conf) both know our ISP nameservers IP address and I've configured the proxy server firewall to allow DNS lookups via UDP on port 53.
If the client browser is configured to use the proxy server (rather than
have it run transparently), DNS lookups work fine and domain name URL
pages
are displayed.
I would however, really like to get DNS lookups working with aDNSproxy setup.
I can't see it myself but would this involve changing settings in squid.conf?.. or perhaps some form of iptables forwarding command foronresponses on UDP port 53? (ie to forward incoming responses from the nameserver to the proxy back to the client machines----- Original Message ----- From: "dev singh" <dev.pratap@xxxxxxxxx>the LAN).
Any possible solutions would be greatly appreciated.
Regards,
Steve
To: "Steven Morris" <steven.morris@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Friday, May 13, 2005 1:22 PM
Subject: Re: [squid-users] DNS lookup failure when transparent proxy
Hi steve,
Start caching DNS on proxy server and put ur server's private ip as the primary DNS on client and the things will go.
I think the problem with ur existing configuration is that the private ip which u r using on ur clients , they are not known by ur DNS server.
r u avle to ping ur dns server from ur clinet . if u r able to do that than ur configuration will work otherwise it won't.
For more detail reason kindly give a rough sketch of ur setup Regards dev
-----Original Message----- From: Steven Morris [mailto:steven.morris@xxxxxxxxxxxxxxxxxxxxxxx] Sent: Friday, May 13, 2005 6:40 AM To: dev singh Cc: squid-users@xxxxxxxxxxxxxxx Subject: Re: [squid-users] DNS lookup failure when transparent proxy
Hi Dev,
Thanks very much for your response.
Am I correct in thinking that I should set my LAN client's primary DNS
server address to the IP address of the proxy server?
You mentioned I should start caching DNS on the proxy server.. how would I
whosego about this? Do I need to configure something on the proxy server / squid.conf to enable this?
I'm not currently able to ping our ISP dns server from the client. I can however (as expected) ping the dns server from the proxy server.
My setup involves the following: Proxy server with two ethernet ports. eth0: A LAN with the client machines attached.. these are the clientsporthttp requests are being served transparently by the proxy server. eth1: Another LAN containing a wireless router with connection to the internet.
In squid.conf, I've setup the configuration for a transparent proxy: httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on
I've set the port used by clients to acces squid (http_port 3128) and ran the iptables command that redirects incoming tcp packets on port 80 to3128. Apart from this (and some configuration to ACL's in squid.conf), I've not changed anything from the default installation of squid.
Regards Steve
Basically what's happening is your clients have no DNS server to query (they
can't ping the ISP DNS server, so likely can't query it), so don't know how
to translate domain names into IP addresses. When the clients are set up to
explicitly use the Proxy, they just send the request to it and let it work
out all the details (including DNS lookups).
Running a caching DNS server is not too difficult (especially if you have
managed DNS servers to query), and you can find instructions scattered
around the net. FC3 comes with BIND 9 (use YUM to install it if it's not on
the system), and if you edit the /etc/named.conf file to add your ISP DNS
servers as forwarders, you should be pretty set. "man named.conf" will give
you a good idea of how to add forwarders. If it's not enough, I'd be happy
to help off list.
Your other option (assuming that you have NAT working) is to allow the clients behind the Squid server to use the ISP nameservers directly.
Chris
