-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark (and others),

Thanks so much for the reply. I fully understand now.

Kenneth P. Oncinian
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Infrastructure Department
- --
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key

Mark Elsen wrote:
>> Hi List,
>>
>> My connection to the internet is only through a remote proxy
>> server. I have been using squid to connect to this remote proxy
>> server using the cache_peer option ( cache_peer xx.xx.xx.xx
>> parent 8080 0 no-query default ) and it is working fine if
>> specified manually in the client's browser setting.
>>
>> In my attempt to configure a transparent squid using PF (squid
>> is running on the OpenBSD gateway), I have found out that the
>> client is trying to connect to the internet using the DNS server
>> configured in the client, which does not work, because the DNS
>> server specified in the client is only internal.
>>
>> This is why squid is working if specified manually in the
>> browser: it does not use the DNS setting of the client, but it
>> directs the request to the parent proxy specified in cache_peer.
>>
>> I think I have correctly configured squid and PF to work in
>> transparent mode, since I can see the traffic being redirected if
>> a site can be accessed by the internal DNS server (for example,
>> websites located in the WAN).
>>
>> Any suggestions for transparent squid to work without the client
>> having a true DNS server configured? I hope I have explained this
>> correctly.
>>
>
> Of course not: since the browser is configured without any proxy
> settings, it thinks it has full internet access. Hence the need for
> DNS lookups. This is one of the basic disadvantages of transp.
> proxying; for a complete list, check below:
>
> The anti-intercepting or WHYNOT-transparent proxying bible:
> -------------------------------------------------------------------------------------------
>
> - Intercepting HTTP breaks TCP/IP standards because user agents
>   think they are talking directly to the origin server.
> - It causes path-MTU to fail, possibly making the website not
>   accessible.
> - As a result, for instance on older IE versions, "reload" did not
>   work as expected.
> - You can't use proxy authentication.
> - You can't use IDENT lookups.
> - Intercepting proxies are incompatible with IP filtering designed
>   to prevent address spoofing.
> - Clients are still expected to have full Internet DNS resolving
>   capabilities, when in certain Intranet/Firewalling setups this is
>   not always wanted.
> - Related to the above: because of the transp. proxy setup, suppose a
>   browser connects to a site which is down. HOWEVER, due to the
>   transparent proxying setup, it gets a connected state to the
>   interceptor. The end user may get wrong error messages or a
>   browser seemingly doing nothing anymore.
>
> M.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD+pWZ9MTaiXoaMBgRAvlfAJ9UqDf+ElVuvbDC5EnGcDgEbw8ujwCeLw6x
aEmtJ95asnp+YCSvQwN1WNk=
=k830
-----END PGP SIGNATURE-----
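The following is an added illustration of the point Mark makes above, not code from the thread or from the Squid project. It models the two ways a browser can reach an origin server: with an explicitly configured proxy, the client opens a TCP connection to the proxy and sends the absolute URI, so no client-side name lookup happens; in the intercepted ("transparent") case the browser believes it is talking to the origin, so it must resolve the hostname itself before PF can redirect anything to squid. The hostnames, the proxy address and the internal-only resolver table are constructed for the example.

```python
"""Why an intercepted client still needs public DNS while an explicit-proxy
client does not. Added example; addresses and names below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# Constructed: an internal-only DNS view that knows intranet names but has
# no answers for hosts on the public Internet (the situation in the thread).
INTERNAL_DNS: Dict[str, str] = {
    "intranet.example.local": "10.0.0.20",
}

# Constructed: squid listening on the gateway.
PROXY_ADDR: Tuple[str, int] = ("10.0.0.1", 3128)


@dataclass
class Connection:
    target: Tuple[str, int]   # (ip, port) the client actually opens a socket to
    request_line: str         # first line of the HTTP request
    host_header: str


def resolve(name: str, table: Dict[str, str]) -> str:
    """Look a name up in a fixed resolver table; fail like NXDOMAIN otherwise."""
    if name not in table:
        raise LookupError(f"NXDOMAIN: {name} (resolver has no public view)")
    return table[name]


def explicit_proxy_request(url: str, proxy: Tuple[str, int] = PROXY_ADDR) -> Connection:
    """Browser with a proxy configured: connects to the proxy and sends the
    absolute URI. Resolving the origin is the proxy's job (or, via cache_peer,
    the parent proxy's), so the client performs no DNS lookup at all."""
    parts = urlsplit(url)
    return Connection(target=proxy,
                      request_line=f"GET {url} HTTP/1.1",
                      host_header=parts.hostname)


def intercepted_request(url: str, resolver: Callable[[str], str]) -> Connection:
    """No proxy configured: the browser thinks it talks to the origin, so it
    has to resolve the name to choose a destination IP. Only the resulting
    TCP connection can be redirected by PF; if resolution fails there is no
    connection for squid to intercept."""
    parts = urlsplit(url)
    ip = resolver(parts.hostname)        # raises when only internal DNS exists
    port = parts.port or 80
    path = parts.path or "/"
    return Connection(target=(ip, port),
                      request_line=f"GET {path} HTTP/1.1",
                      host_header=parts.hostname)


def client_needs_dns(url: str, table: Dict[str, str] = INTERNAL_DNS) -> bool:
    """True when the intercepted path fails for lack of client-side DNS
    even though the explicit-proxy path for the same URL succeeds."""
    explicit_proxy_request(url)          # never needs a lookup
    try:
        intercepted_request(url, lambda name: resolve(name, table))
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    for u in ("http://intranet.example.local/status", "http://www.example.com/"):
        print(f"{u}: intercepted client blocked by DNS = {client_needs_dns(u)}")
```

Running the block shows that the intranet URL works in both modes while the public URL only works through the explicitly configured proxy, which matches the behaviour Kenneth observed: interception redirects traffic fine for sites the internal DNS can answer, and nothing at all for sites it cannot.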