On Fri, 15 Oct 2010 23:57:13 +0800, mohd hafiz <bmhafiz@xxxxxxxxx> wrote:
> Sorry for the late response,
>
>
>>>>
>>> Do I need to configure each browser to pass requests to squid? Can it
>>> be done by the iptables at the server side? I want it transparent to
>>> the user.
>>
>> You can use WPAD methods to setup the browsers in bulk with little or no
>> user knowledge. They only need to set the browser to the "auto-detect"
>> setting if it's not already defaulting to that.
>>
>> If you want to get really tricky you can start intercepting DNS going to
>> servers outside your networks and pointing them at a recursive resolver
>> under your own control. The success of this depends on whether the client
>> software is doing DNSSEC or other security measures on their DNS replies.
>>
>
> I have a local resolver in my main server. How can I intercept DNS going
> outside and point it to a recursive server under my control?

Firewall NAT. Same as you redirect port 80 to squid, but redirecting port 53
UDP to the internal DNS resolver.

Amos
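
The firewall NAT redirect described in the reply above, written out as an added example that is not part of the original thread. It assumes the resolver listens on port 53 of the gateway itself; the interface name `eth1` and the exempt address `192.168.1.53` are hypothetical, and TCP port 53 is covered alongside the UDP port the reply names because DNS falls back to TCP for large answers.

```shell
#!/bin/sh
# Added example: print the iptables NAT rules that steer LAN clients'
# outbound DNS to the resolver running on the gateway. The rules are only
# printed so they can be reviewed before being applied as root.
#
# dns_intercept_rules LAN_IF [EXEMPT_SRC ...]
#   LAN_IF      interface facing the clients (hypothetical: eth1)
#   EXEMPT_SRC  internal IPv4 hosts or CIDR ranges allowed to query outside
#               directly, e.g. a second internal resolver (hypothetical)
dns_intercept_rules() {
    if [ $# -lt 1 ]; then
        echo "usage: dns_intercept_rules LAN_IF [EXEMPT_SRC ...]" >&2
        return 2
    fi
    lan_if=$1
    shift
    # Accept only a plain interface name, since the output is meant for a shell.
    case $lan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $lan_if" >&2; return 2 ;;
    esac
    # Exemptions are emitted first so they match before the redirect.
    # ACCEPT in the nat table ends NAT processing with no translation.
    for src in "$@"; do
        case $src in
            ''|*[!0-9./]*) echo "bad address: $src" >&2; return 2 ;;
        esac
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $lan_if -s $src -p $proto --dport 53 -j ACCEPT"
        done
    done
    # PREROUTING sees only packets arriving on LAN_IF. The gateway resolver's
    # own upstream queries are locally generated (OUTPUT chain), so they are
    # not redirected back to itself.
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

# Usage: dns_intercept_rules eth1 192.168.1.53
```

Clients that validate DNSSEC themselves, or that use an encrypted DNS transport on another port, are not affected by these rules in the way plain port 53 lookups are, which is the limitation the quoted advice mentions.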