>>>> Do I need to configure each browser to pass requests to squid? Can it
>>>> be done by iptables at the server side? I want it transparent to
>>>> the user.
>>>
>>> You can use WPAD methods to set up the browsers in bulk with little or no
>>> user knowledge. They only need to set the browser to the "auto-detect"
>>> setting if it's not already defaulting to that.
>>>
>>> If you want to get really tricky you can start intercepting DNS going to
>>> servers outside your networks and pointing them at a recursive resolver
>>> under your own control. The success of this depends on whether the client
>>> software is doing DNSSEC or other security measures on their DNS replies.
>>>
>> I have a local resolver in my main server. How can I intercept DNS going
>> outside and point it to a recursive server under my control?
>
> Firewall NAT. Same as you redirect port 80 to squid, but redirecting port
> 53 UDP to the internal DNS resolver.

Can I do as below:

  eth0 = interface to internet
  $LAN_IN = interface to lan
  $SQUID_SERVER = local DNS resolver
  $SQUID_PORT = 3128

  iptables -t nat -A PREROUTING -i $LAN_IN -p udp --dport 53 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
  iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-port 3128

This will redirect udp port 53 to my local resolver server.

Thanks
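As an added example (not from the thread, squid, or any of the posters), this script emits the NAT rules that the "redirect port 53 to the internal resolver" advice actually requires: the resolver is reached on port 53 (squid on 3128 does not speak DNS), only the LAN interface is matched, the resolver's own outbound lookups are exempted so they are not looped back, and TCP is covered alongside UDP. The interface name eth1 and the resolver address 192.0.2.53 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (does not apply) the NAT rules
# that send LAN clients' DNS to an internal resolver listening on port 53.
# Interface name and resolver address are assumed placeholders.
LAN_IN="${LAN_IN:-eth1}"                  # assumed LAN-facing interface
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"    # assumed internal resolver address
DNS_PORT="${DNS_PORT:-53}"                # DNS port, never the squid port

dns_redirect_rules() {
    # 1. The resolver's own outbound lookups (to root/authoritative servers)
    #    must pass untouched, or they would be DNATed back to the resolver.
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j RETURN\n' \
            "$LAN_IN" "$DNS_SERVER" "$proto"
    done
    # 2. Every other LAN query, UDP and TCP (large or DNSSEC answers fall
    #    back to TCP), is rewritten to the resolver on port 53.
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:%s\n' \
            "$LAN_IN" "$proto" "$DNS_SERVER" "$DNS_PORT"
    done
    # 3. If the resolver sits on the same LAN as the clients rather than on
    #    the router itself, its replies would bypass the router and arrive
    #    from an address the client never queried. Masquerading the
    #    redirected flow keeps the return path on the router so the DNAT
    #    can be reversed.
    for proto in udp tcp; do
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -j MASQUERADE\n' \
            "$LAN_IN" "$DNS_SERVER" "$proto"
    done
    # Only plain DNS on port 53 is caught: clients using DNS over TLS (853)
    # or DNS over HTTPS (443) bypass these rules, and DNSSEC-validating
    # clients reject answers the resolver cannot sign, as the thread notes.
}

# Review the output first; apply as root with:  dns_redirect_rules | sh
dns_redirect_rules
```

No rule is installed on the internet-facing interface: the goal is to steer LAN clients, not to accept DNS queries from outside.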