> I get a new proxy address (e.g., 3121212.proxy.com) and a port number (in the range of 30000). It's not the listening port.

It is not their listening port? I doubt it; how else could you use it?

I can think of some type of DNS rotation they use. When their proxy.com at any time slot points to another of their IPs out of the pool reserved for this domain, they modify their DNS A record for the next time slot to use another IP. And, when having a second pool of IPs, they might also rotate the nnnn.proxy.com (CNAME) within their DNS record. Using some type of redirection, they finally always point to the same physical proxy.

Because of the IP rotation, the GFW will have problems dynamically detecting this service by means of traffic to the same IP. However, the vast number of DNS requests for proxy.com might be a hint, as the TTL must be just the (short) time slot.

Intruders into the service will need to scan the correct IPs/ports during the correct time slot, and then have access only during this time slot. Even this might be minimized by checking the intruder's IP characteristics, like country, or by integrating some type of port-scan detection to block this potential intruder.

So more or less safe, unless a lot of effort is invested in figuring out the DNS tricks.

So it is not a question of whether such a scheme can be done using squid, because the real effort has to be invested in DNS manipulation.
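
The port-scan detection suggested in the reply above, as an added sketch that is not part of the original post and is not Squid code: a source that tries more than a few distinct wrong ports within one time slot is blocked, while a client that tries the previous slot's port once is tolerated. The slot length, threshold, port schedule and log entries are constructed assumptions.

```python
from collections import defaultdict

SLOT_SECONDS = 300               # assumed length of one rotation time slot
MAX_WRONG_PORTS = 3              # assumed tolerance: distinct wrong ports per slot
SCHEDULE = {0: 30112, 1: 30458}  # hypothetical slot index -> port valid in that slot

# Constructed connection log: (unix_time, source_ip, destination_port).
# Source addresses come from the documentation ranges.
SAMPLE_LOG = [
    (10, "198.51.100.7", 30112),   # client using the port valid in slot 0
    (20, "203.0.113.9", 30001),    # start of a sweep over the port range
    (21, "203.0.113.9", 30002),
    (22, "203.0.113.9", 30003),
    (23, "203.0.113.9", 30004),    # fourth distinct wrong port: over the limit
    (24, "203.0.113.9", 30112),    # correct port, but the source is already blocked
    (305, "198.51.100.7", 30112),  # stale port just after rotation (old DNS answer)
    (310, "198.51.100.7", 30458),  # same client with the port valid in slot 1
]


def detect_scanners(log, schedule=SCHEDULE, slot_seconds=SLOT_SECONDS,
                    max_wrong=MAX_WRONG_PORTS):
    """Return (blocked, accepted): blocked maps source -> time of block,
    accepted lists the connections that would be let through."""
    wrong = defaultdict(set)   # (source, slot) -> distinct wrong ports tried
    blocked = {}
    accepted = []
    for t, src, port in sorted(log):
        if src in blocked:
            continue                        # drop everything from a blocked source
        slot = t // slot_seconds
        if schedule.get(slot) == port:
            accepted.append((t, src, port))
            continue
        wrong[(src, slot)].add(port)        # repeated hits on one port count once
        if len(wrong[(src, slot)]) > max_wrong:
            blocked[src] = t
    return blocked, accepted


if __name__ == "__main__":
    blocked, accepted = detect_scanners(SAMPLE_LOG)
    print("blocked:", blocked)
    print("accepted:", accepted)
```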