
DNS lookup while using a transparent proxy





I have a problem in Eclipse for accessing update sites (for plugins). I am behind an NTLM proxy.

Strangely, this proxy asks for a password while in Linux but not when in Windows…

To get around this annoying password issue, I already set up a working cntlmd proxy. I can use this proxy for mounting a remote DavFS2 share, for example.


But the issue I have with Eclipse seems to involve proxy configuration. So I decided a transparent proxy could solve this issue. I installed tinyproxy on top of cntlmd, and added the following rule to the firewall:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to 8888


Now, I can configure Firefox for direct access to the Internet, and display a web site only if I give this web site's IP instead of its name! I surmise that it's because when configured for direct access, Firefox performs DNS lookups using the local (intranet) DNS, instead of squeezing its lookups through the proxy and accessing a broader DNS (I wonder which…).


So my question is: How can I make all DNS lookups go transparently through the transparent proxy?

With a bonus issue: Will it then be possible not to go through the proxy for a local domain?




Yves, from what I remember, there are two rules you need for sorting out iptables with a transparent proxy. You need the masquerading rule, as well as the rule that you already have.


I've thought about this a bit more, and it actually makes sense:

— When configured for proxy access, the browser doesn't expect the standard web protocols to be available. Thus, whether the URL is given by name or by IP, it always gives the query to the proxy, expecting it to return the query result. The proxy is expected to deal with DNS.

— With direct access, the browser is directly using the Internet protocols, hence in case of a URL with a name, it first tries to find out the IP for this name (DNS), and then tries to contact the web server at this IP; that's the normal procedure.


If my understanding is correct, there's no way a simple HTTP proxy can be configured to be a DNS proxy as well: ports are not the same. I have to configure both separately. As a matter of fact, my transparent proxy is working, as shown by the success I had when using IP-based URLs.

You're right Ian, in theory, for a full transparent proxy, there are missing iptables rules, but in my case, this one is enough because I'm the only user of this proxy. It's a selfish use :)


As far as I know, in Linux, Name Service is configured by /etc/nsswitch.conf, "hosts" line. On my home PC, here's what this line is like:

hosts:           mdns4 files nis dns   wins

On my work PC, only "files" and "dns" are relevant (I have no Zeroconf, no Nis, no Wins), but "files" would mean to reference each and every web server in my /etc/hosts file…


So there are only two ways I can solve my problem:

— add another plugin to nsswitch (like nss_tcb, nss_mdns, nss_wins), which would somehow be aware of the transparent proxy,

— or have my own DNS server.


Since I don't know of any nsswitch plugin for this purpose, I took the second route.

A bit more search pointed me at dnsmasq as a basis for this DNS server. Now I have a responding DNS server at configured with as an upstream DNS server, and a pre-configured tunnel through "cntlmd" from to (OpenDNS).


Here comes my next problem! The cntlmd tunnel is listening on TCP/1053, but dnsmasq queries UDP/1053…

How can I close the circuit?


I already tried inserting ttdns (listening on UDP/1053, with OpenDNS for upstream) between dnsmasq and cntlmd (acting as a SOCKS server on TCP/9050 instead of providing a tunnel). But this failed: "ttdnsd" complains with "connection failed", "Is Tor running?" And indeed Tor is not running…


What else could I try?



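
The UDP/TCP mismatch described in the post above is exactly what RFC 1035 message framing bridges. As an added example (not code from this thread or from dnsmasq or cntlmd), here is a small UDP-to-TCP shim: it accepts the UDP queries dnsmasq sends, relays each one over TCP to the cntlmd tunnel with the two-byte length prefix TCP DNS requires, and checks the transaction ID on the reply before handing it back. The 127.0.0.1 addresses and the use of port 1053 on both sides are assumptions, since the post elides its addresses.

```python
import socket
import struct

# RFC 1035 s.4.2.2: DNS over TCP prefixes each message with a 2-byte big-endian length.
def frame_tcp(msg: bytes) -> bytes:
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(data: bytes) -> bytes:
    if len(data) < 2:
        raise ValueError("short TCP DNS frame")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("truncated TCP DNS frame")
    return data[2:2 + length]

def ids_match(query: bytes, reply: bytes) -> bool:
    # The 16-bit transaction ID is what ties a reply to its query; drop mismatches.
    return len(query) >= 2 and len(reply) >= 2 and query[:2] == reply[:2]

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TCP connection")
        buf += chunk
    return buf

def relay_query(query: bytes, upstream=("127.0.0.1", 1053), timeout=5.0) -> bytes:
    """Forward one bare DNS query over TCP and return the bare reply."""
    with socket.create_connection(upstream, timeout=timeout) as tcp:
        tcp.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", recv_exact(tcp, 2))
        reply = recv_exact(tcp, length)
    if not ids_match(query, reply):
        raise ValueError("reply transaction ID does not match query")
    return reply

def serve(listen=("127.0.0.1", 1053), upstream=("127.0.0.1", 1053)) -> None:
    # Assumed layout: dnsmasq sends UDP to `listen`, cntlmd's tunnel is TCP on `upstream`.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(4096)
            try:
                udp.sendto(relay_query(query, upstream), client)
            except (OSError, ValueError) as exc:
                print(f"dropping query from {client}: {exc}")
```

Because UDP and TCP port numbers are independent, `serve()` can sit on UDP/1053 while the cntlmd tunnel keeps TCP/1053, so neither dnsmasq nor cntlmd needs reconfiguring.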

You can always install bind and set up a forwarder to an external DNS so then /etc/resolv.conf would only have:


nameserver localhost


for example, assuming you have bind on the same machine you are using, and then the /etc/named.conf will have the forwarder to some external DNS elsewhere, or however many you want to point. It wouldn't need any local zones as such, but could be configured that way.

