DNS lookup while using a transparent proxy


theYinYeti

Hello,

 

I have a problem in Eclipse for accessing update sites (for plugins). I am behind a NTLM proxy.

Strangely, this proxy asks for a password while in Linux but not when in Windows…

To get around this annoying password issue, I already set up a working cntlmd proxy. I can use this proxy for mounting a remote DavFS2 share, for example.

 

But the issue I have with Eclipse seems to involve proxy configuration. So I decided a transparent proxy could solve this issue. I installed tinyproxy on top of cntlmd, and added the following rule to the firewall:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to 8888

 

Now, I can configure Firefox for direct access to the Internet, and display a web site only if I give this web site's IP instead of its name! I surmise that it's because when configured for direct access, Firefox performs DNS lookups using the local (intranet) DNS, instead of squeezing its lookups through the proxy and accessing a broader DNS (I wonder which…).

 

So my question is: How can I make all DNS lookups go transparently through the transparent proxy?

With a bonus issue: Will it then be possible not to go through the proxy for a local domain?

 

Yves.


Yves, from what I remember, there are two rules you need for sorting out iptables with a transparent proxy. You need the masquerading rule, as well as the rule that you already have.


I've thought about this a bit more, and it actually makes sense:

— When configured for proxy access, the browser doesn't expect the standard web protocols to be available. Thus, whether the URL is given by name or by IP, it always gives the query to the proxy, expecting it to return the query result. The proxy is expected to deal with DNS.

— With direct access, the browser is directly using the Internet protocols, hence in case of a URL with a name, it first tries to find out the IP for this name (DNS), and then tries to contact the web server at this IP; that's normal proceeding.

 

If my understanding is correct, there's no way a simple HTTP proxy can be configured to be a DNS proxy as well: the ports are not the same. I have to configure both separately. As a matter of fact, my transparent proxy is working, as shown by the success I had when using IP-based URLs.

You're right Ian, in theory, for a full transparent proxy, there are missing iptables rules, but in my case, this one is enough because I'm the only user of this proxy. It's a selfish use :)

 

As far as I know, in Linux, Name Service is configured by /etc/nsswitch.conf, “hosts” line. On my home PC, here's what this line is like:

hosts:           mdns4 files nis dns   wins

On my work PC, only “files” and “dns” are relevant (I have no Zeroconf, no Nis, no Wins), but “files” would mean to reference each and every web server in my /etc/hosts file…

 

So there are only two ways I can solve my problem:

— add another plugin to nsswitch (like nss_tcb, nss_mdns, nss_wins), which would somehow be aware of the transparent proxy,

— or have my own DNS server.

 

Since I don't know of any nsswitch plugin for this purpose, I took the second route.

A bit more search pointed me at dnsmasq as a basis for this DNS server. Now I have a responding DNS server at 127.0.0.1:53 configured with 127.0.0.1:1053 as an upstream DNS server, and a pre-configured tunnel through “cntlmd” from 127.0.0.1:1053 to 208.67.222.222:53 (OpenDNS).

 

Here comes my next problem! The cntlmd tunnel is listening on TCP/1053, but dnsmasq queries UDP/1053…

How can I close the circuit?

 

I already tried inserting ttdns (listening on UDP/1053, with OpenDNS for upstream) between dnsmasq and cntlmd (acting as a SOCKS server on TCP/9050 instead of providing a tunnel). But this failed: “ttdnsd” complains with “connection failed”, “Is Tor running?” And indeed Tor is not running…

 

What else could I try?

 

Yves.
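The UDP-versus-TCP gap described in the post above can be closed with a small relay: it listens on UDP/1053, where dnsmasq sends its queries, and hands each one to the cntlmd tunnel on TCP/1053, adding the 2-byte length prefix that DNS over TCP requires. This is an added example, not code from the thread; the addresses are assumed from the post, and `fake_tcp_upstream` is a loopback stand-in for the tunnel so the relay can be exercised without cntlmd.

```python
import socket, struct, threading

UPSTREAM = ("127.0.0.1", 1053)  # cntlmd's TCP tunnel from the post (assumed)

def to_tcp_frame(msg: bytes) -> bytes:
    # DNS over TCP prefixes each message with a 2-byte big-endian length
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed mid-message")
        buf += chunk
    return buf

def read_tcp_frame(sock: socket.socket) -> bytes:
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)

def forward_query(query: bytes, upstream=UPSTREAM, timeout=5.0) -> bytes:
    # One TCP connection per query: good enough for a single-user box
    with socket.create_connection(upstream, timeout=timeout) as tcp:
        tcp.sendall(to_tcp_frame(query))
        answer = read_tcp_frame(tcp)
    if len(answer) > 512:  # plain UDP answers are capped at 512 bytes
        # Cut it and set TC, so the resolver retries the same query over TCP
        answer = answer[:2] + bytes([answer[2] | 0x02]) + answer[3:512]
    return answer

def serve(listen=("127.0.0.1", 1053), upstream=UPSTREAM):
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    while True:  # what dnsmasq sends arrives here as UDP
        query, client = udp.recvfrom(4096)
        try:
            udp.sendto(forward_query(query, upstream), client)
        except OSError:
            pass  # tunnel down: drop it, dnsmasq times out and retries

def fake_tcp_upstream() -> int:
    # Loopback stand-in for the tunnel: echoes the query with the QR bit set
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0)); srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with conn:
            q = read_tcp_frame(conn)
            conn.sendall(to_tcp_frame(q[:2] + bytes([q[2] | 0x80]) + q[3:]))
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]
```

UDP and TCP ports are separate namespaces, so the relay's UDP/1053 listener does not collide with cntlmd's TCP/1053 one; the relay only ever talks to loopback, so it needs no privileges beyond the user running dnsmasq's upstream.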


You can always install bind and set up a forwarder to an external DNS so then /etc/resolv.conf would only have:

 

nameserver localhost

 

for example, assuming you have bind on the same machine you are using, and then the /etc/named.conf will have the forwarder to some external DNS elsewhere, or however many you want to point. It wouldn't need any local zones as such, but could be configured that way.
