Re: [squid-users] transparent proxy without client DNS setting

From: Mark Elsen <mark.elsen@dont-contact.us>
Date: Mon, 20 Feb 2006 12:23:15 +0100

> Hi List,
>
> My connection to the internet is only through a remote proxy server.
> I have been using squid to connect to this remote proxy server using
> the cache_peer option ( cache_peer xx.xx.xx.xx parent 8080 0 no-query
> default )
> and it is working fine if specified manually in the client's browser
> setting.
>
> In my attempt to configure a transparent squid using PF, ( squid is
> running on the
> openbsd gateway ) I have found out that the client is trying to
> connect to the
> internet using the DNS server configured in the client, which does not
> work, because
> the DNS server specified in the client is only internal.
>
> This is why squid is working if specified manually in the browser, it
> does not use
> the DNS setting of the client, but it directs the request to the
> parent proxy specified
> in cache_peer.
>
> I think I have correctly configured squid and PF to work in
> transparent mode since I can see
> the traffic being redirected if a site can be accessed by the internal
> DNS server, ( example,
> websites located in WAN ).
>
> any suggestions for transparent squid to work without the client
> having a true DNS server configured?
> I hope i have explained this correctly.
>

Of course not, since the browser is configured without any
proxy settings, it thinks it has full internet access.
Hence the need for DNS lookups. This is one of the basic
disadvantages of transp. proxying; for a complete list , check below :

  The anti-intercepting or WHYNOT-transparant proxying bible :
  -------------------------------------------------------------------------------------------

 - Intercepting HTTP breaks TCP/IP standards because user agents
think they are talking directly to the origin server.
   - It causes path-MTU to fail. Possibly making the website not accessible.
   - As a result for instance on older IE versions ; "reload" did not
work as expected.
   - You can't use proxy authentication
   - You can't use IDENT lookups
   - Intercepting proxies are incompatible with IP filtering designed
to prevent address spoofing.
   - Clients are still expected to have full Internet DNS resolving
capabilities , when in certain Intranet/Firewalling setups , this
is not always wanted.
   - Related to above : because of transp. proxy setup : suppose a browser
connects to a site
which is down.HOWEVER , due to the transparant proxying setup. It gets
a connected state to the interceptor. The
end user may get wrong error messages or a browser, seemingly
doing nothing anymore.

M.
Received on Mon Feb 20 2006 - 04:23:23 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST