Re: Fwd: [squid-users] URL redirection in offline mode

From: mohd hafiz <bmhafiz_at_gmail.com>
Date: Sat, 16 Oct 2010 21:48:59 +0800

>>>>>
>>>> Do I need to configure each browser to pass requests to squid? Can it
>>>> be done by iptables at the server side? I want it to be transparent to
>>>> the user.
>>>
>>> You can use WPAD methods to set up the browsers in bulk with little or no
>>> user knowledge. They only need to set the browser to the "auto-detect"
>>> setting if it's not already defaulting to that.
>>>
>>> If you want to get really tricky you can start intercepting DNS going to
>>> servers outside your networks and pointing them at a recursive resolver
>>> under your own control. The success of this depends on whether the client
>>> software is doing DNSSEC or other security measures on their DNS replies.
>>>
>>
>> I have a local resolver in my main server. How can I intercept DNS going
>> outside and point it to a recursive server under my control?
>
> Firewall NAT. Same as you redirect port 80 to squid, but redirecting port
> 53 UDP to the internal DNS resolver.
>
Can I do as below:

eth0= interface to internet
$LAN_IN = interface to lan
$SQUID_SERVER = local DNS resolver
$SQUID_PORT = 3128

iptables -t nat -A PREROUTING -i $LAN_IN -p udp --dport 53 -j DNAT --to $SQUID_SERVER:$SQUID_PORT

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-port 3128

This will redirect UDP port 53 to my local resolver server.

Thanks
Received on Sat Oct 16 2010 - 13:49:01 MDT
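
The firewall NAT approach from the quoted reply, as an added example that is not part of the original thread: the function prints REDIRECT rules for DNS queries arriving on the LAN interface, assuming the resolver runs on the gateway itself and listens on port 53. The interface name eth1 is a placeholder, and covering TCP 53 as well as UDP goes beyond what the reply mentions.

```shell
#!/bin/sh
# Added example, not from the thread: print NAT rules that steer LAN DNS
# queries to a resolver listening on this gateway (default port 53).
# Review the output, then pipe it to "sh" as root to apply.

dns_redirect_rules() {
    lan_if=$1            # LAN-facing interface (hypothetical name, e.g. eth1)
    port=${2:-53}        # port the local resolver listens on

    if [ -z "$lan_if" ]; then
        echo "usage: dns_redirect_rules LAN_IF [RESOLVER_PORT]" >&2
        return 2
    fi
    case $port in
        ''|*[!0-9]*) echo "resolver port must be numeric: $port" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "resolver port out of range: $port" >&2
        return 2
    fi

    # UDP carries most queries; TCP is used for truncated or large answers.
    for proto in udp tcp; do
        # Match only on the LAN side so the resolver's own upstream
        # lookups (locally generated, never in PREROUTING) are untouched.
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53" \
             "-j REDIRECT --to-ports $port"
    done
}

# Constructed sample run: eth1 is an assumed LAN interface name.
dns_redirect_rules eth1
```

As the quoted reply notes, whether clients accept the substituted resolver's answers depends on whether they do DNSSEC or other checks on their DNS replies.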