Re: [squid-users] transparent proxy without client DNS setting

From: Kenneth Oncinian <[email protected]>
Date: Tue, 21 Feb 2006 12:22:49 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mark, ( and others )

Thanks so much for the reply.
I fully understand now.

Kenneth P. Oncinian
Panasonic Communications Philippines Corporation
Information Systems Division - Network and Infrastructure Department
- --
PGP Public Key: http://m.1asphost.com/koncinian/koncinian.gnupg.key

Mark Elsen wrote:
>> Hi List,
>>
>> My connection to the internet is only through a remote proxy
>> server. I have been using squid to connect to this remote proxy
>> server using the cache_peer option ( cache_peer xx.xx.xx.xx
>> parent 8080 0 no-query default ) and it is working fine if
>> specified manually in the client's browser setting.
>>
>> In my attempt to configure a transparent squid using PF, ( squid
>> is running on the openbsd gateway ) I have found out that the
>> client is trying to connect to the internet using the DNS server
>> configured in the client, which does not work, because the DNS
>> server specified in the client is only internal.
>>
>> This is why squid is working if specified manually in the
>> browser, it does not use the DNS setting of the client, but it
>> directs the request to the parent proxy specified in cache_peer.
>>
>> I think I have correctly configured squid and PF to work in
>> transparent mode since I can see the traffic being redirected if
>> a site can be accessed by the internal DNS server, ( example,
>> websites located in WAN ).
>>
>> Any suggestions for transparent squid to work without the client
>> having a true DNS server configured? I hope I have explained this
>> correctly.
>>
>
> Of course not, since the browser is configured without any proxy
> settings, it thinks it has full internet access. Hence the need for
> DNS lookups. This is one of the basic disadvantages of transp.
> proxying; for a complete list, check below:
>
>
>
> The anti-intercepting or WHYNOT-transparent proxying bible :
> -------------------------------------------------------------------------------------------
>
>
> - Intercepting HTTP breaks TCP/IP standards because user agents
>   think they are talking directly to the origin server.
> - It causes path-MTU to fail, possibly making the website not
>   accessible.
> - As a result, for instance on older IE versions, "reload" did not
>   work as expected.
> - You can't use proxy authentication.
> - You can't use IDENT lookups.
> - Intercepting proxies are incompatible with IP filtering designed
>   to prevent address spoofing.
> - Clients are still expected to have full Internet DNS resolving
>   capabilities, when in certain Intranet/firewalling setups this is
>   not always wanted.
> - Related to the above: because of the transp. proxy setup, suppose
>   a browser connects to a site which is down. HOWEVER, due to the
>   transparent proxying setup, it gets a connected state to the
>   interceptor. The end user may get wrong error messages, or a
>   browser seemingly doing nothing any more.
>
> M.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD+pWZ9MTaiXoaMBgRAvlfAJ9UqDf+ElVuvbDC5EnGcDgEbw8ujwCeLw6x
aEmtJ95asnp+YCSvQwN1WNk=
=k830
-----END PGP SIGNATURE-----
Received on Mon Feb 20 2006 - 21:23:15 MST

This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST
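For readers landing on this thread looking for the squid/PF side of the setup Kenneth describes, the two fragments below are an added example written for this page; they are not configuration posted by Kenneth or Mark, and squid/PF do not ship them. They assume the 2006-era directive names (Squid 2.5 "httpd_accel" intercept settings, OpenBSD 3.x pf.conf syntax), a squid built with PF support and able to read /dev/pf, and invented names for the internal interface (`xl0`) and internal network (`192.168.0.0/24`); the parent address `xx.xx.xx.xx` is left as in the original post. What the example shows is the one thing squid can do about the DNS problem: with `never_direct allow all` squid itself never resolves or contacts origin servers, so the gateway only needs a route to the parent proxy. It does nothing for the client-side lookup Mark describes, which happens before any packet reaches the `rdr` rule.

```conf
# --- /etc/squid/squid.conf (Squid 2.5-style directives; assumed, not from the thread) ---
http_port 3128

# Intercept mode: an intercepted browser sends "GET / HTTP/1.1" plus a
# Host: header rather than a full URL, so squid must rebuild the URL
# from the Host: header.  Squid 2.6+ replaces these four lines with
# "http_port 3128 transparent".
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Upstream proxy, exactly as in the original post.
cache_peer xx.xx.xx.xx parent 8080 0 no-query default

# Never go direct: every request is handed to the parent, so squid needs
# no Internet DNS of its own.  The CLIENT still resolves the name before
# it ever opens the TCP connection that PF redirects, which is the point
# Mark makes above.
never_direct allow all

acl localnet src 192.168.0.0/24          # assumed internal network
http_access allow localnet
http_access deny all

# --- /etc/pf.conf (OpenBSD 3.x syntax; interface/network names assumed) ---
int_if  = "xl0"
int_net = "192.168.0.0/24"

# Translation rules come before filter rules in pf.conf.  Redirect
# outbound port 80 from the LAN to squid on the gateway itself; squid's
# own traffic leaves on the external interface and is not matched.
rdr on $int_if inet proto tcp from $int_net to any port www -> 127.0.0.1 port 3128

# Allow the redirected connections to reach squid.
pass in on $int_if inet proto tcp from $int_net to 127.0.0.1 port 3128 keep state
```

Two checks worth doing after loading this: `pfctl -s nat` should list the `rdr` rule, and a browser with no proxy configured should produce `TCP_MISS/… FIRST_UP_PARENT/xx.xx.xx.xx` lines in access.log for names the client can resolve. Names it cannot resolve never produce a log line at all, which is the symptom in the thread. One caveat specific to intercept mode: with `httpd_accel_uses_host_header on` squid trusts whatever Host: header the client sends, so the URL it forwards to the parent (and any ACL keyed on dstdomain) is under the client's control, unlike the explicit-proxy case where squid sees the full request URL.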