Tproxy + DNS + OpenDNS = Borked
Hey Guys,

After getting tproxy running on a server that handles a dozen or so of our clients I've run into an interesting problem that I'm having issues with fixing. Some of our clients use OpenDNS to filter porn websites, but when TPROXY is in use the client can still access it. I've figured out that it's because the TPROXY server is looking up the DNS directly. I can't change the server to use OpenDNS with the client's account because a number of clients not using OpenDNS use it as well.

Is there any way to get squid and TPROXY to spoof DNS requests to show as coming from the client IP and not cache the result?

Cheers
Tristram
On 20 May 2010 07:55, Tristram Cheer <tproxy@tristramcheer.com> wrote:
> Is there any way to get squid and TPROXY to spoof DNS requests to show as coming from the client IP and not cache the result?
With a bit of coding, sure. This has an impact on your cache contents - since each client has a "different view" of DNS, content is going to have to be cached according to the client themselves rather than just globally.

Also, cached content for client A that isn't filtered by OpenDNS will be returned to client B that is filtered by OpenDNS, because cached content doesn't necessarily require constant revalidation, and cached content w/out revalidation won't require a DNS lookup to complete. That'll require further code changes.

You should bounce further questions like this to the squid-users@ list, rather than this list!

Adrian
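To make the caching point above concrete, here is an added example in Python (not from the thread, and not Squid code): a toy proxy that resolves names itself and keeps one global cache, beside one that resolves in the requesting client's own DNS view and keys its cache by the resolved address, which is one way of caching "according to the client". Client names, hostnames, addresses and the block-page behaviour are constructed placeholders.

```python
# Added example, not code from the thread: a toy model of the failure Adrian
# describes. NaiveProxy resolves names itself and keeps one global cache, so a
# filtered client gets whatever an unfiltered client fetched first. ViewKeyedProxy
# resolves in each client's own view and keys the cache by the resolved address.
# All names, addresses and clients below are constructed placeholders.

BLOCK_PAGE = "203.0.113.1"  # constructed stand-in for the filtering resolver's block page
DNS_VIEWS = {
    "isp":     {"example.com": "198.51.100.10", "filtered.example": "198.51.100.20"},
    "opendns": {"example.com": "198.51.100.10", "filtered.example": BLOCK_PAGE},
}
CLIENT_RESOLVER = {"clientA": "isp", "clientB": "opendns"}


def origin_fetch(ip, host):
    """Constructed origin: the block-page address answers with a block notice."""
    return f"BLOCKED:{host}" if ip == BLOCK_PAGE else f"CONTENT:{host}"


class NaiveProxy:
    """Proxy does its own lookups (one view for everyone) and caches per URL."""
    def __init__(self, proxy_view="isp"):
        self.view, self.cache = DNS_VIEWS[proxy_view], {}

    def get(self, client, host):
        if host not in self.cache:  # a hit needs no DNS, so no per-client policy runs
            self.cache[host] = origin_fetch(self.view[host], host)
        return self.cache[host]


class ViewKeyedProxy:
    """Resolves in the requesting client's view and caches per (address, host)."""
    def __init__(self):
        self.cache = {}

    def get(self, client, host):
        ip = DNS_VIEWS[CLIENT_RESOLVER[client]][host]  # the client's own DNS answer
        key = (ip, host)
        if key not in self.cache:
            self.cache[key] = origin_fetch(ip, host)
        return self.cache[key]


def demo(host="filtered.example"):
    """clientA (unfiltered) fetches first, then clientB (filtered) asks for the same URL."""
    naive, keyed = NaiveProxy(), ViewKeyedProxy()
    return {
        "naive": [naive.get("clientA", host), naive.get("clientB", host)],
        "keyed": [keyed.get("clientA", host), keyed.get("clientB", host)],
    }
```

Running `demo()` shows the naive proxy handing clientB the content fetched for clientA from cache, while the view-keyed proxy fetches the block page for clientB because its cache entry is a different key.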
Hi Adrian,

Thanks for the info, I was thinking that squid-users might be more helpful. For what it's worth we don't cache HTML, only large files/images etc, but I hadn't thought about the "views" issue.

Thanks for your help

Regards
Tristram

On 20 May 2010 12:45, Adrian Chadd <adrian.chadd@gmail.com> wrote:
> On 20 May 2010 07:55, Tristram Cheer <tproxy@tristramcheer.com> wrote:
>
> > Is there any way to get squid and TPROXY to spoof DNS requests to show as coming from the client IP and not cache the result?
>
> With a bit of coding, sure. This has an impact on your cache contents - since each client has a "different view" of DNS, content is going to have to be cached according to the client themselves rather than just globally. Also, cached content for client A that isn't filtered by OpenDNS will be returned to client B that is filtered by OpenDNS, because cached content doesn't necessarily require constant revalidation, and cached content w/out revalidation won't require a DNS lookup to complete. That'll require further code changes.
>
> You should bounce further questions like this to the squid-users@ list, rather than this list!
>
> Adrian
On 20 May 2010 08:58, Tristram Cheer <tproxy@tristramcheer.com> wrote:

> Hi Adrian,
>
> Thanks for the info, I was thinking that squid-users might be more helpful. For what it's worth we don't cache HTML, only large files/images etc, but I hadn't thought about the "views" issue.
No worries. Glad I could help somewhat.

Adrian