[squid-users] Force DNS queries over TCP?

Yuri Voinov yvoinov at gmail.com
Thu Jun 30 19:30:27 UTC 2016


I've google-fu for you:

!
http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server

ip access-list extended transparent_dns
permit udp any any eq 53

route-map redirect_dns permit 10
match ip address transparent_dns
set ip next-hop ip.of.your.server
route-map redirect_dns permit 20

interface fax/x
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip policy route-map redirect_dns


01.07.2016 1:29, Yuri Voinov wrote:
>
> Just no forward queries to roots, what's the problem with Unbound?
>
> 01.07.2016 1:26, Jorgeley Junior wrote:
> > I'm not sure, but, if your ISP is intercepting your DNS queries,
> > maybe you could use the mangle netfilter table to change your DNS
> > queries and so deceive your ISP, but I'm almost sure that the root
> > servers will not recognize. It was just an idea.
> >
> > 2016-06-30 16:16 GMT-03:00 Yuri Voinov <yvoinov at gmail.com>:
> >
> > Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt.
> > And 127.0.0.1:53 as your squid's DNS resolver finally.
> >
> > 01.07.2016 1:07, Chris Horry wrote:
> >
> > > On 06/30/2016 14:55, Alex Crow wrote:
> > >>
> > >> On 30/06/16 19:40, brendan kearney wrote:
> > >>>
> > >>> Nscd or name server caching daemon may be of help.  I believe
> > >>> you can run your own bind instance and point it at the roots,
> > >>> instead of using your isp's broken implementation
> > >>>
> > >>> On Jun 30, 2016 2:21 PM, "Chris Horry" <zerbey at gmail.com> wrote:
> > >>
> > >> If the ISP is intercepting and redirecting all connections to
> > >> UDP/53, which seems to be the case, I'm not sure this would help,
> > >> unless the roots support TCP access.
> > >>
> > >> Chris, can you confirm this seems to be your ISP's behaviour? If
> > >> so, avoiding sending *any* queries in cleartext via UDP/53 is the
> > >> only way to do it.
> > >
> > > That is indeed my ISP's behaviour, they force redirect UDP/53 to
> > > their broken implementation so the only option I have is to use
> > > TCP.
> > >
> > > Chris
> > >
> > > _______________________________________________
> > > squid-users mailing list
> > > squid-users at lists.squid-cache.org
> > > http://lists.squid-cache.org/listinfo/squid-users
