Transparent Proxy DNS error


This topic contains 8 replies, has 0 voices, and was last updated by  ixalthim 2 years, 2 months ago.

    #44626

    ixalthim
    Member

    I have enabled transparent proxy, and am having some issues.

    We use an internal DNS server so that local resources will resolve to the local IP addresses. For example, tfs.mydomain.com resolves to our internal TFS server address of 10.1.10.17. However, mydomain.com will actually resolve to the public IP address.

    DHCP is configured so that it will hand out our DNS server (10.1.10.10).

    When I enable proxy, none of our internal web pages will work. We just get DNS errors.

    How can I fix this?

    #54229

    iulyb
    Member

    Internal traffic should not go through ZS, unless it is Wireless or Wireless -> Wired.
    Even so, Proxy should not count. Where are you trying to access your sites from?

    I have a DNS server on ZS authoritative for home.domain.com and a few net appliances with HTTP servers for admin/config, with an entry on DNS: appliance.home.domain.com
    I can access http://spa.home.domain.com without any problems from my wireless laptop from both my routed and bridged wireless networks.

    On the other hand, the HAVP project is kind of dead. I just added it for fun a few days ago and have no idea how to make it work with Netflix. For real-life stuff you should consider squid + some cache on SSD + squidclamav http://squidclamav.darold.net/

    #54230

    ixalthim
    Member

    Internal traffic will go through ZS if it is on a different subnet/VLAN, which it is. In my case, I have 5 interfaces, and 17 VLANs (and yes, there are reasons why I have 17 VLANs).

    I am trying to access from 10.1.2.0/24, and the servers are on 10.1.10.0/24.

    I believe if I could get ZS to use our internal DNS server that this would probably work just fine, but I don’t know where ZS gets its DNS info from (or how to change it to point to a different DNS server). I tried changing /etc/resolv.conf, but it didn’t seem to work.

    #54231

    iulyb
    Member

    OK, in my case I have one wireless network 192.168.15.xx and I can access web servers on 192.168.5.xx.

    I am using nets for capture and not IFs.
    Here is my setup on the HTTPS proxy:
    src:192.168.5.0/24 Capture
    src:192.168.5.105 Not Capture
    src:192.168.15.0/24 Capture
    src:192.168.5.104 Not Capture

    5.105 and 5.104 are my TVs and are excluded in order to work with Netflix.

    Here is my firewall.

    Chain Proxy (1 references)
    pkts bytes target prot opt in out source destination
    169 10140 ACCEPT tcp -- * * 192.168.5.104 0.0.0.0/0
    208 12480 ACCEPT tcp -- * * 192.168.5.105 0.0.0.0/0
    700 42776 REDIRECT tcp -- * * 192.168.5.0/24 0.0.0.0/0 redir ports 55559
    601 33740 REDIRECT tcp -- * * 192.168.15.0/24 0.0.0.0/0 redir ports 55559

    ZS usually gets the DNS by DHCP from the ISP if its own DNS server is down. If you run the DNS server on ZS then it will use itself as resolver (and cache???) and it will forward requests to whatever forwarder you have under the forwarder section. You may need to activate ZS’s DNS server and put your server as forwarder.
    On Linux you can also mess with the DNS supplied by DHCP by editing the ifcfg-ethxxx script and adding a DNS=xx.xx.xx.xx entry. Unfortunately I don’t see an option to specify your own DNS’s IP and GW for an interface. ZS has this info somewhere under the $register dir. I never needed this, but a few more options on IF setup would be nice. Let me know and if it is easy enough I might create a patch.

    #54232

    ixalthim
    Member

    Are you accessing your server by DNS or by IP? I managed to get ZS to use my DNS (at least temporarily), but it still didn’t work. I have no idea where to go from here.

    #54233

    iulyb
    Member

    @ixalthim wrote:

    Are you accessing your server by DNS or by IP? I managed to get ZS to use my DNS (at least temporarily), but it still didn’t work. I have no idea where to go from here.

    Works in both cases. I use ZS’s DNS.
    On DNS I set up an SOA for home.domain.com, then I added the corresponding A records.

    nas 192.168.5.55
    pap 192.168.5.56
    zs 192.168.5.5

    The other thing to manage is to set up forwarders on the DNS. You can have 8.8.8.8, 4.4.4.4 as forwarders, but I would recommend using the ones from your ISP.

    Next is to test ZS. You log in to ZS and enter nslookup, then type server, then type zeroshell.org. You should see something like this:

    >nslookup
    > zeroshell.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: zeroshell.org
    Address: 192.254.190.111

    then your local record:

    > nas.home.domain.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53
    Name: nas.home.domain.com
    Address: 192.168.5.55

    Now, you need to make sure your computer uses the ZS DNS. The easy way is to use DHCP and in DHCP have only one DNS pointing to your DNS router.

    Now, on the routes part. The easy way is to go by interface. Go into the router section on ZS and check the routing table. ZS usually does a good job here when there is only one IP range per interface, but you said 5 IFs and 17 LANs so you need to check carefully. Make sure every single subnet is tied to its interface.
    You will have to ping from all directions, e.g. from a host on 10.1.1.1 to a host in 10.1.2.1 and so on.
    You will need to add all these networks in DHCP.
    Start with 3 networks and then grow.

    #54234

    ixalthim
    Member

    It works if I set up an SOA for MyDomain.com in ZS; however, our website isn’t hosted locally, so it seems to break that… is there a way to forward that request on to the ISP DNS servers, or even our local DNS server?

    #54235

    iulyb
    Member

    Okay, I might have overcomplicated your issue.

    I didn’t pay close attention to the resolver setup on ZS. My understanding is that you only need ZS to resolve your tfs.domain entry right, more precisely the transparent proxy app on ZS.
    You can try to set up DNS as cache and forwarder only on ZS. Enable DNS, don’t bother with SOA, just under forwarders add your internal DNS server.
    Make sure your internal DNS server has the right forwarders (e.g. ISP, Google).
    On DHCP pass the internal.

    #54236

    ixalthim
    Member

    Yeah, that was the first thing I tried, but it appears that the forwarder doesn’t work, or I configured it wrong.

    I set the domain to MyDomain.com and server to 10.1.10.10, but it still didn’t work (10.1.10.10 is our internal DNS server).

    #54237

    iulyb
    Member

    OK,
    then turn off the entire DNS and as root try

    echo "nameserver xxx.xxx.xxx.xxx" > /etc/resolv.conf

    where xxx is your local DNS IP.
    If it works you will need to add it into the postboot script.
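The resolver fix from the last reply, written up as a post-boot helper together with the nslookup check from earlier in the thread. This is an added example, not code from the thread or from ZeroShell; the nameserver address (10.1.10.10 from the thread), the file path and the sample lookup output are assumptions so it can be tried against a temporary file.

```shell
# Added example (not from the thread or ZeroShell): pin the proxy host's
# resolver to the internal DNS server from a post-boot script, and parse the
# nslookup output used in the thread to confirm the internal name resolves.
# Assumptions: nameserver and target path are passed as arguments.

# Accept only a plain dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Write a resolv.conf that sends every query from the proxy host to the
# internal server. Returns 1 and leaves the file untouched on a bad address.
write_resolv_conf() {
    conf=$1; ns=$2; search=$3
    valid_ipv4 "$ns" || return 1
    {
        printf '# set by postboot script, overrides the DHCP-supplied resolver\n'
        [ -n "$search" ] && printf 'search %s\n' "$search"
        printf 'nameserver %s\n' "$ns"
    } > "$conf"
}

# Answer address for NAME in nslookup output: the Address line that follows
# "Name: NAME", skipping the resolver's own "Address: 127.0.0.1#53" line.
nslookup_address() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "Name:" && $2 == name { want = 1; next }
        want && $1 == "Address:"    { print $2; exit }'
}

# Constructed sample, modelled on the transcript in the thread.
SAMPLE_LOOKUP='Server:         127.0.0.1
Address:        127.0.0.1#53
Name:   nas.home.domain.com
Address: 192.168.5.55'

# True when the proxy host resolves NAME to the address the internal DNS gives.
check_internal_resolution() {
    [ "$(nslookup_address "$1" "$2")" = "$3" ]
}
```

Run `check_internal_resolution "$(nslookup tfs.mydomain.com)" tfs.mydomain.com 10.1.10.17` on the proxy host after the resolv.conf change to confirm it now sees the internal address rather than a public one.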
