Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread reinerotto
You overlooked this one in my post:
...
(assuming all traffic from users is routed via the squid box)

which is easy to do in a local squid serving as/in the gateway to the
internet, whether personal or for a large LAN.
My "iptables rules to redirect port 53" are not so easy to
implement/achieve in a large-scale setup like an ISP's, I have to agree.
Anyway, I think the opener of this thread now has a possible path to go
(research first) :-)




--
View this message in context: 
http://squid-web-proxy-cache.1019090.n4.nabble.com/Force-DNS-queries-over-TCP-tp4678324p4678356.html
Sent from the Squid - Users mailing list archive at Nabble.com.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread Yuri Voinov


> cisco is just one of them.

Let me explain to you why the conversation turned to Cisco. Squid (as
well as other proxies) is used most frequently as a server for a user
group. Each of them can set their own DNS settings, which may be
completely different from Squid's or the infrastructure's settings. In this
case, the infrastructure will be broadcasting DNS queries from clients to
the outside world. Without full interception of tcp/udp/53 on the
infrastructure and the implementation of a transparent DNS proxy, it is not
possible to completely eliminate the situation where proxies and clients
perform DNS queries to different DNS servers. Doing it with a cheap,
pure-software method is often very difficult. If we talk about a personal
proxy, then yes, you can do anything you want with software alone.

So, let's differentiate. We are talking either about a shared proxy in an
infrastructure with active network equipment, or about a personal proxy
on your own PC with full administrative control and completely different
goals.


Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread Yuri Voinov

:) I'm a moron too :)


01.07.2016 21:30, Antony Stone writes:
> On Friday 01 July 2016 at 17:25:49, Yuri Voinov wrote:
>
>> DNScrypt is offtopic here.
>
> ... says the man who has posted 11 of the 22 (now 23) emails in this
thread...
>
>
> Antony.
>



Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread Yuri Voinov



01.07.2016 20:27, reinerotto writes:
> Please, don't be so cryptic in your comments. The long quotations of the org

DNScrypt is off-topic here.


Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread Antony Stone
On Friday 01 July 2016 at 17:25:49, Yuri Voinov wrote:

> DNScrypt is offtopic here.

... says the man who has posted 11 of the 22 (now 23) emails in this thread...


Antony.

-- 
"Black holes are where God divided by zero."

 - Steven Wright

Please reply to the list;
please *don't* CC me.


Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread Yuri Voinov

Don't forget about legal issues.

Using anti-ISP filtration/censorship crypto solutions can be completely
outside the law in some countries.


01.07.2016 20:27, reinerotto writes:
> Please, don't be so cryptic in your comments. The long quotations of the org
> post are also a bit annoying, but anyway:
>
> As you obviously do not understand the principle, how it works _without_
> cisco, lemme explain:
> (assuming, all traffic from users is routed via squid box)
> - iptables rules (redirect port 53) make sure, all clients only use
> _local_ dnsmasq for DNS.
> - Squid also uses only _local_ dnsmasq
> - local dnsmasq uses upstream DNS _only_ via dnscrypt-proxy.
> - dnscrypt-proxy is configured to access one of the dnscrypt-enabled DNS
> servers.
> cisco is just one of them.



Re: [squid-users] Force DNS queries over TCP?

2016-07-01 Thread reinerotto
Please, don't be so cryptic in your comments. The long quotations of the original
post are also a bit annoying, but anyway:

As you obviously do not understand the principle, how it works _without_
cisco, lemme explain:
(assuming all traffic from users is routed via the squid box)
- iptables rules (redirect port 53) make sure all clients only use the
_local_ dnsmasq for DNS.
- Squid also uses only the _local_ dnsmasq.
- The local dnsmasq uses upstream DNS _only_ via dnscrypt-proxy.
- dnscrypt-proxy is configured to access one of the dnscrypt-enabled DNS
servers.
cisco is just one of them.








Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

Just fantasy required :) :) :)
And Google-fu :)

01.07.2016 2:52, Yuri Voinov writes:
>
> IDK when user is only one :) There is no Cisco required :)
>
>
> 01.07.2016 2:05, reinerotto writes:
> > There is no need for cisco stuff.
> > dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open
> > dnscrypt servers from this list:
> > https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
> >
> > In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to
> > connect dnsmasq to upstream open dnscrypt-enabled dns-server from list
> > above.
> > Make sure, squid uses this local dnsmasq as dns server.
> > Finally, use iptables to redirect all dns-requests from clients to your
> > dnsmasq.



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

IDK when user is only one :) There is no Cisco required :)


01.07.2016 2:05, reinerotto writes:
> There is no need for cisco stuff.
> dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open
> dnscrypt servers from this list:
> https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
>
> In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to
> connect dnsmasq to upstream open dnscrypt-enabled dns-server from list
> above.
> Make sure, squid uses this local dnsmasq as dns server.
> Finally, use iptables to redirect all dns-requests from clients to your
> dnsmasq.



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread reinerotto
There is no need for cisco stuff.
dnscrypt-proxy+dnsmasq, for example, to be used + one of the many open
dnscrypt servers from this list:
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

In principle, run dnsmasq on your squid box, and use dnscrypt-proxy to
connect dnsmasq to an upstream open dnscrypt-enabled DNS server from the list above.
Make sure squid uses this local dnsmasq as its DNS server.
Finally, use iptables to redirect all DNS requests from clients to your
dnsmasq.








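The "local dnsmasq + dnscrypt-proxy upstream + iptables redirect of port 53" layout reinerotto describes in this message, together with the point made earlier in the thread (Yuri Voinov's reply at the top of the page) that clients can keep their own resolver settings and so need full interception of tcp/udp/53, as one script. This is an added example, not code from the list thread or from the Squid, dnsmasq or dnscrypt-proxy projects. The LAN interface name, the dnscrypt-proxy listen port 5300, the `DNS-BYPASS:` log prefix and the sample kernel log lines are assumptions or constructed data; dnscrypt-proxy is assumed to be already running, with its upstream resolver (one of the entries in the dnscrypt-resolvers.csv linked above) chosen in its own configuration, which is not shown here.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): local dnsmasq as the only
# resolver clients and Squid can reach, dnscrypt-proxy as dnsmasq's only
# upstream, and iptables forcing every client DNS packet through dnsmasq.
# Assumptions (not stated on the list): clients sit behind LAN_IF, dnsmasq
# listens on port 53 of this box, dnscrypt-proxy is already running and
# listening on 127.0.0.1:DNSCRYPT_PORT.
set -eu

LAN_IF="${LAN_IF:-eth0}"                # assumed LAN interface name
DNSCRYPT_PORT="${DNSCRYPT_PORT:-5300}"  # assumed dnscrypt-proxy listen port
DRY_RUN="${DRY_RUN:-0}"                 # DRY_RUN=1 prints rules instead of loading them

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# dnsmasq configuration: ignore /etc/resolv.conf entirely (no-resolv) so the
# ISP's resolver can never become an upstream, and forward only to the local
# dnscrypt-proxy listener.
dnsmasq_conf() {
    cat <<EOF
no-resolv
server=127.0.0.1#${DNSCRYPT_PORT}
listen-address=127.0.0.1
interface=${LAN_IF}
bind-interfaces
cache-size=10000
EOF
}

# Netfilter rules. Step 1 (mangle/PREROUTING) logs DNS packets from the LAN
# whose destination is not an address of this box, i.e. a client that
# configured its own resolver; rate-limited so a chatty client cannot fill
# the log. Step 2 (nat/PREROUTING) redirects every LAN DNS packet, UDP and
# TCP, to the local dnsmasq regardless of the address the client used.
dns_redirect_rules() {
    for proto in udp tcp; do
        ipt -t mangle -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -m addrtype ! --dst-type LOCAL \
            -m limit --limit 10/min -j LOG --log-prefix "DNS-BYPASS: "
        ipt -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
            -j REDIRECT --to-ports 53
    done
}

# Detection side: summarise DNS-BYPASS log lines (kernel LOG target format,
# as seen in dmesg / journalctl -k) as "<count> <client> <resolver it tried>".
dns_bypass_report() {
    awk '/DNS-BYPASS:/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src != "" && dst != "") print src, dst
         }' | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not from the thread) for trying the report.
SAMPLE_LOG='Jul  1 12:00:01 gw kernel: DNS-BYPASS: IN=eth0 OUT= SRC=192.0.2.10 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53
Jul  1 12:00:02 gw kernel: DNS-BYPASS: IN=eth0 OUT= SRC=192.0.2.10 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53
Jul  1 12:00:03 gw kernel: DNS-BYPASS: IN=eth0 OUT= SRC=192.0.2.10 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=51236 DPT=53
Jul  1 12:00:04 gw kernel: DNS-BYPASS: IN=eth0 OUT= SRC=192.0.2.11 DST=1.1.1.1 LEN=60 PROTO=UDP SPT=40000 DPT=53
Jul  1 12:00:05 gw squid[123]: unrelated line, must be ignored'

# "apply" writes the dnsmasq fragment and loads the rules; "report" reads
# kernel log lines on stdin. With no argument the file only defines functions.
case "${1:-}" in
    apply)  dnsmasq_conf > /etc/dnsmasq.d/local-resolver.conf; dns_redirect_rules ;;
    report) dns_bypass_report ;;
esac
```

Run `DRY_RUN=1 sh dns-redirect.sh apply` to see the rules without loading them, and `journalctl -k | sh dns-redirect.sh report` for the bypass summary. Squid itself still needs `dns_nameservers 127.0.0.1` in squid.conf so that it, too, resolves only through the local dnsmasq; the REDIRECT rule only catches the LAN clients. The LOG rule matters for the shared-proxy case from the thread: the redirect silently fixes a client that points at an outside resolver, but the log is what tells you that such clients exist and which resolvers they were trying to reach.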


Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

I'm wrong. 11,50$
http://www.ebay.com/itm/Cisco-1800-Series-1841-Router-With-64MB-Flash-Card-w-Power-Cord-/142035497145

01.07.2016 1:35, Yuri Voinov writes:
>
> PS. Initial level Cisco router cost at eBay is less than 40$. It's a
> garbage.
>
>
> 01.07.2016 1:33, Chris Horry writes:
> >
> > On 06/30/2016 15:30, Yuri Voinov wrote:
> >>
> >> I've google-fu for you:
> >>
> >> !
> >> http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
> >>
> >> ip access-list extended transparent_dns
> >> permit udp any any eq 53
> >>
> >> route-map redirect_dns permit 10
> >> match ip address transparent_dns
> >> set ip next-hop ip.of.your.server
> >> route-map redirect_dns permit 20
> >>
> >> interface fax/x
> >> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> >> ip policy route-map redirect_dns
> >>
> >
> > I implemented something very similar to this but using SSH (since I
> > don't have a Cisco router, this is a home setup!).
> >
> > Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

PS. Initial level Cisco router cost at eBay is less than 40$. It's a
garbage.


01.07.2016 1:33, Chris Horry writes:
>
>
> On 06/30/2016 15:30, Yuri Voinov wrote:
>>
>> I've google-fu for you:
>>
>> !
>>
http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
>>
>> ip access-list extended transparent_dns
>> permit udp any any eq 53
>>
>> route-map redirect_dns permit 10
>> match ip address transparent_dns
>> set ip next-hop ip.of.your.server
>> route-map redirect_dns permit 20
>>
>> interface fax/x
>> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>> ip policy route-map redirect_dns
>>
>
> I implemented something very similar to this but using SSH (since I
> don't have a Cisco router, this is a home setup!).
>
> Chris
>



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

DNScrypt does not require any extra crypto; it is encrypted itself. Just Google-fu
it. :)


01.07.2016 1:33, Chris Horry writes:
>
>
> On 06/30/2016 15:30, Yuri Voinov wrote:
>>
>> I've google-fu for you:
>>
>> !
>>
http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
>>
>> ip access-list extended transparent_dns
>> permit udp any any eq 53
>>
>> route-map redirect_dns permit 10
>> match ip address transparent_dns
>> set ip next-hop ip.of.your.server
>> route-map redirect_dns permit 20
>>
>> interface fax/x
>> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
>> ip policy route-map redirect_dns
>>
>
> I implemented something very similar to this but using SSH (since I
> don't have a Cisco router, this is a home setup!).
>
> Chris
>



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry


On 06/30/2016 15:30, Yuri Voinov wrote:
> 
> I've google-fu for you:
> 
> !
> http://serverfault.com/questions/295819/cisco-router-redirect-any-dns-request-to-my-own-dns-server
> 
> ip access-list extended transparent_dns
> permit udp any any eq 53
> 
> route-map redirect_dns permit 10
> match ip address transparent_dns
> set ip next-hop ip.of.your.server
> route-map redirect_dns permit 20
> 
> interface fax/x
> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
> ip policy route-map redirect_dns
> 

I implemented something very similar to this but using SSH (since I
don't have a Cisco router, this is a home setup!).

Chris

-- 
Chris Horry
zer...@gmail.com
http://www.twitter.com/zerbey
PGP:638C3E7A





Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

This is no f*cking problem. Intercept DNS queries first, resolve them by
DNSCrypt, output for your users. Voilà, profit!

01.07.2016 1:26, Jorgeley Junior writes:
> I'm not sure, but, if your ISP is intercepting your DNS queries, maybe you
> could use the mangle netfilter table to change your DNS queries and so
> deceive your ISP, but I'm almost sure that the root servers will not
> recognize. It was just an idea.
>
> 2016-06-30 16:16 GMT-03:00 Yuri Voinov:
>
>> Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt. And
>> 127.0.0.1:53 as your squid's DNS resolver finally.
>>
>>
>> 01.07.2016 1:07, Chris Horry writes:
>>>
>>> On 06/30/2016 14:55, Alex Crow wrote:
>>>>
>>>> On 30/06/16 19:40, brendan kearney wrote:
>>>>>
>>>>> Nscd or name server caching daemon may be of help.  I believe you can
>>>>> run your own bind instance and point it at the roots, instead of using
>>>>> your isp's broken implementation
>>>>>
>>>>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
>>>>
>>>> If the ISP is intercepting and redirecting all connections to UDP/53,
>>>> which seems to be the case, I'm not sure this would help, unless the
>>>> roots support TCP access.
>>>>
>>>> Chris, can you confirm this seems to be your ISP's behaviour? If so,
>>>> avoiding sending *any* queries in cleartext via UDP/53 is the only way
>>>> to do it.
>>>
>>> That is indeed my ISP's behaviour, they force redirect UDP/53 to their
>>> broken implementation so the only option I have is to use TCP.
>>>
>>> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Jorgeley Junior
I'm not sure, but, if your ISP is intercepting your DNS queries, maybe you
could use the mangle netfilter table to change your DNS queries and so
deceive your ISP, but I'm almost sure that the root servers will not
recognize. It was just an idea.

2016-06-30 16:16 GMT-03:00 Yuri Voinov:

>
> Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt. And
> 127.0.0.1:53 as your squid's DNS resolver finally.
>
>
> 01.07.2016 1:07, Chris Horry writes:
> >
> >
> > On 06/30/2016 14:55, Alex Crow wrote:
> >>
> >>
> >> On 30/06/16 19:40, brendan kearney wrote:
> >>>
> >>> Nscd or name server caching daemon may be of help.  I believe you can
> >>> run your own bind instance and point it at the roots, instead of using
> >>> your isp's broken implementation
> >>>
> >>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
> >>
> >> If the ISP is intercepting and redirecting all connections to UDP/53,
> >> which seems to be the case, I'm not sure this would help, unless the
> >> roots support TCP access.
> >>
> >> Chris, can you confirm this seems to be your ISP's behaviour? If so,
> >> avoiding sending *any* queries in cleartext via UDP/53 is the only way
> >> to do it.
> >
> > That is indeed my ISP's behaviour, they force redirect UDP/53 to their
> > broken implementation so the only option I have is to use TCP.
> >
> > Chris




Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Yuri Voinov

Consider TCP/UDP/53 Cisco interception + Unbound + dnscrypt. And
127.0.0.1:53 as your squid's DNS resolver finally.


01.07.2016 1:07, Chris Horry writes:
>
>
> On 06/30/2016 14:55, Alex Crow wrote:
>>
>>
>> On 30/06/16 19:40, brendan kearney wrote:
>>>
>>> Nscd or name server caching daemon may be of help.  I believe you can
>>> run your own bind instance and point it at the roots, instead of using
>>> your isp's broken implementation
>>>
>>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
>>
>> If the ISP is intercepting and redirecting all connections to UDP/53,
>> which seems to be the case, I'm not sure this would help, unless the
>> roots support TCP access.
>>
>> Chris, can you confirm this seems to be your ISP's behaviour? If so,
>> avoiding sending *any* queries in cleartext via UDP/53 is the only way
>> to do it.
>
> That is indeed my ISP's behaviour, they force redirect UDP/53 to their
> broken implementation so the only option I have is to use TCP.
>
> Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry


On 06/30/2016 14:55, Alex Crow wrote:
> 
> 
> On 30/06/16 19:40, brendan kearney wrote:
>>
>> Nscd or name server caching daemon may be of help.  I believe you can
>> run your own bind instance and point it at the roots, instead of using
>> your isp's broken implementation
>>
>> On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:
> 
> If the ISP is intercepting and redirecting all connections to UDP/53,
> which seems to be the case, I'm not sure this would help, unless the
> roots support TCP access.
> 
> Chris, can you confirm this seems to be your ISP's behaviour? If so,
> avoiding sending *any* queries in cleartext via UDP/53 is the only way
> to do it.

That is indeed my ISP's behaviour, they force redirect UDP/53 to their
broken implementation so the only option I have is to use TCP.

Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
Packt Publishing has a book about FreeSWAN (don't use that) which is
almost all applicable to LibreSWAN (do use this, it's a newer fork).

Easiest is to set up a tunnel with PSKs, more secure is with RSA keys or
X509 certs.

Alex

On 30/06/16 19:20, Chris Horry wrote:
>
> On 06/30/2016 13:34, Alex Crow wrote:
>> I'd suggest changing ISP, as this practice is
>>
>> a) a violation of trust, forcing you to use a potentially compromised
>> resource you have no control over
>> b) a clear violation of net neutrality
>> c) a violation of standards (as it's probably one of those that instead
>> of returning NXDOMAIN as required sends you to an advertising page).
> Tell me about it.  My ISP and I are having a pitched battle about it
> now.  Unfortunately my options are limited in my current area but at
> least it's not Comcast!
>
>> I'm pretty sure you /can/ configure BIND to work like that. I should
>> imagine you could set up forwarders to TCP-based DNS servers.
>>
>> The other option is to get a DNS server set up on a VPS and tunnel your
>> requests to it via IPSEC.
> Sounds like a good idea, time to learn IPSEC!
>
> Thanks,
>
> Chris
>


--
This message is intended only for the addressee and may contain
confidential information. Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.
This email is not intended to, nor should it be taken to, constitute advice.
The information provided is correct to our knowledge & belief and must not
be used as a substitute for obtaining tax, regulatory, investment, legal or
any other appropriate advice.

"Transact" is operated by Integrated Financial Arrangements Ltd.
29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300.
(Registered office: as above; Registered in England and Wales under
number: 3727592). Authorised and regulated by the Financial Conduct
Authority (entered on the Financial Services Register; no. 190856).



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread brendan kearney
Nscd or name server caching daemon may be of help.  I believe you can run
your own bind instance and point it at the roots, instead of using your
ISP's broken implementation.
On Jun 30, 2016 2:21 PM, "Chris Horry" wrote:

>
>
> On 06/30/2016 13:34, Alex Crow wrote:
> > I'd suggest changing ISP, as this practice is
> >
> > a) a violation of trust, forcing you to use a potentially compromised
> > resource you have no control over
> > b) a clear violation of net neutrality
> > c) a violation of standards (as it's probably one of those that instead
> > of returning NXDOMAIN as required sends you to an advertising page).
>
> Tell me about it.  My ISP and I are having a pitched battle about it
> now.  Unfortunately my options are limited in my current area but at
> least it's not Comcast!
>
> > I'm pretty sure you /can/ configure BIND to work like that. I should
> > imagine you could set up forwarders to TCP-based DNS servers.
> >
> > The other option is to get a DNS server set up on a VPS and tunnel your
> > requests to it via IPSEC.
>
> Sounds like a good idea, time to learn IPSEC!
>
> Thanks,
>
> Chris
>


Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry


On 06/30/2016 13:34, Alex Crow wrote:
> I'd suggest changing ISP, as this practice is
>
> a) a violation of trust, forcing you to use a potentially compromised
> resource you have no control over
> b) a clear violation of net neutrality
> c) a violation of standards (as it's probably one of those that instead
> of returning NXDOMAIN as required sends you to an advertising page).

Tell me about it.  My ISP and I are having a pitched battle about it
now.  Unfortunately my options are limited in my current area but at
least it's not Comcast!

> I'm pretty sure you /can/ configure BIND to work like that. I should
> imagine you could set up forwarders to TCP-based DNS servers.
> 
> The other option is to get a DNS server set up on a VPS and tunnel your
> requests to it via IPSEC.

Sounds like a good idea, time to learn IPSEC!

Thanks,

Chris



Re: [squid-users] Force DNS queries over TCP?

2016-06-30 Thread Alex Crow
I'd suggest changing ISP, as this practice is

a) a violation of trust, forcing you to use a potentially compromised
resource you have no control over
b) a clear violation of net neutrality
c) a violation of standards (as it's probably one of those that instead
of returning NXDOMAIN as required sends you to an advertising page).

I'm pretty sure you /can/ configure BIND to work like that. I should
imagine you could set up forwarders to TCP-based DNS servers.

The other option is to get a DNS server set up on a VPS and tunnel your
requests to it via IPSEC.

Alex

On 30/06/16 18:21, Chris Horry wrote:
> Hello,
>
> My ISP have started forcing DNS queries to pass through their own DNS
> server, which appears to have many issues (can't resolve twitter.com for
> one).  I won't bore the list with my conversations with them over that part.
>
> They are not actively blocking TCP DNS queries so I have a workaround.
>
> Recognising that DNS over TCP is not an ideal solution
>
> 1. Can Squid be configured to use TCP by default for DNS inquiries?  If
> not consider this a feature request :)
> 2. Is there a DNS caching server that can do this instead (BIND9 doesn't
> seem to have it as an option)
>
> Any help appreciated.
>
> Thanks,
>
> Chris
>




[squid-users] Force DNS queries over TCP?

2016-06-30 Thread Chris Horry
Hello,

My ISP have started forcing DNS queries to pass through their own DNS
server, which appears to have many issues (can't resolve twitter.com for
one).  I won't bore the list with my conversations with them over that part.

They are not actively blocking TCP DNS queries so I have a workaround.

Recognising that DNS over TCP is not an ideal solution:

1. Can Squid be configured to use TCP by default for DNS inquiries?  If
not consider this a feature request :)
2. Is there a DNS caching server that can do this instead (BIND9 doesn't
seem to have it as an option)

Any help appreciated.

Thanks,

Chris
