www.zeroshell.org Forum Index
Linux Distribution for server and embedded devices
Transparent Proxy DNS error

 
ixalthim (Joined: 20 May 2013, Posts: 17)
Posted: Thu Aug 25, 2016 7:24 pm    Post subject: Transparent Proxy DNS error

I have enabled transparent proxy, and am having some issues.

We use an internal DNS server so that local resources will resolve to the local IP addresses. For example, tfs.mydomain.com resolves to our internal TFS server address of 10.1.10.17. However, mydomain.com will actually resolve to the public IP address.

DHCP is configured so that it will hand out our DNS server (10.1.10.10).

When I enable proxy, none of our internal web pages will work. We just get DNS errors.

How can I fix this?
iulyb (Joined: 02 Jun 2016, Posts: 81)
Posted: Fri Aug 26, 2016 2:27 pm

Internal traffic should not go through ZS, unless it is Wireless or Wireless -> Wired.
Even so, Proxy should not count. Where are you trying to access your sites from?

I have a DNS server on ZS authoritative for home.domain.com and a few net appliances with HTTP servers for admin/config, with an entry in DNS: appliance.home.domain.com
I can access http://spa.home.domain.com without any problems from my wireless laptop, from both my routed and bridged wireless networks.

On the other hand, the HAVP project is kind of dead. I just added it for fun a few days ago and have no idea how to make it work with Netflix. For real-life stuff you should consider squid + some cache on SSD + squidclamav http://squidclamav.darold.net/
ixalthim (Joined: 20 May 2013, Posts: 17)
Posted: Fri Aug 26, 2016 3:16 pm

Internal traffic will go through ZS if it is on a different subnet/VLAN, which it is. In my case, I have 5 interfaces, and 17 VLANs (and yes, there are reasons why I have 17 VLANs).

I am trying to access from 10.1.2.0/24, and the servers are on 10.1.10.0/24.

I believe if I could get ZS to use our internal DNS server that this would probably work just fine, but I don't know where ZS gets its DNS info from (or how to change it to point to a different DNS server). I tried changing /etc/resolv.conf, but it didn't seem to work.
iulyb (Joined: 02 Jun 2016, Posts: 81)
Posted: Sat Aug 27, 2016 1:36 am

OK, in my case I have one wireless network, 192.168.15.xx, and I can access web servers on 192.168.5.xx.

I am using nets for capture and not IFs.
Here is my setup on the HTTP proxy:
src:192.168.5.0/24 Capture
src:192.168.5.105 Not Capture
src:192.168.15.0/24 Capture
src:192.168.5.104 Not Capture

5.105 and 5.104 are my TVs and are excluded in order to work with Netflix.

Here is my firewall.
Code:
Chain Proxy (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  169 10140 ACCEPT     tcp  --  *      *       192.168.5.104        0.0.0.0/0           
  208 12480 ACCEPT     tcp  --  *      *       192.168.5.105        0.0.0.0/0           
  700 42776 REDIRECT   tcp  --  *      *       192.168.5.0/24       0.0.0.0/0            redir ports 55559
  601 33740 REDIRECT   tcp  --  *      *       192.168.15.0/24      0.0.0.0/0            redir ports 55559


ZS usually gets its DNS by DHCP from the ISP if its own DNS server is down. If you run the DNS server on ZS then it will use itself as resolver (and cache???) and it will forward requests to whatever forwarder you have under the forwarder section. You may need to activate ZS's DNS server and put your server as forwarder.
On Linux you can also mess with the DNS supplied by DHCP by editing the ifcfg-ethxxx script and adding a DNS=xx.xx.xx.xx entry. Unfortunately I don't see an option to specify your own DNS IP and GW for an interface. ZS has this info somewhere under the $register dir. I never needed this, but a few more options on IF setup would be nice. Let me know and if it is easy enough I might create a patch.
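The chain listing above only works because the two single-host ACCEPT rules sit above the subnet-wide REDIRECT rules: netfilter walks a chain top to bottom and stops at the first terminating match. The following is an added example, not code from the post or from ZeroShell, that models that first-match walk in Python so the ordering can be checked without touching a live firewall. The four entries and the port 55559 are the ones iulyb listed; that ZeroShell always emits exclusions first (as this listing shows) is an assumption, and `naive_chain` shows what happens if it did not.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROXY_PORT = 55559  # the "redir ports" value in the listing above

# The four GUI entries iulyb listed, in the order they were typed (constructed input).
GUI_ENTRIES = [
    ("192.168.5.0/24", "Capture"),
    ("192.168.5.105", "Not Capture"),
    ("192.168.15.0/24", "Capture"),
    ("192.168.5.104", "Not Capture"),
]


@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" = bypass the proxy, "REDIRECT" = send to proxy
    source: ipaddress.IPv4Network     # source match; a bare host becomes a /32
    redir_port: Optional[int] = None  # only meaningful for REDIRECT


def _net(src: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(src, strict=False)


def build_chain(entries: List[Tuple[str, str]], redir_port: int = PROXY_PORT) -> List[Rule]:
    """Emit every 'Not Capture' ACCEPT before any 'Capture' REDIRECT, whatever
    order the entries were typed in. This reproduces the order in the iptables
    listing above; that ZeroShell always sorts this way is an assumption."""
    excl = [Rule("ACCEPT", _net(s)) for s, a in entries if a == "Not Capture"]
    capt = [Rule("REDIRECT", _net(s), redir_port) for s, a in entries if a == "Capture"]
    return excl + capt


def naive_chain(entries: List[Tuple[str, str]], redir_port: int = PROXY_PORT) -> List[Rule]:
    """Same entries in typed order: the /24 REDIRECT now shadows the host exclusions."""
    return [Rule("ACCEPT", _net(s)) if a == "Not Capture" else Rule("REDIRECT", _net(s), redir_port)
            for s, a in entries]


def evaluate(chain: List[Rule], src: str) -> str:
    """First-match walk for a TCP packet from `src`. Returns 'ACCEPT',
    'REDIRECT:<port>' or 'NOMATCH' (falls out of the chain, routed normally)."""
    ip = ipaddress.ip_address(src)
    for r in chain:
        if ip in r.source:
            return "ACCEPT" if r.target == "ACCEPT" else f"REDIRECT:{r.redir_port}"
    return "NOMATCH"


def render(chain: List[Rule]) -> List[str]:
    """iptables -L -n style lines, for eyeballing the order."""
    out = []
    for r in chain:
        extra = f"  redir ports {r.redir_port}" if r.target == "REDIRECT" else ""
        out.append(f"{r.target:<9} tcp  {str(r.source):<18} 0.0.0.0/0{extra}")
    return out


if __name__ == "__main__":
    for variant, chain in (("as listed", build_chain(GUI_ENTRIES)),
                           ("typed order", naive_chain(GUI_ENTRIES))):
        print(f"--- Proxy chain ({variant}) ---")
        print("\n".join(render(chain)))
        for src in ("192.168.5.104", "192.168.5.50", "192.168.15.7", "10.1.2.20"):
            print(f"{src:<15} -> {evaluate(chain, src)}")
```

Two things worth keeping in mind when reading the output: a host that falls out of the chain with NOMATCH (for example 10.1.2.20 here, because no rule covers 10.1.2.0/24) is routed normally, so an unlisted VLAN silently bypasses the proxy; and an excluded host bypasses not just the redirect but whatever filtering or AV the proxy does, so exclusions should be kept to the few hosts that genuinely need them.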
ixalthim (Joined: 20 May 2013, Posts: 17)
Posted: Wed Sep 07, 2016 2:04 pm

Are you accessing your server by DNS or by IP? I managed to get ZS to use my DNS (at least temporarily), but it still didn't work. I have no idea where to go from here.
iulyb (Joined: 02 Jun 2016, Posts: 81)
Posted: Wed Sep 07, 2016 5:25 pm

ixalthim wrote:
Are you accessing your server by DNS or by IP? I managed to get ZS to use my DNS (at least temporarily), but it still didn't work. I have no idea where to go from here.


Works in both cases. I use ZS's DNS.
In DNS I set up an SOA for home.domain.com, then I added the corresponding A records.

nas 192.168.5.55
pap 192.168.5.56
zs 192.168.5.5

The other thing to manage is to set up forwarders on the DNS. You can have 8.8.8.8, 4.4.4.4 as forwarders, but I would recommend using the ones from your ISP.

Next is to test ZS. You log in to ZS and enter nslookup, then type server, then type zeroshell.org. You should see something like this:

Code:
>nslookup
> zeroshell.org
Server:      127.0.0.1
Address:   127.0.0.1#53

Non-authoritative answer:
Name:   zeroshell.org
Address: 192.254.190.111


then your local record:
Code:
> nas.home.domain.com
Server:      127.0.0.1
Address:   127.0.0.1#53
Name:   nas.home.domain.com
Address: 192.168.5.55


Now you need to make sure your computer uses ZS's DNS. The easy way is to use DHCP, and in DHCP to have only one DNS entry, pointing to your DNS router.

Now, on the routes part. The easy way is to go by interface. Go into the router section on ZS and check the routing table. ZS usually does a good job here when there is only one IP range per interface, but you said 5 IFs and 17 VLANs, so you need to check carefully. Make sure every single subnet is tied to its interface.
You will have to ping from all directions, e.g. from a host on 10.1.1.1 to a host on 10.1.2.1 and so on.
You will need to add all these networks in DHCP.
Start with 3 networks and then grow.
ixalthim (Joined: 20 May 2013, Posts: 17)
Posted: Thu Sep 08, 2016 2:23 pm

It works if I set up an SOA for MyDomain.com in ZS; however, our website isn't hosted locally, so it seems to break that... Is there a way to forward that request on to the ISP DNS servers, or even our local DNS server?
iulyb (Joined: 02 Jun 2016, Posts: 81)
Posted: Thu Sep 08, 2016 4:06 pm

Okay, I might have overcomplicated your issue.

I didn't pay close attention to the resolver setup on ZS. My understanding is that you only need ZS, more precisely the transparent proxy app on ZS, to resolve your tfs.domain entry correctly.
You can try to set up DNS as cache and forwarder only on ZS. Enable DNS, don't bother with an SOA, just add your internal DNS server under forwarders.
Make sure your internal DNS server has the right forwarders (e.g. ISP, Google).
In DHCP pass the internal one.
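The thread's underlying problem is a split-horizon one: with the transparent proxy on, the client's request is re-resolved on ZS by ZS's own resolver, so tfs.mydomain.com has to give the same answer from the proxy's point of view as from the client's, and mydomain.com itself still has to come back with the public address (which the SOA attempt broke). The nslookup test in the earlier reply checks one resolver at a time; the script below, an added example that is not from the thread or from ZeroShell, asks each resolver directly over UDP/53 with nothing but the standard library and reports whether they agree. The `make_a_response` helper and the addresses in the tests are constructed so the parser can be exercised offline; 10.1.10.10, 10.1.10.17 and the names are the ones from the thread.

```python
import random
import socket
import struct
import sys
from typing import Dict, List, Optional, Tuple


def build_query(name: str, qid: int) -> bytes:
    """A/IN query with RD set (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels: List[str] = []
    end, jumped = off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_a_records(msg: bytes, qid: int) -> List[str]:
    """A-record addresses in a response; ValueError on a wrong id, a non-response
    or a non-zero RCODE (3 = NXDOMAIN, 2 = SERVFAIL)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                               # CNAME and other types are skipped
    return addrs


def make_a_response(qid: int, name: str, addrs: List[str], rcode: int = 0) -> bytes:
    """Constructed response for offline testing: echoes the question and answers
    with one A record per address, each pointing back to the question name."""
    body = build_query(name, qid)[12:]
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(a)
    return struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0) + body


def resolve_via(name: str, server: str, timeout: float = 2.0) -> Optional[List[str]]:
    """Ask one resolver over UDP/53; None on timeout, NXDOMAIN or a bad reply."""
    qid = random.randrange(65536)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(4096)
        return parse_a_records(data, qid)
    except (OSError, ValueError):
        return None


def classify(answers: Dict[str, Optional[List[str]]]) -> str:
    """Verdict over {resolver: addresses-or-None}: FAIL, SPLIT or OK."""
    failed = [r for r, a in answers.items() if a is None]
    if failed:
        return "FAIL: no usable answer from " + ", ".join(failed)
    views = {r: frozenset(a) for r, a in answers.items()}
    if len(set(views.values())) == 1:
        return "OK: all resolvers agree"
    return "SPLIT: " + "; ".join(f"{r} -> {sorted(a)}" for r, a in views.items())


def check_name(name: str, resolvers: List[str]) -> str:
    return classify({r: resolve_via(name, r) for r in resolvers})


if __name__ == "__main__":
    # From a client host that can reach both resolvers (example invocation):
    #   python3 dnscheck.py tfs.mydomain.com <ZS address> 10.1.10.10
    print(check_name(sys.argv[1], sys.argv[2:]))
```

Run it twice, once for tfs.mydomain.com and once for mydomain.com, giving it the resolver ZS's proxy actually uses (whatever /etc/resolv.conf on ZS points at) and the internal server 10.1.10.10. A FAIL for the first name from the ZS side reproduces the DNS error the proxy shows to clients; a SPLIT for the second name is the symptom of an authoritative SOA on ZS hiding the public record. The script checks only the transaction id of the reply, which is enough for a diagnostic run on a trusted LAN but not a substitute for a real resolver's source-port and question matching.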
ixalthim (Joined: 20 May 2013, Posts: 17)
Posted: Thu Sep 08, 2016 5:15 pm

Yeah, that was the first thing I tried, but it appears that the forwarder doesn't work, or I configured it wrong.

I set the domain to MyDomain.com and server to 10.1.10.10, but it still didn't work (10.1.10.10 is our internal DNS server).
iulyb (Joined: 02 Jun 2016, Posts: 81)
Posted: Thu Sep 08, 2016 8:37 pm

OK, then turn off the entire DNS and, as root, try

Code:
echo "nameserver xxx.xxx.xxx.xxx" > /etc/resolv.conf


where xxx.xxx.xxx.xxx is your local DNS IP.
If it works you will need to add it to the post-boot script.
All times are GMT