Selective proxy by DNS using Squid and BIND

bindPROXY

I am wondering on the feasibility of this setup.

I want to selectively proxy some DNS entries. For example, I want most DNS queries to resolve normally, but I want example.com to go through my proxy server. Furthermore, my proxy server is not in my office (it's in my data center).

The solution I have imagined comes in two parts:

First, use BIND as a caching DNS server, and overwrite or force example.com to point to my proxy server. I assume this can be done? I am not very experienced with BIND configuration.

Second, use Squid to proxy all requests received that target example.com to the REAL example.com IP. I want to proxy http requests and other protocols that hit the right ports. So for example, I would also want to proxy ssh if it is done through port 80 for example. Can Squid work as this sort of proxy, or can it only work as an http proxy?

So for example the end result would look something like this. For the initial DNS query:

+----+ >--dns query example.com---> +-----------+
| PC |                              | my-server |
+----+ <----return my-server IP---< +-----------+

Then the the PC is "fooled" into thinking that example.com points to my server, instead of the real example.com. So this happens:

+----+ >--http://example.com--> +-----------+ >----> +------------------+ 
| PC |                          | my-server |        | REAL example.com |
+----+ <----return content----< +-----------+ <----< +------------------+

Is this setup feasible? What configuration directives should I investigate to do the hard part?

Best Answer

Your first, DNS approach seems to be the best of two. To configure this, you should configure your bind as an authoritative server for zone example.com. A piece of BIND config should look nearly so:

zone "example.com" in{
    type master;
    file "pri.example.com";
};

pri.example.com in this example should contain address records for all subdomains of example.com, you want to redirect. Of course, IP address in these records should point to your proxy server.

I'm not absolutely shure, but you may need to configure your squid in "transparent" mode. There are many examples over Internet.

Squid is HTTP, HTTPS, FTP proxy server. But HTTPS is handled with CONNECT http method used. This is why you may use programs like Corkscrew or Proxytunnel These programs utilize CONNECT method for tunneling. There is a problem with CONNECT timeouts - it is described on ProxyTunnel page. The other approach to handling different protocols is redirecting data with iptables. In this case, handling is done on the 3-rd and 4-th OSI levels (address and transport protocols) and level 7 (application layer) isn't touched.

Hope, my answer will direct you to the right decision.

Related Solutions

Overriding some DNS entries in BIND for internal networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

Configure squid to act as transparent proxy

You need to configure squid.conf to enable the transparent proxy mode. Then, you need to configure your firewall to redirect all web traffic through the proxy. You can look up the information elsewhere.

Best Answer

Related Solutions

Overriding some DNS entries in BIND for internal networks

Configure squid to act as transparent proxy

Related Topic