DNS and proxy

From:
Anando Gopal Chetterjee
Date:
2013-08-20 @ 03:31
Dear All
        Within the institution there are some proxy servers and some DNS 
servers. I've used redsocks coupled with iptables to redirect all 
traffic through a proxy server. With this configuration I often get 
'Unresolved hostname'; moreover, dig does not give the IP either (1). Upon 
digging a few times, dig gives the IP address (2), and then it opens in the 
browser as well. Up to here everything seems fine.
        A strange thing happens when dig is not able to fetch the IP 
address: if I then use one of the proxy servers, the website opens. The 
DNS server and the proxy server are both within the institute.
        This is Ubuntu 13.04 OS. Do browsers create a DNS cache only in 
proxy mode?

Output of dig:
(1)
$ dig download.mozilla.org

; <<>> DiG 9.9.2-P1 <<>> download.mozilla.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31100
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 23

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;download.mozilla.org.        IN    A

;; AUTHORITY SECTION:
.            18994    IN    NS    a.root-servers.net.
...

;; ADDITIONAL SECTION:
a.root-servers.net.    105394    IN    A    198.41.0.4
a.root-servers.net.    105394    IN    AAAA    2001:503:ba3e::2:30
...

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Aug 20 08:20:55 2013
;; MSG SIZE  rcvd: 720

(2)
$ dig download.mozilla.org

; <<>> DiG 9.9.2-P1 <<>> download.mozilla.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48111
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;download.mozilla.org.        IN    A

;; ANSWER SECTION:
download.mozilla.org.    21    IN    CNAME download.dynect.mozilla.net.
download.dynect.mozilla.net. 461 IN    CNAME bouncer01.zlb.phx.mozilla.net.
bouncer01.zlb.phx.mozilla.net. 22 IN    A    63.245.217.39
bouncer01.zlb.phx.mozilla.net. 22 IN    A    63.245.217.36

;; AUTHORITY SECTION:
mozilla.net.        38461    IN    NS    ns4-64.akam.net.
...

;; ADDITIONAL SECTION:
ns1-240.akam.net.    81053    IN    A    193.108.91.240
ns1-240.akam.net.    81053    IN    AAAA    2600:1401:2::f0
...

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Tue Aug 20 08:21:34 2013
;; MSG SIZE  rcvd: 336
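The two dig runs above differ in one detail worth reading off the header rather than the body: both report status NOERROR, but run (1) has ANSWER: 0 with only the root NS set in the AUTHORITY section, while run (2) carries a CNAME chain ending in two A records. NOERROR with no answer and root hints is not NXDOMAIN; it means the local stub (127.0.1.1, the dnsmasq forwarder Ubuntu installs) handed back a non-answer, which is exactly the case where a browser falls back to asking the proxy. The following is an added example, not part of the original thread: a small parser for dig's text output that follows the CNAME chain and classifies a response by that rule. The sample inputs are the thread's own two outputs, abridged to the lines the parser needs; the classification labels (`NO_ANSWER_ROOT_HINTS`, `NODATA`, `ANSWERED`) are names chosen here, not dig terminology.

```python
import re

# Sample inputs: the two dig runs quoted in the thread, abridged to the lines the
# parser needs (the "..." elision lines of the archive are dropped).
DIG_NO_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31100
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 23

;; QUESTION SECTION:
;download.mozilla.org.        IN    A

;; AUTHORITY SECTION:
.            18994    IN    NS    a.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.    105394    IN    A    198.41.0.4
"""

DIG_ANSWERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48111
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 6

;; QUESTION SECTION:
;download.mozilla.org.        IN    A

;; ANSWER SECTION:
download.mozilla.org.    21    IN    CNAME download.dynect.mozilla.net.
download.dynect.mozilla.net. 461 IN    CNAME bouncer01.zlb.phx.mozilla.net.
bouncer01.zlb.phx.mozilla.net. 22 IN    A    63.245.217.39
bouncer01.zlb.phx.mozilla.net. 22 IN    A    63.245.217.36

;; AUTHORITY SECTION:
mozilla.net.        38461    IN    NS    ns4-64.akam.net.
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), "
                      r"AUTHORITY: (\d+), ADDITIONAL: (\d+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")


def parse_dig(text):
    """Parse dig's text output into status, flags, section counts and resource records."""
    result = {"status": None, "flags": [], "counts": {}, "sections": {}}
    section = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            result["status"] = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = m.group(1).split()
            result["counts"] = dict(zip(("QUERY", "ANSWER", "AUTHORITY", "ADDITIONAL"),
                                        map(int, m.groups()[1:])))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"].setdefault(section, [])
            continue
        if section is None or section == "QUESTION" or line.startswith(";"):
            continue                       # question line, comments, other ;; metadata
        m = RR_RE.match(line)
        if m:                              # blank lines and "..." do not match
            name, ttl, rtype, rdata = m.groups()
            result["sections"][section].append((name, int(ttl), rtype, rdata.strip()))
    return result


def follow_chain(parsed, qname):
    """Follow CNAMEs for qname through the ANSWER section; return the final A addresses."""
    answers = parsed["sections"].get("ANSWER", [])
    name = qname if qname.endswith(".") else qname + "."
    seen = set()
    while name not in seen:                # seen-set guards against a CNAME loop
        seen.add(name)
        targets = [r for n, _, t, r in answers if n == name and t == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return [r for n, _, t, r in answers if n == name and t == "A"]


def diagnose(parsed, qname):
    """Classify a response the way a resolver troubleshooter reads the header."""
    if parsed["status"] != "NOERROR":
        return "RCODE_" + str(parsed["status"])   # e.g. NXDOMAIN, SERVFAIL
    if follow_chain(parsed, qname):
        return "ANSWERED"
    authority = parsed["sections"].get("AUTHORITY", [])
    if any(n == "." and t == "NS" for n, _, t, _ in authority):
        # NOERROR, no answer, only the root NS set: the local forwarder returned
        # root hints instead of an answer, so the lookup never really completed.
        return "NO_ANSWER_ROOT_HINTS"
    return "NODATA"                                 # name exists, but no A record


if __name__ == "__main__":
    for label, text in (("(1)", DIG_NO_ANSWER), ("(2)", DIG_ANSWERED)):
        p = parse_dig(text)
        print(label, diagnose(p, "download.mozilla.org"), follow_chain(p, "download.mozilla.org"))
```

Run against the thread's outputs, (1) classifies as NO_ANSWER_ROOT_HINTS and (2) as ANSWERED with the two bouncer01 addresses; a capture of repeated runs classified this way is a quick way to tell an intermittently failing forwarder apart from a name that genuinely has no A record.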

Re: DNS and proxy

From:
Anando Gopal Chatterjee
Date:
2013-08-21 @ 09:43
OK, got a step forward. The proxy servers have a DNS cache. The browser 
asks the proxy server to fetch the website corresponding to the FQDN. 
The proxy finds the IP in its cache; if it is not found, then it goes to the 
DNS server. That is why a site often opens with the proxy setting in the 
browser, whereas in the no-proxy case the DNS resolution takes time.

Is it possible to mimic this using iptables and redsocks? That is, given 
an FQDN, instead of DNS resolution and then forwarding, could the hostname be 
directly forwarded to the proxy server?

Thank you,
Anando Gopal Chetterjee


On Tuesday 20 August 2013 09:01 AM, Anando Gopal Chetterjee wrote:
> Dear All
>        Within the institution there are some proxy servers and some 
> DNS servers. I've used redsocks coupled with iptables to redirect all 
> traffic through a proxy server. With this configuration I often get 
> 'Unresolved hostname'; moreover, dig does not give the IP either (1). Upon 
> digging a few times, dig gives the IP address (2), and then it opens in the 
> browser as well. Up to here everything seems fine.
>        A strange thing happens when dig is not able to fetch the 
> IP address: if I then use one of the proxy servers, the website opens. 
> The DNS server and the proxy server are both within the institute.
>        This is Ubuntu 13.04 OS. Do browsers create a DNS cache only in 
> proxy mode?
>
> Output of dig:
> (1)
> $ dig download.mozilla.org
>
> ; <<>> DiG 9.9.2-P1 <<>> download.mozilla.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31100
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 23
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;download.mozilla.org.        IN    A
>
> ;; AUTHORITY SECTION:
> .            18994    IN    NS    a.root-servers.net.
> ...
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net.    105394    IN    A    198.41.0.4
> a.root-servers.net.    105394    IN    AAAA    2001:503:ba3e::2:30
> ...
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Tue Aug 20 08:20:55 2013
> ;; MSG SIZE  rcvd: 720
>
> (2)
> $ dig download.mozilla.org
>
> ; <<>> DiG 9.9.2-P1 <<>> download.mozilla.org
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48111
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 6
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;download.mozilla.org.        IN    A
>
> ;; ANSWER SECTION:
> download.mozilla.org.    21    IN    CNAME download.dynect.mozilla.net.
> download.dynect.mozilla.net. 461 IN    CNAME bouncer01.zlb.phx.mozilla.net.
> bouncer01.zlb.phx.mozilla.net. 22 IN    A    63.245.217.39
> bouncer01.zlb.phx.mozilla.net. 22 IN    A    63.245.217.36
>
> ;; AUTHORITY SECTION:
> mozilla.net.        38461    IN    NS    ns4-64.akam.net.
> ...
>
> ;; ADDITIONAL SECTION:
> ns1-240.akam.net.    81053    IN    A    193.108.91.240
> ns1-240.akam.net.    81053    IN    AAAA    2600:1401:2::f0
> ...
>
> ;; Query time: 1 msec
> ;; SERVER: 127.0.1.1#53(127.0.1.1)
> ;; WHEN: Tue Aug 20 08:21:34 2013
> ;; MSG SIZE  rcvd: 336


-- 
regards,
Anando Gopal Chatterjee
12109870
PhD Student
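On the question of handing the hostname itself to the proxy: with an iptables REDIRECT plus redsocks, the application has already resolved the name by the time the connection is intercepted, so the kernel and redsocks see only a destination IP and port. The name survives only inside the application data, in the HTTP Host header or the TLS server_name (SNI) extension, which is what an intercepting proxy would have to read to forward by name, and why a protocol carrying neither (an SSH session, for instance) cannot be handled that way. The following is an added example, not part of this thread and not redsocks code: a parser that recovers the hostname from the first bytes a client sends after the redirect. The sample inputs are constructed, and `build_client_hello` is a minimal ClientHello builder included only to produce test input.

```python
import re
import struct

# Constructed sample client bytes, as a transparent proxy would see them right after
# the iptables REDIRECT: a plaintext HTTP request and an SSH banner (a TLS ClientHello
# is built below).
HTTP_REQUEST = (b"GET /download HTTP/1.1\r\n"
                b"Host: download.mozilla.org\r\n"
                b"User-Agent: constructed-sample\r\n\r\n")
SSH_BANNER = b"SSH-2.0-OpenSSH_6.2\r\n"


def build_client_hello(host):
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (test input only)."""
    name = host.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_data = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # extension type 0
    body = (b"\x03\x03" + b"\x00" * 32             # client_version + random (zeros, sample)
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_http_host(data):
    """Return the Host header (without port) of a plaintext HTTP request, or None."""
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")                   # "GET /path HTTP/1.1"
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
            m = re.match(r"^(\[[^\]]+\]|[^:]+)(?::\d+)?$", host)
            return m.group(1) if m else None
    return None


def extract_sni(data):
    """Return the server_name from a TLS ClientHello, or None if absent or not TLS."""
    try:
        if data[0] != 0x16:                                   # handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                     # ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
        pos += 1 + body[pos]                                  # compression methods
        if pos + 2 > len(body):
            return None                                       # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:
                lst = body[pos:pos + ext_size]                # list_len(2) type(1) len(2) name
                if len(lst) < 5 or lst[2] != 0:
                    return None
                name_len = struct.unpack("!H", lst[3:5])[0]
                return lst[5:5 + name_len].decode("ascii")
            pos += ext_size
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                           # truncated or malformed
    return None


def peek_hostname(data):
    """Hostname recoverable from the first client bytes of a redirected connection, or None."""
    return extract_sni(data) if data[:1] == b"\x16" else extract_http_host(data)


if __name__ == "__main__":
    for sample in (HTTP_REQUEST, build_client_hello("download.mozilla.org"), SSH_BANNER):
        print(sample[:12], "->", peek_hostname(sample))
```

The point of the three samples is the third one: for the HTTP and TLS connections the name is still in the stream and a name-aware intercepting proxy can act on it, while the SSH banner yields None, so that connection can only be forwarded by the IP the client already resolved, which is the same local resolution that was failing in the thread.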