Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Simon Kelley

Eric Laganowski wrote:

I guess I am not communicating this well. The desired dnsmasq
behavior would be to reply, say, with 192.168.1.1 to any request
starting with wpad., not just local domain, so if, say my domain is
domain.local, dnsmasq responds with 192.168.1.1 to both
wpad.domain.local and wpad.google.com

-Eric


That's not possible. If one wanted to implement it, the logical way 
would be to do full regexp pattern matching on the domains. That has 
been suggested in the past, but I've always resisted it on the grounds 
that it's overkill.


For wpad, the browser will always append a domain, I think. Can you not 
just enumerate all the possible domains?


Agreed that DHCP would be a better way to do this, but also agreed that 
it doesn't work on Firefox (mainly because Linux lacks an API to the DHCP 
system that Firefox can use, and the standards for DHCP say you need to 
send DHCPINFORM packets from a privileged port, which makes doing so 
from a process run by an ordinary user impossible.)


Simon.



Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread richardvo...@gmail.com
On Thu, Dec 3, 2009 at 10:06 PM, Perette Barella pere...@barella.org wrote:
 I think there's a misunderstanding on how the WPAD DNS version operates. The 
 wpad.domain.localnet is used by the browser at startup to locate the proxy 
 configuration file which applies to all domains.  You don't need a separate 
 wpad.google.com and wpad.amazon.com for every domain users are trying to 
 connect to.

 If for some reason your local hosts are configured with different domain 
 names (and therefore looking up wpad.google.com or wpad.amazon.com), I think 
 we need more explanation on just what strangeness you've got going on.

In general, I think we can say that users who have ignored the
DHCP-provided domain and configured their own intend to opt-out of
wpad.  Browser proxy settings are at the discretion of the user
anyway, if you want a mandatory proxy setup you'll need to use
iptables to accomplish that, not DNS.

There's no need to wildcard match wpad hostnames, which are subject to
user-side DNS caching anyway (a user who has configured for
domain=google.com probably already has wpad.google.com cached and
won't get information from dnsmasq).

Any solution to this which involves DNS is inherently broken.


 Perette


 You can do the same thing by
 On 3 December 2009, at 22:45, Eric Laganowski wrote:

 Well, while legal advice is always appreciated that was not what I was
 asking for.
 I was asking about a specific feature of dnsmasq and I am still at a
 loss whether it is possible to accomplish what I was looking for or not.

 On a side note, DHCP option 252 is not supported by Firefox, that is why
 I am forced to explore other options.

 Thanks,
 Eric

 richardvo...@gmail.com wrote:
 I think you're going about this the wrong way.  Use the DHCP option
 auto-proxy-config to control the URL browsers use for auto-proxy.
 Spoofing addresses in other domains doesn't solve any problems, it
 only creates more (and is borderline illegal in many areas).

 On Thu, Dec 3, 2009 at 4:48 PM, Eric Laganowski e...@laganowski.net wrote:

 I guess I am not communicating this well.
 The desired dnsmasq behavior would be to reply, say, with 192.168.1.1 to 
 any request starting with wpad., not just local domain, so if, say my 
 domain is domain.local, dnsmasq responds with 192.168.1.1 to both 
 wpad.domain.local and wpad.google.com

 -Eric

 Date: Wed, 2 Dec 2009 12:52:35 -0430
 From: Santiago Zarate santi...@zarate.net.ve
 Subject: Re: [Dnsmasq-discuss] DNS pattern response
 To: dnsmasq-discuss@lists.thekelleys.org.uk
 Message-ID: 200912021252.35536.santi...@zarate.net.ve
 Content-Type: Text/Plain;  charset=us-ascii

 i guess you can use a cname record...
 address=/wpad.mydomain.net/10.40.60.90
 cname=wpad,wpad.mydomain.net

 tho... i'm pretty sure that cname=wpad,10.40.60.90 will also work...


 -- Santiago Zarate santi...@zarate.net.ve (+58) 4129864175 (+58) 4241073905


 Date: Wed, 2 Dec 2009 11:45:57 -0500
 From: Eric Laganowski elaganow...@hotmail.com
 Subject: [Dnsmasq-discuss] DNS pattern response
 To: dnsmasq-discuss@lists.thekelleys.org.uk
 Message-ID: snt130-w394fd18999d0797477acb7a6...@phx.gbl
 Content-Type: text/plain; charset=iso-8859-1


 Hi!

 I am playing with browser proxy autodiscovery feature and would like 
 dnsmasq to reply with a certain IP address to any DNS query starting with 
 wpad., any domain might follow.
 Is it possible to accomplish this with dnsmasq?

 -Eric


 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Eric Laganowski

richardvo...@gmail.com wrote:

On Thu, Dec 3, 2009 at 10:06 PM, Perette Barella pere...@barella.org wrote:
  

I think there's a misunderstanding on how the WPAD DNS version operates. The 
wpad.domain.localnet is used by the browser at startup to locate the proxy 
configuration file which applies to all domains.  You don't need a separate 
wpad.google.com and wpad.amazon.com for every domain users are trying to connect to.

If for some reason your local hosts are configured with different domain names 
(and therefore looking up wpad.google.com or wpad.amazon.com), I think we need 
more explanation on just what strangeness you've got going on.



In general, I think we can say that users who have ignored the
DHCP-provided domain and configured their own intend to opt-out of
wpad.  Browser proxy settings are at the discretion of the user
anyway, if you want a mandatory proxy setup you'll need to use
iptables to accomplish that, not DNS.

There's no need to wildcard match wpad hostnames, which are subject to
user-side DNS caching anyway (a user who has configured for
domain=google.com probably already has wpad.google.com cached and
won't get information from dnsmasq).

Any solution to this which involves DNS is inherently broken.

Guys, all I want to do is to be able to use my company-provided laptop 
at home which has proxy in the network. It is configured with a 
different domain than my local subnet for obvious reasons.
DHCP was tested and confirmed to work properly with MSIE. FF does not 
work as it relies purely on DNS (wpad). The idea is to make this as 
transparent as possible.


-Eric



Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Santiago Zarate
add an IPTABLES rule and that's it..

if i'm not mistaken:

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

Taken from here:
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

2009/12/4 Eric Laganowski e...@laganowski.net:
 richardvo...@gmail.com wrote:
 On Thu, Dec 3, 2009 at 10:06 PM, Perette Barella pere...@barella.org wrote:

 I think there's a misunderstanding on how the WPAD DNS version operates. 
 The wpad.domain.localnet is used by the browser at startup to locate the 
 proxy configuration file which applies to all domains.  You don't need a 
 separate wpad.google.com and wpad.amazon.com for every domain users are 
 trying to connect to.

 If for some reason your local hosts are configured with different domain 
 names (and therefore looking up wpad.google.com or wpad.amazon.com), I 
 think we need more explanation on just what strangeness you've got going on.


 In general, I think we can say that users who have ignored the
 DHCP-provided domain and configured their own intend to opt-out of
 wpad.  Browser proxy settings are at the discretion of the user
 anyway, if you want a mandatory proxy setup you'll need to use
 iptables to accomplish that, not DNS.

 There's no need to wildcard match wpad hostnames, which are subject to
 user-side DNS caching anyway (a user who has configured for
 domain=google.com probably already has wpad.google.com cached and
 won't get information from dnsmasq).

 Any solution to this which involves DNS is inherently broken.

 Guys, all I want to do is to be able to use my company-provided laptop
 at home which has proxy in the network. It is configured with a
 different domain than my local subnet for obvious reasons.
 DHCP was tested and confirmed to work properly with MSIE. FF does not
 work as it relies purely on DNS (wpad). The idea is to make this as
 transparent as possible.

 -Eric





Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Brad Morgan
 Guys, all I want to do is to be able to use my company-provided laptop 
 at home which has proxy in the network. It is configured with a 
 different domain than my local subnet for obvious reasons.
 DHCP was tested and confirmed to work properly with MSIE. FF does not 
 work as it relies purely on DNS (wpad). The idea is to make this as 
 transparent as possible.

I think you need two things. First, a DNS entry on your home network that
resolves wpad.company.network to a local address. Second, at that address,
you need to provide a web server that serves up a proxy configuration file
that basically says bypass the proxy for everything. Here's an example
proxy.pac file:

function FindProxyForURL(url, host)
{
    /*
    ** Proxy configuration file
    **
    ** Comment out the alert statements by adding // at the
    ** beginning of the line.
    */
    //alert("url= " + url);
    //alert("host= " + host);
    if (isPlainHostName(host)) {
        //alert("host= " + host + " return= DIRECT (isPlainHostName)");
        return "DIRECT";
    }
    if (isInNet(host, "192.168.0.0", "255.255.255.0")) { // For testing at home.
        //alert("host= " + host + " return= DIRECT (isInNet)");
        return "DIRECT";
    }
    //alert("host= " + host + " return= PROXY");
    return "PROXY 192.168.0.100:3180"; // Proxy for testing at home
}
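The PAC logic above, as an added example that is not part of Brad Morgan's post or of dnsmasq: a small offline evaluator in JavaScript that reimplements the two PAC helpers the file relies on (browsers provide isPlainHostName() and isInNet() natively) and runs the decision function against a few constructed hostnames. The FAKE_DNS table is a constructed stand-in for the resolver that a real isInNet() consults; the network, mask and proxy address are the ones from the posted file.

```javascript
// Added example, not code from the mailing-list post: evaluate the posted
// proxy.pac decisions outside a browser by reimplementing the PAC helpers.

// Constructed stand-in for DNS. A browser's isInNet() resolves the host
// before comparing it with the network; here the lookup is a fixed table.
const FAKE_DNS = {
  "fileserver.home": "192.168.0.20",
  "www.example.com": "203.0.113.10",
};

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4 ||
      !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    return null;
  }
  const n = parts.map(Number);
  return ((n[0] << 24) | (n[1] << 16) | (n[2] << 8) | n[3]) >>> 0;
}

// PAC helper: true when the hostname has no dots (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// PAC helper: a literal IPv4 address resolves to itself; anything else
// goes through the constructed table (a browser would ask the resolver).
function dnsResolve(host) {
  if (ipToInt(host) !== null) return host;
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

// PAC helper: resolve the host, then compare it with pattern under mask.
function isInNet(host, pattern, mask) {
  const addr = dnsResolve(host);
  if (addr === null) return false;
  const a = ipToInt(addr), p = ipToInt(pattern), m = ipToInt(mask);
  if (a === null || p === null || m === null) return false;
  return (a & m) === (p & m);
}

// The decision logic of the posted proxy.pac (alert() lines omitted).
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  if (isInNet(host, "192.168.0.0", "255.255.255.0")) {
    return "DIRECT";
  }
  return "PROXY 192.168.0.100:3180";
}

// Evaluate a list of hosts and return {host: decision} for inspection.
function evaluateAll(hosts) {
  const out = {};
  for (const h of hosts) {
    out[h] = FindProxyForURL("http://" + h + "/", h);
  }
  return out;
}

// Stand-alone demo with constructed hostnames.
const SAMPLE_HOSTS = ["intranet", "192.168.0.5", "fileserver.home",
                      "10.0.0.1", "www.example.com", "unknown.invalid"];
for (const [host, decision] of Object.entries(evaluateAll(SAMPLE_HOSTS))) {
  console.log(host.padEnd(18), "->", decision);
}
```

Run it with node; each line prints the decision for one host. The same evaluation is also why the wpad name matters from a security point of view: whatever script is served at that name is executed by every browser that trusts it, so the web server behind the local wpad address should serve only this file and be reachable only from the local network.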

 




Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Eric Laganowski

Santiago Zarate wrote:

add an IPTABLES rule and that's it..

if i'm not mistaken:

# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is the same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT

Taken from here:
http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

I do really appreciate your help guys. I was trying to be as 
dnsmasq-centric as possible, so some stuff was left out.
Another thing that I am trying to accomplish is to make IWA work and 
SQUID fake_ntlm_auth authenticator working for accounting purposes.

Transparent proxying won't help in this scenario unfortunately.
-Eric



Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread richardvo...@gmail.com
On Fri, Dec 4, 2009 at 10:27 AM, Eric Laganowski e...@laganowski.net wrote:
 richardvo...@gmail.com wrote:

 On Thu, Dec 3, 2009 at 10:06 PM, Perette Barella pere...@barella.org
 wrote:


 I think there's a misunderstanding on how the WPAD DNS version operates.
 The wpad.domain.localnet is used by the browser at startup to locate the
 proxy configuration file which applies to all domains.  You don't need a
 separate wpad.google.com and wpad.amazon.com for every domain users are
 trying to connect to.

 If for some reason your local hosts are configured with different domain
 names (and therefore looking up wpad.google.com or wpad.amazon.com), I think
 we need more explanation on just what strangeness you've got going on.


 In general, I think we can say that users who have ignored the
 DHCP-provided domain and configured their own intend to opt-out of
 wpad.  Browser proxy settings are at the discretion of the user
 anyway, if you want a mandatory proxy setup you'll need to use
 iptables to accomplish that, not DNS.

 There's no need to wildcard match wpad hostnames, which are subject to
 user-side DNS caching anyway (a user who has configured for
 domain=google.com probably already has wpad.google.com cached and
 won't get information from dnsmasq).

 Any solution to this which involves DNS is inherently broken.

 Guys, all I want to do is to be able to use my company-provided laptop at
 home which has proxy in the network. It is configured with a different
 domain than my local subnet for obvious reasons.
 DHCP was tested and confirmed to work properly with MSIE. FF does not work
 as it relies purely on DNS (wpad). The idea is to make this as transparent
 as possible.

And when your laptop has the IP address of wpad.mycompany.com already
in the local cache?  dnsmasq cannot solve this, you need to use
iptables to force traffic through a proxy.  Santiago showed you how to
configure that.


 -Eric




Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Eric Laganowski

Jan 'RedBully' Seiffert wrote:

I have this laying around for some time, here for dnsmasq 2.50.

This way one can write:
address=/:^wpad\..*:/192.168.0.1
or something like that...

Note: This patch is not that well tested...
  

Had to modify a little. Preliminary tests show expected behavior.

Thanks so much,
Eric


Simon.




Greetings
Jan
  





Re: [Dnsmasq-discuss] DNS pattern response

2009-12-04 Thread Vincent Cadet
 Guys, all I want to do is to be able to use my company-provided laptop
 at home which has proxy in the network. It is configured with a
 different domain than my local subnet for obvious reasons.
 DHCP was tested and confirmed to work properly with MSIE. FF does not
 work as it relies purely on DNS (wpad). The idea is to make this as
 transparent as possible.

What about using profiles with Firefox? Different profiles, different 
network/proxy settings. KISS.

If you have a GNU/Linux machine you could even hard link some of your important 
files (like password file, extensions, bookmarks, form data) across profiles to 
avoid copying them.

Vince C.






Re: [Dnsmasq-discuss] DNS pattern response

2009-12-02 Thread Santiago Zarate
i guess you can use a cname record...
address=/wpad.mydomain.net/10.40.60.90
cname=wpad,wpad.mydomain.net

tho... i'm pretty sure that cname=wpad,10.40.60.90 will also work... 

-- 
Santiago Zarate
santi...@zarate.net.ve
(+58) 4129864175
(+58) 4241073905