Squid/SquidGuard NONE/409 and DNS issue
-
Well seems like I am not the only one in the neighborhood having the same issue, at least with dynamic websites, under a transparent proxy with MITM Splice All. In documentation they should mention the consequences of having this setup with dynamic https websites. The idea that pass is that it should work without any issue, if configured as mention, but its not true, at all.
-
curious as to if there was ever a fix or a solution to this. I do have a bunch of NON/409 errors for various websites with Transparent Proxy configured. The solution is either to turn off the proxy and lose reporting or enable true MITM mode but for certain vlans where I can install the certificate thereby losing the effectiveness of the reporting
-
@michmoor I end up with a non transparent proxy, using an auto config proxy deployed through pfsense DHCP option 252, and that auto proxy config hosted in one Microsoft IIS, with a bunch of my pfsense IP gateways where squid is placed/responding.
On MacOS's I had to enable auto config proxy. Since than I didnt had any more issues. Squid cannot handle HTTPS well under transparent proxys.
Thinking in using a transparent proxy on pfsense through squid still gives me nightmares when I think about it....
-
@shawn8888 have you tried to creat a NAT rule to force all users to use the firewall for DNS?
Like this ??
After it doesn't matter what the devices try to use the firewall choses the DNS just change it to what your DNS server is and forget about it.
-
@jonathanlee make a alias with DNS ports
-
@jonathanlee also set WPAD up on the firewall
-
maybe a bit late answer but i also find such problem. And little exploring gives me a good solution.
(We a talking about Transparent Proxy + Splice all SSL mode)
So, first of all, the reason of such problem is one different addresses returned by DNS server
So, first of all Proxy should use the same DNS server as clients, so best way to do it is to use our firewall as DNS server (DNS Resolver turned on), so by DHCP we are setting primary DNS address of our firewall, also will be good to redirect all DNS requests to firewall address and block DoH (here article about DNS redirection "Redirecting Client DNS Requests"
And after this step lot of people says that it does not help, but why? the answer is simple, DNS RoundRobin, we are getting random ip address fore some websites even if we are using cache you can simply check it, if nslookup (for example for google.com, or twitch.tv or some other site which is not working) gives every time different address you will get 409 error.
So how to fix this part? we need to go to DNS Resolver settings, open custom options and add rrest-roundrobin:no which disables randomization of DNS entries. (it should be disabled by default but on pfsense looks like it's enabled)
-
Thanks for the reply,
I just tested this and I got a error,
Just to confirm rrest-roundrobin:no inside of the custom area.
This is the error I got kicked back.
-
@proggggger Another fix to issues with devices that have no option to configure a proxy is to configure DHCP option 252
This hands the proxy out also when it hands out the dhcp ip addresses. Make sure you have the proxy set up on wpad for this to work.
Example:https://192.168.1.1:8080/wpad.dat
is handed out with the dhcp address again if your wpad is set up to also hand out the dns server this fixes a lot of issues.
-
@proggggger said in Squid/SquidGuard NONE/409 and DNS issue:
open custom options and add rrest-roundrobin:no which disables randomization of DNS entries.
@proggggger @jonathanlee Oh, sorry, i've misstyped a little of course command is rrset-roundrobin:no, (i've also misstyped first time and get this error, here is detailed description of all options (Unboud conf man)
@jonathanlee said in Squid/SquidGuard NONE/409 and DNS issue:
This is the error I got kicked back.
thanks for noticing this -
@proggggger Thanks for the reply, I have also read online that roundrobin is enabled by default because it is more secure, what are your thoughts about the security concerns that roundrobin addresses?
-
@jonathanlee of course roundrobin can have some security and reliability impact, and one o it's main goals is to distribute load between different servers but for not big networks i think this impact will be minimal (if you check the rr algorithm, you'll se it just randomizes order of addresses). (maybe it's need to be tested, but for now i don't have possibility to rebuild a network, so i only planing and exploring functions with virtual machines0
-
@proggggger After disabling roundrobin the amount of /409 errors did decrease significantly. I will monitor for a bit more and if its resolved then im going to submit a redmine for a documentation update. This is a long standing problem.
