Dnsmasq and squid



  • Hello,

    I've configured squid as a non-transparent proxy with no mitm filtering and am serving wpad on a web server to clients on my network.  I've noticed that once the proxy is active dnsmasq is no longer working.  I have the following in the advanced options in DNS Forwarder:

    address=/bing.com/216.239.38.120

    address=/yahoo.com/216.239.38.120

    address=/ask.com/216.239.38.120

    address=/google.com/216.239.38.120

    What I am seeing is if I am not running the proxy, these above settings work with no problem. However, once the proxy is enabled they do not function and act as if they weren't even configured.

    Is there another area to set these inside of squid or am I doing something incorrect? The only options I've set in squid are the interfaces squid will bind to and enabling logging.

    TIA



  • One important aspect to be taken into account when using a proxy is that it also impacts the use of DNS.

    When using either a transparent proxy or no proxy, resolving the URL (thus the FQDN) belongs to the machine sending the HTTP request, I suppose your pfSense server here, while when using an explicit proxy, the browser sends the HTTP request to the proxy and URL resolution is done at the proxy level.

    If your proxy doesn't rely on pfSense as its primary DNS server, then your settings are not taken into account.

    Does it clarify the matter? (or am I wrong???)



  • @chris4916:

    If your proxy doesn't rely on pfSense as its primary DNS server, then your settings are not taken into account.

    Where do I set this at? The primary DNS Servers I have set under General are:

    127.0.0.1
    208.67.220.220
    208.67.222.222



  • It looks OK.
    What if you try to resolve such names from pfSense itself ?



  • Not sure what you mean. I have host overrides I can hit from network clients, and when I ping Google, Yahoo, Ask or Bing I get a reply from 216.239.38.120. My browsers just aren't being redirected there. Again, once I disable the proxy it works fine.



  • The point, perhaps not clear in my previous statement, is that if you resolve or ping from your workstation, you are using pfSense (thus dnsmasq) as your DNS.
    If your browser is not configured to rely on the proxy, or if you are using a transparent proxy, then your workstation will still use pfSense as a DNS to resolve names.

    When using an explicit proxy, your workstation doesn't resolve anything as this is done at the proxy level.
    As you have configured pfSense to use 127.0.0.1 as primary DNS, your settings should be OK.

    Therefore my question: what if you try to resolve such names from pfSense?
    You can test this using the "DNS lookup" tool in the Diagnostics (GUI) tab or try nslookup directly from the pfSense terminal.

    The goal is to understand if pfSense is able to use the settings you defined. If it doesn't, then Squid will not either, IMHO.



  • I did a DNS lookup and ping test from pfSense. It in fact does not resolve via 127.0.0.1. I have set the DNS Forwarder to sequentially use the listed DNS servers in the General Setup area. 127.0.0.1 is first, followed by OpenDNS.

    If I look under System: General Setup, DNS servers show 127.0.0.1. I removed the OpenDNS ones for the time being. Below that, "Allow DNS to be overridden" is unchecked and "Do not use the DNS Forwarder or Resolver as a DNS server for the firewall" is also unchecked. In the resolver log I see the following: Oct 5 18:14:42 dnsmasq[88850]: using nameserver 127.0.0.1#53. If I do a DNS lookup on google.com from pfSense I get the following: 127.0.0.1 No response.



  • Anyone have any ideas? I am at a loss here. Surely someone has a similar setup.


  • Banned

    The idea is that you removed any usable DNS and firewall cannot resolve anything. WTF. You cannot forward DNS forwarder to itself. WTF. Use the resolver or stop breaking this.



  • Well, if you could pay attention and read the post you would understand. I only removed the OpenDNS ones for troubleshooting purposes. There has to be some reason why 127.0.0.1 has no response. I'm not an idiot.


  • Banned

    WTF??? 127.0.0.1 == the firewall itself. Yeah, it won't resolve anything when you loop forwards to itself. That's a pretty big reason, plus completely stupid way to "troubleshoot" things. Plus, that 127.0.0.1 shouldn't be listed in the System - General fields at all.



  • @doktornotor:

    WTF??? 127.0.0.1 == the firewall itself. Yeah, it won't resolve anything when you loop forwards to itself. That's a pretty big reason, plus completely stupid way to "troubleshoot" things. Plus, that 127.0.0.1 shouldn't be listed in the System - General fields at all.

    Really???

    There is something to be clarified then because if, e.g. you run DNS Resolver, you will notice that "network interfaces" in "general section" states:

    Interface IPs used by the DNS Resolver for responding to queries from clients. If an interface has both IPv4 and IPv6 IPs, both are used. Queries to other interface IPs not selected below are discarded. The default behavior is to respond to queries on every available IPv4 and IPv6 address.

    And this covers localhost.

    I'm not saying you're wrong, but it definitely deserves some explanation.
    Please have a look at this and comment on this extract from this page:

    Make sure that the DNS Forwarder/Resolver is always capable of accepting queries on localhost before using it as a DNS server.



  • I've got it working. I have numerous subnet interfaces and because of that didn't see that the loopback interface wasn't enabled in the DNS Forwarder. Don't know how it had been disabled, as I doubt I unchecked it. Once it was added, things started working fine. Umm, and yes, if you want to utilize dnsmasq settings with an explicit proxy then you need loopback enabled in either the DNS Forwarder or Resolver.
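A diagnostic for the situation this thread ends on, added here as an example and not posted by anyone in the thread: run from the pfSense shell, it checks that the forwarder listening on 127.0.0.1 (the server Squid resolves through when acting as an explicit proxy) actually returns the address= overrides from the advanced options. It assumes `dig` is installed; the override list is a constructed copy of the one in the first post.

```shell
#!/bin/sh
# Constructed copy of the DNS Forwarder "advanced options" lines from the thread.
OVERRIDES='address=/bing.com/216.239.38.120
address=/yahoo.com/216.239.38.120
address=/ask.com/216.239.38.120
address=/google.com/216.239.38.120'

# expected_ip NAME: print the IP dnsmasq should answer for NAME, using the
# longest matching address= domain (address=/google.com/ also covers
# www.google.com, as dnsmasq does). Prints nothing when no override applies.
expected_ip() {
    name=$1
    best=""; best_len=0
    for line in $OVERRIDES; do            # one address= entry per word
        dom=${line#address=/}; dom=${dom%%/*}
        ip=${line##*/}
        case $name in
            "$dom"|*."$dom")
                if [ "${#dom}" -gt "$best_len" ]; then
                    best=$ip; best_len=${#dom}
                fi ;;
        esac
    done
    printf '%s' "$best"
}

# check_name NAME [SERVER]: query SERVER (default 127.0.0.1, i.e. the firewall's
# own forwarder) and compare the A answer with the configured override.
# Returns 0 on a match, 1 otherwise; an empty answer is what you see when
# loopback is not an enabled interface in the forwarder ("No response").
check_name() {
    name=$1; server=${2:-127.0.0.1}
    want=$(expected_ip "$name")
    got=$(dig +short +time=2 +tries=1 @"$server" "$name" A 2>/dev/null | head -n1)
    if [ -n "$want" ] && [ "$got" = "$want" ]; then
        echo "OK   $name -> $got via $server"
        return 0
    fi
    echo "FAIL $name: expected '${want:-no override}' got '${got:-no response}' via $server"
    return 1
}
```

Run `check_name www.google.com` on the firewall; a FAIL with "no response" points at the loopback interface not being enabled in the forwarder rather than at Squid.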

