Squid proxy and DNS

We have a small network enclave that has a single machine that runs a proxy server and DNS server for that enclave. This system's IP is 192.168.1.2.

Recently we have suspected that someone's machine in that enclave might be infected. We did some research to see if their machine was going to a specific "malicious" site.

(I am blocking some information for security / privacy reasons)

First we found in the DNS logs:

bind.log.120319:19-Mar-2012 09:41:06.885 queries: info: client 192.168.1.2#41359: query: malicious-site.com IN A + (192.168.1.2)

So it looks like maybe squid made the DNS request for the user?

I checked the access log of squid and do not see any traffic to malicious-site.com.

Can someone explain to me how DNS queries work with Squid? It looks like Squid is making some queries for users and letting other users make their own queries.

Is there any way I can track down which client made that DNS request?
Asked by savone
Kerem ERSOY (President) commented:
Hi,

There's nothing special about Squid's use of DNS queries. Since your internal hosts have proxy settings, they don't do the DNS lookup for HTTP themselves; they pass the site to your proxy, so your proxy resolves the name and makes the request.

In fact, your log record indicates that it was the proxy host that made the query to your DNS server about malicious-site.com (IP 192.168.1.2, port 41359).

I checked the access log of squid and do not see any traffic to malicious-site.com.

Squid will only log a connection if the connection succeeded. It seems that you're blocking access to the site on your firewall, so Squid cannot connect to the site, and this is why you don't have anything in your log.

Since you've blocked traffic to the site, the best way to check who's connecting to it is to listen on the proxy port with tcpdump or Wireshark and locate the host that makes the request through the proxy. I wouldn't suggest restoring the connection to check your Squid logs, since this might put your network and systems in jeopardy.

Cheers,
K.

giltjr commented:
Squid does not proxy HTTPS requests; it only allows them to pass through encrypted. So if a user is accessing a site using SSL, the user's computer will do the DNS query.
Duncan Roe (Software Developer) commented:
You can also update your firewall rules to log failed connection attempts.
Sandy commented:
Check /etc/resolv.conf and run squid -z with your configuration. If a specific site is needed, I prefer to go with /etc/hosts or conditional forwarding in DNS.