Improve company productivity with a Business Account.Sign Up

x
?
Solved

Squid proxy and DNS

Posted on 2012-03-30
4
Medium Priority
?
1,031 Views
Last Modified: 2012-05-15
We have a small network enclave that has a single machine that runs a proxy server and DNS server for that enclave. This system's IP is 192.168.1.2.

Recently we have suspected that someone's machine in that enclave might be infected.  We did some research to see if their machine was going to a specific "malicious" site.

( I am blocking some information for security / privacy reasons)

First we found in the DNS logs:

bind.log.120319:19-Mar-2012 09:41:06.885 queries: info: client 192.168.1.2#41359: query: malicious-site.com IN A + (192.168.1.2)

So it looks like maybe squid made the DNS request for the user?

I checked the access log of squid and do not see any traffic to malicious-site.com.

Can someone explain to me how DNS queries work with squid?  It looks like squid is making some queries for users and letting other users make their own queries.

Is there anyway I can track down which client made that DNS request?
0
Comment
Question by:savone
4 Comments
 
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 375 total points
ID: 37789871
Hi,

There's noting special about Squid using DNS query. Only since your systems internal hosts have their proxy settings they don't do the DNS lookup for HTTP protocol and pass the site to be searched to your proxy so that your proxy resolves names and make the request.

In fact your log record indicates that it was the proxy host who made a query to your DNS about the malicious-site.com (ip 192.168.1.2 and port 41359).

I checked the access log of squid and do not see any traffic to malicious-site.com.

Squid will only log any connection if the connection succeeded. It seems that you're blocking the site access over your firewall so that squid can not connect to the site and this si why you don't have anything in your log.

Since you've blocked traffic to the site the best way to check who's connecting to the site is to listen to the proxy port with tcpdump or wireshark and locate the site which makes the request through the proxy. I won't be suggesting you to restore the connection back and check your squid logs since this might put your network and systems in jeopardy.

Cheers,
K.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 375 total points
ID: 37790938
Squid does not proxy https requests, it only allows them to pass through encrypted.  So if a user is accessing a site using SSL the user's computer will do the DNS query.
0
 
LVL 35

Assisted Solution

by:Duncan Roe
Duncan Roe earned 375 total points
ID: 37792095
You can also update your firewall rules to log failed connection attempts
0
 
LVL 13

Assisted Solution

by:Sandy
Sandy earned 375 total points
ID: 37793227
check /etc/resolv.conf and squid -z with configuration. if any specific site is needed then i prefer to go with /etc/hosts or conditional forwarding in DNS.
0

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Did you know PowerShell can save you time with SaaS platforms? Simply leverage RESTfulAPIs to build your own PowerShell modules. These will kill repetitive tickets and tabs, using the command Invoke-RestMethod. Tune into this webinar to learn how…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question