
#1 2010-09-08 15:14:03

archibutor
Member
Registered: 2010-09-08
Posts: 7

Question: How to: Split routing & split DNS

What I wish to accomplish?

Caching HTTP-proxy for my home network which (for example) listens on two different ports (say 8080 and 8081) and the routing decision for outgoing HTTP-data and DNS-queries is based on which port is used. Whenever I mention "browser" in the description below, I mean a WWW-browser configured to use the above mentioned HTTP-proxy.


The problem comes here:

The actual HTTP-data and DNS-queries started by the browser should go through either ethwan or ppp0, based on whether the browser was using proxy on port 8080 or proxy on port 8081. It would be trivial to set up two instances of caching HTTP-proxy and caching DNS-server, one for ethwan and one for ppp0, but then they wouldn't use the same cache.


Oh. But why?

The internet-surfing done without this set-up leaks DNS-queries. I have to set my DNS-queries to go through either ethwan or ppp0. Then when I choose to surf the internet "anonymously" through the ppp0, the DNS-queries would leak through ethwan and the other way around.


Experiments and thoughts:

  • I've already accomplished the configuration necessary to get my surfing data going out through either ethwan or ppp0 based on the port used. This was accomplished with the Squid caching HTTP-proxy, its configuration directive "tcp_outgoing_tos" and the commands "ip rule" and "ip route". Squid cannot mark DNS-connections in this way.

  • "Varnish" has something called "DNS redirector", but 1) I don't fully understand its purpose, 2) Varnish is not a caching proxy for clients, rather it's a reverse proxy for HTTP services.

  • "Delegate" was able to act as a proxy and listen on a specific port while allowing me to choose which nameserver it would use. If I were to make it a proxy forwarding the connection to a caching HTTP-proxy (I'm not sure it's even possible with delegate), the delegate would do no DNS queries and, well, scrub that.

  • "dnsmasq" as a DNS-server doesn't support selecting which nameserver a DNS-query is sent to based on which port the DNS-request came in on from the client.

  • "djbdns" can match requests based on IP-address, but not based on port.

  • "pdns-recursor": it might be possible with a custom backend.

  • "Apache Traffic Server" would be a nice replacement for Squid, but it's not in the repositories. Besides, it cannot tag outgoing HTTP-connections and cannot send the DNS-request to a specific nameserver based on source port, only based on destination host, domain etc. For a while I thought this was very promising.

  • "BIND" cannot match based on port.

For the moment (until someone enlightens me) I refuse to accept the possibility that the only solution might be to write this functionality. I mean, it's not that unheard of. Is it? Just thinking from a security perspective.


dnsrouting.jpg

Numbers in the picture

These are possible ideas. Please correct me where I'm missing something or where I'm just plain wrong OR where you have a better or simpler idea.

1.
The HTTP-proxy has to be able to identify clients based on which port they came in.

2.
The HTTP-proxy has to be able to mark the connection going out to the caching DNS-server based on (1.). For example by adding a specific suffix to the hostname being looked up (.ethwan.local or .vpn.local). Or the caching DNS-server could listen on two different ports and the HTTP-proxy must be able to send the DNS-request to the correct port based on (1.).

3.
Linux can have network traffic pass out through a specific interface and gateway by using the commands provided by iptables, ip rule and ip route. Combining these commands, it's possible to match the outgoing packet by source address, TOS and fwmark, among others. The HTTP-proxy and the caching DNS-server must be able to tag the outgoing connections in a way matchable by the previous commands and based on (1. and/or 2.).

4.
Well, really not an issue, but the caching DNS-server has to be able to either receive dynamic DNS updates from the DHCP server or be able to forward DNS-queries to another DNS-server based on the query's domain part. Alternatively the caching DNS-server has to be a DHCP-server and DNS-server combined. This is because I want to be able to resolve my clients' addresses inside my network.


My question(s):

Please do

  1. suggest a better solution

  2. correct me where I'm wrong

  3. suggest a caching HTTP-proxy and a caching DNS-server that have the ability to do these things

  4. PLEASE say that I have missed the configuration option from one of the mentioned programs that enables this kind of functionality

  5. any combination of the above

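An added example, not code from the thread or from any of the programs named in it, of what ideas 1 to 3 look like as one small forwarder in Python. Each listening port maps to a path; every upstream query leaves on a fresh UDP socket whose TOS byte is set per path, so that policy rules such as `ip rule add tos 0x04 table 100` and `ip rule add tos 0x08 table 101` (an assumed setup, mirroring what the post describes doing with Squid's tcp_outgoing_tos) steer it out ethwan or ppp0; both ports share one cache keyed on (qname, qtype, qclass). The listener ports 53000/53001, the upstream addresses and the TOS values are placeholders, and `build_query`/`fake_reply` are constructed fixtures for running it offline.

```python
# Added example, not from the thread: a split-path caching DNS forwarder
# implementing ideas 1-3 of the post.  Assumed: listener 53000 is the ethwan
# path and 53001 the ppp0 path; the TOS values are matched by an assumed
# 'ip rule add tos 0x04 table 100' / 'ip rule add tos 0x08 table 101' policy.
import socket
import struct
import time

PATHS = {  # listener port -> path policy (all values are placeholders)
    53000: {"name": "ethwan", "upstream": ("192.0.2.53", 53), "tos": 0x04},
    53001: {"name": "ppp0", "upstream": ("198.51.100.53", 53), "tos": 0x08},
}

def encode_name(name):
    """Dotted name -> length-prefixed labels, uncompressed."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"

def parse_name(msg, off):
    """Decode a name at msg[off], following compression pointers (RFC 1035 4.1.4).
    Returns (lower-cased name, offset just past the name in the caller's stream)."""
    labels, end = [], None
    for _ in range(128):  # hard bound: a hostile packet can loop pointers
        length = msg[off]
        if length & 0xC0 == 0xC0:
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    else:
        raise ValueError("name too long or compression loop")
    return ".".join(labels), off if end is None else end

def parse_question(msg):
    """(qname, qtype, qclass, offset after the question) of a one-question message."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("need exactly one question")
    qname, off = parse_name(msg, 12)
    return (qname,) + struct.unpack("!HH", msg[off:off + 4]) + (off + 4,)

def min_ttl(msg):
    """Smallest TTL over all RRs = cache lifetime; None when there are no RRs."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, ttl = 12, None
    for _ in range(qd):
        off = parse_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        off = parse_name(msg, off)[1]
        rtype, _, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype != 41:  # OPT pseudo-RR uses the TTL field for flags
            ttl = rttl if ttl is None else min(ttl, rttl)
    return ttl

def rewrite_for_client(query, reply):
    """Give a (possibly cached) reply the client's own ID and question bytes."""
    qend, rend = parse_question(query)[3], parse_question(reply)[3]
    if qend != rend:  # equal lengths keep the 0xC00C pointers in the RRs valid
        raise ValueError("question section mismatch")
    return query[:2] + reply[2:12] + query[12:qend] + reply[rend:]

def udp_send(path, packet, timeout=2.0):
    """Forward one query on a fresh socket tagged with the path's TOS (idea 3)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, path["tos"])
        s.settimeout(timeout)
        s.sendto(packet, path["upstream"])
        while True:  # drop stray datagrams and ID mismatches
            data, peer = s.recvfrom(4096)
            if peer == path["upstream"] and data[:2] == packet[:2]:
                return data

class SplitResolver:
    """One cache shared by all listeners; 'send' and 'clock' are injectable."""
    def __init__(self, paths, send=udp_send, clock=time.time):
        self.paths, self.send, self.clock = paths, send, clock
        self.cache = {}  # (qname, qtype, qclass) -> (expires_at, upstream reply)

    def handle(self, listen_port, query):
        """Return (reply for the client, 'cache' or the name of the path used)."""
        path = self.paths[listen_port]            # idea 1: client identified by port
        key, now = parse_question(query)[:3], self.clock()
        hit = self.cache.get(key)
        if hit and hit[0] > now:
            return rewrite_for_client(query, hit[1]), "cache"
        reply = self.send(path, query)            # idea 2: path chosen from the port
        ttl = min_ttl(reply)
        if ttl and reply[3] & 0x0F == 0:          # cache NOERROR answers only
            self.cache[key] = (now + ttl, reply)
        return rewrite_for_client(query, reply), path["name"]

# Constructed fixtures for offline use (no real traffic).
def build_query(tid, qname, qtype=1):
    return (struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))

def fake_reply(query, ip="192.0.2.1", ttl=300):
    """NOERROR reply with one A record, echoing the query's question section."""
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return (query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
            + query[12:parse_question(query)[3]] + rr)
```

Wiring it up is one UDP socket bound per port in PATHS, a select() loop, and `resolver.handle(port, datagram)` per query, with ValueError/IndexError/struct.error/OSError from a malformed or timed-out query simply dropping it. Two things worth keeping in mind: the shared cache is exactly what "unification" means here, so an answer fetched over ppp0 is served to a client on the ethwan side and vice versa (no query leaves the wrong interface, but the two paths see each other's cached records, which matters for geo-targeted names); and the `range(128)` bound in parse_name is what stops a crafted reply with looping compression pointers from hanging the resolver. Cached TTLs are not decremented when served, which a production forwarder must do.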

#2 2010-09-08 15:57:55

yejun
Member
Registered: 2009-10-21
Posts: 66

Re: Question: How to: Split routing & split DNS

You need to run 2 dns servers.


#3 2010-09-08 16:38:37

archibutor
Member
Registered: 2010-09-08
Posts: 7

Re: Question: How to: Split routing & split DNS

That doesn't accomplish unification of the caches. While programming the needed functionality into the server software(s) is indeed an option, I would like to refrain from doing so, if at all possible. It is more than likely that I have missed a server software that has this functionality built in. Also, there are thousands of Linux users, and someone must have tried, researched or even thought of this kind of configuration at some point. I will heed your advice, but will continue waiting for additional suggestions, experiences and experiments.

