Yuri Voinov
2015-06-08 12:03:21 UTC
Discussion:
A. Schulze
2015-06-08 12:47:11 UTC
WCCP - Web Cache Communication Protocol
why do you think unbound as a DNS resolver should work at that level ?
Andreas
why do you think unbound as a DNS resolver should work at that level ?
Andreas
Joe Abley
2015-06-08 14:02:19 UTC
Post by A. Schulze
WCCP - Web Cache Communication Protocol
why do you think unbound as a DNS resolver should work at that level ?
A group of sibling resolvers might want to exchange information aboutWCCP - Web Cache Communication Protocol
why do you think unbound as a DNS resolver should work at that level ?
the contents of their respective caches. Caches of DNS data and caches
of web content aren't too different, if you're looking from a
sufficiently high altitude. I can't picture how this would work in a
transparent fashion using a WCCP implementation on a router, but it
seems possible that elements of the protocol might be useful between
individual unbound instances.
(I'm not saying that I think does or should implement WCCP; but it does
feel like the kind of crazy thing NLNet Labs /might/ have thought about
:-)
Joe
Yuri Voinov
2015-06-09 10:07:06 UTC
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686
This is why.
This is why.
Yuri Voinov
2015-06-09 10:12:51 UTC
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686
Loading Image...
Just FYI.
So, the question is same.
Note: I've already used route map to intercept port 53 queries and point it to Unbound instance. But WCCP has lower router CPU load and more effective.
Loading Image...
Just FYI.
So, the question is same.
Note: I've already used route map to intercept port 53 queries and point it to Unbound instance. But WCCP has lower router CPU load and more effective.
W.C.A. Wijngaards
2015-06-22 10:32:52 UTC
Hi Yuri,
onfiguration/local/guide/55ldg/wccpch.html#wp1353686
My guess is that the machine is offering DNS resolution in addition to
the WCCP service. And the DNS and WCCP do not really interact (apart
from DNS lookups or using spare CPU cycles), so you are free to use
any DNS resolver you want.
Best regards,
Wouter
onfiguration/local/guide/55ldg/wccpch.html#wp1353686
My guess is that the machine is offering DNS resolution in addition to
the WCCP service. And the DNS and WCCP do not really interact (apart
from DNS lookups or using spare CPU cycles), so you are free to use
any DNS resolver you want.
Best regards,
Wouter
Post by Yuri Voinov
Note: I've already used route map to intercept port 53 queries and
point it to Unbound instance. But WCCP has lower router CPU load
and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Note: I've already used route map to intercept port 53 queries and
point it to Unbound instance. But WCCP has lower router CPU load
and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
krad
2015-06-22 10:55:27 UTC
it doesnt look that way if you read the last bullet point
http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
it seems that the application might well have to be able to spoof the
source address and therefore have some form of awarness
its also eluded to here
https://networklessons.com/network-services/cisco-wccp-squid-transparent-proxy/
http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
it seems that the application might well have to be able to spoof the
source address and therefore have some form of awarness
its also eluded to here
https://networklessons.com/network-services/cisco-wccp-squid-transparent-proxy/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi Yuri,
onfiguration/local/guide/55ldg/wccpch.html#wp1353686
My guess is that the machine is offering DNS resolution in addition to
the WCCP service. And the DNS and WCCP do not really interact (apart
from DNS lookups or using spare CPU cycles), so you are free to use
any DNS resolver you want.
Best regards,
Wouter
Version: GnuPG v2
iQIcBAEBCAAGBQJVh+RUAAoJEJ9vHC1+BF+NhUEP/j1ChaHD7+Y09c5CZPu792pL
5V2AauBl1t2ZV9eBn+6FOjCIqqfA/DSLgSCUElFdEkxDc4p/qhdavt8HOdmo/H9b
0YQMYCtOtvSpdbDGQDMoTkmY9bB9b2cZXERNxtpIokDNvLta2RTW96jOWGuhRlyF
YHSiO2um1ERe19w75wsayAny4WO5ch4A/c0kx+fGHf7eNqKdCmkf02iTAc4+y7mk
mOMibpaBMZvtq7W+9EyOJ3MeZPsyZrQCM33JtmoRl+OSaJMWGYks2rS2osm/SIOo
bZaMiZcnObJ759KqVvfvZxVW0F3eC+dfBdX/GFoYyZmgqMUCFxzf0RLhjvnqK7lK
pacSaYACrtlzd7GZRnE/t/YrvdepER1n0HKlwuuO0QzZ4qahKCXsgnMBxUie+LJD
x5MM+w4qI+jFXLYYEZWD71WRXn1i61xa5Lx1btsLPhfe/rbREXMPCp38we5Aa0AV
FFwnfrHVpKtxmq5ogVcT3wxxzZshnpDDX78e0YTybPoBvNkTTRO3yAkk1PPJf9IR
t06xfuxcw2SedWlllQTKtdQ06ilRFrRVw/jk6aOxH6TD+7+nnaFa4h2L2B+yUNUQ
Ql54jXx7QYtXaz0LrmDuaXRwV2IAdrZioRnC5B2VFewckmopm1CcHbpHbJIAGJGi
ZTJkXlaLBF7scCJt+5UO
=wOs1
-----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Hash: SHA256
Hi Yuri,
onfiguration/local/guide/55ldg/wccpch.html#wp1353686
My guess is that the machine is offering DNS resolution in addition to
the WCCP service. And the DNS and WCCP do not really interact (apart
from DNS lookups or using spare CPU cycles), so you are free to use
any DNS resolver you want.
Best regards,
Wouter
Post by Yuri Voinov
Note: I've already used route map to intercept port 53 queries and
point it to Unbound instance. But WCCP has lower router CPU load
and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
-----BEGIN PGP SIGNATURE-----Note: I've already used route map to intercept port 53 queries and
point it to Unbound instance. But WCCP has lower router CPU load
and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Version: GnuPG v2
iQIcBAEBCAAGBQJVh+RUAAoJEJ9vHC1+BF+NhUEP/j1ChaHD7+Y09c5CZPu792pL
5V2AauBl1t2ZV9eBn+6FOjCIqqfA/DSLgSCUElFdEkxDc4p/qhdavt8HOdmo/H9b
0YQMYCtOtvSpdbDGQDMoTkmY9bB9b2cZXERNxtpIokDNvLta2RTW96jOWGuhRlyF
YHSiO2um1ERe19w75wsayAny4WO5ch4A/c0kx+fGHf7eNqKdCmkf02iTAc4+y7mk
mOMibpaBMZvtq7W+9EyOJ3MeZPsyZrQCM33JtmoRl+OSaJMWGYks2rS2osm/SIOo
bZaMiZcnObJ759KqVvfvZxVW0F3eC+dfBdX/GFoYyZmgqMUCFxzf0RLhjvnqK7lK
pacSaYACrtlzd7GZRnE/t/YrvdepER1n0HKlwuuO0QzZ4qahKCXsgnMBxUie+LJD
x5MM+w4qI+jFXLYYEZWD71WRXn1i61xa5Lx1btsLPhfe/rbREXMPCp38we5Aa0AV
FFwnfrHVpKtxmq5ogVcT3wxxzZshnpDDX78e0YTybPoBvNkTTRO3yAkk1PPJf9IR
t06xfuxcw2SedWlllQTKtdQ06ilRFrRVw/jk6aOxH6TD+7+nnaFa4h2L2B+yUNUQ
Ql54jXx7QYtXaz0LrmDuaXRwV2IAdrZioRnC5B2VFewckmopm1CcHbpHbJIAGJGi
ZTJkXlaLBF7scCJt+5UO
=wOs1
-----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
W.C.A. Wijngaards
2015-06-22 10:59:24 UTC
Hi Krad,
Yes if that is true then you have to use the WCCP's dns service for
the spoofing. (This sounds like it would break HTTPS, DNSSEC and DANE
for such sites).
Best regards,
Wouter
c
onfiguration/local/guide/55ldg/wccpch.html#wp1353686
Yes if that is true then you have to use the WCCP's dns service for
the spoofing. (This sounds like it would break HTTPS, DNSSEC and DANE
for such sites).
Best regards,
Wouter
Post by krad
it doesnt look that way if you read the last bullet point
http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
it seems that the application might well have to be able to spoof
the source address and therefore have some form of awarness
its also eluded to here
https://networklessons.com/network-services/cisco-wccp-squid-transpare
nt-proxy/it doesnt look that way if you read the last bullet point
http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
it seems that the application might well have to be able to spoof
the source address and therefore have some form of awarness
its also eluded to here
https://networklessons.com/network-services/cisco-wccp-squid-transpare
c
onfiguration/local/guide/55ldg/wccpch.html#wp1353686
Post by krad
My guess is that the machine is offering DNS resolution in addition
to the WCCP service. And the DNS and WCCP do not really interact
(apart from DNS lookups or using spare CPU cycles), so you are free
to use any DNS resolver you want.
Best regards, Wouter
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
My guess is that the machine is offering DNS resolution in addition
to the WCCP service. And the DNS and WCCP do not really interact
(apart from DNS lookups or using spare CPU cycles), so you are free
to use any DNS resolver you want.
Best regards, Wouter
Post by Yuri Voinov
Note: I've already used route map to intercept port 53 queries
and point it to Unbound instance. But WCCP has lower router CPU
load and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
_______________________________________________ Unbound-usersNote: I've already used route map to intercept port 53 queries
and point it to Unbound instance. But WCCP has lower router CPU
load and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Yuri Voinov
2015-06-23 12:46:18 UTC
Wouter,
You are completely overlooked some providers in some countries that
censor the DNS/DNSSEC etc.etc.etc. I am interested in is not the purpose
of hacking, and to counteract censorship, if everyone understands what I
mean.
Please keep in mind,I'm talking about the interception of requests for
name resolution in favor of a clean cache, which is used as a source of
reliable server through dnscrypt. So, my users can't get poisoned by
provider DNS answers.
Thank you for understanding.
As I thought, Unbound is completely unable to work withWCCPv2, as
opposed to Cisco commercial solutions.
WBR, Yuri
You are completely overlooked some providers in some countries that
censor the DNS/DNSSEC etc.etc.etc. I am interested in is not the purpose
of hacking, and to counteract censorship, if everyone understands what I
mean.
Please keep in mind,I'm talking about the interception of requests for
name resolution in favor of a clean cache, which is used as a source of
reliable server through dnscrypt. So, my users can't get poisoned by
provider DNS answers.
Thank you for understanding.
As I thought, Unbound is completely unable to work withWCCPv2, as
opposed to Cisco commercial solutions.
WBR, Yuri
Stuart Henderson
2015-06-23 14:25:16 UTC
Post by Yuri Voinov
You are completely overlooked some providers in some countries that
censor the DNS/DNSSEC etc.etc.etc. I am interested in is not the purpose
of hacking, and to counteract censorship, if everyone understands what I
mean.
Please keep in mind,I'm talking about the interception of requests for
name resolution in favor of a clean cache, which is used as a source of
reliable server through dnscrypt. So, my users can't get poisoned by
provider DNS answers.
Perhaps you should look at dnscrypt or similar instead? WCCP for DNSYou are completely overlooked some providers in some countries that
censor the DNS/DNSSEC etc.etc.etc. I am interested in is not the purpose
of hacking, and to counteract censorship, if everyone understands what I
mean.
Please keep in mind,I'm talking about the interception of requests for
name resolution in favor of a clean cache, which is used as a source of
reliable server through dnscrypt. So, my users can't get poisoned by
provider DNS answers.
is more like a mechanism that a provider might want to use to help
them poison answers...
krad
2015-06-23 14:50:43 UTC
Or why not just simply block outbound dns traffic unless from one of your
official sources. It's likely to break some things yes, but its a more up
front and honest policy.
official sources. It's likely to break some things yes, but its a more up
front and honest policy.
Post by Stuart Henderson
is more like a mechanism that a provider might want to use to help
them poison answers...
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Post by Yuri Voinov
You are completely overlooked some providers in some countries that
censor the DNS/DNSSEC etc.etc.etc. I am interested in is not the purpose
of hacking, and to counteract censorship, if everyone understands what I
mean.
Please keep in mind,I'm talking about the interception of requests for
name resolution in favor of a clean cache, which is used as a source of
reliable server through dnscrypt. So, my users can't get poisoned by
provider DNS answers.
Perhaps you should look at dnscrypt or similar instead? WCCP for DNSYou are completely overlooked some providers in some countries that
censor the DNS/DNSSEC etc.etc.etc. I am interested in is not the purpose
of hacking, and to counteract censorship, if everyone understands what I
mean.
Please keep in mind,I'm talking about the interception of requests for
name resolution in favor of a clean cache, which is used as a source of
reliable server through dnscrypt. So, my users can't get poisoned by
provider DNS answers.
is more like a mechanism that a provider might want to use to help
them poison answers...
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
Yuri Voinov
2015-06-23 13:04:44 UTC
And finally, please take a look onto solution, wich is offers
interconnect with Cisco WCCPv2-enabled devices (yes, HTTP/HTTPS/DNS/FTP
transparent interception):
http://www.websense.com/content/home.aspx
Please also pay attention, who is vendor.
You think, this uses for DNSSEC etc. hacking, sure?
interconnect with Cisco WCCPv2-enabled devices (yes, HTTP/HTTPS/DNS/FTP
transparent interception):
http://www.websense.com/content/home.aspx
Please also pay attention, who is vendor.
You think, this uses for DNSSEC etc. hacking, sure?