Discussion:
[Unbound-users] Does unbound work with Cisco WCCP?
Yuri Voinov
2015-06-08 12:03:21 UTC
Permalink
Hi all,

Does anybody know whether Unbound works with Cisco WCCP?

And if yes - how to?

WBR, Yuri
A. Schulze
2015-06-08 12:47:11 UTC
Permalink
Post by Yuri Voinov
Does anybody know whether Unbound works with Cisco WCCP?
WCCP - Web Cache Communication Protocol
Why do you think Unbound, as a DNS resolver, should work at that level?

Andreas
Joe Abley
2015-06-08 14:02:19 UTC
Permalink
Post by A. Schulze
Post by Yuri Voinov
Does anybody know whether Unbound works with Cisco WCCP?
WCCP - Web Cache Communication Protocol
Why do you think Unbound, as a DNS resolver, should work at that level?
A group of sibling resolvers might want to exchange information about
the contents of their respective caches. Caches of DNS data and caches
of web content aren't too different, if you're looking from a
sufficiently high altitude. I can't picture how this would work in a
transparent fashion using a WCCP implementation on a router, but it
seems possible that elements of the protocol might be useful between
individual unbound instances.

(I'm not saying that I think Unbound does or should implement WCCP; but it does
feel like the kind of crazy thing NLNet Labs /might/ have thought about :-)


Joe
Yuri Voinov
2015-06-09 10:07:06 UTC
Permalink
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686

This is why.
Yuri Voinov
2015-06-09 10:12:51 UTC
Permalink
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686

http://i.imgur.com/WSSL3kF.png

Just FYI.

So, the question is same.

Note: I've already used a route map to intercept port 53 queries and point them to the Unbound instance. But WCCP has a lower router CPU load and is more effective.
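The route-map (policy-based routing) approach Yuri mentions, written out as an added example; this is not configuration from the thread, from Cisco or from NLnet Labs. The addresses and interface names are assumptions: 192.0.2.53 is the Unbound host, GigabitEthernet0/0 is the client-facing interface, and the Unbound host is reached through a different interface so that its own upstream queries never enter the policy-routed interface.

```text
! Added example (assumed addressing, see lead-in). Cisco IOS syntax.
ip access-list extended DNS-INTERCEPT
 remark Belt and braces: never redirect the resolver's own upstream
 remark queries, or they loop straight back to it.
 deny   udp host 192.0.2.53 any eq 53
 deny   tcp host 192.0.2.53 any eq 53
 remark Every other client query to port 53, whatever its destination IP,
 remark is handed to Unbound.
 permit udp any any eq 53
 permit tcp any any eq 53
!
route-map DNS-TO-UNBOUND permit 10
 match ip address DNS-INTERCEPT
 set ip next-hop 192.0.2.53
!
interface GigabitEthernet0/0
 description client LAN (policy routing applied here only)
 ip policy route-map DNS-TO-UNBOUND
```

Two practical points. First, the redirected packets still carry the client's original destination address (say, the ISP resolver), not 192.0.2.53, so the Unbound host must accept them for a foreign address: on Linux that means a NAT redirect such as `iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j REDIRECT --to-ports 53` (plus the TCP equivalent) in front of Unbound listening on all interfaces. Second, Unbound's reply then leaves with 192.0.2.53 as its source, not the address the client asked; a stub resolver that checks the reply source will discard it unless the host also rewrites the source back (the same "spoofing" requirement krad raises later in the thread). `show route-map DNS-TO-UNBOUND` reports the number of policy-routed packets, which is the quickest way to confirm interception is actually happening.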
W.C.A. Wijngaards
2015-06-22 10:32:52 UTC
Permalink
Hi Yuri,
Post by Yuri Voinov
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686
Post by Yuri Voinov
http://i.imgur.com/WSSL3kF.png
Just FYI.
So, the question is same.
My guess is that the machine is offering DNS resolution in addition to
the WCCP service. And the DNS and WCCP do not really interact (apart
from DNS lookups or using spare CPU cycles), so you are free to use
any DNS resolver you want.

Best regards,
Wouter
Post by Yuri Voinov
Note: I've already used route map to intercept port 53 queries and
point it to Unbound instance. But WCCP has lower router CPU load
and more effective.
_______________________________________________ Unbound-users
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
krad
2015-06-22 10:55:27 UTC
Permalink
It doesn't look that way if you read the last bullet point:

http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

It seems that the application might well have to be able to spoof the
source address and therefore have some form of awareness.

It's also alluded to here:

https://networklessons.com/network-services/cisco-wccp-squid-transparent-proxy/
Hi Yuri,
Post by Yuri Voinov
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686
Post by Yuri Voinov
http://i.imgur.com/WSSL3kF.png
Just FYI.
So, the question is same.
My guess is that the machine is offering DNS resolution in addition to
the WCCP service. And the DNS and WCCP do not really interact (apart
from DNS lookups or using spare CPU cycles), so you are free to use
any DNS resolver you want.
Best regards,
Wouter
Post by Yuri Voinov
Note: I've already used route map to intercept port 53 queries and
point it to Unbound instance. But WCCP has lower router CPU load
and more effective.
W.C.A. Wijngaards
2015-06-22 10:59:24 UTC
Permalink
Hi Krad,

Yes, if that is true then you have to use the WCCP DNS service for
the spoofing. (This sounds like it would break HTTPS, DNSSEC and DANE
for such sites.)

Best regards,
Wouter
Post by krad
It doesn't look that way if you read the last bullet point:
http://www.crypt.gen.nz/papers/cisco_squid_wccp.html
It seems that the application might well have to be able to spoof
the source address and therefore have some form of awareness.
It's also alluded to here:
https://networklessons.com/network-services/cisco-wccp-squid-transparent-proxy/
Post by krad
Hi Yuri,
Post by Yuri Voinov
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686
Post by krad
Post by Yuri Voinov
http://i.imgur.com/WSSL3kF.png
Just FYI.
So, the question is same.
My guess is that the machine is offering DNS resolution in addition
to the WCCP service. And the DNS and WCCP do not really interact
(apart from DNS lookups or using spare CPU cycles), so you are free
to use any DNS resolver you want.
Best regards, Wouter
Post by Yuri Voinov
Note: I've already used a route map to intercept port 53 queries
and point them to the Unbound instance. But WCCP has a lower router CPU
load and is more effective.
Yuri Voinov
2015-06-23 12:46:18 UTC
Permalink
Wouter,

You have completely overlooked some providers in some countries that
censor DNS/DNSSEC etc. What I am interested in is not hacking, but
counteracting censorship, if everyone understands what I mean.

Please keep in mind, I'm talking about intercepting name resolution
requests in favour of a clean cache, which uses a reliable server
reached through dnscrypt as its source. So my users can't get poisoned
by the provider's DNS answers.

Thank you for understanding.

As I thought, Unbound is completely unable to work with WCCPv2, as
opposed to Cisco's commercial solutions.

WBR, Yuri
Stuart Henderson
2015-06-23 14:25:16 UTC
Permalink
Post by Yuri Voinov
You have completely overlooked some providers in some countries that
censor DNS/DNSSEC etc. What I am interested in is not hacking, but
counteracting censorship, if everyone understands what I mean.
Please keep in mind, I'm talking about intercepting name resolution
requests in favour of a clean cache, which uses a reliable server
reached through dnscrypt as its source. So my users can't get poisoned
by the provider's DNS answers.
Perhaps you should look at dnscrypt or similar instead? WCCP for DNS
is more like a mechanism that a provider might want to use to help
them poison answers...
krad
2015-06-23 14:50:43 UTC
Permalink
Or why not simply block outbound DNS traffic unless it comes from one of your
official sources? It's likely to break some things, yes, but it's a more
up-front and honest policy.
Post by Stuart Henderson
Post by Yuri Voinov
You have completely overlooked some providers in some countries that
censor DNS/DNSSEC etc. What I am interested in is not hacking, but
counteracting censorship, if everyone understands what I mean.
Please keep in mind, I'm talking about intercepting name resolution
requests in favour of a clean cache, which uses a reliable server
reached through dnscrypt as its source. So my users can't get poisoned
by the provider's DNS answers.
Perhaps you should look at dnscrypt or similar instead? WCCP for DNS
is more like a mechanism that a provider might want to use to help
them poison answers...
Yuri Voinov
2015-06-23 13:04:44 UTC
Permalink
And finally, please take a look at a solution which offers
interconnection with Cisco WCCPv2-enabled devices (yes, HTTP/HTTPS/DNS/FTP
transparent interception):

http://www.websense.com/content/home.aspx

Please also pay attention to who the vendor is.

You think this is used for DNSSEC etc. hacking, sure?