Does unbound work with Cisco WCCP?

Hi all,

Does anybody know: does unbound work with Cisco WCCP?

And if yes, how?

WBR, Yuri

Yuri Voinov:

Does anybody know: does unbound work with Cisco WCCP?

WCCP = Web Cache Communication Protocol.
Why do you think unbound, as a DNS resolver, should work at that level?

Andreas

A group of sibling resolvers might want to exchange information about the contents of their respective caches. Caches of DNS data and caches of web content aren't too different, if you're looking from a sufficiently high altitude. I can't picture how this would work in a transparent fashion using a WCCP implementation on a router, but it seems possible that elements of the protocol might be useful between individual unbound instances.

(I'm not saying that I think unbound does or should implement WCCP; but it does feel like the kind of crazy thing NLNet Labs /might/ have thought about :) )

Joe

This is why.

http://i.imgur.com/WSSL3kF.png

Just FYI.

So, the question is the same.

Note: I've already used a route map to intercept port 53 queries and point them at the Unbound instance. But WCCP has lower router CPU load and is more effective.

Hi Yuri,

http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/acns/v55/configuration/local/guide/55ldg/wccpch.html#wp1353686

http://i.imgur.com/WSSL3kF.png

Just FYI.

So, the question is the same.

My guess is that the machine is offering DNS resolution in addition to the WCCP service. And the DNS and WCCP do not really interact (apart from DNS lookups or using spare CPU cycles), so you are free to use any DNS resolver you want.

Best regards,
   Wouter

It doesn't look that way if you read the last bullet point:

http://www.crypt.gen.nz/papers/cisco_squid_wccp.html

It seems that the application might well have to be able to spoof the source address and therefore have some form of awareness.

It's also alluded to here:

https://networklessons.com/network-services/cisco-wccp-squid-transparent-proxy/

Hi Krad,

Yes, if that is true then you have to use the WCCP's DNS service for the spoofing. (This sounds like it would break HTTPS, DNSSEC and DANE for such sites.)

Best regards,
   Wouter


Wouter,

You have completely overlooked that some providers in some countries censor DNS/DNSSEC etc. etc. etc. What I am interested in is not hacking, but counteracting censorship, if everyone understands what I mean.

Please keep in mind, I'm talking about the interception of requests for name resolution in favor of a clean cache, which uses a reliable server as its source through dnscrypt. So, my users can't get poisoned by the provider's DNS answers.

Thank you for understanding.

As I thought, Unbound is completely unable to work with WCCPv2, as opposed to Cisco commercial solutions.

WBR, Yuri

And finally, please take a look at the solution which offers interconnection with Cisco WCCPv2-enabled devices (yes, HTTP/HTTPS/DNS/FTP transparent interception):

Please also pay attention to who the vendor is.

You think, this uses for DNSSEC etc. hacking, sure?

Perhaps you should look at dnscrypt or similar instead? WCCP for DNS is more like a mechanism that a provider might want to use to help them poison answers...

Or why not just simply block outbound DNS traffic unless it comes from one of your official sources? It's likely to break some things, yes, but it's a more up-front and honest policy.
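The "block outbound DNS unless it comes from an official source" policy suggested above, written as an nftables ruleset for a Linux gateway. This is an added example, not configuration from the thread or from any poster; the interface names and the 192.0.2.x resolver addresses are placeholders to replace with your Unbound host(s). Port 853 (DNS over TLS) is included alongside 53 on the assumption that clients bypassing the local cache over DoT should be blocked too.

```nftables
# Added example: only the designated Unbound instances may reach Internet DNS.
# eth1 = inside (LAN) interface, eth0 = outside interface (assumed names).
table inet dns_egress {
    set official_resolvers {
        type ipv4_addr
        # Placeholder addresses of the local Unbound instance(s)
        elements = { 192.0.2.53, 192.0.2.54 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # The official resolvers may query upstream DNS (plain 53 or DoT 853).
        iifname "eth1" oifname "eth0" ip saddr @official_resolvers \
            meta l4proto { udp, tcp } th dport { 53, 853 } accept

        # Any other LAN host trying to reach external DNS is logged (so bypass
        # attempts and hard-coded resolvers in devices show up in the journal)
        # and dropped; the client then falls back to the resolver handed out by DHCP.
        iifname "eth1" oifname "eth0" meta l4proto { udp, tcp } th dport { 53, 853 } \
            log prefix "dns-egress-drop: " counter drop
    }
}
```

Load it with `nft -f <file>` and watch the counter on the drop rule: a steadily rising count after rollout usually means devices with hard-coded resolvers that need the DHCP-provided address instead. For IPv6 clients add a matching `ip6 saddr` set and rule.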