
We use a DNS-based proxying system, which proxies certain addresses based on the DNS entry. For example, for website1.com the DNS returns the IP of the proxy and the request is sent through it, but for website2.com the DNS returns the regular address and the request is sent directly. That's no problem.

However, this only works for name-based calls. We need to be able to do the same for certain IP addresses too, but is there any way to do that?

For example, a user browses to a web site with IP 1.2.3.4 but NO DNS entry, neither A nor PTR. We would then need the call to go not to the IP 1.2.3.4 but to our server 10.0.0.4 instead. Is there any way to do that, at all? We realize this would need to be set on the client machine, but still, is there any way to do it?

The clients could be anything: Windows, Mac, Linux, Android, whatever. Probably it's not possible on all of them, but is it possible on any of them?

gldesign
  • The calls to IP addresses - do you want sent to the proxy or to the actual device? Is this specifically HTTP traffic or is it some other kind of traffic? What software do you use for the proxy? – Jenny D Dec 20 '13 at 10:47
  • We want the calls from the user's device to the final IP address to be proxied via our server so it looks like they originate from our server, not the user's device. We do this today for certain name-based calls, using DNS to direct them via sniproxy, but we can't do it for pure IP calls. We don't want to proxy *all* traffic, just selected addresses and IP addresses. – gldesign Dec 20 '13 at 15:07
  • Thanks - second question, though, was what kind of traffic it is. "Calls" is not a networking term which makes it hard to figure out exactly what it is you are doing. – Jenny D Dec 20 '13 at 15:12
  • Sorry, networking isn't what I usually work with, and English isn't my first language. It can be basically any kind of traffic, but typically it's TCP or UDP traffic. When a user encounters an IP-based URL it's likely to be something like RTMP, and we wouldn't use a proxy but DNAT it at our end. – gldesign Dec 20 '13 at 15:46
  • Thanks for the clarification, and lots of people here don't have English as first language, that's why we have to ask one another for help with understanding sometimes :-) Now I have another question: Do you control the network and routing for the target servers or for the client, or both, or neither? – Jenny D Dec 20 '13 at 15:59
  • Basically neither. We can tell clients to possibly do simple changes in their systems, but they are regular home users, with neither the knowledge nor the equipment to do anything advanced. We would basically need to DNAT certain IPs at the client end to point to our server instead of the original IP, but I see no way to do that when the client has nothing other than a regular home router and PC... as I wrote in a comment below, it would need to be something simple, like a hosts file, but not for name resolution but instead for IP translation. I don't believe there is a solution, but wanted to check. – gldesign Dec 20 '13 at 16:10
  • If you don't control the network/routing on either end, then there is nothing you can do. Sorry. – Jenny D Dec 22 '13 at 14:42
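What the "hosts file, but for IP addresses" idea amounts to on the one platform where a home user could actually do it (a Linux client with root), and what the proxy end has to do to undo it, as an added example that is not part of the original post. It reads a constructed hosts-style mapping file, emits an nftables ruleset for the client's output NAT hook, and emits the matching ruleset for the proxy. The proxy address 10.0.0.4 and the destination 1.2.3.4 come from the question; the second destination, the table names, and the 20000+ port range are assumptions. One detail the question glosses over is handled explicitly: once the client has rewritten the destination to 10.0.0.4, the proxy no longer sees 1.2.3.4 anywhere in the packet, so each original (IP, proto, port) must be given its own proxy port or the proxy cannot tell two bare-IP destinations apart.

```python
"""Added example: a hosts-style "IP translation" file turned into paired nftables DNAT rules.

The client side rewrites selected destination IP:port pairs to the proxy; the proxy side maps
each of its listening ports back to the original destination and masquerades so the origin
sees the proxy's address. Every (ip, proto, port) entry gets its own proxy port, because all
entries share one proxy address and that port is the only thing the proxy can use to recover
the original destination after DNAT.
"""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed sample file, not from the original post (1.2.3.4 is the asker's example).
SAMPLE_IPMAP = """\
# <original destination IP> <proto>/<port>
1.2.3.4       tcp/1935   # RTMP to a bare-IP origin
1.2.3.4       tcp/80
203.0.113.7   udp/5000
"""
PROXY_IP = "10.0.0.4"   # the asker's server


@dataclass(frozen=True)
class Mapping:
    orig_ip: str
    proto: str
    port: int
    proxy_port: int


def parse_ipmap(text: str, base_port: int = 20000) -> list[Mapping]:
    """Parse the hosts-style file; reject malformed lines and duplicate entries rather than
    silently producing a rule that would never match or would shadow another."""
    mappings, seen, next_port = [], set(), base_port
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<ip> <proto>/<port>'")
        ip_s, service = parts
        ipaddress.IPv4Address(ip_s)  # raises on anything that is not a plain IPv4 literal
        proto, _, port_s = service.partition("/")
        if proto not in ("tcp", "udp") or not port_s.isdigit():
            raise ValueError(f"line {lineno}: bad service {service!r}")
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port out of range")
        key = (ip_s, proto, port)
        if key in seen:
            raise ValueError(f"line {lineno}: duplicate entry {key}")
        if next_port > 65535:
            raise ValueError("ran out of proxy ports")
        seen.add(key)
        mappings.append(Mapping(ip_s, proto, port, next_port))
        next_port += 1
    return mappings


def client_rules(mappings: list[Mapping], proxy_ip: str) -> str:
    """nftables ruleset for the client: DNAT locally generated packets in the output hook.
    Needs Linux and root, which is exactly what the asker's home users do not have."""
    lines = ["table ip ipmap_client {",
             "  chain output {",
             "    type nat hook output priority -100; policy accept;"]
    for m in mappings:
        lines.append(f"    ip daddr {m.orig_ip} {m.proto} dport {m.port} "
                     f"dnat to {proxy_ip}:{m.proxy_port}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def proxy_rules(mappings: list[Mapping], proxy_ip: str) -> str:
    """nftables ruleset for the proxy host (needs net.ipv4.ip_forward=1): map each proxy port
    back to the original destination, then masquerade so the origin sees the proxy's address
    rather than the user's."""
    lines = ["table ip ipmap_proxy {",
             "  chain prerouting {",
             "    type nat hook prerouting priority -100; policy accept;"]
    for m in mappings:
        lines.append(f"    ip daddr {proxy_ip} {m.proto} dport {m.proxy_port} "
                     f"dnat to {m.orig_ip}:{m.port}")
    lines += ["  }",
              "  chain postrouting {",
              "    type nat hook postrouting priority 100; policy accept;"]
    for ip in sorted({m.orig_ip for m in mappings}, key=ipaddress.IPv4Address):
        lines.append(f"    ip daddr {ip} masquerade")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    maps = parse_ipmap(SAMPLE_IPMAP)
    print(client_rules(maps, PROXY_IP))
    print()
    print(proxy_rules(maps, PROXY_IP))
```

Load either ruleset with `nft -f`. The same mapping file must produce both sides, since the proxy port is the only link between a connection arriving at the proxy and the destination the user originally typed; if the two ends drift apart, traffic is silently forwarded to the wrong origin.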

1 Answer


As you specified networking, there is an option at the network level, I have provided a network solution below flagged with NETWORK. Only a few protocols are commonly proxied, but most work well with NAT (the network solution). HTTP and HTTPS are commonly proxied, so that is my first response.

I am confused by your description of DNS based proxying. It is common for DNS to specify different IP addresses for different addresses, or for related sites to have the same IP address. As you are specifying websites as your hostnames, I believe we can assume you want to proxy websites. I believe the term you are looking for is "name-based virtual hosting" or "name-based proxying".

For HTTP or HTTPS many servers can proxy traffic based on IP address and/or the name specified in the HOST header. The Apache Web Server uses VirtualHosts to separate sites. Other software which can proxy traffic has the same or similar functionality. In Apache, to do both IP-based and name-based proxying for the same site you would create a VirtualHost for the IP address and add the required name(s) to that virtual host. You would then configure that VirtualHost to proxy the whole site or part of it.

NETWORKING: If you want to redirect an IP address to a different address this can be done by a router. The mechanism used is called NAT (Network Address Translation). In this case you would need DNAT (Destination Network Address Translation). Some routers can do NAT on a per-port (service) basis. In this case you would want the related DNS entries to return the IP address being translated.

EDIT: The additional comments provide additional information. As I understand the requirements:
- Proxying will only be for users from certain addresses/address ranges; not all traffic to the name/IP will be proxied.
- Proxied requests must appear to originate from the proxy, not the original host.
- The current solution provides different address records depending on the origin of the request. (I believe the existing solution is broken here. DNS requests originate from the DNS server the client is using, which may not be the client's device. DNS responses are cached, so you cannot rely on a DNS request preceding the request.)

The solution I believe would most likely work is to handle this with NAT rules on a device in front of the server and proxy. This would NAT all traffic you want to proxy to your proxy device based on originating IP address, and pass other traffic directly to the server.

BillThor
  • We use DNS to override specific zones, for specific destinations, to send calls to those, and only those, via our proxy. At the proxy end we proxy name-based calls, and can DNAT IP-based calls, to the correct end destination, but we need the call from the customer to go to our server somehow even when it's a call to a pure IP address, not preceded by a DNS query. And as with the name-based calls, we want it only for certain IP addresses. I don't really believe it can be done, but am interested if someone has a solution, a solution that the client can easily implement on his system. – gldesign Dec 20 '13 at 15:09
  • To clarify, the clients are regular home users, they can't implement a dnat router solution in their end. It would need to be something like a hosts file - but for IP addresses. – gldesign Dec 20 '13 at 15:15
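The two routing paths the thread keeps contrasting, name-based proxying of the kind sniproxy does and the DNAT fallback for pure-IP calls, as an added example in Python that is not part of the answer or of sniproxy. A TLS proxy that does not hold the origin's certificate cannot read the HOST header the answer mentions, because that is inside the encrypted stream; what it can read is the server_name extension in the ClientHello, and it forwards the raw bytes on that basis. The catch that makes the asker's problem real: a browser opening https://1.2.3.4/ sends no server_name at all (RFC 6066 does not allow IP literals there), so the only thing left to route on is which proxy address:port the connection arrived at, i.e. the DNAT mapping. The routing tables and the ClientHello builder below are constructed for the example; the parser is bounds-checked so truncated or hostile input raises instead of being mis-read.

```python
"""Added example: route a TLS connection the way an SNI proxy does.

Name-based calls carry the hostname in the ClientHello's server_name extension, so the proxy
can pick the origin without terminating TLS. A client connecting to a bare IP sends no
server_name, so a pure-IP call can only be routed by the proxy-side listener it arrived on.
"""
from __future__ import annotations

# Constructed routing tables, not from the original post.
NAME_ROUTES = {"website1.com": "198.51.100.10:443"}   # SNI host_name -> real origin
IP_ROUTES = {"10.0.0.4:20000": "1.2.3.4:443"}          # proxy listener -> real origin


def _take(buf: bytes, pos: int, n: int) -> tuple[bytes, int]:
    """Bounds-checked slice; malformed input raises instead of being mis-parsed."""
    if pos + n > len(buf):
        raise ValueError("truncated TLS data")
    return buf[pos:pos + n], pos + n


def extract_sni(record: bytes) -> str | None:
    """Return the host_name from a TLS ClientHello record, or None if it carries none."""
    hdr, pos = _take(record, 0, 5)
    if hdr[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, pos, int.from_bytes(hdr[3:5], "big"))
    hs_hdr, pos = _take(body, 0, 4)
    if hs_hdr[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello, _ = _take(body, pos, int.from_bytes(hs_hdr[1:4], "big"))
    _, pos = _take(hello, 0, 2 + 32)                    # client_version + random
    sid_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, sid_len[0])              # session_id
    cs_len, pos = _take(hello, pos, 2)
    _, pos = _take(hello, pos, int.from_bytes(cs_len, "big"))   # cipher_suites
    cm_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, cm_len[0])               # compression_methods
    if pos == len(hello):
        return None                                     # legacy hello without extensions
    ext_len, pos = _take(hello, pos, 2)
    exts, _ = _take(hello, pos, int.from_bytes(ext_len, "big"))
    pos = 0
    while pos < len(exts):
        eh, pos = _take(exts, pos, 4)
        edata, pos = _take(exts, pos, int.from_bytes(eh[2:4], "big"))
        if int.from_bytes(eh[0:2], "big") != 0:         # extension type 0 = server_name
            continue
        lst_len, p = _take(edata, 0, 2)
        names, _ = _take(edata, p, int.from_bytes(lst_len, "big"))
        p = 0
        while p < len(names):
            nh, p = _take(names, p, 3)
            name, p = _take(names, p, int.from_bytes(nh[1:3], "big"))
            if nh[0] == 0:                              # name_type 0 = host_name
                return name.decode("ascii")
        return None
    return None


def build_client_hello(server_name: str | None = None) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello, with or without SNI."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host
        sni = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni
    hello = (b"\x03\x03" + bytes(32)                     # version + all-zero random (test only)
             + b"\x00"                                   # empty session_id
             + b"\x00\x02\x13\x01"                       # one cipher suite
             + b"\x01\x00"                               # null compression
             + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def route(listener: str, first_bytes: bytes) -> tuple[str, str, str | None]:
    """Pick the forward target: ('sni', name, origin), ('dnat', listener, origin) or
    ('reject', key, None). The SNI value is only a lookup key, never a free-form
    destination, so a client cannot use the proxy to reach arbitrary hosts."""
    name = extract_sni(first_bytes)
    if name is not None:
        origin = NAME_ROUTES.get(name)
        return ("sni", name, origin) if origin else ("reject", name, None)
    origin = IP_ROUTES.get(listener)
    return ("dnat", listener, origin) if origin else ("reject", listener, None)
```

In a real proxy the first call on a new connection is `route(local_addr, peek)` on the first record peeked from the socket, followed by a plain byte relay to the returned origin. Rejecting unknown names matters as much as the routing itself: an SNI proxy that forwards to whatever host_name it is handed is an open relay.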