using local dns to allow domain based transparent proxy

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I am from iran and some websites are blocked for iranian ips (like nvidia and intel and so on).
there is this website that advertise that I can access those domains buy just changing my dns to theirs.
so I tried and I saw this:



me@laptop ~> drill devtalk.nvidia.com @94.232.174.194
devtalk.nvidia.com. 300 IN CNAME uk4.shecan.ir.
uk4.shecan.ir. 134 IN A 5.226.141.227


the shecan.ir the the the site that advertise that.



now legality of what their doign aside how this works?
do they just redirect traffic to those sites from a non-iranian ip (uk4.shecan.ir 5.226.141.227) so in effect it is just a proxy.
but they dont proxy all the domains just the blocked one.



I am asking this because I wanted to do this for my self on my router but whatever https transparent proxy that I tried cant differentiate between domains. Do they do this with ips?
so when I use their dns service they give me a dns answer and I connect to that I send my request to that but how do they diff between the domains?
do they use different IPs for all those blocked domains?
is that feasible?



can I do this on my own router?



basically I am trying to test this:
use my dnsmasq to give local IP for the blocked sites(blocked by my isp)
then use iptable on that lan machine to transparently proxy all the traffic via tor.
but my issue is does this work with me giving local destination for blocked domains?



I am doing all this so that I don't have to proxy all my traffic and just proxy the needed domains.










share|improve this question



























    up vote
    0
    down vote

    favorite












    I am from iran and some websites are blocked for iranian ips (like nvidia and intel and so on).
    there is this website that advertise that I can access those domains buy just changing my dns to theirs.
    so I tried and I saw this:



    me@laptop ~> drill devtalk.nvidia.com @94.232.174.194
    devtalk.nvidia.com. 300 IN CNAME uk4.shecan.ir.
    uk4.shecan.ir. 134 IN A 5.226.141.227


    the shecan.ir the the the site that advertise that.



    now legality of what their doign aside how this works?
    do they just redirect traffic to those sites from a non-iranian ip (uk4.shecan.ir 5.226.141.227) so in effect it is just a proxy.
    but they dont proxy all the domains just the blocked one.



    I am asking this because I wanted to do this for my self on my router but whatever https transparent proxy that I tried cant differentiate between domains. Do they do this with ips?
    so when I use their dns service they give me a dns answer and I connect to that I send my request to that but how do they diff between the domains?
    do they use different IPs for all those blocked domains?
    is that feasible?



    can I do this on my own router?



    basically I am trying to test this:
    use my dnsmasq to give local IP for the blocked sites(blocked by my isp)
    then use iptable on that lan machine to transparently proxy all the traffic via tor.
    but my issue is does this work with me giving local destination for blocked domains?



    I am doing all this so that I don't have to proxy all my traffic and just proxy the needed domains.










    share|improve this question

























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I am from iran and some websites are blocked for iranian ips (like nvidia and intel and so on).
      there is this website that advertise that I can access those domains buy just changing my dns to theirs.
      so I tried and I saw this:



      me@laptop ~> drill devtalk.nvidia.com @94.232.174.194
      devtalk.nvidia.com. 300 IN CNAME uk4.shecan.ir.
      uk4.shecan.ir. 134 IN A 5.226.141.227


      the shecan.ir the the the site that advertise that.



      now legality of what their doign aside how this works?
      do they just redirect traffic to those sites from a non-iranian ip (uk4.shecan.ir 5.226.141.227) so in effect it is just a proxy.
      but they dont proxy all the domains just the blocked one.



      I am asking this because I wanted to do this for my self on my router but whatever https transparent proxy that I tried cant differentiate between domains. Do they do this with ips?
      so when I use their dns service they give me a dns answer and I connect to that I send my request to that but how do they diff between the domains?
      do they use different IPs for all those blocked domains?
      is that feasible?



      can I do this on my own router?



      basically I am trying to test this:
      use my dnsmasq to give local IP for the blocked sites(blocked by my isp)
      then use iptable on that lan machine to transparently proxy all the traffic via tor.
      but my issue is does this work with me giving local destination for blocked domains?



      I am doing all this so that I don't have to proxy all my traffic and just proxy the needed domains.










      share|improve this question















      I am from iran and some websites are blocked for iranian ips (like nvidia and intel and so on).
      there is this website that advertise that I can access those domains buy just changing my dns to theirs.
      so I tried and I saw this:



      me@laptop ~> drill devtalk.nvidia.com @94.232.174.194
      devtalk.nvidia.com. 300 IN CNAME uk4.shecan.ir.
      uk4.shecan.ir. 134 IN A 5.226.141.227


      the shecan.ir the the the site that advertise that.



      now legality of what their doign aside how this works?
      do they just redirect traffic to those sites from a non-iranian ip (uk4.shecan.ir 5.226.141.227) so in effect it is just a proxy.
      but they dont proxy all the domains just the blocked one.



      I am asking this because I wanted to do this for my self on my router but whatever https transparent proxy that I tried cant differentiate between domains. Do they do this with ips?
      so when I use their dns service they give me a dns answer and I connect to that I send my request to that but how do they diff between the domains?
      do they use different IPs for all those blocked domains?
      is that feasible?



      can I do this on my own router?



      basically I am trying to test this:
      use my dnsmasq to give local IP for the blocked sites(blocked by my isp)
      then use iptable on that lan machine to transparently proxy all the traffic via tor.
      but my issue is does this work with me giving local destination for blocked domains?



      I am doing all this so that I don't have to proxy all my traffic and just proxy the needed domains.







      linux dns proxy






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 5 at 16:17









      Romeo Ninov

      5,06231727




      5,06231727










      asked Dec 5 at 16:06









      user3111875

      1




      1




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          Yes, you can do that on your own router. The dnsmasq running on your router uses the /etc/hosts file on the router, so you have to edit this file, enter the domains you want to re-route, and give them (different) IP addresses from the private range.



          Then you need the iptables rules to DNAT them to their real address, and sent them out via the tor interface.



          This will be a bit of a hassle to manage when IP addresses for domains change, because you'll have to update your configuration.



          An alternative would be to use a different network namespace on your PC, start two browsers (one in the main namespace, one in the new namespace), wire up the namespace to use tor as a gateway, and in this way differentiate between traffic you want proxied, and traffic you can do directly.






          share|improve this answer




















          • what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
            – user3111875
            Dec 7 at 21:48











          • Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
            – dirkt
            Dec 8 at 8:24










          • then how those guys in my example do it?
            – user3111875
            Dec 8 at 8:50











          • As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
            – dirkt
            Dec 9 at 11:04










          • so just using dnsmasq to assign ip (local) to them is not enought?
            – user3111875
            Dec 9 at 12:39










          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f486183%2fusing-local-dns-to-allow-domain-based-transparent-proxy%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          Yes, you can do that on your own router. The dnsmasq running on your router uses the /etc/hosts file on the router, so you have to edit this file, enter the domains you want to re-route, and give them (different) IP addresses from the private range.



          Then you need the iptables rules to DNAT them to their real address, and sent them out via the tor interface.



          This will be a bit of a hassle to manage when IP addresses for domains change, because you'll have to update your configuration.



          An alternative would be to use a different network namespace on your PC, start two browsers (one in the main namespace, one in the new namespace), wire up the namespace to use tor as a gateway, and in this way differentiate between traffic you want proxied, and traffic you can do directly.






          share|improve this answer




















          • what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
            – user3111875
            Dec 7 at 21:48











          • Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
            – dirkt
            Dec 8 at 8:24










          • then how those guys in my example do it?
            – user3111875
            Dec 8 at 8:50











          • As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
            – dirkt
            Dec 9 at 11:04










          • so just using dnsmasq to assign ip (local) to them is not enought?
            – user3111875
            Dec 9 at 12:39














          up vote
          0
          down vote













          Yes, you can do that on your own router. The dnsmasq running on your router uses the /etc/hosts file on the router, so you have to edit this file, enter the domains you want to re-route, and give them (different) IP addresses from the private range.



          Then you need the iptables rules to DNAT them to their real address, and sent them out via the tor interface.



          This will be a bit of a hassle to manage when IP addresses for domains change, because you'll have to update your configuration.



          An alternative would be to use a different network namespace on your PC, start two browsers (one in the main namespace, one in the new namespace), wire up the namespace to use tor as a gateway, and in this way differentiate between traffic you want proxied, and traffic you can do directly.






          share|improve this answer




















          • what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
            – user3111875
            Dec 7 at 21:48











          • Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
            – dirkt
            Dec 8 at 8:24










          • then how those guys in my example do it?
            – user3111875
            Dec 8 at 8:50











          • As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
            – dirkt
            Dec 9 at 11:04










          • so just using dnsmasq to assign ip (local) to them is not enought?
            – user3111875
            Dec 9 at 12:39












          up vote
          0
          down vote










          up vote
          0
          down vote









          Yes, you can do that on your own router. The dnsmasq running on your router uses the /etc/hosts file on the router, so you have to edit this file, enter the domains you want to re-route, and give them (different) IP addresses from the private range.



          Then you need the iptables rules to DNAT them to their real address, and sent them out via the tor interface.



          This will be a bit of a hassle to manage when IP addresses for domains change, because you'll have to update your configuration.



          An alternative would be to use a different network namespace on your PC, start two browsers (one in the main namespace, one in the new namespace), wire up the namespace to use tor as a gateway, and in this way differentiate between traffic you want proxied, and traffic you can do directly.






          share|improve this answer












          Yes, you can do that on your own router. The dnsmasq running on your router uses the /etc/hosts file on the router, so you have to edit this file, enter the domains you want to re-route, and give them (different) IP addresses from the private range.



          Then you need the iptables rules to DNAT them to their real address, and sent them out via the tor interface.



          This will be a bit of a hassle to manage when IP addresses for domains change, because you'll have to update your configuration.



          An alternative would be to use a different network namespace on your PC, start two browsers (one in the main namespace, one in the new namespace), wire up the namespace to use tor as a gateway, and in this way differentiate between traffic you want proxied, and traffic you can do directly.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 6 at 15:54









          dirkt

          16.4k21335




          16.4k21335











          • what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
            – user3111875
            Dec 7 at 21:48











          • Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
            – dirkt
            Dec 8 at 8:24










          • then how those guys in my example do it?
            – user3111875
            Dec 8 at 8:50











          • As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
            – dirkt
            Dec 9 at 11:04










          • so just using dnsmasq to assign ip (local) to them is not enought?
            – user3111875
            Dec 9 at 12:39
















          • what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
            – user3111875
            Dec 7 at 21:48











          • Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
            – dirkt
            Dec 8 at 8:24










          • then how those guys in my example do it?
            – user3111875
            Dec 8 at 8:50











          • As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
            – dirkt
            Dec 9 at 11:04










          • so just using dnsmasq to assign ip (local) to them is not enought?
            – user3111875
            Dec 9 at 12:39















          what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
          – user3111875
          Dec 7 at 21:48





          what? I specifically dont want to use the real(actual) ip of the sites. I am trying to do transparent proxy only for some domains on router level and do that without using their actual ip becuase many sites share ips (like on cloudflare). I am aware about explisit proxy and transparent proxy for all connections (80 and 443)
          – user3111875
          Dec 7 at 21:48













          Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
          – dirkt
          Dec 8 at 8:24




          Re-routing stuff on the domain level doesn't work, sorry. At least not without a customized DNS server, and I don't know any existing software for that. If all you care about is http/https, you can use an http/https proxy, that can work on the domain level.
          – dirkt
          Dec 8 at 8:24












          then how those guys in my example do it?
          – user3111875
          Dec 8 at 8:50





          then how those guys in my example do it?
          – user3111875
          Dec 8 at 8:50













          As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
          – dirkt
          Dec 9 at 11:04




          As I wrote: with a customized DNS server. After all, you just "change your DNS to theirs", as you wrote in your question. And yes, you can write your own, too. Though that's probably not the variant with the least effort (unless someone has already written something like it, and made it open-source).
          – dirkt
          Dec 9 at 11:04












          so just using dnsmasq to assign ip (local) to them is not enought?
          – user3111875
          Dec 9 at 12:39




          so just using dnsmasq to assign ip (local) to them is not enought?
          – user3111875
          Dec 9 at 12:39

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f486183%2fusing-local-dns-to-allow-domain-based-transparent-proxy%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown






          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?