How to implement OpenDNS style proxying of web traffic

I have a requirement that I believe may be impossible and wanted to confirm this with experts in this community.

A client wants us to configure a DNS server to point all non-whitelisted domains to an IP address of a server on the internet. This server should forward / redirect all non-http traffic to an IP address associated with the real DNS record as accurately as possible. However, for all p开发者_如何学Goort 80 traffic, it should intercept the traffic and forward to a web proxy. This could in theory be possible if we had a large block of public IP addresses that could intelligently route based on the sender's IP to the proper destination, but the engineering effort required there to keep the DNS request and subsequent requests to that same domain in sync would be immense. Not to mention we would be limited from a concurrency perspective.This is probably similar to how OpenDNS does their DNS+Proxying, but they only seem to do it for google.com. This needs to work for an arbitrary set of domains (potentially all of them).

Is the above approach feasible? If not, are there other ways this problem can be approached short of requiring specialized gateway hardware?

Ideally the system will minimize bandwidth usage & latency for non-http traffic without requiring anything besides DNS or firewall configuration. I realize we can forward all http traffic at the firewall level, but the client wants to avoid http requests to CDNs or media heavy sites as well as minimize deployment effort across disparate network configurations.

OpenDNS works by blacklisting instead of whitelisting

When a host is blacklisted, openDNS will resolve the name into their IP address, which in turn prevent the client from accessing the real IP.

In your case, looks like you need transparent proxy where you can route all HTTP traffic to your proxy server:

See :

• http://www.howtoforge.com/dansguardian-content-filtering-with-transparent-proxy-on-ubuntu-9.10-karmic

This might not be exactly what you are looking for but take a look at my article "How To Setup A Transparent Content Filtering Proxy" in which I utilize OpenDNS's blacklisting capabilities.

You can do it using two pieces:

1. DNS resolver configured with *. pointing to IP A.B.C.D (wildcard)
2. NGINX reverse proxy listening on A.B.C.D that proxy request to the domain present in the Host header.