DNS over SSH

DNS over SSH Tunnel – Super User

I want to set up my OSX system such that all network traffic is done through an SSH tunnel.
I’ve written a small script for this purpose, and these are the commands executed by it:
# set up the tunnel
ssh -fN -D 1080 -p 22 user@remote
# start up redsocks
sudo redsocks -c /tmp/ -p /tmp/
# forward all TCP traffic to the tunnel
sudo ipfw add 0010 \
    fwd 127.0.0.1,12345 \
    tcp from me \
    to any not dst-port 12345 \
    not dst-port 1080 \
    not dst-ip REMOTE_IP
I use redsocks to create a proxy to my SSH tunnel (so that I can forward all TCP traffic to it via ipfw); it looks like this:
base {
    log_debug = on;
    log_info = on;
    log = "file:/tmp/";
    redirector = generic;
}
redsocks {
    local_ip = 127.0.0.1;
    local_port = 55660;
    ip = 127.0.0.1;
    port = 1080;
    type = socks4;
}
Everything seems to work so far, all TCP traffic on my OSX system is done through the ssh tunnel, but the problem is with UDP traffic and because of that DNS queries are not working.
How can I get DNS on my local machine to work through the SSH tunnel?
asked Aug 19 ’13 at 18:34
Your ipfw … line only forwards TCP traffic. Maybe add the following line?
sudo ipfw add 0011 fwd 127.0.0.1,12345 \
    udp from me to any
It’s also a good idea to add set -x (for debugging) and set -e (to fail immediately if any of the commands fail).
One should generally use the term ‘SSH tunneling’ to refer to tun/tap with SSH.
Port-forwarding is a specific form of tunneling, but it should still only be referred to as ‘port forwarding’ in this context.
Do not use SSH tunneling (as in -oTunnel and -oTunnelDevice) except for quick ad-hoc jobs.
TCP over TCP is a very bad idea:
Why TCP Over TCP Is A Bad Idea
Understanding TCP over TCP: Effects of TCP Tunneling on End-to-End Throughput and Latency
UDP over TCP inordinately adds latency to the applications that are normally making use of it. Programs that make use of UDP should have full control over their own reliability and congestion control, such as is the case for RTP.
DNS can use TCP as a transport. It is not restricted to UDP, though that is the preferred transport.
answered Aug 29 ’13 at 14:37
pilona
Use sshuttle instead? sshuttle claims to handle DNS and TCP correctly, without this amount of fiddling – just the --dns option.
IME SOCKS seemed a bit old and unloved. And I don’t really understand this use of ipfw and redsocks.
However I would point out that SOCKS4 doesn’t support tunneling DNS, so I’m not surprised you’re having problems. Subsequent versions of SOCKS do support it, so you could look at that. And apparently SSH can support SOCKS5.
answered Aug 29 ’13 at 15:09
sourcejedi
Besides what you are already using, SSH permits tunneling all IP traffic, independent of the layer 4 protocol employed. Your remote server must have PermitTunnel yes and the client must request a tunnel using the Tunnel directive. Then you can use that new link as your default gateway. See detailed instructions for the tunnel here.
answered Aug 25 ’13 at 9:30
user1129682
If I am using SSH for a SOCKS proxy, do DNS connections go …

I am using ssh -D 8080 my server to create a SOCKS proxy. I’m then configuring OS X to use localhost:8080 as a SOCKS proxy. I’m using this to access the internet without being monitored.
I’m using Google’s DNS servers (8.8.8.8), but how do I make sure that DNS queries are going through the SSH tunnel?
asked Dec 5 ’11 at 16:22
I know the answer is a bit late, but for reference and for those who are still looking for the answer,
Set the property in the Firefox config (type about:config in the address bar) to TRUE (just double-click the property to toggle the value) to enable DNS lookups over your local/remote SOCKS5 proxy.
PS: I’m not sure about other browsers :(
answered Dec 6 ’13 at 6:53
If it’s a SOCKS 5 proxy, and the client program supports it, DNS will go through the proxy. Most browsers support DNS through a Socks 5 proxy, but may require special configuration to do it.
If your goal is privacy on the web, you really should use something like privoxy. Privoxy will cleanse the headers of your web requests and ensures all traffic, including DNS, goes through the Socks 5 proxy. Run privoxy locally, and you can use ssh to tunnel the Socks 5 traffic.
answered Dec 5 ’11 at 19:00
David Schwartz
You can’t do that out of the box since the SSH tunnel is for TCP/IP connections only – UDP traffic won’t be able to cross that tunnel without a special setup. Basically you need to create a fifo to do some trickery with netcat as described here. You can use Google’s DNS from the far-end box then.
answered Dec 5 ’11 at 16:30
pfo
As mentioned over there, system-wide lookups are not tunnelled. If you want an SSH-based solution, you can get inspiration from here or use SSHuttle (e.g. mentioned here). There is a patch to forward DNS queries easily.
YMMV, but I have had success with the following:
#!/bin/bash
# Taken from
DNSSERVERS=$(nmcli d show | grep DNS | awk '{print $2}' | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
sshuttle \
    -vvv \
    --dns-hosts ${DNSSERVERS} \
    -r server \
    254.254.254.254/32
answered Oct 20 ’16 at 3:22
It depends on your application. Firefox, for example, sends hostname to SOCKS proxy without resolving it. In this case, you do not have to do anything for privacy. You can confirm that by wireshark.
PS. assume you are using a SOCKS5 proxy. SOCKS4 does not support hostname.
answered Jul 4 ’19 at 10:05
petertc
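To make the SOCKS4/SOCKS5 distinction in the answers above concrete, here is an added example (not code from David Schwartz's, pfo's or petertc's answers) that builds the CONNECT request each protocol version sends and reports which side ends up doing the DNS lookup: SOCKS4 carries only a 4-byte IPv4 address, so the client must resolve the name itself on its local resolver before it talks to the proxy, while SOCKS5's hostname address type (ATYP 0x03) hands the raw name to the proxy, i.e. to the SSH server. It assumes ssh -D 1080 user@remote is listening on 127.0.0.1:1080 (OpenSSH's dynamic forward speaks both SOCKS4 and SOCKS5); the proxy address and the sample reply bytes are assumptions.

```python
"""SOCKS4 vs SOCKS5 CONNECT and where the DNS lookup happens (added example).

Assumes an SSH dynamic forward on 127.0.0.1:1080 (ssh -D 1080 user@remote).
Sample reply bytes in the demo are constructed by hand.
"""
from __future__ import annotations

import socket
import struct

PROXY = ("127.0.0.1", 1080)  # assumed: ssh -D 1080 user@remote


def socks4_connect_request(ipv4: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL. The request has
    room only for an IP, so the client has already resolved the name locally,
    and that lookup left the machine outside the tunnel."""
    return b"\x04\x01" + struct.pack("!H", port) + socket.inet_aton(ipv4) + userid + b"\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928 section 4). An IPv4 literal is sent as ATYP 0x01;
    anything else goes as ATYP 0x03 (hostname) and the proxy resolves it, so no
    DNS query leaves the client. IPv6 literals are not handled here (assumption)."""
    try:
        dst = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length out of range for SOCKS5") from None
        dst = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + dst + struct.pack("!H", port)


def resolved_by(request: bytes) -> str:
    """Which side performs the DNS lookup for a CONNECT request built above."""
    if request[0] == 5 and request[3] == 3:
        return "proxy"   # hostname handed over unresolved
    return "client"      # SOCKS4, or SOCKS5 with an address the client already resolved


def parse_socks5_reply(data: bytes) -> tuple[int, str, int]:
    """Parse the server's CONNECT reply: (REP, BND.ADDR, BND.PORT). REP 0 = success."""
    ver, rep, _rsv, atyp = data[:4]
    if ver != 5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == 1:
        addr, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == 4:
        addr, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == 3:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    (port,) = struct.unpack("!H", rest[:2])
    return rep, addr, port


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_via_socks5(host: str, port: int) -> socket.socket:
    """Connect to host:port through the SSH dynamic forward, leaving resolution to the proxy."""
    s = socket.create_connection(PROXY, timeout=10)
    try:
        s.sendall(b"\x05\x01\x00")  # version 5, one method offered: no authentication
        if _recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept the no-auth method")
        s.sendall(socks5_connect_request(host, port))
        head = _recv_exact(s, 4)
        atyp = head[3]
        if atyp == 3:
            ln = _recv_exact(s, 1)
            tail = ln + _recv_exact(s, ln[0] + 2)
        else:
            tail = _recv_exact(s, {1: 4, 4: 16}[atyp] + 2)
        rep, _addr, _port = parse_socks5_reply(head + tail)
        if rep != 0:
            raise ConnectionError(f"CONNECT refused, REP={rep}")
    except Exception:
        s.close()
        raise
    return s


if __name__ == "__main__":
    for req in (socks4_connect_request("93.184.216.34", 80), socks5_connect_request("example.com", 80)):
        print(req[:4].hex(), "-> DNS lookup done by the", resolved_by(req))
    try:
        with open_via_socks5("example.com", 80) as conn:
            conn.sendall(b"HEAD / HTTP/1.0\r\nHost: example.com\r\n\r\n")
            print(conn.recv(64))
    except OSError as exc:
        print("no proxy on", PROXY, ":", exc)
```

The browser setting from the earlier answer selects between these two request shapes; curl exposes the same choice as --socks5 (client resolves, leaks) versus --socks5-hostname (proxy resolves). Whatever the client, the check is the same: watch port 53 on the client while it connects through the proxy and confirm nothing is sent.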
As pfo says, SSH tunnels are only for TCP traffic, and the application has to be aware of SOCKS proxies.
If you want everything to be tunneled you need a proper VPN. Have a look at something like OpenVPN.
answered Dec 5 ’11 at 17:48
James O’Gorman
SSH DNS Tunneling Server - AkunSSH

SSH Over DNS Tunnel Server List
Just choose which server you want.
Canada (active 7 days): 4 of 50
Germany: 0 of 30
France: 7 of 50
Indonesia: 24 of 50
About SSH over DNS
SSH (Secure Shell) is an open protocol for securing network communication; it is cheaper and less complex than hardware-based VPN solutions and provides authentication, encryption and data integrity. With SSH you get a secure command shell, secure file transfer, and remote access to a variety of TCP/IP applications through a secure tunnel (SSH port forwarding carries TCP only, so UDP services such as ordinary DNS are not covered by it).
"SSH over DNS" means carrying an SSH session inside a DNS tunnel, which is one way of circumventing network censorship. A recursive resolver forwards any query it cannot answer from cache to the authoritative servers for that zone, so if you control the authoritative server for some zone the resolver effectively acts as a proxy: the client encodes outbound data into query names under that zone and the server encodes the return data into DNS records. DNS tunnels over plaintext UDP are generally considered easy to detect because of the unusual DNS messages they use (long, high-entropy names, large record payloads and high query rates).
However DoH and DoT are encrypted: an outside observer can see that you are communicating with a public resolver, but cannot decrypt the raw DNS messages to see that they embed a tunnel protocol. (The resolver itself can still easily tell that you are using a tunnel.)
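An added example (not AkunSSH's software) of both halves of that statement: how a tunnel client packs a payload into query names under a zone it controls, and the kind of per-query heuristic a resolver log sensor applies to spot such names. The zone tunnel.example, the log format and the log lines are constructed for the example.

```python
"""How a DNS tunnel packs data into query names, and a heuristic that spots it.

Added example; not AkunSSH's software. tunnel.example is an assumed
attacker-controlled zone and the query log lines are constructed by hand.
"""
from __future__ import annotations

import base64
import math
from collections import Counter

TUNNEL_ZONE = "tunnel.example"  # assumed zone whose authoritative server is the tunnel endpoint
MAX_LABEL = 63                  # RFC 1035 limit per label
MAX_NAME = 253                  # limit for a name in presentation form


def encode_payload(payload: bytes, first_seq: int = 0) -> list[str]:
    """Split payload into query names '<seq>.<base32 labels>.<zone>'.
    base32 rather than base64 because DNS names are case-insensitive and a
    resolver may fold case, which would corrupt a base64 alphabet."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    names, pos, seq = [], 0, first_seq
    while pos < len(text):
        seq_label = format(seq, "x")
        # bytes left for data labels, each label costing its length plus one dot
        budget = MAX_NAME - len(TUNNEL_ZONE) - len(seq_label) - 1
        labels = []
        while pos < len(text) and budget > 1:
            take = min(MAX_LABEL, len(text) - pos, budget - 1)
            labels.append(text[pos:pos + take])
            pos += take
            budget -= take + 1
        names.append(".".join([seq_label, *labels, TUNNEL_ZONE]))
        seq += 1
    return names


def decode_payload(names: list[str]) -> bytes:
    """Reassemble what the authoritative server for TUNNEL_ZONE receives."""
    zone_depth = TUNNEL_ZONE.count(".") + 1
    ordered = sorted(names, key=lambda n: int(n.split(".")[0], 16))
    text = "".join("".join(n.split(".")[1:-zone_depth]) for n in ordered).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(qname: str, zone_depth: int = 2) -> bool:
    """Per-query heuristics: very long name, very long label, or long
    high-entropy subdomain text below the registered zone."""
    labels = qname.rstrip(".").split(".")
    sub_labels = labels[:-zone_depth]
    sub = "".join(sub_labels)
    longest = max((len(lab) for lab in sub_labels), default=0)
    return (
        len(qname) > 100
        or longest > 40
        or (len(sub) >= 20 and shannon_entropy(sub) > 3.5)
    )


def flag_queries(log_lines: list[str]) -> list[str]:
    """Constructed log format: '<timestamp> <client> <qtype> <qname>'; return flagged qnames."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        if looks_like_tunnel(parts[3]):
            flagged.append(parts[3])
    return flagged


# Constructed log: three ordinary lookups plus the name a tunnel emits for a small payload.
PAYLOAD = b"GET /etc/passwd HTTP/1.0\r\n\r\n"
LEGIT = ["www.example.com", "api.github.com", "outlook.office365.com"]
TUNNEL_NAMES = encode_payload(PAYLOAD)
SAMPLE_LOG = [f"2024-05-01T10:00:0{i}Z 10.0.0.5 A {q}" for i, q in enumerate(LEGIT + TUNNEL_NAMES)]

if __name__ == "__main__":
    print("tunnel names:", TUNNEL_NAMES)
    print("round trip ok:", decode_payload(TUNNEL_NAMES) == PAYLOAD)
    for q in flag_queries(SAMPLE_LOG):
        print("flagged:", q)
```

The heuristic generalises beyond the page's SSH case to any DNS tunnel, but it is deliberately naive: cloud and CDN hostnames, DKIM and anti-spam lookups also produce long, high-entropy labels, so a production detector combines it with per-client query volume, the ratio of unique names per zone and TXT/NULL record sizes. With DoH or DoT the names are invisible to a network sensor, and only the resolver operator can run this kind of check.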