I am using ssh -D 8080 myserver to create a SOCKS proxy. I'm then configuring OS X to use localhost:8080 as a SOCKS proxy. I'm using this to access the internet without being monitored.

I'm using Google's DNS servers (8.8.8.8), but how do I make sure that DNS queries are going through the SSH tunnel?

I know the answer is a bit late, but for reference and for those who are still looking for the answer:

Set the network.proxy.socks_remote_dns property in the Firefox config (type about:config in the address bar) to true (just double-click the property to toggle the value) to enable DNS lookups over your local/remote SOCKS5 proxy.

PS: I'm not sure about other browsers :(

If it's a SOCKS 5 proxy, and the client program supports it, DNS will go through the proxy. Most browsers support DNS through a SOCKS 5 proxy, but may require special configuration to do it.

If your goal is privacy on the web, you really should use something like Privoxy. Privoxy will cleanse the headers of your web requests and ensures all traffic, including DNS, goes through the SOCKS 5 proxy. Run privoxy locally, and you can use ssh to tunnel the SOCKS 5 traffic.

You can't do that out of the box since the SSH tunnel is for TCP/IP connections only - UDP traffic won't be able to cross that tunnel without a special setup. Basically you need to create a FIFO to do some trickery with netcat as described here. You can use Google's DNS from the far-end box then.
As mentioned over there, your system-wide lookups are not tunnelled.

If you want an SSH-based solution, you can get inspiration from here or use sshuttle (e.g. mentioned here). There is a patch to forward DNS queries easily.

YMMV, but I have had success with the following:
It depends on your application. Firefox, for example, sends the hostname to the SOCKS proxy without resolving it. In this case, you do not have to do anything for privacy. You can confirm that with Wireshark.

PS: I assume you are using a SOCKS5 proxy. SOCKS4 does not support hostnames.
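The two answers above (the SOCKS 5 answer and the Firefox one) both turn on the same protocol detail: a SOCKS5 CONNECT request can carry either an already-resolved IP (ATYP 0x01) or the raw hostname (ATYP 0x03), and only the second form lets the SSH server do the lookup. The following is an added example, not code from any of the answers, that shows the difference on the wire. It runs a tiny recording proxy on loopback that accepts one client, notes what address type the CONNECT request carried and replies "succeeded" without connecting anywhere; the client side performs the handshake either with remote DNS (hostname sent through the tunnel) or with a constructed local-resolver table standing in for the gethostbyname() call that a leaky client would make. All names, the FAKE_LOCAL_DNS table and the 192.0.2.10 address are assumptions constructed for the example.

```python
import socket
import struct
import threading

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# Constructed stand-in for the local resolver, so the example runs offline.
# A real "local DNS" client would call socket.gethostbyname() here; that is
# the query that leaves the machine outside the SSH tunnel.
FAKE_LOCAL_DNS = {"example.com": "192.0.2.10"}


def build_connect_request(host, port, remote_dns=True):
    """Build a SOCKS5 CONNECT request (RFC 1928 section 4).

    remote_dns=True  sends the hostname (ATYP 0x03): the proxy end resolves it.
    remote_dns=False mimics a client that resolves first and sends ATYP 0x01.
    """
    if remote_dns:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(FAKE_LOCAL_DNS[host])
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request into (atyp, target, port); raise on bad input."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        target, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        target, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        target, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return atyp, target, struct.unpack("!H", rest)[0]


def start_recording_proxy():
    """Loopback listener that records one CONNECT request and fakes success."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(257)                              # VER NMETHODS METHODS
            conn.sendall(bytes([SOCKS_VER, 0x00]))      # select "no auth"
            seen["request"] = parse_connect_request(conn.recv(262))
            # REP=0x00 (succeeded), BND.ADDR/BND.PORT zeroed
            conn.sendall(bytes([SOCKS_VER, 0x00, 0x00, ATYP_IPV4]) + b"\0" * 6)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname(), seen


def socks5_connect(proxy, host, port, remote_dns=True):
    """Run the SOCKS5 handshake through proxy; return the REP byte (0 = ok)."""
    with socket.create_connection(proxy) as s:
        s.sendall(bytes([SOCKS_VER, 0x01, 0x00]))       # offer "no auth" only
        ver, method = s.recv(2)
        if ver != SOCKS_VER or method != 0x00:
            raise ConnectionError("proxy refused the handshake")
        s.sendall(build_connect_request(host, port, remote_dns))
        return s.recv(262)[1]


def observe(remote_dns):
    """Return (rep, atyp, target) as the proxy saw them for one connection."""
    proxy, seen = start_recording_proxy()
    rep = socks5_connect(proxy, "example.com", 443, remote_dns)
    atyp, target, _port = seen["request"]
    return rep, atyp, target


if __name__ == "__main__":
    print("remote DNS :", observe(True))    # proxy sees the hostname
    print("local DNS  :", observe(False))   # proxy sees a resolved IP only
```

The second case is the one to watch for: once the client has put an IP into ATYP 0x01, the name was already resolved before anything entered the tunnel, which is exactly what a Wireshark capture on the local interface would show as a plaintext UDP/53 query. SOCKS4 has no hostname field at all, which is why the answer above restricts itself to SOCKS5.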
As pfo says, SSH tunnels are only for TCP traffic, and the application has to be aware of SOCKS proxies.
If you want everything to be tunneled you need a proper VPN. Have a look at something like OpenVPN.