19

I am using ssh -D 8080 myserver to create a SOCKS proxy. I'm then configuring OS X to use localhost:8080 as a SOCKS proxy. I'm using this to access the internet without being monitored.

I'm using Google's DNS servers (8.8.8.8), but how do I make sure that DNS queries are going through the SSH tunnel?

Jason Marzst

6 Answers

25

I know the answer is a bit late, but for reference and for those who are still looking for the answer:

Set the network.proxy.socks_remote_dns property in the Firefox config (type about:config in the address bar) to true (just double-click the property to toggle the value) to enable DNS lookups over your local/remote SOCKS5 proxy.

PS: I'm not sure about other browsers :(

Jimson James
    For those who prefer the UI, this is in Preferences → Advanced → Network tab → Settings button (for "Connections") → "Proxy DNS when using SOCKS v5". – jwd May 26 '17 at 16:20
  • I've noticed that DNS does NOT go via the proxy for HTTP, but it does work for HTTPS. How can this be the case? Is this as designed? (I'm using Firefox) – Eugene D. Gubenkov Sep 19 '18 at 18:18
9

If it's a SOCKS5 proxy, and the client program supports it, DNS will go through the proxy. Most browsers support DNS through a SOCKS5 proxy, but may require special configuration to do it.

If your goal is privacy on the web, you really should use something like Privoxy. Privoxy will cleanse the headers of your web requests and ensures all traffic, including DNS, goes through the SOCKS5 proxy. Run Privoxy locally, and you can use ssh to tunnel the SOCKS5 traffic.

David Schwartz
    Many clients can be configured to do DNS lookup either locally, or through the proxy. One common (but not universal) convention for Unix applications is that "https_proxy=socks5h://localhost:8080" (note the h) means to send the hostname over the proxy and perform DNS lookup remotely, while "https_proxy=socks5://localhost:8080" performs DNS lookup locally. – pavon Aug 09 '21 at 17:43
3

You can't do that out of the box since the SSH tunnel is for TCP/IP connections only - UDP traffic won't be able to cross that tunnel without a special setup. Basically you need to create a fifo to do some trickery with netcat as described here. You can use Google's DNS from the far-end box then.

pfo
1

As mentioned over there, your system wide lookups are not tunnelled.

If you want an SSH based solution, you can get inspiration from here or use SSHuttle (e.g. mentioned here). There is a patch to forward DNS queries easily.

YMMV, but I have had success with the following:

#!/bin/bash
# Collect the DNS servers NetworkManager currently uses (one "IP4.DNS[n]: x.x.x.x"
# line per server) and join them into a comma-separated list for sshuttle.
# Taken from http://stackoverflow.com/questions/4594319/shell-replace-cr-lf-by-comma
DNSSERVERS=$(nmcli d show | grep DNS | awk '{print $2}' | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d' )
# Forward only DNS: --dns-hosts captures queries to the servers above and
# resolves them on the remote side. sshuttle insists on at least one subnet,
# so a throwaway /32 is given instead of routing any real traffic.
sshuttle  \
    -vvv                \
    --dns-hosts "${DNSSERVERS}"   \
    -r server   \
    254.254.254.254/32
Frederick Nord
1

It depends on your application. Firefox, for example, sends the hostname to the SOCKS proxy without resolving it. In this case, you do not have to do anything for privacy. You can confirm that with Wireshark.

PS. I assume you are using a SOCKS5 proxy. SOCKS4 does not support hostnames.

petertc
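The difference David Schwartz's answer and pavon's comment describe (socks5:// resolving locally versus socks5h:// handing the hostname to the proxy), and the Wireshark check petertc suggests, come down to one byte in the SOCKS5 CONNECT request: the address type. An IPv4/IPv6 address type (ATYP 1 or 4) means the client already did a DNS lookup outside the tunnel; a domain-name type (ATYP 3) means the SSH server will resolve it. The following is an added example, not code from any of the answers: it builds both flavours of request, decodes a request the way you would read one off a loopback capture, and drives a full handshake against an in-process stub proxy. The resolver table and the stub proxy are constructed for the example; a real client would call socket.getaddrinfo() and talk to the ssh -D listener.

```python
"""Build and inspect SOCKS5 CONNECT requests to tell whether a client resolved
the target itself (a DNS lookup outside the tunnel) or sent the hostname."""
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3
ATYP_IPV6 = 4

# Constructed stand-in for local DNS resolution so the example runs offline.
CONSTRUCTED_RESOLVER = {"example.com": "203.0.113.10"}


def build_connect_request(host: str, port: int, remote_dns: bool) -> bytes:
    """Return the CONNECT request a client sends after method negotiation.

    remote_dns=True  -> hostname goes on the wire (socks5h://, Firefox's
                        network.proxy.socks_remote_dns); the proxy resolves it.
    remote_dns=False -> the client resolves first and sends only the IP
                        (socks5://); that lookup never enters the tunnel.
    """
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = CONSTRUCTED_RESOLVER[host]  # real client: socket.getaddrinfo()
        dst = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    # VER=5, CMD=CONNECT, RSV=0, then DST.ADDR and DST.PORT (network order).
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> dict:
    """Decode a SOCKS5 CONNECT request (e.g. captured on lo with Wireshark)
    and report whether the hostname was sent to the proxy."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    pos = 4
    if atyp == ATYP_IPV4:
        target = socket.inet_ntoa(data[pos:pos + 4])
        pos += 4
    elif atyp == ATYP_DOMAIN:
        n = data[pos]
        target = data[pos + 1:pos + 1 + n].decode("idna")
        pos += 1 + n
    elif atyp == ATYP_IPV6:
        target = socket.inet_ntop(socket.AF_INET6, data[pos:pos + 16])
        pos += 16
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(data) != pos + 2:
        raise ValueError("truncated request or trailing bytes")
    (port,) = struct.unpack("!H", data[pos:pos + 2])
    return {"cmd": cmd, "atyp": atyp, "target": target, "port": port,
            "hostname_sent_to_proxy": atyp == ATYP_DOMAIN}


def socks5_handshake_capture(host: str, port: int, remote_dns: bool) -> dict:
    """Run a SOCKS5 client against a stub proxy over a socketpair and return
    what the proxy side saw in the CONNECT request (constructed stub, no I/O
    leaves the process)."""
    client, proxy = socket.socketpair()
    try:
        client.sendall(bytes([SOCKS_VERSION, 1, 0x00]))   # offer "no auth"
        if proxy.recv(3)[0] != SOCKS_VERSION:
            raise ValueError("bad greeting")
        proxy.sendall(bytes([SOCKS_VERSION, 0x00]))       # select "no auth"
        if client.recv(2) != bytes([SOCKS_VERSION, 0x00]):
            raise ValueError("method negotiation failed")
        client.sendall(build_connect_request(host, port, remote_dns))
        seen = parse_connect_request(proxy.recv(512))
        # Stub success reply: REP=0, bound address 0.0.0.0:0.
        proxy.sendall(bytes([SOCKS_VERSION, 0, 0, ATYP_IPV4]) + bytes(6))
        client.recv(10)
        return seen
    finally:
        client.close()
        proxy.close()


if __name__ == "__main__":
    for remote in (False, True):
        print("remote_dns=%s ->" % remote, socks5_handshake_capture("example.com", 443, remote))
```

When you sniff localhost:8080 while the browser loads a page, apply parse_connect_request to the bytes right after the two-byte method-selection reply: a target that is an IP address for a site you typed as a name is the leak this question is about, because the lookup that produced it went to 8.8.8.8 directly.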
0

As pfo says, SSH tunnels are only for TCP traffic, and the application has to be aware of SOCKS proxies.

If you want everything to be tunneled you need a proper VPN. Have a look at something like OpenVPN.

James O'Gorman