System-wide DNS lookups over SSH tunnel

2

IT has the lab locked down so I can't do apt-get updates or install any packages on the Ubuntu machine. We have a Windows RDP desktop that has limited internet access. I have an SSH server running on the Windows box and I can SSH tunnel to it from the Ubuntu machine with the following:

ssh -CND localhost:1080 me@windowsbox

The problem is I still can't resolve any DNS from the Ubuntu machine. So what I would like to do is also configure DNS to go through the SSH tunnel. And yes, I have seen many other posts about configuring Firefox or whatever browser to do so, but that does not apply here. I am looking for system-level DNS or, at the very least, the ability for apt-get to resolve through the tunnel.

Thanks

omencat

Posted 2015-03-20T01:31:48.950

Reputation: 426

How much control do you have over the Ubuntu box? – Paul – 2015-03-20T01:34:51.090

Hi Paul, root on the Ubuntu box. I am also a domain admin, but I have no control of Cisco firewall rules. – omencat – 2015-03-20T01:36:29.443

You are going to have to redirect packets for TCP and UDP 53 into the tunnel. DNS is one of the hardest things to get to proxy (which causes the TOR foundation some vexation), because so many applications perform independent queries instead of relying on the system's API for the task. You can probably forward it via iptables. – Frank Thomas – 2015-03-20T01:37:55.343

You can do it, with netcat and a fifo if you have Linux at both ends, but it would need to be adapted to use Windows - I am not sure what the equivalent to a fifo is on Windows: http://www.qcnetwork.com/vince/doc/divers/udp_over_ssh_tunnel.html – Paul – 2015-03-20T02:27:05.947

Ah, both interesting solutions. I might want to try the iptables method. The security team provided a DNS IP to use, but they are now injecting their own SSL certs! This will work for me, but for future Google searchers the two solutions above look like they might do the trick. – omencat – 2015-03-20T20:13:43.567

Answers

1

You have full control over the client, that's good. You don't mention how much control you have over the SSH server. If you control the server side, then you could start a UDP-to-TCP proxy on your client as indicated here:

socat -T15 udp4-recvfrom:53,reuseaddr,fork tcp:localhost:5353

And then forward the TCP connection via SSH to your server where you start a TCP-to-UDP daemon:

socat tcp4-listen:5353,reuseaddr,fork UDP:nameserver:53

There is sshuttle (e.g. mentioned here), and there is a patch to forward DNS queries easily.

YMMV, but I have had success with the following:

#!/bin/bash
# Collect the DNS servers NetworkManager reports and join them into one comma-separated list.
# The line-joining sed is taken from http://stackoverflow.com/questions/4594319/shell-replace-cr-lf-by-comma
DNSSERVERS=$(nmcli d show | grep DNS | awk '{print $2}' | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d')
# "server" is the SSH host to tunnel through. 254.254.254.254/32 is a dummy subnet:
# sshuttle needs at least one, and with this one effectively only the DNS queries
# to the --dns-hosts servers get forwarded.
sshuttle \
    -vvv \
    --dns-hosts "${DNSSERVERS}" \
    -r server \
    254.254.254.254/32

Frederick Nord

Posted 2015-03-20T01:31:48.950

Reputation: 216
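An added example, not from the answer above and not socat's or sshuttle's code: the UDP-to-TCP hop of the socat pair, redone in Python but with the two-octet length framing DNS itself uses over TCP (RFC 1035 section 4.2.2). With that framing the TCP end can be an `ssh -L 5353:nameserver:53` forward straight to the resolver's TCP port (assuming the Windows SSH server permits -L forwards, which is an assumption) instead of a second socat turning the stream back into UDP, and replies carried on one connection cannot be glued together. The resolver stand-in and the query bytes are constructed so the example runs offline.

```python
import socket
import struct
import threading

def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-octet length (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def split_tcp_stream(buf: bytes):
    """Return (complete messages, leftover bytes) from a DNS-over-TCP stream.
    A raw UDP->TCP relay has no such delimiter, so back-to-back replies could merge."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break                      # partial message, need more bytes
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf

def relay_query(query: bytes, tcp_addr, timeout=15) -> bytes:
    """Send one query over TCP (e.g. an ssh -L forward to the resolver's port 53)."""
    with socket.create_connection(tcp_addr, timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("resolver closed the connection early")
            buf += chunk
            msgs, buf = split_tcp_stream(buf)
            if msgs:
                return msgs[0]

def fake_tcp_resolver(listener):
    """Constructed offline stand-in for the nameserver: echoes the query with QR set."""
    conn, _ = listener.accept()
    with conn:
        (query,), _ = split_tcp_stream(conn.recv(4096))
        conn.sendall(frame_tcp(query[:2] + bytes([query[2] | 0x80]) + query[3:]))

def demo() -> bytes:
    """Relay a constructed query (ID 0x1234, RD set, root/A/IN) via the fake resolver."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0)); listener.listen(1)
    threading.Thread(target=fake_tcp_resolver, args=(listener,), daemon=True).start()
    query = bytes.fromhex("123401000001000000000000") + b"\x00\x00\x01\x00\x01"
    with listener:
        return relay_query(query, listener.getsockname())
```

The part socat's `udp4-recvfrom:53,fork` plays would be a loop that binds UDP 53, calls relay_query for each datagram and sends the reply back to the client; only the framing above differs from the socat scheme.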