Is DNS resolution tunneled to the other end when I use a SOCKS proxy created with ssh -D? I have read the manual, searched the Internet, and found no relevant documentation.

- 1,372
3 Answers
Your application can use the SOCKS proxy to resolve names as indicated here.
If you are asking whether system wide lookups are tunnelled, then the answer is no.
If you control the server side, then you could start a UDP-to-TCP proxy on your client as indicated here:
socat -T15 udp4-recvfrom:53,reuseaddr,fork tcp:localhost:5353
And then forward the TCP connection via SSH to your server where you start a TCP-to-UDP daemon:
socat tcp4-listen:5353,reuseaddr,fork UDP:nameserver:53
You might, rightfully, frown upon that. Fortunately, there is SSHuttle (e.g. mentioned here). There is a patch to forward DNS queries easily.
YMMV, but I have had success with the following:
#!/bin/bash
# Collect the DNS servers NetworkManager currently uses and join them into
# one comma-separated list (the sed one-liner turns newlines into commas).
# Taken from http://stackoverflow.com/questions/4594319/shell-replace-cr-lf-by-comma
DNSSERVERS=$(nmcli d show | grep DNS | awk '{print $2}' | sed -e 'H;${x;s/\n/,/g;s/^,//;p;};d' )
# Hand that list to sshuttle so queries to those servers go through the tunnel;
# -r names the SSH host, the final argument is the subnet to route via it.
sshuttle \
-vvv \
--dns-hosts "${DNSSERVERS}" \
-r server \
254.254.254.254/32

- 285
DNS resolution via SOCKS is up to the client. You have to explicitly tell the application to look up DNS via SOCKS.
Name resolution is, just like connecting to a host, done by system calls like gethostbyname() or getaddrinfo().
Unless instructed otherwise, a program may just use these functions for name resolution, which, of course, know nothing about your tunnel.
For example, curl only looks up DNS via SOCKS when specifying socks5h://, not socks5://.
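The difference the answers above describe (a socks5:// client resolving the name itself versus a socks5h:// client handing the raw name to the ssh -D proxy) is visible in the SOCKS5 CONNECT request itself. The following is an added example, not code from the original post: it builds that request by hand per RFC 1928, reports which side does the lookup, and can open a stream through a local `ssh -D 1080` listener (the proxy address and the TEST-NET IP are constructed values).

```python
import ipaddress
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928 section 4) for host:port.
    An IP literal goes out as ATYP 0x01/0x04: what a socks5:// client sends
    after resolving the name itself, so the lookup never enters the tunnel.
    A hostname goes out as ATYP 0x03 with the raw name, so the SSH server end
    resolves it: the socks5h:// behaviour."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def resolved_locally(request: bytes) -> bool:
    """True if the request carries an IP (client resolved it itself, outside
    the tunnel); False if the proxy end will do the lookup."""
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def socks5_connect(proxy: tuple, host: str, port: int) -> socket.socket:
    """TCP stream to host:port through a SOCKS5 proxy such as `ssh -D 1080`
    (no-authentication method; names are resolved at the proxy end)."""
    s = socket.create_connection(proxy, timeout=10)
    try:
        s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))   # greeting: offer NO AUTH only
        if s.recv(2) != b"\x05\x00":
            raise OSError("proxy did not accept the no-auth method")
        s.sendall(build_connect_request(host, port))
        hdr = s.recv(4)                                 # VER REP RSV ATYP
        if len(hdr) < 4 or hdr[1] != 0x00:
            raise OSError("SOCKS5 CONNECT failed, reply: " + hdr.hex())
        # drain BND.ADDR + BND.PORT so the caller only sees application data
        if hdr[3] == ATYP_DOMAIN:
            s.recv(s.recv(1)[0] + 2)
        else:
            s.recv((4 if hdr[3] == ATYP_IPV4 else 16) + 2)
    except Exception:
        s.close()
        raise
    return s
```

With `ssh -D 1080 server` running, `socks5_connect(("127.0.0.1", 1080), "example.com", 80)` sends the name through the tunnel; a client that calls getaddrinfo() first would instead produce the ATYP 0x01 form that `resolved_locally` flags.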

- 1,207
ssh -D works as follows (via man ssh):
Specifies a local ``dynamic'' application-level port forwarding. This works by allocating a socket to listen to port on the local side
Then what's a socket? Via:
A socket is just a logical endpoint for communication. They exist on the transport layer. You can send and receive things on a socket, you can bind and listen to a socket. A socket is specific to a protocol, machine, and port, and is addressed as such in the header of a packet.
And:
Clients have the ability to perform DNS lookups through the SOCKS proxy (curl only looks up DNS via SOCKS when specifying socks5h://, not socks5://), maybe you have to explicitly tell the client to look up DNS via SOCKS. And yes, it does resolve DNS for me. – try-catch-finally May 04 '15 at 05:01