DNS tunneling through SSH
Forum Regular
Join Date: Feb 2007
Can I tunnel my DNS requests through ssh?
Right now I run
ssh -C2qTnN -D 8080 -D 9000 -p 443 user@remotehost "while true; do sleep 3; echo noop; done"
for Adium and Netscape.
Can I also tunnel my DNS through it?
Running Leopard and don't quite see how to do it in network connections.
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Should work if you simply configure the system to use 127.0.0.1:8080 - or possibly 127.0.0.1:9000, I'm not sure what dual -D options do - as a SOCKS proxy. You need to run the ssh tunnel as root, though, and possibly set the DNS explicitly.
If that won't work, simply open a second regular tunnel to your server on port 12345 or whatever and set the DNS to use 127.0.0.1:12345.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
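An added example (mine, not code from this thread) to make precise what the SOCKS proxy from `ssh -D` can and cannot do for DNS. It never carries DNS packets; it carries TCP streams, and the only thing that decides whether a name lookup leaves the laptop in the clear is whether the application hands the proxy a hostname (SOCKS5 address type 3, resolved by sshd on the far end) or resolves the name itself first and hands over an IP (address types 1 and 4, meaning the DNS query already went out over the local network). The builder and parser below follow the SOCKS5 request layout; the hostname, port and the documentation address 192.0.2.1 are constructed test values.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request (VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT).

    A literal IP is sent as ATYP 1 or 4. Anything else is sent as ATYP 3,
    i.e. the raw hostname, so the proxy end (sshd for `ssh -D`) does the
    lookup and no DNS query leaves the client machine.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 ATYP 3")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + addr + struct.pack("!H", port)


def parse_connect(req: bytes):
    """Classify a CONNECT request as seen at the proxy.

    Returns (kind, host, port): kind 'domain' means the proxy will resolve
    the name; 'ipv4'/'ipv6' means the client resolved it locally already
    (a defender auditing an app for DNS leaks looks for exactly this).
    """
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = req[3]
    if atyp == ATYP_DOMAIN:
        n = req[4]
        host, end, kind = req[5:5 + n].decode("idna"), 5 + n, "domain"
    elif atyp == ATYP_IPV4:
        host, end, kind = str(ipaddress.IPv4Address(req[4:8])), 8, "ipv4"
    elif atyp == ATYP_IPV6:
        host, end, kind = str(ipaddress.IPv6Address(req[4:20])), 20, "ipv6"
    else:
        raise ValueError(f"unknown SOCKS5 address type {atyp}")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return kind, host, port


if __name__ == "__main__":
    # Constructed inputs: a hostname (proxy resolves) and a documentation IP (client resolved).
    for target in ("example.com", "192.0.2.1"):
        print(target, "->", parse_connect(build_connect(target, 443)))
```

In practice this is the difference between an application's "use SOCKS for DNS" / "remote DNS" setting being on or off; with it off, the proxy only ever sees IPs and the moderator's suggestion above would not hide the lookups.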
Forum Regular
Join Date: Feb 2007
So I didn't know too much before, so I thought it would be better to run Netscape and force the traffic over 8080 and then Adium to go over 9000.
It seems to work, but perhaps it's not necessary.
But how do you set Mac OS X to use localhost:8080 for DNS?
Or even, how are you setting DNS to use port 12345?
"If that won't work, simply open a second regular tunnel to your server on port 12345 or whatever and set the DNS to use 127.0.0.1:12345"
Clinically Insane
Join Date: Mar 2001
Location: yes
Modern versions of BIND use a random UDP port for each outgoing query by default. However, there is also a BIND argument to force using a particular port:
Code:
query-source address * port NNNNN;
The port needs to be between 49160 and 65530, and obviously your firewall needs to permit these outbound requests.
Wouldn't it be easier to set up a VPN between your network and the network with the DNS server you want to use, and then just simply set up the private IP for your private VLAN as the DNS server?
Clinically Insane
Join Date: Mar 2001
Location: yes
Actually, a better option is just to enable a local DNS server, no?
I guess I'm not really understanding your objective here.
Moderator
Join Date: Jan 2001
Location: Polwaristan
Would this not work?
ssh -L 53:localhost:53 user@remotehost
Forum Regular
Join Date: Feb 2007
Originally Posted by besson3c
Actually, a better option is just to enable a local DNS server, no?
I guess I'm not really understanding your objective here.
I'm on a semi-hostile network (call it corporate, whatever).
There are certain things that I don't mind going over the network. There are other things that I would rather not go over the network.
Forum Regular
Join Date: Feb 2007
Originally Posted by besson3c
Modern versions of BIND use a random UDP port for each outgoing query by default. However, there is also a BIND argument to force using a particular port:
Code:
query-source address * port NNNNN;
The port needs to be between 49160 and 65530, and obviously your firewall needs to permit these outbound requests.
Wouldn't it be easier to set up a VPN between your network and the network with the DNS server you want to use, and then just simply set up the private IP for your private VLAN as the DNS server?
#1 The network here sucks. So the firewall drops connections all the time. So I would have to constantly reconnect.
#2 I'm just going home and then bouncing back out from home. Home is 20Mbps down but just 768kbps up... so I'd rather not VPN everything over.
Forum Regular
Join Date: Feb 2007
Originally Posted by Cold Warrior
Would this not work?
ssh -L 53:localhost:53 user@remotehost
I'll have to look at that and try tcpdump and see what happens.
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
SSH only tunnels TCP traffic, and most DNS traffic is sent over UDP. You can build a UDP-to-TCP bridge. See here for examples.
I second besson3c's suggestion about a local DNS server, though. You can always configure your local DNS to forward requests to a particular upstream server. This should work nicely, unless you want to encrypt ALL of your traffic (at which point being on a VPN is your safest bet).
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Originally Posted by ginoledesma
SSH only tunnels TCP traffic, and most DNS traffic is sent over UDP. You can build a UDP-to-TCP bridge. See here for examples.
Dämn, I forgot that DNS goes over UDP. You can indeed do the above to get around that though.
Originally Posted by besson3c
modern versions of BIND use a random UDP port for each outgoing query by default.
True, and that's something to consider if you do set up your own DNS, but if you only want to do what the OP asked first - send the requests through the tunnel - that won't matter. The BIND server shifts the outgoing ports around, but the part that should be tunneled is the request from the resolver. That always goes over UDP port 53.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
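An added example, not code from the thread or from any of its posters, showing the UDP-to-TCP bridge ginoledesma mentions, built around the point made just above: the part worth tunneling is the resolver's request, which always goes out as a UDP datagram to port 53, while `ssh -L` only forwards TCP. DNS already has a TCP transport (RFC 1035 section 4.2.2: each message prefixed with a two-byte big-endian length), so the bridge only has to reframe. Assumed, not from the thread: a forward such as `ssh -L 5353:<dns-server>:53 user@remotehost` is up, so TCP 127.0.0.1:5353 reaches the far DNS server, and the local resolver is pointed at the bridge's UDP port (an unprivileged port here so this runs without root; listening on 53 would need root, as the moderator noted). The `demo()` function stands in a fake TCP "DNS server" for the far end of the forward and sends a constructed query for example.com so the whole path runs on loopback.

```python
import socket
import struct
import threading

# Constructed sample query: ID 0x1234, RD set, one question: example.com A IN.
SAMPLE_QUERY = (
    b"\x12\x34" b"\x01\x00" b"\x00\x01" b"\x00\x00" b"\x00\x00" b"\x00\x00"
    + b"\x07example\x03com\x00" + b"\x00\x01" + b"\x00\x01"
)


def frame_for_tcp(message: bytes) -> bytes:
    """DNS over TCP: two-byte big-endian length, then the message bytes."""
    return struct.pack("!H", len(message)) + message


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TCP may split messages)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def read_tcp_message(sock: socket.socket) -> bytes:
    """Inverse of frame_for_tcp: read one length-prefixed DNS message."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def forward_query(query: bytes, tcp_addr) -> bytes:
    """Relay one UDP DNS message over a fresh TCP connection to the forward."""
    with socket.create_connection(tcp_addr, timeout=5) as s:
        s.sendall(frame_for_tcp(query))
        return read_tcp_message(s)


def serve_udp(udp_sock: socket.socket, tcp_addr, max_queries=None) -> int:
    """Bridge loop: UDP datagram in, TCP round trip, UDP datagram back."""
    handled = 0
    while max_queries is None or handled < max_queries:
        query, client = udp_sock.recvfrom(4096)  # one query per datagram
        try:
            udp_sock.sendto(forward_query(query, tcp_addr), client)
        except OSError:
            pass  # drop it; the resolver times out and retries
        handled += 1
    return handled


def demo() -> bytes:
    """Run the bridge end to end on loopback and return the resolver's answer."""
    # Stand-in for the DNS server behind the ssh -L forward (assumption, not
    # a real resolver): echoes the question back with QR=1, RD/RA set, RCODE=0.
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)

    def fake_tcp_dns():
        conn, _ = tcp.accept()
        with conn:
            q = read_tcp_message(conn)
            conn.sendall(frame_for_tcp(q[:2] + b"\x81\x80" + q[4:]))

    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))  # the resolver would be pointed at this address
    try:
        threading.Thread(target=fake_tcp_dns, daemon=True).start()
        threading.Thread(target=serve_udp, args=(udp, tcp.getsockname(), 1),
                         daemon=True).start()
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
            client.settimeout(5)
            client.sendto(SAMPLE_QUERY, udp.getsockname())
            response, _ = client.recvfrom(4096)
        return response
    finally:
        tcp.close()
        udp.close()


if __name__ == "__main__":
    r = demo()
    print("response id", r[:2].hex(), "flags", r[2:4].hex())
```

One TCP connection per query keeps the bridge stateless; for real use you would point it at the forward's port rather than the stand-in, and only the loopback UDP hop, not the query content, stays on the hostile network.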
Forum Regular
Join Date: Feb 2007
A weekend project for me. Thanks much.
One final thing:
If I want to selectively move traffic based on application over a tunneled or private network, then I should use ssh, correct?
If I want to have ALL traffic over a tunnel or private network, then I should use a VPN (like OpenVPN)?
Mac OS X specific:
I am running 10.5.7. Any advantage to building my own openssh or am I ok with the Mac build?
Anyone else running OpenVPN on Mac OS X as a client?
Moderator
Join Date: Jan 2001
Location: Polwaristan
I use Viscosity to connect to an OpenVPN server hosted on an Ubuntu laptop. Works great. Viscosity isn't free but it has a great, easy GUI with nice options, including the option (in the GUI) to tunnel all network traffic over the VPN.
Forum Regular
Join Date: Feb 2007
Viscosity looks very nice.
How long did it take you to build the OpenVPN server on Ubuntu and get Viscosity going on Mac OS X?
Moderator
Join Date: Jan 2001
Location: Polwaristan
Originally Posted by chichow
Viscosity looks very nice.
How long did it take you to build the OpenVPN server on Ubuntu and get Viscosity going on Mac OS X?
A good number of hours, since I'd never done it before. Just minutes for Viscosity. Tunnelblick is a free option but IMHO is buggy.