
DNS tunneling through SSH
chichow
Forum Regular
Join Date: Feb 2007
Jun 11, 2009, 01:09 PM
 
Can I tunnel my DNS requests through ssh?

Right now I
ssh -C2qTnN -D 8080 -D 9000 -p 443 [email protected] "while true; do sleep 3; echo noop; done"

for Adium and Netscape.

Can I also tunnel by DNS through it?

Running Leopard and don't quite see how to do it in network connections.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Jun 11, 2009, 03:27 PM
 
Should work if you simply configure the system to use 127.0.0.1:8080 - or possibly 127.0.0.1:9000, I'm not sure what dual -D options do - as a SOCKS proxy. You need to run the ssh tunnel as root, though, and possibly set the DNS explicitly.

If that won't work, simply open a second regular tunnel to your server on port 12345 or whatever and set the DNS to use 127.0.0.1:12345.
The new Mac Pro has up to 30 MB of cache inside the processor itself. That's more than the HD in my first Mac. Somehow I'm still running out of space.
     
chichow  (op)
Forum Regular
Join Date: Feb 2007
Jun 11, 2009, 03:52 PM
 
So I didn't know too much before, so I thought it would be better to run Netscape and force the traffic over 8080 and then Adium to go over 9000.

It seems to work, but perhaps it's not necessary.

But how do you set Mac OS X to use localhost:8080 for DNS?

Or even, how are you setting DNS to use port 12345?
"If that won't work, simply open a second regular tunnel to your server on port 12345 or whatever and set the DNS to use 127.0.0.1:12345"
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jun 11, 2009, 07:07 PM
 
Modern versions of BIND use a random UDP port for each outgoing query by default. However, there is also a BIND argument to force using a particular port:

Code:
query-source address * port NNNNN;
The port needs to be between 49160 and 65530, and obviously your firewall needs to permit these outbound requests.

Wouldn't it be easier to setup a VPN between your network and the network with the DNS server you want to use, and then just simply setup the private IP for your private VLAN as the DNS server?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Jun 11, 2009, 07:18 PM
 
Actually, a better option is just to enable a local DNS server, no?

I guess I'm not really understanding your objective here.
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 11, 2009, 07:25 PM
 
Would this not work?
ssh -L 53:localhost:53 user@remotehost
     
chichow  (op)
Forum Regular
Join Date: Feb 2007
Jun 11, 2009, 11:06 PM
 
Originally Posted by besson3c:
Actually, a better option is just to enable a local DNS server, no?

I guess I'm not really understanding your objective here.

I'm on a semi-hostile network (call it corporate, whatever).

There are certain things that I don't mind going over the network. There are other things that I would rather not go over the network.
     
chichow  (op)
Forum Regular
Join Date: Feb 2007
Jun 11, 2009, 11:08 PM
 
Originally Posted by besson3c:
Modern versions of BIND use a random UDP port for each outgoing query by default. However, there is also a BIND argument to force using a particular port:

Code:
query-source address * port NNNNN;
The port needs to be between 49160 and 65530, and obviously your firewall needs to permit these outbound requests.

Wouldn't it be easier to setup a VPN between your network and the network with the DNS server you want to use, and then just simply setup the private IP for your private VLAN as the DNS server?

#1 The network here sucks, so the firewall drops connections all the time, so I would have to constantly reconnect.

#2 I'm just going home and then bouncing back out from home. Home is 20Mbps down but just 768kbps up...so I'd rather not VPN everything over.
     
chichow  (op)
Forum Regular
Join Date: Feb 2007
Jun 11, 2009, 11:10 PM
 
Originally Posted by Cold Warrior:
Would this not work?
ssh -L 53:localhost:53 user@remotehost

I'll have to look at that and try tcpdump and see what happens.
     
ginoledesma
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Jun 12, 2009, 03:21 AM
 
SSH only tunnels TCP traffic, and most DNS traffic is sent over UDP. You can build a UDP-to-TCP bridge. See here for examples.

I second besson3c's suggestion about a local DNS server, though. You can always configure your local DNS to forward requests to a particular upstream server. This should work nicely, unless you want to encrypt ALL of your traffic (at which point being on a VPN is your safest bet).
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Jun 12, 2009, 05:39 AM
 
Originally Posted by ginoledesma:
SSH only tunnels TCP traffic, and most DNS traffic is sent over UDP. You can build a UDP-to-TCP bridge. See here for examples.

Dämn, I forgot that DNS goes over UDP. You can indeed do the above to get around that though.

Originally Posted by besson3c:
Modern versions of BIND use a random UDP port for each outgoing query by default.

True, and that's something to consider if you do set up your own DNS, but if you only want to do what the OP asked first - send the requests through the tunnel - that won't matter. The BIND server shifts the outgoing ports around, but the part that should be tunneled is the request from the resolver. That always goes over UDP port 53.
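The UDP-to-TCP bridge that ginoledesma and P refer to above, as an added example rather than code from the thread: a small Python relay that accepts the stub resolver's UDP queries, wraps each one in the 2-byte length prefix DNS uses over TCP, pushes it through an SSH `-L` forward to the remote resolver's TCP port 53, and hands the answer back over UDP. It assumes a forward such as `ssh -N -L 5354:127.0.0.1:53 user@home` is already up (the `user@home` name, the ports, the loopback stand-in resolver and the `example.com` query used by the demo are all assumptions). It listens on an unprivileged port because binding 53 needs root, and it drops any reply whose transaction ID does not match the query or whose QR bit is not set, so a stray or forged packet is never handed to the resolver as an answer.

```python
import socket
import struct
import sys
import threading

# Assumed local setup (not from the thread): an SSH TCP forward such as
#   ssh -N -L 5354:127.0.0.1:53 user@home
# so that TCP 127.0.0.1:5354 reaches a resolver the home host can talk to.
# Port 53 on the Mac needs root, so the bridge listens on an unprivileged
# UDP port and the stub resolver is pointed at that port instead.
TCP_FORWARD = ("127.0.0.1", 5354)
UDP_LISTEN = ("127.0.0.1", 5353)


def build_query(qname, txid, qtype=1):
    """Minimal DNS query: one question, recursion desired, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP peer closed mid-message")
        buf += chunk
    return buf


def read_tcp_message(sock):
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def looks_like_answer(query, resp):
    """Accept a reply only if it echoes the query's transaction ID and has QR set."""
    return len(resp) >= 12 and resp[:2] == query[:2] and bool(resp[2] & 0x80)


def forward_query(query, tcp_addr, timeout=5.0):
    """Relay one UDP-format query over TCP and return the resolver's answer."""
    with socket.create_connection(tcp_addr, timeout=timeout) as s:
        s.sendall(frame_tcp(query))
        resp = read_tcp_message(s)
    if not looks_like_answer(query, resp):
        raise ValueError("reply does not match query; dropping it")
    return resp


def serve_udp(udp_sock, tcp_addr, max_queries=None):
    """Answer UDP queries arriving on udp_sock by relaying each over the TCP forward."""
    handled = 0
    while max_queries is None or handled < max_queries:
        query, client = udp_sock.recvfrom(4096)
        handled += 1
        try:
            udp_sock.sendto(forward_query(query, tcp_addr), client)
        except (OSError, ValueError):
            pass  # no reply sent: the stub resolver will retry or time out


def serve_forever(udp_addr=UDP_LISTEN, tcp_addr=TCP_FORWARD):
    """Real use: bind the bridge port and relay queries until killed."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(udp_addr)
    serve_udp(udp, tcp_addr)


def fake_tcp_resolver(srv_sock):
    """Stand-in for the remote resolver (constructed for the loopback demo):
    answers one TCP query by echoing it with the QR bit set."""
    conn, _ = srv_sock.accept()
    with conn:
        q = read_tcp_message(conn)
        conn.sendall(frame_tcp(q[:2] + bytes([q[2] | 0x80]) + q[3:]))


def run_loopback_demo():
    """Run the resolver stand-in and the bridge on loopback, send one query,
    and return (query, reply) so the framing and ID check can be inspected."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))
    threading.Thread(target=fake_tcp_resolver, args=(srv,), daemon=True).start()
    threading.Thread(target=serve_udp, args=(udp, srv.getsockname(), 1), daemon=True).start()
    query = build_query("example.com", txid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        client.settimeout(5.0)
        client.sendto(query, udp.getsockname())
        reply, _ = client.recvfrom(4096)
    return query, reply


if __name__ == "__main__":
    if "--serve" in sys.argv:
        serve_forever()
    else:
        q, r = run_loopback_demo()
        print("reply id matches and QR set:", looks_like_answer(q, r))
```

Run it with `--serve` once the forward is up; with no arguments it runs the loopback demo against the built-in stand-in. Point the stub resolver at the bridge's port: on Mac OS X the files under /etc/resolver/ accept `nameserver` and `port` lines (see resolver(5)), and dig needs `-p 5353` given explicitly. To confirm nothing leaks, watch the physical interface with `sudo tcpdump -ni en0 'udp port 53'` while resolving names: with the bridge in use, the only DNS-shaped packets should be on lo0, and en0 should carry only the encrypted SSH session on port 443. The remote end must accept DNS over TCP, and answers larger than the resolver will take over UDP are passed through unchanged.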
     
chichow  (op)
Forum Regular
Join Date: Feb 2007
Jun 12, 2009, 09:04 AM
 
A weekend project for me. Thanks much.

One final thing:

If I want to selectively move traffic based on application over a tunneled or private network, then I should use ssh, correct?

If I want to have ALL traffic over a tunnel or a private network, then I should use a VPN (like OpenVPN).

Mac OS X specific:

I am running 10.5.7. Any advantage to building my own OpenSSH, or am I OK with the Mac build?

Anyone else running OpenVPN on Mac OS X as a client?
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 12, 2009, 12:03 PM
 
I use Viscosity to connect to an OpenVPN server hosted on an Ubuntu laptop. Works great. Viscosity isn't free, but it has a great, easy GUI with nice options, including the option (in the GUI) to tunnel all network traffic over the VPN.
     
chichow  (op)
Forum Regular
Join Date: Feb 2007
Jun 12, 2009, 01:20 PM
 
Viscosity looks very nice.

How long did it take you to build the OpenVPN server on Ubuntu and get Viscosity going on Mac OS X?
     
Cold Warrior
Moderator
Join Date: Jan 2001
Location: Polwaristan
Jun 12, 2009, 02:01 PM
 
Originally Posted by chichow:
Viscosity looks very nice.

How long did it take you to build the OpenVPN server on Ubuntu and get Viscosity going on Mac OS X?

A good number of hours since I'd never done it before. Just minutes for Viscosity. Tunnelblick is a free option but IMHO is buggy.