As Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for the deeply paranoid: all your DNS traffic is still in the clear. While the web traffic and URLs aren’t sniffable any more, curious people can still get a sense for what kinds of stuff you’re browsing, based on domain names. (And for the really really paranoid: if you’re on open wireless, your DNS lookups could get hijacked, causing you to browse to look-alike sites ready to phish your login credentials.)
Luckily, with SOCKS5, Firefox can control which side of the proxy handles DNS lookups. By default it does the lookups locally, resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy behave more like a regular proxy, where DNS is handled by the remote end of the tunnel.
Update: Oops, as the title hints, I was going to talk about Squid. But then I didn’t. It’s pretty cool too. Carry on…
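To make concrete what that preference changes on the wire, here is an added example of mine (not code from the post or from Firefox) that builds the SOCKS5 CONNECT request a client sends after method negotiation, in both modes. With socks_remote_dns off the client resolves the name itself and sends an IPv4 address (ATYP 0x01), so the lookup is visible on the local network; with it on, the client sends the hostname (ATYP 0x03) and the ssh -D end resolves it. The resolver passed in and the 192.0.2.10 address are stand-ins so the script runs offline.

```python
import ipaddress
import socket
import struct

# Constructed example of the SOCKS5 CONNECT request (RFC 1928, section 4).
# ATYP 0x01 = IPv4 address: the client resolved the name locally (DNS leaks)
# ATYP 0x03 = domain name:  the proxy resolves it at the remote end of the tunnel
SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
ATYP_DOMAIN = 3


def connect_request_local_dns(host, port, resolver=socket.gethostbyname):
    """socks_remote_dns = false: resolve locally, then send the IPv4 address."""
    addr = ipaddress.IPv4Address(resolver(host))  # this lookup goes out on the LAN
    head = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4)
    return head + addr.packed + struct.pack("!H", port)


def connect_request_remote_dns(host, port):
    """socks_remote_dns = true: ship the hostname; no local lookup happens."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 ATYP=0x03")
    head = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN)
    return head + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_connect_request(req):
    """What the proxy (the ssh -D end) sees: an address, or a name it must resolve."""
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dst = str(ipaddress.IPv4Address(req[4:8]))
        port = struct.unpack("!H", req[8:10])[0]
        return {"atyp": "ipv4", "dst": dst, "port": port, "proxy_resolves": False}
    if atyp == ATYP_DOMAIN:
        n = req[4]
        dst = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return {"atyp": "domain", "dst": dst, "port": port, "proxy_resolves": True}
    raise ValueError("unsupported ATYP 0x%02x" % atyp)


if __name__ == "__main__":
    # Stub resolver so the demo runs offline; a real client would query DNS here.
    fake_resolver = lambda h: "192.0.2.10"
    for req in (connect_request_local_dns("example.com", 80, resolver=fake_resolver),
                connect_request_remote_dns("example.com", 80)):
        print(req.hex(), parse_connect_request(req))
```

The only difference between the two requests is the address type byte and what follows it; that byte is exactly what the about:config setting flips, and it is why a sniffer on the local side stops seeing port 53 traffic for browser lookups once it is set.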

Thank you, thank you. This is awesome. This is also necessary in oppressive nations where they fiddle with DNS servers to block certain content (that is, using SSH SOCKS with local DNS is useless because the DNS lookup itself cannot be trusted). I’m not going to say where this is, but let’s just say they are hosting the 2008 Olympics.
Comment by Oppressed — 7/11/2007 @ 5:56 pm
I’ve been using IPCop and its SSH and Squid to surf through. I am not picking up any DNS ‘leaks’ with a packet sniffer either. However, I would like to know if you could tell me:
A: When my port forwarded traffic goes to localhost:9999 then gets forwarded through the shell to Squid on port 800, does Squid not handle all the DNS?
B: if I use -D in my plink.exe batch file, I am able to use Socks in FF, but otherwise, I’m using an http proxy. Is one method preferred over another?
My overall concern is unfiltered access to sites I need but also privacy. I don’t want anyone snooping on my DNS.
I’m looking at IronKey and other Tor on a stick ideas and am wondering if you have any other suggestions. I’d like to be anonymous, so my ISP isn’t watching all I do either. Thanks.
Comment by SB — 11/27/2007 @ 11:05 am
(In response to SB’s post above)
Answer to Question A: In this situation, Squid is performing the DNS lookups for you. Your computer would resolve ‘localhost’ without a DNS lookup; the data for your HTTP traffic is sent over the port-forwarding tunnel created by SSH, and Squid will attempt to fulfill your HTTP requests by performing its own DNS lookups originating from its location.
Answer to Question B: Both methods accomplish the same amount of encryption and “hiding”, assuming you’ve configured Firefox like the article says (by going to about:config). With Squid, you would have an added layer of caching which may or may not be useful. In an asymmetric Internet connection like consumer-grade cable or DSL, the caching is of no practical use because download bandwidth is so much more than upload bandwidth.
Comment by KC — 12/3/2007 @ 12:00 pm
oh. my. this totally just saved me. thank you a million times for pointing this out, now firefox is working great over my netshare connection ;D
Comment by ian — 9/24/2008 @ 4:51 pm
does anyone have a proper tcpdump filter to verify that dns requests are going over the ssh tunnel?
just to verify that there are no leaks…
Comment by dingo — 10/8/2008 @ 6:32 am
SB here again, and I’m a bit confused.
You say in A: Squid is handling the DNS. Given that, why would I need to set the 2nd option in about:config, network.proxy.socks_remote_dns = true when I’m not even using socks, I am using an http proxy?
As well, I’ve had another odd problem just start in the last day or two: I had to manually set my DNS for work in WinXP. I could surf, then it stopped serving pages in the browser. It would just say “Waiting for google.ca” and never time out or anything, just nothing. Then it worked for a while, now today it stopped. I set my DNS back to auto obtain and it works now.
SB, thoroughly confused.
Comment by SB — 1/7/2009 @ 10:24 am
“does anyone have a proper tcpdump filter to verify that dns requests are going over the ssh tunnel?”
I was wondering the same thing. It’s one thing to set this all up, but how can we verify what data is/isn’t going over the SSH connection? Can someone suggest any tools or techniques to help with that?
Thanks for the post. I appreciate the info.
Comment by ebdb — 2/3/2009 @ 9:53 am
This is a great setting in Firefox. Thanks for sharing it !
@ebdb: you can just filter tcpdump on port 53: “tcpdump port 53”
Tex
Comment by Tex — 2/23/2009 @ 6:51 am
In reference to testing if you are leaking DNS, use Wireshark. In the filter box, type udp.port==53 and hit enter. That will filter so only DNS queries show up. If you start browsing and you see DNS queries going out to your normal ISP, then you’ve got trouble. Instead you shouldn’t see them at all.
Comment by clnl — 4/8/2009 @ 9:50 am
Outstanding. THANKS to all!
Using Adito (now part of openVPN) to tunnel to home
Running putty portable to connect to that tunnel
Setting firefox using the “about:config” access to change
network.proxy.socks_remote_dns to TRUE
Running FoxyProxy addin to firefox
Thanks Tex for the wireshark filter, found portable wireshark and just installed it!!
Running IE, I see DNS queries; running Firefox with the tunnel, I see no DNS queries.
If I enter (in firefox) an internal IP address at home (http://mylamp) for one of my intranet websites, I see the site here at work!
Now if I could just figure out how to do this with my voip phone in the middle east….. :)
Comment by David VT — 10/23/2009 @ 8:08 am
I was doing a tcpdump on my own traffic while using ssh -D and network.proxy.socks_remote_dns set to TRUE in FF, and I noticed that although forward lookups are sent through the proxy, reverse lookups are not. This poses no issue for browsing but does likely leave a trace of where you have been in the local side DNS server logs. Food for thought.
Comment by David — 12/5/2009 @ 7:41 pm
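Several comments above ask how to check for leaks with tcpdump or Wireshark, and David points out that reverse (PTR) lookups can still slip out. As an added example of mine (not from the post or any commenter), here is a small DNS query decoder that turns captured UDP port-53 payloads into a leak report and flags reverse lookups, recovering the IP address they reveal. The two query payloads are constructed inline so it runs offline; in practice you would feed it the payloads your sniffer captured on the local interface.

```python
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_PTR = 1, 28, 12
QTYPE_NAMES = {QTYPE_A: "A", QTYPE_AAAA: "AAAA", QTYPE_PTR: "PTR"}


def build_query(qname, qtype, txid):
    """Encode a standard DNS query (RD=1, one question); used only to build sample data."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(payload):
    """Decode the header and first question of a DNS message (RFC 1035 wire format)."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        n = payload[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"txid": txid, "qname": ".".join(labels),
            "qtype": QTYPE_NAMES.get(qtype, str(qtype))}


def classify_leak(payload):
    """One report entry per sniffed query: what it reveals to the local resolver."""
    q = parse_question(payload)
    name = q["qname"]
    if q["qtype"] == "PTR" and name.endswith(".in-addr.arpa"):
        octets = name[:-len(".in-addr.arpa")].split(".")
        ip = str(ipaddress.IPv4Address(".".join(reversed(octets))))
        return {"kind": "reverse", "reveals": ip, "qname": name}
    return {"kind": "forward", "reveals": name, "qname": name}


# Constructed sample payloads (not real captures): a forward A lookup for
# example.com and a reverse PTR lookup of 192.0.2.10.
SAMPLE_QUERIES = [
    build_query("example.com", QTYPE_A, 0x1234),
    build_query("10.2.0.192.in-addr.arpa", QTYPE_PTR, 0x5678),
]


def leak_report(payloads=SAMPLE_QUERIES):
    return [classify_leak(p) for p in payloads]


if __name__ == "__main__":
    for r in leak_report():
        print("%-8s lookup seen locally, reveals: %s" % (r["kind"], r["reveals"]))
```

With the Firefox setting applied correctly, the forward entry should never appear for browser traffic; any reverse entries that do appear are the local-side trace David describes, and the report shows exactly which address each one discloses.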
Thanks for bringing the reverse DNS issue up. Is there a way to send these through the proxy too?
I’m going to a country which censors Internet and I should resolve this before leaving :)
Comment by seamen — 1/22/2010 @ 1:18 am
This is very good but how do I determine if I am using the remote host’s DNS server and not my ISP’s?
Comment by Fooby — 8/24/2010 @ 11:35 am