Tunnel Web and DNS Traffic Over SSH

By | 2008/06/18

I have been tunneling all of my web traffic over an encrypted SSH connection for some time now. Considering the fact that I travel a lot, I’m very regularly on untrusted, insecure networks. I prefer to secure those connections (web, IM, email, etc) by creating an encrypted SSH connection and pushing the traffic through it. Today I also found a method for also pushing DNS requests through the same tunnel. This ensures total privacy between yourself and the SSH dedicated server.

Step 1: Creating the Tunnel

Creating this private connection you’ll need a remote SSH server to connect to. Mine runs at home in my garage on an old Pentium III 500MHz box (yeah, the kind most people threw away long, long ago!). I connect to this tunnel using:

ssh -D 8080 -fN [email protected]

This creates a SOCKS compatible proxy, which is a requirement of the DNS forwarding. Other methods on the interwebs suggest using ssh -L or similar, which are not SOCKS compatible proxies.

Step 2: Forwarding DNS

If you’d like to also forward your DNS requests (ie; the site addresses you type into your browser), you’ll need to change a setting in Firefox. This can be done by accessing the address about:config, and entering this string into the configuration:

network.proxy.socks_remote_dns

Change this value to “true”.

Step 3: Using the Tunnel

The last step is to configure your browser to use these new settings. In Firefox 3 (I hope you’ve upgraded by now), you can activate/toggle these settings via:

Edit > Preferences > Advanced > Network > Settings

Select “Manual Proxy Configuration” and add localhost to the “SOCKS Host:” field, followed by port 8080 (assuming you’ve used the port in the example above).

configure proxy in firefox

This will then forward your web traffic through the SSH tunnel and DNS requests will also be forwarded.

You may want to check out the FoxyProxy plugin for a simpler way of toggling this on & off.

To deactivate the tunneling and use the local DNS again simply revert Step 3 back to “Direct Connection to the Internet”.

7 thoughts on “Tunnel Web and DNS Traffic Over SSH

  1. Stoffe

    I use a SSH tunnel just like this, but I like to change the GNOME (Ubuntu) settings instead, and Firefox to use System settings. This way everything I use goes that way… It even seems Firefox in Hardy came with this turned on by default which of course is great for integration.

    Especially important now, in Sweden…

    Reply
  2. blue_lizard

    But what if your application is not SOCKS compliant?
    Then you can use -w with ssh and set up an tunnel. Creating an virtual interface has a lot of benefits like transparent networking and routing.
    Of course you need root access on both sides.

    Reply
  3. blink4blog

    Is there any complete tutorial that setup the whole infrastructure, I would like to use SSH connection thru my server at hosting centre wherever i goes.

    Currently my server is SSH enable, do i
    need to setup anything on the server side?

    I assume the command mentioned above:

    ssh -D 8080 -fN [email protected]

    is client connection to server right? Do i have to run this everytime login into system or can it be set at system level so that wherever i connected will go through this setting?

    Thanks

    Reply
  4. max

    I would suggest the modification of changing the setting to “-D 127.0.0.1:8080” to make sure that only the local machine can have access to the tunnel/proxy.

    This requires a somewhat new version of openssh (the version that came w/ redhat EL3 was too old).

    Reply
  5. Radu

    dns tunneling is available only for firefox – anyway to use it for ie for instance?

    Reply
  6. Will Banks

    I can’t seem to get firefox to save the change I made to network.proxy.socks_remote_dns with about:config.
    What am I missing?

    Reply

Leave a Reply