UDP Port 53

From:
Ed F.
Date:
2011-10-03 @ 19:54
Leonid,

I am using redsocks with an OpenSSH SOCKS proxy and have the iptables
rules working to route all TCP traffic through the proxy.  I would
like to force all UDP port 53 traffic to be routed through the proxy
to a specific DNS server.

Please share the iptables rules and the corresponding redudp stanza
that you use to connect UDP traffic on port 53 to redsocks.

Thanks,
Ed

Re: [redsocks] UDP Port 53

From:
Lars Merke
Date:
2011-10-04 @ 06:05
Hi Ed,

unfortunately, OpenSSH cannot tunnel UDP traffic. I already tried with
openssh 5.8.

2011/10/3 Ed F. <third07@gmail.com>

> Leonid,
>
> I am using redsocks with an OpenSSH SOCKS proxy and have the iptables
> rules working to route all TCP traffic through the proxy.  I would
> like to force all UDP port 53 traffic to be routed through the proxy
> to a specific DNS server.
>
> Please share the iptables rules and the corresponding redudp stanza
> that you use to connect UDP traffic on port 53 to redsocks.
>
> Thanks,
> Ed
>

Re: [redsocks] UDP Port 53

From:
Leonid Evdokimov
Date:
2011-10-04 @ 12:03
Ed,

Lars is right, you can't tunnel UDP traffic over SSH, but there are
two possible DNS-specific workarounds: dnstc and dnsproxy

1. dnstc server (inside of redsocks) is trivial DNS server that
replies to every UDP request with "truncated reply" (TC stands for
truncated - that's what dig(1) shows you).

you can configure it like
dnstc {
  local_ip = 0.0.0.0;
  local_port = 5300;
}
and redirect all UDP traffic to it
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 5300

in this case your resolver will get "truncated reply" and will make
request once again via TCP. It works with dig(1) perfectly.

Unfortunately, many resolvers are not RFC-compatible - e.g. glibc
resolver seems to be incompatible, powerdns-recursor is not able to
bootstrap without UDP connectivity too, maybe named from bind package
is better - I've not tested it yet.

Can you test bind ?

2. dnsproxy (still to-be-done solution) - you can rewrite any DNS/UDP
request into DNS/TCP transparently, but I've not implemented this
workaround yet.

By the way what's your use-case for routing DNS traffic through SSH ?
Is it privacy or anything else?

--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222
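
The two workarounds above, as an added example that is neither redsocks code nor anything posted in this thread: a minimal dnstc-style responder that echoes the question with the TC bit set, plus the 2-byte length framing a UDP-to-TCP dnsproxy has to add and strip (RFC 1035 section 4.2.2). The query builder and sample name are constructed for the demo.

```python
"""dnstc-style truncated replies and DNS UDP<->TCP framing (constructed example)."""
import struct

# DNS header flag bits, RFC 1035 section 4.1.1
QR = 0x8000  # message is a response
TC = 0x0200  # truncated: tells an RFC-compliant resolver to retry over TCP
RD = 0x0100  # recursion desired (copied from the query into the reply)


def dns_query(qname, qtype=1, qid=0x1234):
    """Build a minimal DNS/UDP query: 12-byte header plus one question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def question_end(msg):
    """Offset just past the single question (queries carry no name compression)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4  # terminating zero label + QTYPE + QCLASS


def dnstc_reply(query):
    """What dnstc does: same ID, same question, QR+TC set, zero answer records."""
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("dnstc demo handles exactly one question")
    header = struct.pack("!HHHHHH", qid, QR | TC | (flags & RD), 1, 0, 0, 0)
    return header + query[12:question_end(query)]


def is_truncated(reply):
    """The check dig(1) reports as 'flags: tc' before it retries over TCP."""
    return bool(struct.unpack("!H", reply[2:4])[0] & TC)


def udp_to_tcp(msg):
    """DNS over TCP prefixes every message with its length in network byte order."""
    return struct.pack("!H", len(msg)) + msg


def tcp_to_udp(stream):
    """Strip one length-prefixed message from a TCP byte stream; return (msg, rest)."""
    if len(stream) < 2:
        raise ValueError("length prefix incomplete")
    n = struct.unpack("!H", stream[:2])[0]
    if len(stream) < 2 + n:
        raise ValueError("message body incomplete")
    return stream[2:2 + n], stream[2 + n:]
```

A resolver that honours TC would take the reply from dnstc_reply(), see is_truncated() return True, and re-send udp_to_tcp(query) over a TCP connection that redsocks can carry through the SOCKS proxy.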

Re: [redsocks] UDP Port 53

From:
Ed F.
Date:
2011-10-04 @ 20:28
On Tue, Oct 4, 2011 at 7:03 AM, Leonid Evdokimov <leon@darkk.net.ru> wrote:

> Lars is right, you can't tunnel UDP traffic over SSH, but there are
> two possible DNS-specific workarounds: dnstc and dnsproxy
>
> 1. dnstc server (inside of redsocks) is trivial DNS server that
> replies to every UDP request with "truncated reply" (TC stands for
> truncated - that's what dig(1) shows you).
...
> Unfortunately, many resolvers are not RFC-compatible - e.g. glibc
> resolver seems to be incompatible, powerdns-recursor is not able too
> bootstrap without UDP connectivity too, maybe named from bind package
> is better - I've not tested it yet.

Thanks for explaining the purpose of the dnstc module.  With your hints, I was
able to get dnstc working, but it did not seem to help in my case.  On
Ubuntu 10.04 LTS, both nslookup and dig resolved names correctly
through dnstc.  Applications such as wget that are presumably using
the glibc resolver did not work.  On Tiny Core Linux 4.0, dig worked
but nslookup from the bind package, nslookup from busybox, and wget
failed to resolve names.

> Can you test bind ?

I have never (knowingly) used bind.  It is easy for me to boot a Tiny
Core system in a virtual machine and install bind, but I have no
experience about how to configure and test.  If you can tell me what
to do, I will.

> 2. dnsproxy (still to-be-done solution) - you can rewrite any DNS/UDP
> request into DNS/TCP transparently, but I've not implemented this
> workaround yet.

That would be the ideal solution.

In the interim, it appears that I can also use pdnsd, which can be
configured to only use TCP for DNS queries.

(Netcat and socat can also be used to transport UDP over TCP.)

> By the way what's your use-case for routing DNS traffic through SSH ?
> Is it privacy or anything else?

I have frequently used an OpenSSH SOCKS proxy for web browsing when I
must use public Wi-Fi.  When I discovered redsocks, I felt that using
it to implement a transparent proxy would be much better than using
tsocks or torsocks to wrap network programs.  For my personal use,
keeping DNS traffic private is not a high priority.  However I am
planning to build a redsocks package for the Tiny Core Linux
distribution.  I would like to include as an example a script that
creates a transparent OpenSSH proxy; there may be other Tiny Core
users for which DNS privacy is important.  I was hoping that it would
be practical to protect DNS traffic, but it does not seem to be so at
this time unless I recommend that my script be used with pdnsd.

Ed

Re: [redsocks] UDP Port 53

From:
Leonid Evdokimov
Date:
2011-10-13 @ 10:21
On Wed, Oct 5, 2011 at 00:28, Ed F. <third07@gmail.com> wrote:
>> Can you test bind ?
>
> I have never (knowingly) used bind.  It is easy for me to boot a Tiny
> Core system in a virtual machine and install bind, but I have no
> experience about how to configure and test.  If you can tell me what
> to do, I will.

I've tested bind9 in forwarding mode, it works correctly with dnstc
but name resolution is painfully slow because of recursion (e.g. 10
seconds to resolve lime.darkk.net.ru, falling back to TCP on every
request). It becomes better when cache is populated, but dnsproxy
(e.g. pdnsd-based) solution gives 0.5s latency instead of 10 seconds
in my environment.

named.conf:
options { forwarders { 8.8.8.8; }; };

iptables -t nat -A OUTPUT -p udp -m owner --uid-owner bind -m udp --dport 53 -j REDIRECT --to-ports 5300
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner bind -j REDIRECT --to-ports 12345


>> 2. dnsproxy (still to-be-done solution)
[...]
> In the interim, it appears that I can also use pdnsd, which can be
> configured to only use TCP for DNS queries.

That's great - does this solution work for you? Are you speaking about
pdnsd or about powerdns?

Leonid.

Re: [redsocks] UDP Port 53

From:
Ed F.
Date:
2011-10-13 @ 13:55
On Thu, Oct 13, 2011 at 5:21 AM, Leonid Evdokimov <leon@darkk.net.ru> wrote:

>> In the interim, it appears that I can also use pdnsd, which can be
>> configured to only use TCP for DNS queries.
>
> That's great - does it solution work for you? Are you speaking about
> pdnsd or about powerdns?

I am using pdnsd, which seems to work quite well.

I configured pdnsd to listen on 127.0.0.1:53 and started it with the
"query_method = tcp_only" parameter in its configuration file or with
"-mto" on its command line.  I then configured /etc/resolv.conf to
have 127.0.0.1 as the only name server.  I also added an iptables rule
to block all non-local UDP traffic on port 53.

I have examined the debug output from redsocks and pdnsd, and it
appears that DNS requests are being sent via TCP instead of UDP.

Ed

Re: [redsocks] UDP Port 53

From:
Leonid Evdokimov
Date:
2011-10-13 @ 14:29
On Thu, Oct 13, 2011 at 17:55, Ed F. <third07@gmail.com> wrote:
> I am using pdnsd, which seems to work quite well.

I'm glad to hear that - pdnsd may be a better solution than dns-proxy
inside of redsocks as soon as I'm not going to implement DNS caching
inside of redsocks. The only thing that MAY be cached inside of
redsocks is the TCP connection to the parent DNS server - to avoid
SYN/SYN-ACK/ACK hassle on every DNS request.

Leonid.

Re: [redsocks] UDP Port 53

From:
Lars Merke
Date:
2011-10-13 @ 15:03
Hi,

regarding the modification of /etc/resolv.conf. You can completely
avoid this by using iptables. This is how I tested it:

iptables -t nat -A OUTPUT -p udp -m owner --uid-owner <my_uid> --dport 53 -j REDIRECT --to-ports 53

This way, all DNS queries to any DNS servers are redirected to the
local pdnsd server, which in my case knows how to handle the requests.

Re: [redsocks] UDP Port 53

From:
Leonid Evdokimov
Date:
2011-10-13 @ 19:25
On Thu, Oct 13, 2011 at 19:03, Lars Merke <larsmerke@googlemail.com> wrote:
> This way, all dns queries to any dns servers are redirected to the
> local pdnsd server, which in my case knows how to handle the requests.

Also, if you don't need cache for some reason, you can use ttdnsd[1]
to convert UDP/DNS to TCP/DNS. It's poll-based, so it should be
lightweight enough to run on a router.

[1] https://gitweb.torproject.org/ioerror/ttdnsd.git

--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222

Re: [redsocks] UDP Port 53

From:
Liangent
Date:
2011-10-31 @ 12:55
Hi,

I'm trying to use DNS over TCP now and do recursive queries with
pdnsd. However I met some issues that I cannot load some contents.
After more investigation I found most of those sites are using
akamai's service and those domain names are finally CNAME'd to
*.akamai.net. Is it true that akamai's name servers cannot handle DNS
over TCP correctly?

-Liangent

On Fri, Oct 14, 2011 at 3:25 AM, Leonid Evdokimov <leon@darkk.net.ru> wrote:
> On Thu, Oct 13, 2011 at 19:03, Lars Merke <larsmerke@googlemail.com> wrote:
>> This way, all dns queries to any dns servers are redirected to the
>> local pdnsd server, which in my case knows how to handle the requests.
>
> Also, if you don't need cache for some reason, you can use ttdnsd[1]
> to convert UDP/DNS to TCP/DNS. It's poll-based, so it should be
> lightweight enough to run on router.
>
> [1] https://gitweb.torproject.org/ioerror/ttdnsd.git
>
> --
> WBRBW, Leonid Evdokimov
> xmpp:leon@darkk.net.ru && http://darkk.net.ru
> tel:+79816800702 && tel:+79050965222
>

Re: [redsocks] UDP Port 53

From:
Leonid Evdokimov
Date:
2011-10-31 @ 14:54
On Mon, Oct 31, 2011 at 16:55, Liangent <liangent@gmail.com> wrote:
> Is it true that akamai's name servers cannot handle DNS
> over TCP correctly?

You're probably right. I can suggest using some public DNS recursor in
this case - like google's 8.8.8.8 & 8.8.4.4.

$ dig www.akamai.com

; <<>> DiG 9.7.3 <<>> www.akamai.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47095
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 10, ADDITIONAL: 10

;; QUESTION SECTION:
;www.akamai.com.			IN	A

;; ANSWER SECTION:
www.akamai.com.		746	IN	CNAME	www-main.akamai.com.edgesuite.net.
www-main.akamai.com.edgesuite.net. 746 IN CNAME	a152.g.akamai.net.
a152.g.akamai.net.	20	IN	A	87.245.209.223
a152.g.akamai.net.	20	IN	A	87.245.209.246

;; AUTHORITY SECTION:
g.akamai.net.		1790	IN	NS	n7g.akamai.net.
[...]

;; ADDITIONAL SECTION:
n7g.akamai.net.		1921	IN	A	87.245.209.235
[...]

$ dig +tcp -t a a152.g.akamai.net.  @n7g.akamai.net.
;; Connection to 87.245.209.235#53(87.245.209.235) for
a152.g.akamai.net. failed: connection refused.


--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222

Re: [redsocks] UDP Port 53

From:
Lars Merke
Date:
2011-10-05 @ 06:43
2011/10/4 Leonid Evdokimov <leon@darkk.net.ru>
>
> Ed,
>
> Lars is right, you can't tunnel UDP traffic over SSH, but there are
> two possible DNS-specific workarounds: dnstc and dnsproxy
>
> 1. dnstc server (inside of redsocks) is trivial DNS server that
> replies to every UDP request with "truncated reply" (TC stands for
> truncated - that's what dig(1) shows you).
>
> you can configure it like
> dnstc {
>  local_ip = 0.0.0.0;
>  local_port = 5300;
> }
> and redirect all UDP traffic to it
> iptables -t nat -p udp --dport 53 -j REDIRECT --to-ports 5300
>
> in this case your resolver will get "truncated reply" and will make
> request once again via TCP. It works with dig(1) perfectly.
>
> Unfortunately, many resolvers are not RFC-compatible - e.g. glibc
> resolver seems to be incompatible, powerdns-recursor is not able too
> bootstrap without UDP connectivity too, maybe named from bind package
> is better - I've not tested it yet.
>
> Can you test bind ?
>
> 2. dnsproxy (still to-be-done solution) - you can rewrite any DNS/UDP
> request into DNS/TCP transparently, but I've not implemented this
> workaround yet.

I think you will find a solution here: http://sourceforge.net/projects/dnsproxy/
This is a perl based DNS proxy that can redirect DNS requests (TCP and
UDP) to any remote DNS server depending on matching rules. We use this
in my company to make remote DNS servers available through ssh.

>
> By the way what's your use-case for routing DNS traffic through SSH ?
> Is it privacy or anything else?
>
> --
> WBRBW, Leonid Evdokimov
> xmpp:leon@darkk.net.ru && http://darkk.net.ru
> tel:+79816800702 && tel:+79050965222

Re: [redsocks] UDP Port 53

From:
Leonid Evdokimov
Date:
2011-10-13 @ 09:46
On Wed, Oct 5, 2011 at 10:43, Lars Merke <larsmerke@googlemail.com> wrote:
>> 2. dnsproxy (still to-be-done solution) - you can rewrite any DNS/UDP
>> request into DNS/TCP transparently, but I've not implemented this
>> workaround yet.
>
> I think you will find a solution here: http://sourceforge.net/projects/dnsproxy/
> This is a perl based dns proxy, that can redirect dns request (tcp and
> udp) to any remote dns server depending on matching rules. We use this
> in my company to make remote dns servers available through ssh.

I looked at dnsproxy - seems it does not provide a solution for this
specific case. On the other hand - it's just using Net::DNS - maybe
Net::DNS is an RFC-compliant recursor, so it's correctly falling back to
TCP when UDP is not functional.

--
WBRBW, Leonid Evdokimov
xmpp:leon@darkk.net.ru && http://darkk.net.ru
tel:+79816800702 && tel:+79050965222