When setting up a SOCKS proxy via ssh -D 8080 user@server, many developers don't realize that DNS resolution often bypasses the tunnel by default. This creates a serious privacy leak where:
- Your web traffic goes through the encrypted tunnel
- But DNS queries reveal your browsing intentions to local network observers
Even if you configure Google DNS (8.8.8.8) in your network settings, most applications will:
# Typical DNS resolution path (leaks outside tunnel):
1. Application → System DNS → Public DNS Server
2. Web traffic → SOCKS Proxy → Destination
Here are three technical approaches to solve this:
Method 1: Using Firefox's Proxy DNS Setting
The most reliable solution for web browsing:
1. Type about:config in Firefox address bar
2. Search for network.proxy.socks_remote_dns
3. Set to true
Method 2: Terminal-level Solution (Mac/Linux)
For command-line tools, prepend commands with:
export ALL_PROXY=socks5h://127.0.0.1:8080
# The 'h' in socks5h forces DNS through proxy
curl ifconfig.me # Will now resolve via tunnel
Method 3: System-wide Tunneling (Advanced)
For comprehensive coverage, create a VPN-like setup:
ssh -D 8080 -o ProxyCommand='nc -x 127.0.0.1:8080 %h %p' \
-C -N user@server
Test your setup with:
dig +short myip.opendns.com @resolver1.opendns.com
# Should return your proxy server's IP
# If it shows your local IP, DNS is leaking
Remember that some applications (like ping) will always bypass SOCKS proxies due to using raw ICMP packets rather than TCP.
When you set up an SSH SOCKS proxy using ssh -D 8080 user@server, many developers assume all traffic including DNS gets tunneled automatically. Unfortunately, this isn't true by default on most operating systems.
Here's what actually happens:
- Your HTTP/HTTPS traffic routes through the proxy
- DNS queries typically bypass the tunnel and go directly to your configured resolvers (like 8.8.8.8)
To verify if your DNS is leaking:
curl --socks5 localhost:8080 ifconfig.me
# Then compare with:
nslookup example.com
# Or on Linux:
dig +short example.com
If the IPs differ, your DNS isn't being tunneled.
Here are the most effective solutions:
Method 1: Proxy-Aware Applications
Many modern apps respect the proxy settings for DNS:
# In Firefox about:config
network.proxy.socks_remote_dns = true
Method 2: System-Level DNS Redirection
On Linux/macOS, use dnsmasq:
# Install dnsmasq
brew install dnsmasq # macOS
sudo apt install dnsmasq # Ubuntu
# Configure (/usr/local/etc/dnsmasq.conf on Homebrew; /etc/dnsmasq.conf on Ubuntu)
listen-address=127.0.0.1
proxy-dnssec
# Upstream resolvers: plain "server=ip" (the "server=/domain/ip" form limits a server to one domain)
server=8.8.8.8
server=8.8.4.4
Method 3: SSHuttle (Recommended)
This creates a full VPN-like tunnel including DNS:
pip install sshuttle
sshuttle --dns -r user@server 0.0.0.0/0
For programmers needing scriptable solutions:
import socket
import socks  # pip install PySocks
socks.set_default_proxy(socks.SOCKS5, "localhost", 8080)  # rdns=True by default
socket.socket = socks.socksocket
# create_connection()/urllib3 call getaddrinfo() before connect(), which would
# still resolve locally; hand the name through so the proxy resolves it instead
def _proxy_getaddrinfo(host, port, *args, **kwargs):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (host, port))]
socket.getaddrinfo = _proxy_getaddrinfo
# Now all traffic including DNS gets tunneled
import requests
response = requests.get('https://api.ipify.org')
print(response.text)
Remember to verify your setup with DNS leak test websites or the CLI tools mentioned earlier.
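Both answers rely on the same mechanism (socks5h, Firefox's socks_remote_dns, PySocks rdns): the client hands the hostname to the proxy instead of resolving it first. This added example, not code from either answer, builds the SOCKS5 CONNECT request (RFC 1928) both ways and decodes one, so you can check whether a client on the local SOCKS port sends a name (ATYP 3, proxy resolves) or a pre-resolved IPv4 (ATYP 1, meaning a local DNS query already left the machine). The resolver argument and the 192.0.2.10 address are constructed for the demo.

```python
"""Added example: SOCKS5 CONNECT requests (RFC 1928) built the socks5 way
(client resolves, ATYP 1) and the socks5h way (proxy resolves, ATYP 3)."""
import ipaddress
import socket
import struct

SOCKS_VERSION, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host, port, remote_dns=True, resolver=socket.gethostbyname):
    """Return the CONNECT request a SOCKS5 client sends for host:port.
    remote_dns=True  (socks5h): the hostname is sent verbatim, no local lookup.
    remote_dns=False (socks5):  `resolver` runs first; that local DNS query is
    the leak, visible to anyone watching the network outside the tunnel."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is None and not remote_dns:
        ip = ipaddress.ip_address(resolver(host))  # the leaking lookup
    if ip is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Decode a CONNECT request into (atyp, destination, port). When inspecting
    a capture of the local SOCKS port, ATYP 3 means the proxy resolves the
    name; ATYP 1/4 means the client already resolved it locally."""
    ver, cmd, _rsv, atyp = data[:4]
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        dst, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV4:
        dst, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        dst, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    if len(rest) != 2:
        raise ValueError("bad length for DST.PORT")
    return atyp, dst, struct.unpack("!H", rest)[0]
```

Feeding a captured request from 127.0.0.1:8080 into parse_connect_request is a quick way to confirm an application really honours its "remote DNS" setting.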