Tunneling Opera's DNS requests over SSH

Opera won't tunnel DNS requests over a socks5 proxy if you have one set. This is an example of how I used system-wide changes to get Opera (and everything else) to use an ssh tunnel for DNS using a remote virtual private server, socat, dnsmasq, ssh, and resolv.conf. Both home and server are Ubuntu 10.04.

(If you're on Windows, try dns2socks.)

## In examples,
## vps.yourhost.com is remote VPS
## I use 'username' as my account on both the VPS and my home machine, so I don't specify the user in the commands below.
## Normally with ssh you can specify user with -l, like -l username

## Setup http tunnel, set Opera to use socks5 proxy 8080
ssh -C2qTnN -D 8080 vps.yourhost.com

## Setup DNS tunnel... the scheme is:
## Opera-> system dns on 127.0.0.1-> socat listens on port 53 redirects to 5353->
## ssh forwards port 5353 from 127.0.0.1 to vps.yourhost.com VPS->
## On the VPS another instance of socat takes port 5353 from the ssh tunnel and redirects to 53 local to VPS->
## VPS is running dnsmasq DNS proxy listening on 53, it proxies the DNS request to its DNS server->
## VPS's DNS server sends back answer and it goes back through the established chain-> Opera

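# local machine
# has primary DNS set to 127.0.0.1, secondary to router's DNS.
# socat needs root to bind port 53; it sends each UDP query over TCP to the tunnel on 5353
sudo socat -T15 udp4-recvfrom:53,reuseaddr,fork tcp:localhost:5353
# ssh listens on local 5353 and forwards it to 127.0.0.1:5353 on the VPS
ssh -N -L 5353:127.0.0.1:5353 vps.yourhost.com

# remote machine
# with dnsmasq DNS proxy running on port 53,
# socat takes TCP 5353 from the ssh tunnel and hands the query to dnsmasq over UDP
# tcp4-listen binds every interface unless you add bind=127.0.0.1; the ssh forward only needs loopback
socat tcp4-listen:5353,reuseaddr,fork UDP:127.0.0.1:53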

Set /etc/resolv.conf to use localhost for DNS with the router as backup (for before you start the tunnel).

#search namecoin-suffix.dot-bit.org # check .bit address first
nameserver 127.0.0.1 # VPS SSH DNS tunnel (no .bit resolver)
nameserver 192.168.1.1 # Router based DNSmasq .bit resolver and normal DNS fallback

If you leave a backup nameserver Opera will still leak DNS and use it when the latency of answers from the tunneled DNS becomes high. For example, when I load a 300+ tab Opera session more than half of the DNS requests are sent unencrypted to 192.168.1.1. So, disable the backup nameserver by commenting it out once you've set up the tunnel.
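An added example (not from the original page): a shell check for the leak described above, listing any non-loopback `nameserver` entries still active in a resolv.conf. The function names and the sample file are constructed for illustration, and it assumes the tunnel's local end is the only loopback resolver.

```shell
#!/bin/sh
# Added example: find resolv.conf nameservers that would bypass the SSH DNS tunnel.
# Assumption: the tunnel's local end is the only loopback resolver (127.0.0.0/8 or ::1).

# Print every active, non-loopback nameserver in a resolv.conf-style file.
leaky_nameservers() {
    awk '
        /^[ \t]*[#;]/ { next }              # whole-line comments, e.g. a commented-out backup
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            sub(/[#;].*$/, "", addr)        # tolerate a comment glued to the address
            if (addr !~ /^127\./ && addr != "::1") print addr
        }
    ' "$1"
}

# Return 0 when only loopback resolvers remain, 1 when a fallback could leak queries.
check_dns_leak() {
    leaks=$(leaky_nameservers "$1")
    if [ -n "$leaks" ]; then
        echo "DNS can leak outside the tunnel via: $leaks" >&2
        return 1
    fi
    echo "only loopback resolvers in $1"
}

# Constructed sample mirroring the resolv.conf on this page (backup still enabled).
sample=$(mktemp)
printf '%s\n' '#search namecoin-suffix.dot-bit.org' \
    'nameserver 127.0.0.1 # VPS SSH DNS tunnel' \
    'nameserver 192.168.1.1 # router fallback' > "$sample"
check_dns_leak "$sample" || echo "comment out the backup nameserver once the tunnel is up"
```

Point `check_dns_leak` at /etc/resolv.conf from the script that starts the tunnel, so a forgotten fallback entry is reported before the browser starts.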

## So... after doing all this after every reboot (I made scripts), Opera will now browse "securely".
## Opera->127.0.0.1:53->127.0.0.1:5353->ssh->(vps.yourhost.com:5353)->vps.yourhost.com:53->dns proxy->(real DNS server)->SUCCESS


## Firefox makes things so much fucking easier.
## For Firefox you can just set it to use the socks5 proxy for DNS requests (network.proxy.socks_remote_dns = true), and,
ssh -C2qTnN -D 8080 vps.yourhost.com
# SUCCESS
