
Howto : setting up dns2tcp

April 24, 2009 - 4 comments

The following article has been tested on Debian Etch (server) and Debian Lenny and Mac OS X (clients).

I’m not going to explain what dns2tcp is, just how to get it running in less than 30 minutes.

You need :
- a public server, reachable from anywhere, its UDP/53 port must be available (no DNS service running) and reachable (not filtered)
- a domain name or subdomain dedicated for dns2tcp
- a client computer, your laptop usually
- a “restricted” network (captive portal, firewalled network, paying hotspot)

Considerations :
dns2tcp server public IP : 1.2.3.4
dns2tcp domain : example.org
dns2tcp resources : SSH on TCP/22 at 1.2.3.4 (same machine as dns2tcp), SSH on TCP/22 at 4.3.2.1

DNS :
Create an NS record for the domain example.org pointing to IP 1.2.3.4 ; obviously you can’t just replace the current NS of the domain you already use :-)
The NS you specify is NOT a DNS server, it’s the IP address of the dns2tcp server ! This means that you won’t be able to host a website or anything else at example.org.
As a result, and only if your control panel allows it or if you have CLI access to your DNS, I recommend using a subdomain of example.org, for example : dns2tcp.example.org.
This way you don’t reserve a whole domain name for dns2tcp alone.

Hint : everyDNS allows creating NS records for subdomains. Not all control panels do.

Server :
Install dns2tcp on the machine (apt-get install dns2tcp on Debian)
Edit the file /etc/dns2tcpd.conf like this :

listen = 0.0.0.0
port = 53
user = nobody
chroot = /some/directory/
domain = example.org
ressources = ssh-home:127.0.0.1:22 , ssh-work:4.3.2.1:22

Start dns2tcp server with /etc/init.d/dns2tcp start

Client :
Don’t forget : the client must already be installed on your computer before you get to the restricted network :-)
Install it right now : apt-get install dns2tcp on Debian, or build it through MacPorts on Mac OS X.

Connect to the restricted network.

Run the command :
dns2tcpc -z example.org 4.2.2.4

If the system is working you should see :
Available connection(s) :
ssh-home
ssh-work

Run the full command now :
dns2tcpc -z example.org -l 8888 -r ssh-home 4.2.2.4

4.2.2.4 is the DNS server that will relay the actual DNS requests.
If the network restricts the use of external DNS servers, check your /etc/resolv.conf to find the DNS servers of the local network.

Now dns2tcp will listen on port TCP/8888 and will give you access to the resource “ssh-home” through that port.

Now connect to your SSH server through dns2tcp on port TCP/8888 :
ssh user@localhost -p 8888 -D 1080

You should connect to your home server !

The -D 1080 option will create a SOCKS proxy on your local machine on port TCP/1080.

Now set up your browser or any other program (like Pidgin if you want to chat) to use the SOCKS proxy at address 127.0.0.1 and port 1080.
You can also set the systemwide parameter for SOCKS proxy from the preferences panel of your OS.

You should now be able to browse the internet.

You can store a config file on the client computer if you don’t want to type the command every time. This is the config corresponding to the command :

/home/USER/.dns2tcprc :

domain = example.org
ressource = ssh-home
local_port = 8888
server = 4.2.2.4

This way, you just need to run dns2tcpc without arguments.
If you store the config file somewhere else, run dns2tcpc -f /where/the/config/resides/dns2tcp.conf

Please note :
Your traffic is encapsulated inside small DNS packets (some firewalls drop unusually large DNS packets) and is encrypted thanks to SSH.
This adds overhead, which makes browsing the web a bit slow but still convenient.
I’ve been able to reach 25 KB/s down and 20 KB/s up, BUT I haven’t been able to transfer large files : it took forever to attach a 3 MB picture to a mail in Gmail (wifi + UDP + small packets is a terrible mix).
A good idea is to use mobile versions of websites, they load faster.
To give you an idea, it can take up to a minute to display maps on Google Maps.
Since you are going through the SOCKS proxy created by the SSH connection, your traffic is encrypted and wifi users can’t snoop on you.
Obviously you can define anything as a resource in dns2tcp, for example a public web proxy, but then your traffic wouldn’t be encrypted !
The owner of the restricted network may notice unusually high DNS traffic while you are surfing (especially if you’re the only person using the wifi network in the hotel).
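That last point is exactly what the network operator would look for. As an added example that is not from this article or from the dns2tcp project, here is a small Python script that scores a resolver query log per zone (query volume, share of never-repeated first labels, mean label length and entropy) and flags zones that look like a tunnel ; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log, one "client qname qtype" per line. The
# example.org lines imitate a DNS tunnel: each query carries a long,
# never-repeated, high-entropy first label. All values are made up.
SAMPLE_LOG = """\
10.0.0.7 www.debian.org A
10.0.0.7 mail.google.com A
10.0.0.7 www.debian.org AAAA
10.0.0.9 q8f3kx2mzp7vt1ancs0yh4lr.dns2tcp.example.org TXT
10.0.0.9 zk1m9rq7wbe3x0pg5ju2tdn6.dns2tcp.example.org TXT
10.0.0.9 v4tc8hn1ya6ro3zk2fw9sjqb.dns2tcp.example.org TXT
10.0.0.9 b7ln2xe5mk0cq9hj3pw8gtru.dns2tcp.example.org TXT
10.0.0.9 e3ys6dp1wq4jv8nk7ab0hzom.dns2tcp.example.org TXT
"""

def parse_log(text):
    """Split the log into (client, qname, qtype) tuples, skipping blank lines."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def zone_of(qname):
    """Group by the last two labels (ignores public suffixes such as co.uk)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character; encoded payload scores high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def zone_stats(records):
    """Per zone: query count, share of distinct first labels, mean label
    length and mean label entropy."""
    by_zone = defaultdict(list)
    for _client, qname, _qtype in records:
        by_zone[zone_of(qname)].append(qname.split(".")[0])
    return {zone: {
        "queries": len(labels),
        "unique_ratio": len(set(labels)) / len(labels),
        "mean_len": sum(map(len, labels)) / len(labels),
        "mean_entropy": sum(map(label_entropy, labels)) / len(labels),
    } for zone, labels in by_zone.items()}

def suspicious_zones(records, min_queries=5, min_len=16, min_entropy=3.5):
    """Zones whose first labels look like encoded data. The thresholds are
    illustrative starting points, not values taken from the article."""
    return sorted(zone for zone, s in zone_stats(records).items()
                  if s["queries"] >= min_queries and s["unique_ratio"] > 0.9
                  and s["mean_len"] >= min_len and s["mean_entropy"] >= min_entropy)
```

On the sample log only example.org is flagged ; the two legitimate zones have short, repeated labels and fail every threshold.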

Comments

Anonymous

November 29, 2009 - 12:09

Thanks for this howto. After reading it, switching from ozymandns to dns2tcp took me about 10min. The performance is much better (about 10KB/sec), web-browsing (with a ziproxy installed on my server) is surprisingly fast. In fact, I’ve seen regular hotel WLAN access with inferior performance. The tunnel is stable enough to transfer files of several MB (I managed to transfer a 4.7MB file with an average data rate of 10KB/sec).

A few hints for improvement:
- use screen for starting the tunnel and a ssh connection from one script
- use ziproxy server side (make sure it can only be accessed from localhost!). I also experimented with a client side Polipo installation, which in some situations can be useful.
- make sure that your web browser tunnels DNS requests through your proxy (much better privacy, no negative impact on performance).
- when the connection is idle, the tunnel fails frequently. I use public key authentication and a script to re-start the connection.

I use the following script for re-start (1080 is the client side port for socks and 8080 the client or server side port for my server side (zi-)proxy):

#! /bin/bash
# Record our PID; removing ~/.ss.pid is how the loop gets stopped.
echo $$ > ~/.ss.pid
while [[ -e ~/.ss.pid ]] ; do
    echo "Restart: $(date)"
    # -C compresses, -D opens the local SOCKS proxy, -L forwards the (zi)proxy port
    ssh -C -p 8888 -D 1080 -L 8080:localhost:8080 tunneluser@localhost
done

Sébastien Wains

December 7, 2009 - 19:12

Thanks a lot for your feedback !

zitstif

February 16, 2010 - 9:01

Thank you very much Sebastien! On my blog post, which is http://zitstif.no-ip.org/?p=205, I make reference to your page and some changes that I had to do.

Sébastien Wains

February 16, 2010 - 22:33

Thanks for the notice and the mention. If only everybody did so instead of shamelessly stealing content... :)
