DNS over SSH the Modern Way with DoHoSoSSH
DNS over HTTPS, Socks, and SSH
Tunneling DNS through SSH using socat or nc with named pipes is a finicky approach to a not-so-common problem. In my experience it can be incredibly unreliable when you need it most and constantly leads to hung requests which require process restarts. No wonder though; wrapping a connectionless protocol in a connection-oriented one almost seems like its bound to break somewhere. To address this we are going to set our systems up to use DNS over HTTPS… over SOCKS… over SSH… (DoHoSoSSH anyone?)
I want it now
Ok ok, here’s the link to my DoHoSoSSH Docker container repository:
Tell me more…
Thankfully, getting this set up is super simple, with cloudflared:
Now, at first glance, cloudflared may not seem like the right tool for the job, but it actually has a built in proxy-dns feature which will spin up a local DNS server on UDP/53 and forward it to a DoH server of your choosing. And guess what else? Yup, its also proxy-aware, meaning we can tunnel those DoH requests over a SOCKS Proxy.
Thankfully OpenSSH’s DynamicForward allows for SOCKS4 and SOCKS5 connections, meaning we can use this option to proxy cloudflared's HTTPS requests to a DoH Server! To do this, I’m going to use autossh to ensure that my tunnel persists, as the normal ssh client may die after a period of inactivity.
_> autossh -M0 -N -vvv -D 8080 remoteuser@remotehostThis configures a tunnel to open a Dynamic Port Forward (-D) on port 8080 of my local system. -M0 tells autossh not to configure a Monitoring Port, and -N ensures that no command is executed on the remote server (the default being your login shell).
Now that we have our SSH tunnel with Dynamic Port Forwarding configured, we can start up cloudflared with most of the default settings:
_> export HTTPS_PROXY=socks5://localhost:8080/
_> cloudflared proxy-dns --address 0.0.0.0
2022-08-09T20:05:27Z INF Adding DNS upstream url=https://1.1.1.1/dns-query
2022-08-09T20:05:27Z INF Adding DNS upstream url=https://1.0.0.1/dns-query
2022-08-09T20:05:27Z INF Starting DNS over HTTPS proxy server address=dns://0.0.0.0:53
2022-08-09T20:05:27Z INF Starting metrics server on 127.0.0.1:35423/metricsI first configure my HTTPS_PROXY environment variable to point to the SOCKS proxy set up via my earlier SSH tunnel. Next I start up cloudflared with --address 0.0.0.0 so that it binds to all interfaces on my local system. You don’t have to use the default DoH servers (1.1.1.1 and 1.0.0.1) shipped with cloudflared by the way; these are easily configured with the --upstream flag.
Finally, I can use dig to do some DNS queries and tcpdump to monitor for outbound DNS requests to validate it works!
Why though…
If you are on a network which inspects DNS traffic, and also does TLS decryption on HTTPS traffic, this may be a great setup for you. You can hide your DNS queries securely with DoH, but DoH won’t stop that pesky TLS inspection. That is where the SSH tunnel comes in. Plus, now you have a nice SOCKS proxy for tunneling the rest of your HTTP/S traffic. Double whammy!
Whats Next?
Get setup quickly with my DoHoSoSSH Docker container!
Don’t forget to configure your systems to use your new DoHoSoSSH server as its primary DNS server! By using cloudflared, we were able to successfully tunnel DNS requests through an SSH tunnel without any hacky UDP tunneling. Overall, I’ve found this configuration to be much more stable, and while all my other UDP tunneling will still be the same, at least I know moving forward that my network isn’t bottlenecked by my strange desire to tunnel DNS through SSH.
Maveris is an IT and cybersecurity company committed to helping organizations create secure digital solutions to accelerate their mission. We are Veteran-owned and proud to serve customers across the Federal Government and private sector. Maveris Labs is a space for employees and customers to ask and explore answers to their burning “what if…” questions and to expand the limits of what is possible in IT and cybersecurity. To learn more, go to maveris.com/#maveris-labs.
