Tuesday 6 May 2008

opendns resolve issue? no, it's squid.

For reasons known only to my shrink, I wanted Firefox to use a tunnel from a Windows XP machine to an OpenSUSE Linux host resolving via OpenDNS, and squid to make things complete.

Funny stuff, that I do just because I can.

It is all really easy to get up and running: nice to have your own tools on a USB stick and funnel your wild browsing behaviour, encrypted, to a known end point where you set it free into the world wild web. But trust is good, a functional test is better, and checking is better still, as my audit teacher taught me. So the first thing I did was monitor for data leakage on my local [Windows host's] interface: nada. Pity.

Then I went to the remote host's interface to see what showed up there: horror, nice! What I saw was part of the resolve queries going to my old and reliable [and we all hate reliable, right?] colocated DNS and part of the queries to OpenDNS. Hmm, makes you wonder. So checking the resolver file showed that I had correctly added the two OpenDNS entries and correctly removed the entries that DHCP had written to the file. I flushed the DNS cache, still no joy. Hmm, makes you wonder. Turned out it was squid not obeying the new entries in the resolver file. Naughty squid!

My setup in more detail:

Firefox [2.0.14 on WinXP SP2]; well, actually it is Firefox Portable on a 16 GB Flash Voyager.
PuTTY [version 0.60] for a tunnel to an external host, listening on 127.0.0.1:8888 and talking to 127.0.0.1:3128 on the remote end, where squid [Version 2.5.STABLE10] runs on SuSE [kernel 2.6.13-15.18 i386].

I have added a boolean option named "network.proxy.socks_remote_dns" to Firefox's "about:config" page and set it to true.

The resolver file on the remote host contains:
cat /etc/resolv.conf
### BEGIN INFO
#
# Modified_by:  dhcpcd
# Backup:       /etc/resolv.conf.saved.by.dhcpcd.eth0
# Process:      dhcpcd
# Process_id:   4326
# Script:       /sbin/modify_resolvconf
# Saveto:
# Info:         This is a temporary resolv.conf created by service dhcpcd.
#               The previous file has been saved and will be restored later.
#
#               If you don't like your resolv.conf to be changed, you
#               can set MODIFY_{RESOLV,NAMED}_CONF_DYNAMICALLY=no. This
#               variables are placed in /etc/sysconfig/network/config.
#
#               You can also configure service dhcpcd not to modify it.
#
#               If you don't like dhcpcd to change your nameserver
#               settings then either set DHCLIENT_MODIFY_RESOLV_CONF=no
#               in /etc/sysconfig/network/dhcp, or
#               set MODIFY_RESOLV_CONF_DYNAMICALLY=no in
#               /etc/sysconfig/network/config or (manually) use dhcpcd
#               with -R. If you only want to keep your searchlist, set
#               DHCLIENT_KEEP_SEARCHLIST=yes in /etc/sysconfig/network/dhcp or
#               (manually) use the -K option.
### END INFO
nameserver 208.67.222.222
nameserver 208.67.220.220

And yes, I have set both options to 'no'.

To clear the DNS 'cache' I used:
/etc/init.d/nscd restart

What puzzled me is the following output when I use my local browser [that tunnels its requests to the remote host] and monitor the DNS queries on the remote host's interface [the remote host being my-host.xxx, my provider's DNS server being lookup2.colo.xxx]:

tcpdump -p -i eth0 port 53

15:52:19.525862 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 28225+ A? mokumvonamsterdam.blogspot.com. (48)
15:52:19.526356 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 28417+ PTR? 188.250.202.213.in-addr.arpa. (46)
15:52:19.542138 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 28225 2/7/7[|domain]
15:52:19.739094 IP resolver1.opendns.com.domain > my-host.xxx.39176: 28417 1/0/0 (75)
15:52:19.739459 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 17259+ PTR? 81.240.202.213.in-addr.arpa. (45)
15:52:19.949697 IP resolver1.opendns.com.domain > my-host.xxx.39176: 17259 1/0/0 (67)
15:52:19.950334 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 48705+ PTR? 222.222.67.208.in-addr.arpa. (45)
15:52:19.973525 IP resolver1.opendns.com.domain > my-host.xxx.39176: 48705 1/0/0 (80)
15:52:20.698247 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 63234+ A? www.blogger.com. (33)
15:52:21.028751 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 63234 2/7/7[|domain]
15:52:23.133656 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 57393+ A? www.youtube.com. (33)
15:52:23.134089 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 57393 3/3/3 A youtube.com,[|domain]
15:52:23.134563 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 51875+ PTR? 253.153.65.208.in-addr.arpa. (45)
15:52:23.157911 IP resolver1.opendns.com.domain > my-host.xxx.39176: 51875 1/0/0 (70)
15:52:24.315674 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 48709+ A? twitter.com. (29)
15:52:24.502987 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 48709 1/5/5 A[|domain]
15:52:25.981131 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 25981+ A? www.google.com. (32)
15:52:25.981560 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 25981 5/7/7 CNAME www.l.google.com.,[|domain]
15:52:28.057148 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 20445+ A? www.google-analytics.com. (42)
15:52:28.057758 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 20445 5/7/7 CNAME[|domain]
15:52:29.280144 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 59181+ A? toolbarqueries.google.com. (43)
15:52:29.408904 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 59181 5/7/7[|domain]

It turned out that I had to restart squid [/etc/init.d/squid restart] to make the resolving behave and forward _all_ lookups to opendns.com. The same tcpdump after the restart:

16:12:04.543848 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 8407+ A? mokumvonamsterdam.blogspot.com. (48)
16:12:04.567414 IP resolver1.opendns.com.domain > my-host.xxx.39176: 8407 2/0/0[|domain]
16:12:05.282740 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58294+ A? www.blogger.com. (33)
16:12:05.306651 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58294 2/0/0 CNAME[|domain]
16:12:08.624282 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 59333+ A? central.ujcfedweb.org. (39)
16:12:08.843032 IP resolver1.opendns.com.domain > my-host.xxx.39176: 59333 2/0/0 CNAME[|domain]
16:12:10.189203 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58807+ A? twitter.com. (29)
16:12:10.212537 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58807 1/0/0 A 128.121.146.100 (45)
16:12:10.213033 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 18146+ PTR? 100.146.121.128.in-addr.arpa. (46)
16:12:10.236480 IP resolver1.opendns.com.domain > my-host.xxx.39177: 18146 NXDomain 0/0/0 (46)
16:12:12.703541 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 11197+ A? www.google.com. (32)
16:12:12.727000 IP resolver1.opendns.com.domain > my-host.xxx.39176: 11197 3/0/0 CNAME[|domain]
16:12:13.629888 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 24465+ A? www.justsayhi.com. (35)
16:12:13.738147 IP resolver1.opendns.com.domain > my-host.xxx.39176: 24465 1/0/0 A 4.78.241.72 (51)
16:12:13.738702 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 42572+ PTR? 72.241.78.4.in-addr.arpa. (42)
16:12:14.273047 IP resolver1.opendns.com.domain > my-host.xxx.39177: 42572 NXDomain 1/0/0 CNAME[|domain]
16:12:15.706642 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 54172+ A? www.google-analytics.com. (42)
16:12:15.730274 IP resolver1.opendns.com.domain > my-host.xxx.39176: 54172 5/0/0 CNAME[|domain]
16:12:18.673145 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 40629+ A? toolbarqueries.google.com. (43)
16:12:18.696662 IP resolver1.opendns.com.domain > my-host.xxx.39176: 40629 5/0/0[|domain]
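Eyeballing tcpdump output is fine for a few lines, but the check the post describes (do all queries leave through the resolvers I configured?) is worth automating so it can be run over a whole capture. Below is an added example of my own, not code from the post, that parses tcpdump's "port 53" text output, counts queries per resolver, and reports every query that went to a resolver outside an allowed set. The sample input is a constructed excerpt of the two captures quoted above (before and after the squid restart), with the post's anonymised host names; the allowed set assumes the two OpenDNS addresses from resolv.conf as tcpdump reverse-resolves them (resolver2.opendns.com is my assumption for the second address, it does not appear in the post). It also groups the local source ports by query type: my reading of the first capture, not stated in the post, is that the A queries all leave from one long-lived UDP socket (squid's, opened before resolv.conf changed), while the PTR queries from a second port are tcpdump's own reverse lookups, since it was run without -n and therefore uses libc, which does read the new resolver file.

```python
import re
from collections import Counter

# Constructed excerpts of the two captures quoted in the post:
# before the squid restart (15:52) and after it (16:12).
BEFORE_RESTART = """\
15:52:19.525862 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 28225+ A? mokumvonamsterdam.blogspot.com. (48)
15:52:19.526356 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 28417+ PTR? 188.250.202.213.in-addr.arpa. (46)
15:52:19.542138 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 28225 2/7/7[|domain]
15:52:19.739094 IP resolver1.opendns.com.domain > my-host.xxx.39176: 28417 1/0/0 (75)
15:52:20.698247 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 63234+ A? www.blogger.com. (33)
15:52:24.315674 IP my-host.xxx.33278 > lookup2.colo.xxx.domain: 48709+ A? twitter.com. (29)
15:52:24.502987 IP lookup2.colo.xxx.domain > my-host.xxx.33278: 48709 1/5/5 A[|domain]
"""

AFTER_RESTART = """\
16:12:04.543848 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 8407+ A? mokumvonamsterdam.blogspot.com. (48)
16:12:04.567414 IP resolver1.opendns.com.domain > my-host.xxx.39176: 8407 2/0/0[|domain]
16:12:10.189203 IP my-host.xxx.39176 > resolver1.opendns.com.domain: 58807+ A? twitter.com. (29)
16:12:10.212537 IP resolver1.opendns.com.domain > my-host.xxx.39176: 58807 1/0/0 A 128.121.146.100 (45)
16:12:10.213033 IP my-host.xxx.39177 > resolver1.opendns.com.domain: 18146+ PTR? 100.146.121.128.in-addr.arpa. (46)
16:12:10.236480 IP resolver1.opendns.com.domain > my-host.xxx.39177: 18146 NXDomain 0/0/0 (46)
"""

# Resolvers the host is supposed to use. Assumption: the two OpenDNS
# addresses from resolv.conf, as tcpdump prints them after reverse lookup.
ALLOWED_RESOLVERS = {"resolver1.opendns.com", "resolver2.opendns.com"}

# Matches outbound query lines only: "id+ TYPE? name. (len)".
# Reply lines ("id a/b/c ...") have no "+ TYPE?" part and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.domain: "
    r"(?P<id>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(capture):
    """Return (resolver, source_port, qtype, qname) for every query line in a capture."""
    queries = []
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append((m["dst"], int(m["sport"]), m["qtype"], m["qname"].rstrip(".")))
    return queries


def audit_resolvers(capture, allowed=ALLOWED_RESOLVERS):
    """Count queries per resolver and list those sent to a resolver outside `allowed`.

    Returns (per_resolver Counter, leaks); each leak is a parse_queries() tuple.
    """
    queries = parse_queries(capture)
    per_resolver = Counter(q[0] for q in queries)
    leaks = [q for q in queries if q[0] not in allowed]
    return per_resolver, leaks


def sockets_per_qtype(capture):
    """Map query type -> set of local source ports, to help attribute the queries.

    A daemon such as squid typically keeps one long-lived UDP socket, so its
    queries share a port; PTR lookups from another port in a capture taken
    without "tcpdump -n" are usually tcpdump's own reverse lookups.
    """
    ports = {}
    for _resolver, sport, qtype, _qname in parse_queries(capture):
        ports.setdefault(qtype, set()).add(sport)
    return ports


if __name__ == "__main__":
    for label, capture in (("before squid restart", BEFORE_RESTART),
                           ("after squid restart", AFTER_RESTART)):
        per_resolver, leaks = audit_resolvers(capture)
        print(f"{label}: {dict(per_resolver)}")
        for resolver, _, qtype, qname in leaks:
            print(f"  LEAK: {qtype} {qname} sent to {resolver}")
        print(f"  source ports by query type: {sockets_per_qtype(capture)}")
```

Run it on a saved capture with `tcpdump -p -i eth0 port 53 > dns.txt` and feed the file contents to audit_resolvers(); any non-empty leak list means some process on the host is still using a resolver you did not configure. Running tcpdump with -n keeps its own reverse lookups out of the capture, which makes the attribution question go away entirely.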


Hope this helps someone trying to use opendns.com too.
