[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.

Mon Jan 11 17:59:43 UTC 2016
Warren Young <wyml at etr-usa.com>

On Jan 11, 2016, at 10:25 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> 
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world.  For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well.

If by “ssh tunnel” you mean -L and -R, then you can’t do this.  Those only support TCP, but you need UDP for DNS.

DNS can also run over TCP, but it’s basically only done for bulk transfers, like zone updates between DNS servers.  There may be a way to force your client OS’s DNS resolver to TCP-only, but you’ll miss out on third-party resolvers like the ones in Firefox and Chrome.  (Yup!  They don’t use the OS’s DNS resolver!)

Another option with SSH is SOCKS5, which *does* support UDP, but requires that all the programs that use it speak SOCKS, which has been a dying protocol since NAT routers became common.

FreeBSD and Mac OS X have OS-level SOCKS support that can force *most* application traffic across the configured SOCKS link, but as far as I can tell, such an OS-level SOCKS setting does not exist on Windows and Linux.  Some Windows apps obey IE’s proxy settings, but it’s not universal, and on Linux, it’s pretty much every app for itself.

SOCKS and SSH tunnels are fine for ad hoc VPN-like behavior, but if you really need to force all traffic through the tunnel, John’s right: a proper VPN is the correct solution.
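To make the "DNS over TCP through -L" option concrete, here is an added example that is not part of the original message or the CentOS list: a small stub resolver that sends a query with the RFC 1035 TCP framing (a 2-byte length prefix in front of each message) so it can be pointed at a local port that ssh -L forwards to the internal nameserver. The forward itself (`ssh -L 5353:10.0.0.53:53 tunnel-host`), the address 10.0.0.53 and the name `example.internal` are assumptions for illustration; the response bytes used when exercising the parser offline are constructed, not captured.

```python
"""Stub resolver that speaks DNS over TCP, for use through an ssh -L forward.

Added example, not code from the original message. Assumed setup (not in the post):
    ssh -L 5353:10.0.0.53:53 tunnel-host      # 10.0.0.53 = internal DNS, assumed
    python3 dns_tcp.py example.internal 127.0.0.1 5353
"""
import socket
import struct
import sys


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as DNS labels: one length byte plus bytes per label, then 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Wire-format query: header (RD=1, one question), QNAME, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is prefixed by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # bound guards against pointer loops
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    raise ValueError("name too long or compression pointer loop")


def parse_response(msg: bytes, expect_txid: int):
    """Return the IPv4 strings from A answers; raise on txid mismatch or RCODE != 0."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes; TCP gives a stream, not one datagram per message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_tcp(name: str, server: str, port: int, timeout: float = 5.0):
    """Send one query over TCP (e.g. the local end of an ssh -L forward) and parse it."""
    txid = 0x4242
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(tcp_frame(build_query(name, txid)))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return parse_response(recv_exact(sock, length), txid)


if __name__ == "__main__":
    host, server, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(resolve_tcp(host, server, port))
```

The same check can be made with `dig +tcp @127.0.0.1 -p 5353 example.internal`, and on a glibc client `options use-vc` in resolv.conf makes the system resolver use TCP for all lookups; as the message notes, that only covers programs that actually go through the OS resolver.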