codeblog code is freedom — patching my itch

December 7, 2006

paranoid browsing with squid

Filed under: Security,Ubuntu — kees @ 11:40 pm

As Carthik says, the SSH SOCKS option is a great way to quickly tunnel your web traffic. A word of caution for the deeply paranoid: all your DNS traffic is still in the clear. While the web traffic and URLs aren’t sniffable any more, curious people can still get a sense for what kinds of stuff you’re browsing, based on domain names. (And for the really really paranoid: if you’re on open wireless, your DNS lookups could get hijacked, causing you to browse to look-alike sites ready to phish your login credentials.)

Luckily, with SOCKS5, Firefox can control which side of the proxy handles DNS lookups. By default, it does the lookups locally, resulting in the scenario above. To change this, set network.proxy.socks_remote_dns = true in about:config. This makes the SOCKS proxy behave more like a regular proxy, where DNS is handled by the remote end of the tunnel.
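What the setting changes on the wire, as an added example that is not part of the original post: a SOCKS5 request (RFC 1928) carries either an already-resolved IP address or a hostname for the proxy to resolve, and this parser reports which. The two sample requests are constructed, not captured from Firefox.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def parse_socks5_request(data: bytes):
    """Parse a SOCKS5 request (RFC 1928, section 4).

    Returns (dest, port, resolved_by). resolved_by is "client" when the
    request already carries an IP address (the lookup happened locally,
    outside the tunnel) and "proxy" when it carries a hostname.
    """
    if len(data) < 4:
        raise ValueError("truncated request header")
    ver, _cmd, rsv, atyp = data[:4]
    if ver != 5 or rsv != 0:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_IPV4:
        addr_len, resolved_by = 4, "client"
    elif atyp == ATYP_IPV6:
        addr_len, resolved_by = 16, "client"
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated domain length")
        addr_len, resolved_by = data[4], "proxy"
        data = data[:4] + data[5:]  # drop the one-byte name length
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    end = 4 + addr_len
    if len(data) < end + 2:
        raise ValueError("truncated address or port")
    raw = data[4:end]
    (port,) = struct.unpack("!H", data[end:end + 2])
    if atyp == ATYP_DOMAIN:
        dest = raw.decode("ascii")
    else:
        dest = str(ipaddress.ip_address(raw))
    return dest, port, resolved_by

# Constructed sample requests (CONNECT to port 443), not captured traffic.
LOCAL_DNS = bytes([5, 1, 0, ATYP_IPV4, 192, 0, 2, 10]) + struct.pack("!H", 443)
REMOTE_DNS = (bytes([5, 1, 0, ATYP_DOMAIN, 11]) + b"example.org"
              + struct.pack("!H", 443))

if __name__ == "__main__":
    for label, req in (("socks_remote_dns = false", LOCAL_DNS),
                       ("socks_remote_dns = true", REMOTE_DNS)):
        print(label, parse_socks5_request(req))
```
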

Update: Oops, as the title hints, I was going to talk about Squid. But then I didn’t. It’s pretty cool too. Carry on…

© 2006 – 2016, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.


  1. Thank you, thank you. This is awesome. This is also necessary in oppressive nations where they fiddle with DNS servers to block certain content (that is, using SSH SOCKS with local DNS is useless because the DNS lookup itself cannot be trusted). I’m not going to say where this is, but let’s just say they are hosting the 2008 Olympics.

    Comment by Oppressed — July 11, 2007 @ 5:56 pm

  2. I’ve been using IPCop and its SSH and Squid to surf through. I am not picking up any DNS ‘leaks’ with a packet sniffer either. However, I would like to know if you could tell me:
    A: When my port forwarded traffic goes to localhost:9999 then gets forwarded through the shell to Squid on port 800, does Squid not handle all the DNS?
    B: if I use -D in my plink.exe batch file, I am able to use Socks in FF, but otherwise, I’m using an http proxy. Is one method preferred over another?

    My overall concern is unfiltered access to sites I need but also privacy. I don’t want anyone snooping on my DNS.

    I’m looking at IronKey and other Tor on a stick ideas and am wondering if you have any other suggestions. I’d like to be anonymous, so my ISP isn’t watching all I do either. Thanks.

    Comment by SB — November 27, 2007 @ 11:05 am

  3. (In response to SB’s post above)

    Answer to Question A: In this situation, Squid is performing the DNS lookups for you. Your computer would resolve ‘localhost’ without a DNS lookup, data for your HTTP traffic is sent over the port forwarding tunnel created by SSH and Squid will attempt to fulfill your HTTP requests by performing its own DNS lookups originating from its location.

    Answer to Question B: Both methods accomplish the same amount of encryption and “hiding”, assuming you’ve configured Firefox like the article says (by going to about:config). With Squid, you would have an added layer of caching which may or may not be useful. In an asymmetric Internet connection like consumer-grade cable or DSL, the caching is of no practical use because download bandwidth is so much more than upload bandwidth.

    Comment by KC — December 3, 2007 @ 12:00 pm

  4. oh. my. this totally just saved me. thank you a million times for pointing this out, now firefox is working great over my netshare connection ;D

    Comment by ian — September 24, 2008 @ 4:51 pm

  5. does anyone have a proper tcpdump filter to verify that dns requests are going over the ssh tunnel?

    just to verify that there are no leaks…

    Comment by dingo — October 8, 2008 @ 6:32 am

  6. SB here again and I’m a bit confused.

    You say in A: Squid is handling the DNS. Given that, why would I need to set the 2nd option in about:config, network.proxy.socks_remote_dns = true when I’m not even using socks, I am using an http proxy?

    As well, I’ve had another odd problem just start in the last day or two: I had to manually set my DNS for work in WinXP. I could surf, then it stopped serving pages in the browser. It would just say “Waiting for” and never time out or anything, just nothing. Then it worked for a while, now today it stopped. I set my DNS back to auto obtain and it works now.
    SB, thoroughly confused.

    Comment by SB — January 7, 2009 @ 10:24 am

  7. “does anyone have a proper tcpdump filter to verify that dns requests are going over the ssh tunnel?”

    I was wondering the same thing. It’s one thing to set this all up, but how can we verify what data is/isn’t going over the SSH connection? Can someone suggest any tools or techniques to help with that?

    Thanks for the post. I appreciate the info.

    Comment by ebdb — February 3, 2009 @ 9:53 am

  8. This is a great setting in Firefox. Thanks for sharing it !

    @ebdb : you can just filter tcpdump on port 53: “tcpdump port 53”


    Comment by Tex — February 23, 2009 @ 6:51 am

  9. In reference to testing if you are leaking dns, use wireshark. In the filter box, type UDP.port==53 and hit enter. That will filter so only DNS queries show up. If you start browsing and you see DNS queries going out to your normal ISP, then you’ve got trouble. Instead you shouldn’t see them at all.

    Comment by clnl — April 8, 2009 @ 9:50 am

  10. Outstanding.. THANKS to all!
    Using Adito (now part of openVPN) to tunnel to home
    Running putty portable to connect to that tunnel
    Setting firefox using the “about:config” access to change
    network.proxy.socks_remote_dns to TRUE
    Running FoxyProxy addin to firefox

    Thanks Tex for the wireshark filter, found portable wireshark and just installed it!!
    Running IE I see DNS queries, Running firefox with the tunnel I see no DNS queries.

    If I enter (in firefox) an internal IP address at home (http://mylamp) for one of my intranet websites, I see the site here at work!

    Now if I could just figure out how to do this with my voip phone in the middle east….. :)

    Comment by David VT — October 23, 2009 @ 8:08 am

  11. I was doing a tcpdump on my own traffic while using ssh -D and network.proxy.socks_remote_dns set to TRUE in FF and I noticed that although forward lookups are sent through the proxy, reverse lookups are not. This poses no issue for browsing but does likely leave a trace of where you have been in the local side DNS server logs. Food for thought.

    Comment by David — December 5, 2009 @ 7:41 pm
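The leak check discussed in the comments above, as an added example that is not from the post or from any commenter: it reads the text output of tcpdump and reports every cleartext DNS query, marking reverse (PTR) lookups separately. The sample lines are constructed to follow the `tcpdump -n` output format, and the function name is this example's own.

```python
import re
import sys

# Matches a UDP DNS query as printed by `tcpdump -n`, for example:
#   09:15:01.1 IP 192.168.1.23.51514 > 192.168.1.1.53: 4660+ A? example.org. (29)
QUERY = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.\d+ > (?P<dst>\S+)\.53: "
    r"\d+[+%]*(?: \[[^\]]*\])? (?P<qtype>\w+)\? (?P<qname>\S+)")

def iter_dns_leaks(lines):
    """Yield (resolver, qtype, qname, kind) for each cleartext DNS query seen."""
    for line in lines:
        m = QUERY.match(line)
        if not m:
            continue  # DNS responses, SSH tunnel packets, anything else
        qname = m["qname"].rstrip(".")
        is_reverse = (m["qtype"] == "PTR"
                      and qname.endswith((".in-addr.arpa", ".ip6.arpa")))
        yield m["dst"], m["qtype"], qname, "reverse" if is_reverse else "forward"

# Constructed sample capture: one forward query and its response, one packet
# of the SSH tunnel itself, and one reverse lookup.
SAMPLE = """\
09:15:01.100001 IP 192.168.1.23.51514 > 192.168.1.1.53: 4660+ A? example.org. (29)
09:15:01.130002 IP 192.168.1.1.53 > 192.168.1.23.51514: 4660 1/0/0 A 192.0.2.10 (45)
09:15:01.200003 IP 192.168.1.23.40022 > 198.51.100.7.22: Flags [P.], seq 1:101, ack 1, win 501, length 100
09:15:02.300004 IP 192.168.1.23.40112 > 192.168.1.1.53: 4661+ PTR? 10.2.0.192.in-addr.arpa. (41)
""".splitlines()

if __name__ == "__main__":
    # Live use: tcpdump -n -l -i <interface> port 53 | python3 this_script.py
    # -n matters: without it tcpdump does its own reverse lookups, and those
    # show up in the capture as if the browser had made them.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for resolver, qtype, qname, kind in iter_dns_leaks(source):
        print(f"LEAK ({kind}): {qtype} {qname} sent in the clear to {resolver}")
```

With the tunnel up and remote DNS in effect, browsing should produce no output from this script when capturing on the outbound interface.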

  12. Thanks for bringing the reverse DNS issue up. Is there a way to send these through the proxy too?

    I’m going to a country which censors Internet and I should resolve this before leaving :)

    Comment by seamen — January 22, 2010 @ 1:18 am

  13. This is very good but how do I determine if I am using the remote host’s DNS server and not my ISP’s?

    Comment by Fooby — August 24, 2010 @ 11:35 am

  14. ‘This is very good but how do I determine if I am using the remote host’s DNS server and not my ISP’s?’

    Just comment every line in your resolv.conf, and see if you can browse.

    ‘I was doing a tcpdump on my own traffic while using ssh -D and network.proxy.socks_remote_dns set to TRUE in FF and I noticed that although forward lookups are sent through the proxy reverse lookups are not’

    I’ve just tried and it in fact leaks DNS reverse lookups for every site you visit.. any ideas on how to get rid of this?

    BTW, great post!

    Comment by slak — September 6, 2010 @ 3:29 pm

  15. FYI, I was trying to configure the same for the chromium-browser. It seems all I needed to do was start my ssh-tunneled proxy, configure ProxySwitchy, and make sure that DNS prefetching was turned off. Seemed like this was a good place to mention that ;-)


    Comment by Dustin Kirkland — December 1, 2010 @ 9:18 am

  16. I’m using the following script to start a Firefox session using an SSH tunnel:

    start "" /D "C:\Program Files\Mozilla Firefox" firefox.exe -no-remote -P myprofile
    plink -load mysession

    Saved in “mytunnel.cmd” for example.

    * “myprofile” is a valid profile in firefox (starting Firefox with a non-existing profile after the -P parameter will let you create one)
    * “mysession” is a valid saved Putty session

    Firefox configuration for the profile “myprofile”:
    * Choose Manual proxy configuration
    * In Socks host, enter
    * In Socks host port, enter any number greater than 1024 (say: 1234). DO NOT enter anything else, leave other fields empty. Save the settings.
    * In about:config set “network.proxy.socks_remote_dns = true” as stated in this article

    Putty configuration for the session “mysession”:
    * hostname or IP address: your server hostname (say
    * port: 22 (the default)
    * (optional) Connection > Data > login details > auto-login username: enter a valid username for so that you do not have to specify the username on login
    * (optional) Connection > SSH > Auth > Private Key for authentication: choose a valid private key file for so that you do not have to specify the password on login
    * Connection > Tunnels > Source port: enter 1234
    * Connection > Tunnels > Destination: click on Dynamic then click the Add button. “D1234” will appear in the Forwarded Ports section
    * Session > Saved sessions: enter mysession then click on the Save button.

    Now if everything has been done correctly, you should be able to start an SSH tunnel and launch Firefox by running the mytunnel.cmd script.

    Hope it will help someone someday!

    Comment by gbrl — December 22, 2011 @ 9:57 pm

  17. network.proxy.socks_remote_dns = true doesn’t appear in FF57’s about:config file

    Comment by Oscar — January 14, 2018 @ 11:50 am
