CentOS-6 : DNS Resolver For SSH Chrooted Accounts.


Our firm uses a dedicated virtual host to provide SSH tunnels for remote employee access to various internal services and for http/s access to the outside world. For security reasons I would like to have the remote users forward their DNS lookups over the tunnel as well. However, we recently chrooted a number of SSH users and these accounts cannot resolve DNS queries passed over the tunnel.

I infer from previous experience that the necessary libraries/binaries are not installed in the chroot home. I can install whatever is missing using yum --installroot=[path/to/chroot/home] but what I cannot determine is exactly what package(s) is/are required.

What is the minimal package set needed to enable chrooted users to perform DNS lookups on CentOS-6?
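As an added example (not from the original poster or the commenters), here is a bash script that does what the question asks, assuming a CentOS 6 x86_64 host with its libraries in /lib64 and the chroot path supplied by the caller. glibc's resolver loads the NSS modules named on the `hosts:` line of /etc/nsswitch.conf (libnss_files.so.2, libnss_dns.so.2 and so on) with dlopen at lookup time, and libnss_dns in turn loads libresolv.so.2; none of these show up in `ldd` of the chrooted binaries, which is why ssh and bash run fine in the chroot while name lookups silently fail. On CentOS 6 these modules ship in the glibc package (getent in glibc-common), so there is no smaller package to install with yum; the script copies just the needed files instead, which is the usual approach for an SSH chroot.

```bash
#!/bin/bash
# Added example: copy the glibc NSS resolver pieces into an SSH chroot and
# verify name resolution from inside it. Assumptions (not from the post):
# CentOS 6 x86_64 with libraries in /lib64; chroot path given by the caller.
set -eu

# Print the NSS module libraries named on the "hosts:" line of an
# nsswitch.conf, one per line, plus libresolv.so.2 when "dns" is listed
# (libnss_dns dlopen()s libresolv at lookup time). Comments and action
# tokens such as "[NOTFOUND=return]" are skipped.
nss_libs_for_hosts() {
    local conf="$1" line svc
    line=$(sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$conf" | head -n 1)
    for svc in $line; do
        case "$svc" in
            \[*|*\]) continue ;;
        esac
        echo "libnss_${svc}.so.2"
        if [ "$svc" = dns ]; then
            echo "libresolv.so.2"
        fi
    done | LC_ALL=C sort -u
}

# Copy the resolver configuration and the NSS modules the host actually uses
# into the chroot. Needs root. The config files are copies, not bind mounts,
# so rerun this whenever /etc/resolv.conf on the host changes.
install_resolver_into_chroot() {
    local root="$1" libdir="${2:-/lib64}" f lib
    mkdir -p "$root/etc" "$root$libdir" "$root/usr/bin"
    for f in /etc/nsswitch.conf /etc/resolv.conf /etc/hosts /etc/host.conf; do
        if [ -e "$f" ]; then
            cp -p "$f" "$root/etc/"
        fi
    done
    nss_libs_for_hosts /etc/nsswitch.conf | while read -r lib; do
        cp -p "$libdir/$lib" "$root$libdir/"
    done
    # getent (glibc-common) is a convenient in-chroot test client; it only
    # needs libc, which any chrooted shell has already brought in.
    if [ ! -x "$root/usr/bin/getent" ]; then
        cp -p /usr/bin/getent "$root/usr/bin/"
    fi
}

# Resolve a name from inside the chroot through glibc's resolver. A failure
# here, while the same name resolves on the host, means a module or config
# file is still missing inside the chroot.
verify_chroot_dns() {
    local root="$1" name="${2:-example.com}"
    chroot "$root" /usr/bin/getent hosts "$name"
}

# Usage (as root):
#   install_resolver_into_chroot /home/chroot
#   verify_chroot_dns /home/chroot www.example.com
```

`getent hosts` goes through the same NSS path as any other glibc program, so it is a faithful test of what the chrooted users' tools will see. If the host's `hosts:` line names a module that is not installed (for example `myhostname` on a box without it), the copy step fails loudly rather than leaving a half-working chroot. Note that whether the lookups then travel over the tunnel is decided by what /etc/resolv.conf points at, not by anything in the chroot itself.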

2 thoughts on - CentOS-6 : DNS Resolver For SSH Chrooted Accounts.

  • If by “ssh tunnel” you mean -L and -R, then you can’t do this. Those only support TCP, but you need UDP for DNS.

    DNS can also run over TCP, but it’s basically only done for bulk transfers, like zone updates between DNS servers. There may be a way to force your client OS’s DNS resolver to TCP-only, but you’ll miss out on third-party resolvers like the ones in Firefox and Chrome. (Yup! They don’t use the OS’s DNS resolver!)

    Another option with SSH is SOCKS5, which *does* support UDP, but requires that all the programs that use it speak SOCKS, which has been a dying protocol since NAT routers became common.

    FreeBSD and Mac OS X have OS-level SOCKS support that can force *most* application traffic across the configured SOCKS link, but as far as I can tell, such an OS-level SOCKS setting does not exist on Windows and Linux. Some Windows apps obey IE’s proxy settings, but it’s not universal, and on Linux, it’s pretty much every app for itself.

    SOCKS and SSH tunnels are fine for ad hoc VPN-like behavior, but if you really need to force all traffic through the tunnel, John’s right: a proper VPN is the correct solution.