dns interceptors

Steve Bertrand steve at ibctech.ca
Sat Feb 13 00:15:25 UTC 2010

Jim Richardson wrote:
> On Fri, Feb 12, 2010 at 2:15 PM, Randy Bush <randy at psg.com> wrote:
>> i just lost ten minutes debugging what i thought was a server problem
>> which turned out to be a dns trapper on the wireless in the changi sats
>> lounge.  this is not the first time i have been caught by this.
>> what are other roaming folk doing about this?
>> randy
> ssh tunnels to IP address

I sent this directly to Randy, but perhaps there are others who are
interested in doing this as well. For the archives (and my own

My DNS server doesn't listen on localhost (a prereq), so I'll use submit
port instead:

# on the roaming laptop (hereinafter 'client')

# -f == run in background
# steve@<host> is the submit server
# -L means map local port "587:" to "remote-host:port"
# -N means do not execute remote command
# (substitute your own host names for the placeholders)

client# ssh -f steve@<host> -L 587:<remote-host>:587 -N

...now I tell my local resolver (or in this case, my MUA) to use
localhost instead of the normal remote host. Note that I generally use
the standard ports on my localhost for this mapping. Doing so will not
work for things like HTTP etc, as we are focused squarely on accessing
resources located on our own equipment...

...SSH tunnelling even works over v6. The colon-separated address isn't
handled well within the port-mapping portion of the command, so we'll
use names instead:

pearl# dig aaaa smtp.ibctech.ca
smtp.ibctech.ca.        3598    IN      AAAA    2607:f118::b6


client# ssh -6 -f steve@smtp.ibctech.ca -L 587:smtp.ibctech.ca:587 -N

server# tcpdump -n -i lo0 port 587

client# telnet ::1 587
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 smtp.ibctech.ca ESMTP

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
19:01:20.529444 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: S 4152936854:4152936854(0) win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 3135691171 0>
19:01:20.529497 IP6 2607:f118::b6.587 > 2607:f118::b6.59842: S 3425118408:3425118408(0) ack 4152936855 win 65535 <mss 1440,nop,wscale 3,sackOK,timestamp 322067125 3135691171>
19:01:20.529532 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: . ack 1 win 8211 <nop,nop,timestamp 3135691171 322067125>
19:01:20.535727 IP6 2607:f118::b6.587 > 2607:f118::b6.59842: P 1:28(27) ack 1 win 8211 <nop,nop,timestamp 322067131 3135691171>
19:01:20.635335 IP6 2607:f118::b6.59842 > 2607:f118::b6.587: . ack 28 win 8211 <nop,nop,timestamp 3135691277 322067131>

...I love easy workarounds. I got sick and tired of fscking around a
long time ago with troubleshooting blocked/hijacked ports, so I thought
I'd bypass the problem by hijacking and re-routing the ports myself.
Port tunnelling like this is my default whenever I'm not at home. Even
on Windows it's easy...all my apps are portable.
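The ten-minute debugging session Randy describes is what a DNS trapper looks like from the inside: every name, including ones that cannot exist, resolves to the portal's own address. The following is an added example, not code from this post or from ibctech.ca. It asks a resolver for a name whose answer is already known (the AAAA record quoted above, smtp.ibctech.ca -> 2607:f118::b6) and for a name that should not resolve at all, then compares the two. The bogus name nx-7f3a9c.example and the portal address 2001:db8::1 are made up for the offline demo; the small wire-format parser handles the name-compression pointers real resolvers emit, and the constructed replies used for testing are built the same way.

```python
import ipaddress
import socket
import struct

# Assumptions for this illustration: the AAAA record quoted in the thread
# (smtp.ibctech.ca -> 2607:f118::b6) is the known-good answer; the bogus
# name and the portal address 2001:db8::1 are made up for the demo.
KNOWN_NAME, KNOWN_ADDR = "smtp.ibctech.ca", "2607:f118::b6"
BOGUS_NAME = "nx-7f3a9c.example"          # must never resolve on a clean network
QTYPE = {"A": 1, "AAAA": 28}

def build_query(name, qtype, txid=0x1234):
    """Plain recursive query: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode() for lab in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_answers(msg):
    """Return [(name, rtype, address-or-hex)] for the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        shown = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        answers.append((name, rtype, shown))
    return answers

def build_response(query, addrs, rcode=0):
    """Constructed reply for offline testing: echo the question and answer
    each address with a pointer (0xc00c) back to the question name."""
    qend = 12
    while query[qend] != 0:
        qend += query[qend] + 1
    question = query[12:qend + 5]                 # name, zero byte, type, class
    qtype = struct.unpack("!H", question[-4:-2])[0]
    header = query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        packed = ipaddress.ip_address(a).packed
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(packed)) + packed
    return header + question + rrs

def classify(known_answers, expected_addr, bogus_answers):
    """clean: known name correct and bogus name unanswered.
    trapper: bogus name answered with the same address the known name got.
    hijacked: known name answered, but not with the expected address."""
    known = {addr for _, _, addr in known_answers}
    bogus = {addr for _, _, addr in bogus_answers}
    if expected_addr in known and not bogus:
        return "clean"
    if bogus and bogus == known:
        return "trapper"
    if known and expected_addr not in known:
        return "hijacked"
    return "unknown"

def query_resolver(server, name, qtype, timeout=2.0):
    """Live UDP lookup against one resolver (not exercised offline)."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        q = build_query(name, qtype)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
        if resp[:2] != q[:2]:
            raise ValueError("transaction id mismatch")
        return parse_answers(resp)
```

On a real lounge network, feed `query_resolver(<resolver from DHCP>, KNOWN_NAME, "AAAA")` and the same for `BOGUS_NAME` into `classify`; a "trapper" verdict is exactly the behaviour the thread describes, and the cure is Jim's: ssh to the literal address. For IPv6 literals in the `-L` spec, ssh accepts the bracketed form `587:[2607:f118::b6]:587`, so names are not strictly required there.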


More information about the NANOG mailing list