If you are using a public/open wireless access point (in an Internet cafe, for instance), or if you live in a country whose government is not all that concerned about its citizens’ freedom, you sometimes find yourself wanting to hide your browsing behaviour from others.
I will describe a setup which lets you run your browser traffic through an encrypted tunnel. With Firefox, even your DNS lookups go through that tunnel instead of to the local (possibly monitored) DNS server. There is one catch: you need a shell account on a remote SSH server, and the tunnel only protects the path between you and that server; whatever leaves the server towards the Internet is as exposed as it would be from the server’s own network.
This article uses a lesser-known feature of OpenSSH: the ssh client can act as a SOCKS proxy (both SOCKS4 and SOCKS5 are supported).
Suppose you have a shell account “alien” on a remote server “safehaven.net”. Using ssh you can quickly set up a local SOCKS proxy with the following command (assuming you run it as non-root, the proxy can only listen on an unprivileged port, i.e. 1024 or higher):
$ ssh -D 8888 alien@safehaven.net
Once your ssh client has connected to the remote server, port 8888 on your local computer acts as a SOCKS proxy: everything sent through it travels encrypted to safehaven.net, which then connects to the real destination on your behalf. By default the proxy listens on the loopback address only, so other machines on the network cannot use it; add “-N” if you only want the tunnel and no remote shell.
Then configure Firefox to use a SOCKS proxy (manual proxy configuration in the Network/Connection Settings dialog); the proxy’s host is “127.0.0.1”, the port is of course “8888”, and select SOCKS v5.
This is enough to hide your browsing (the URLs you access as well as the data you retrieve in your browser) from anyone on the local network or on the path to safehaven.net. But… your computer still consults the locally configured DNS server for hostname lookups, and those queries are plaintext UDP that anyone on the network can sniff to work out which sites you visit. Even if your computer uses one of the many “free” public DNS services on the Internet (like Google’s 8.8.8.8 and 8.8.4.4), the lookups still cross the local network unencrypted and can be monitored or spoofed there.
So there is one more Firefox setting to change in order to alter its DNS lookup behaviour. In the Firefox address bar, type “about:config”, which shows the low-level configuration options for the browser, most of which are not accessible through the normal preferences GUI. Look for the entry:
network.proxy.socks_remote_dns
which is “false” by default. Change it to “true” by double-clicking it (newer Firefox versions expose the same setting as the “Proxy DNS when using SOCKS v5” checkbox in the proxy settings dialog). From then on, Firefox hands the hostname to the SOCKS proxy instead of resolving it locally, so the lookup is done by ssh on safehaven.net using that server’s resolver. Your local network now sees nothing but an SSH connection to safehaven.net. If you know that DNS lookups are being filtered or spoofed locally, this is your way around it, provided you trust the resolver on the remote side. A quick check: run “tcpdump -ni any port 53” while browsing; with the setting active you should see no DNS traffic from the browser at all.
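The whole procedure as a script, added here as an example; it is not part of the original post. It assumes the account alien@safehaven.net from the post as a placeholder, that curl is installed, and that the Firefox profile directory is passed on the command line when installing the prefs. The user.js lines are the file-based equivalent of the about:config steps above, and curl’s “--socks5-hostname” does for curl what socks_remote_dns does for Firefox: the hostname is sent to the proxy and resolved at the far end.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the account from the
# post (alien@safehaven.net) is a placeholder, curl is available, and the
# Firefox profile directory is given as an argument to "install".

SOCKS_HOST=127.0.0.1
SOCKS_PORT=8888
REMOTE=alien@safehaven.net

# The ssh command. -N: port forwarding only, no remote shell. Binding to an
# explicit 127.0.0.1 keeps the proxy off other interfaces and sidesteps the
# "bind: Cannot assign requested address" failure seen when ssh also tries
# to bind the IPv6 loopback ::1 on a host that has none.
ssh_socks_cmd() {
    printf 'ssh -N -D %s:%s %s\n' "$SOCKS_HOST" "$SOCKS_PORT" "$REMOTE"
}

# user.js equivalent of the about:config steps: manual proxy, SOCKS v5 via
# the tunnel, hostnames resolved by the proxy (socks_remote_dns = true).
firefox_user_js() {
    cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "$SOCKS_HOST");
user_pref("network.proxy.socks_port", $SOCKS_PORT);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# DNS leak check on a prefs file: succeeds only if remote DNS is switched on.
prefs_remote_dns_ok() {
    grep -Eq '^user_pref\("network\.proxy\.socks_remote_dns", *true\);' "$1"
}

# Fetch a URL through the tunnel with the hostname resolved on the remote
# side. "--socks5" instead of "--socks5-hostname" would resolve locally and
# leak the lookup exactly as the post describes.
curl_via_tunnel() {
    curl -sS --socks5-hostname "$SOCKS_HOST:$SOCKS_PORT" "$1"
}

case "${1:-}" in
install)
    # Write the prefs into the given profile; Firefox reads user.js at startup
    # and re-applies it every time, so it also undoes manual changes.
    profile="$2"
    firefox_user_js > "$profile/user.js"
    prefs_remote_dns_ok "$profile/user.js" && echo "remote DNS enabled in $profile/user.js"
    ;;
run)
    # Start the tunnel in the background, wait for the port, fetch $2, tear down.
    ssh -N -D "$SOCKS_HOST:$SOCKS_PORT" "$REMOTE" &
    pid=$!
    i=0
    while [ "$i" -lt 15 ] && ! curl -s --socks5-hostname "$SOCKS_HOST:$SOCKS_PORT" -o /dev/null "$2"; do
        i=$((i + 1)); sleep 1
    done
    curl_via_tunnel "$2"
    kill "$pid"
    ;;
*)
    # No arguments: define the functions only (safe to source or to test).
    ;;
esac
```

Usage: “sh socks.sh install ~/.mozilla/firefox/<profile>” writes the prefs, “sh socks.sh run https://example.org” brings the tunnel up and fetches the page through it. While the tunnel is running, “tcpdump -ni any port 53” on the local machine is the independent check that no lookup escapes.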
Eric
thank you a lot for the nice tip 🙂
That’s a useful tip, thanks Eric.
Thanks for the information
It is really very helpful.
I was using a Chrome extension called Proxy Switchy to do this same thing in Chrome. Unfortunately the developer has removed the built-in functionality and is instead relying on the OS. In KDE network settings I do not see SOCKS as an available proxy type. Is there a workaround for that?
I’ve been using this trick for quite a while, but only recently have I started getting a “bind: Cannot assign requested” error. Does this have something to do with the remote server into which I am logging? Can one configure sshd to prohibit “-D”? Thanks & happy Easter
I just figured out, courtesy of this StackExchange posting, that I need to force IPv4 with “-4”.