Old 05-24-2009, 10:04 AM   #1
Pawlu
LQ Newbie
Registered: May 2009
Location: Canada
Posts: 4
Tunneling DNS through SSH problem.


Hi, I have successfully set up an SSH tunnel connection using PuTTY and my OpenSSH server at home. I am simply forwarding TCP/FTP traffic through the encrypted port 22. I recently discovered that, although all traffic is encrypted through the tunnel, DNS requests are not. The workaround is to set the Firefox and Thunderbird option network.proxy.socks_remote_dns to true. When I turn this flag on, I get the following error from my SSH server: Forwarded connection refused by server: Administratively prohibited [open failed].

I know this is a DNS issue; however, I'm not sure where the problem exists. Is it my SSH server, my PuTTY SOCKS client, or possibly my home firewall?

Below is the configuration of my sshd_config file. Any direction or help will be much appreciated.

#Port 22
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

#now ssh is only used by rsync ==> auth by passwd file of rsync server
#AuthPassFile /etc/rsyncd.secrets

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

#DenyUsers admin

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
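An added check (example code, not from the original post or from OpenSSH) for reading a posted sshd_config the way sshd reads it: a line whose first non-blank character is # has no effect, and where a keyword appears more than once the first value wins (sshd_config(5)), which is the opposite of what people assume when they append a line at the end of the file. The keywords it reports are the ones that decide whether sshd will open the "direct-tcpip" channel behind a SOCKS (-D, PuTTY Dynamic) or -L forward; the OpenSSH defaults are AllowTcpForwarding yes, PermitOpen any and GatewayPorts no. The three config samples are constructed; the first mirrors the shape of the config above. On the live server, `sshd -T` (OpenSSH 5.1 or later, run as root) prints the effective values and is the authoritative check.

```python
"""Effective TCP-forwarding policy from an sshd_config (added example, not from the thread)."""

# OpenSSH defaults for the keywords that decide whether sshd will open the
# "direct-tcpip" channel behind a -L/-D (PuTTY Local/Dynamic) forward.
FORWARDING_DEFAULTS = {
    "allowtcpforwarding": "yes",
    "permitopen": "any",
    "gatewayports": "no",
}

def parse_sshd_config(text):
    """Return (globals, has_match) for the body of an sshd_config.

    Rules from sshd_config(5): blank lines and lines whose first non-blank
    character is '#' are ignored; for each keyword the FIRST value wins;
    everything after a 'Match' line is conditional and is not read here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # a commented-out directive has no effect
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return settings, True
        settings.setdefault(key, value)       # later duplicates are ignored
    return settings, False

def effective_forwarding(text):
    """Merge the parsed globals with OpenSSH defaults for the forwarding keywords."""
    settings, has_match = parse_sshd_config(text)
    effective = {k: settings.get(k, d) for k, d in FORWARDING_DEFAULTS.items()}
    effective["has_match"] = has_match
    return effective

# Constructed samples.  LIKE_THE_POST mirrors the shape of the config above:
# AllowTcpForwarding only appears commented out, so the default applies.
LIKE_THE_POST = """\
Protocol 2
MaxAuthTries 3
#AllowTcpForwarding yes
#GatewayPorts no
Subsystem sftp /usr/libexec/sftp-server
"""

# A common mistake: appending 'AllowTcpForwarding yes' after an earlier
# 'no' does nothing, because the first value read is the one sshd keeps.
FIRST_VALUE_WINS = """\
AllowTcpForwarding no
PermitOpen 127.0.0.1:80
AllowTcpForwarding yes
"""

# Globals say yes, but a Match block may say otherwise for some users.
WITH_MATCH = """\
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as f:
        result = effective_forwarding(f.read())
    for key, value in result.items():
        print("%-20s %s" % (key, value))
    if result["has_match"]:
        print("Match blocks present: confirm per user with  sshd -T -C user=<name>,host=<host>,addr=<addr>")
```

PermitOpen is collapsed to its first line here; on a real server `sshd -T | grep -i -e allowtcpforwarding -e permitopen` is the value to trust. A direct-tcpip request that PermitOpen does not cover is refused with the same "administratively prohibited" reply the first post shows, so this is the first thing to rule out before looking at DNS.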
 
Old 05-24-2009, 05:06 PM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Might try SOCKS first. With ssh you supply "-D localhost:$localport", in PuTTY set the "dynamic" option, for dynamic tunnelling.
 
Old 05-24-2009, 05:12 PM   #3
Pawlu
LQ Newbie
Registered: May 2009
Location: Canada
Posts: 4
Original Poster
Quote:
Originally Posted by unSpawn
Might try SOCKS first. With ssh you supply "-D localhost:$localport", in PuTTY set the "dynamic" option, for dynamic tunnelling.
Thanks unSpawn, yes, I have already tried the dynamic option in PuTTY: I simply set a high dynamic port number in the Source port field in PuTTY and add it. I then set the proxy server configuration in Firefox to point to that SOCKS host in the manual proxy configuration options of Firefox. That is what I have been doing so far, but it's not helping.

Any other ideas of why DNS resolution is failing?
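What the socks_remote_dns switch changes on the wire, as an added example (not code from the thread, from PuTTY or from OpenSSH): with it off, Firefox resolves the name itself, so the lookup goes out in the clear and the SOCKS5 CONNECT carries an IPv4 address (ATYP 0x01); with it on, the CONNECT carries the hostname (ATYP 0x03, RFC 1928) and the ssh/PuTTY end of the dynamic forward copies that string unchanged into the SSH "direct-tcpip" channel-open request (RFC 4254 section 7.2), so the name is resolved on the sshd host. An OpenSSH 5.x sshd answers any direct-tcpip open it cannot complete, whether refused by policy or because it could not resolve or connect to the host, with reason code 1 and the description "open failed", which PuTTY prints exactly as in the first post; only sshd's own log (the AUTH facility per the SyslogFacility/LogLevel settings above) says which of the two it was, as "the request was denied" versus "unknown host". The failure message below is constructed to match that text; the window and packet sizes and the 192.0.2.10 address are assumptions.

```python
"""What socks_remote_dns changes on the wire (added example, not code from the thread)."""
import struct

SOCKS_VER, SOCKS_CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_FAILURE = 92
SSH_OPEN_ADMINISTRATIVELY_PROHIBITED = 1   # RFC 4254 s5.1 reason codes
SSH_OPEN_CONNECT_FAILED = 2

def socks5_connect(target, port, remote_dns):
    """Build the SOCKS5 CONNECT request (RFC 1928 s4) a browser sends to the proxy.

    remote_dns=False: the browser already resolved the name and passes a
    dotted-quad (ATYP 0x01).  remote_dns=True (Firefox socks_remote_dns):
    it passes the name itself (ATYP 0x03) for the far end to resolve.
    """
    if remote_dns:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("name too long for a SOCKS5 domain address")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4]) + bytes(int(o) for o in target.split("."))
    return bytes([SOCKS_VER, SOCKS_CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_socks5_connect(req):
    """Decode a CONNECT request -> (host_or_ip, port, resolved_by_proxy)."""
    ver, cmd, _rsv, atyp = req[0], req[1], req[2], req[3]
    if ver != SOCKS_VER or cmd != SOCKS_CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, end, remote = ".".join(str(b) for b in req[4:8]), 8, False
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end, remote = req[5:5 + n].decode("ascii"), 5 + n, True
    else:
        raise ValueError("unsupported address type %#x" % atyp)
    (port,) = struct.unpack("!H", req[end:end + 2])
    return host, port, remote

def _ssh_string(b):
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack("!I", len(b)) + b

def direct_tcpip_open(host, port, sender_channel=0, orig_ip="127.0.0.1", orig_port=0):
    """SSH_MSG_CHANNEL_OPEN for a "direct-tcpip" channel (RFC 4254 s7.2).

    This is what the ssh/PuTTY end of a dynamic forward sends for each SOCKS
    CONNECT.  'host to connect' is a string, so an unresolved name travels to
    sshd verbatim and sshd, not the client, has to resolve it.
    """
    window, max_packet = 2 * 1024 * 1024, 32 * 1024   # assumed client values
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _ssh_string(b"direct-tcpip")
            + struct.pack("!III", sender_channel, window, max_packet)
            + _ssh_string(host.encode("ascii")) + struct.pack("!I", port)
            + _ssh_string(orig_ip.encode("ascii")) + struct.pack("!I", orig_port))

def parse_channel_open_failure(msg):
    """Decode SSH_MSG_CHANNEL_OPEN_FAILURE -> (reason_code, description)."""
    if msg[0] != SSH_MSG_CHANNEL_OPEN_FAILURE:
        raise ValueError("not a CHANNEL_OPEN_FAILURE message")
    _recipient, reason, dlen = struct.unpack("!III", msg[1:13])
    return reason, msg[13:13 + dlen].decode("utf-8")

# Constructed reply matching the text in the first post: reason code 1, which
# PuTTY prints as "Administratively prohibited", with description "open failed".
SAMPLE_OPEN_FAILURE = (bytes([SSH_MSG_CHANNEL_OPEN_FAILURE]) + struct.pack("!II", 0, 1)
                       + _ssh_string(b"open failed") + _ssh_string(b""))

if __name__ == "__main__":
    for remote, target in ((False, "192.0.2.10"), (True, "www.example.com")):
        req = socks5_connect(target, 443, remote)
        host, port, by_proxy = parse_socks5_connect(req)
        who = "sshd host" if by_proxy else "browser (local DNS, lookup leaves in the clear)"
        print("socks_remote_dns=%-5s CONNECT %s:%d  resolved by %s" % (remote, host, port, who))
        print("   direct-tcpip request:", direct_tcpip_open(host, port).hex())
    print("server reply decoded:", parse_channel_open_failure(SAMPLE_OPEN_FAILURE))
```

The proxy end is `ssh -D 1080 user@home` or PuTTY's Dynamic tunnel with source port 1080 (port assumed). Firefox then needs both the SOCKS v5 proxy set to 127.0.0.1:1080 and socks_remote_dns true; with only the first, every lookup is still the "resolved by browser" case above, and with both, the server that must be able to resolve public names is the sshd host, not the client.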
 
Old 05-24-2009, 05:46 PM   #4
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Your sshd_config AllowTcpForwarding is default so it must be Something Else. Only thing I can think of is a restrictive firewall on the SSH server or you calling the SSH server by its domain name (try IP address instead?).

Last edited by unSpawn; 05-24-2009 at 05:48 PM.
 
Old 05-24-2009, 07:05 PM   #5
jlamothe
LQ Newbie
Registered: Nov 2006
Location: Ontario, Canada
Distribution: Slackware
Posts: 24
Quote:
Originally Posted by unSpawn
Your sshd_config AllowTcpForwarding is default so it must be Something Else. Only thing I can think of is a restrictive firewall on the SSH server or you calling the SSH server by its domain name (try IP address instead?).
I'm pretty sure that on my box AllowTcpForwarding was set to no by default. Is it possible that you just changed this value but forgot to uncomment the line (remove the leading #)?

You might want to try that just for fun.
 
Old 05-24-2009, 07:24 PM   #6
Pawlu
LQ Newbie
Registered: May 2009
Location: Canada
Posts: 4
Original Poster
Quote:
Originally Posted by unSpawn
Your sshd_config AllowTcpForwarding is default so it must be Something Else. Only thing I can think of is a restrictive firewall on the SSH server or you calling the SSH server by its domain name (try IP address instead?).
Thanks unSpawn. I have no firewall on the SSH server; I only have a physical firewall, which is allowing TCP port 22 inbound. I am calling the SSH server by a domain name that I own, which resolves to the public IP address assigned to the external interface of my firewall, nothing fancy. The SSH server is behind the firewall.
 
Old 05-24-2009, 07:27 PM   #7
Pawlu
LQ Newbie
Registered: May 2009
Location: Canada
Posts: 4
Original Poster

Quote:
Originally Posted by jlamothe
I'm pretty sure that on my box AllowTcpForwarding was set to no by default. Is it possible that you just changed this value but forgot to uncomment the line (remove the leading #)?

You might want to try that just for fun.

Thanks jlamothe. I tried removing the leading # for AllowTcpForwarding; however, it made no difference. Keep in mind here that TCP forwarding is working no problem; it's just DNS that's failing. Keep the ideas flowing, any help is appreciated.
 
Old 05-28-2009, 04:16 PM   #8
orvaquim
LQ Newbie
Registered: Nov 2004
Posts: 17
Hope I understand what you ask.

You want to use remote DNS, is that it?

If so, an SSH tunnel does not permit forwarding UDP packets. There are people who found some workaround for it [http://www.wains.be/index.php/2007/0...-through-ssh/], but they are using Linux ssh clients.

Another workaround that I use is OpenVPN. Here I choose between using only OpenVPN or, if I can only use the ssh port, setting up the tunnel with ssh and forwarding the OpenVPN traffic over that tunnel.

Hope this helps
Caveman
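Since SSH forwards only TCP streams, the plain-SSH route for DNS (without OpenVPN) is to speak DNS over TCP, which every standards-compliant resolver accepts: the message is the same as over UDP, prefixed with a 2-byte big-endian length (RFC 1035 section 4.2.2, RFC 7766). The following is an added example, not from the thread or from the linked article. The resolver address 192.168.1.1 and local port 5353 are assumptions for an `ssh -L 5353:192.168.1.1:53 user@home` forward (in PuTTY, a Local tunnel with source port 5353 and destination 192.168.1.1:53); 192.0.2.10 and the reply bytes are constructed. It builds the query, frames it, and parses the answer; the network part runs only from the command line, and the constructed response lets the parser be exercised offline.

```python
"""DNS over TCP through an SSH port-forward (added example, not from the thread)."""
import os
import socket
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1

def build_query(name, txid, qtype=QTYPE_A):
    """Standard recursive query for `name` with the given 16-bit transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)

def tcp_frame(msg):
    """DNS over TCP: the UDP message prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def read_framed(sock):
    """Read one length-prefixed DNS message from a TCP socket."""
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, n)

def _skip_name(msg, off):
    """Advance past a name that may end in a compression pointer (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_records(msg, txid):
    """Return the IPv4 addresses in the answer section, after checking id and rcode."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid != txid:
        raise ValueError("transaction id mismatch (%#x != %#x)" % (qid, txid))
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tcp(name, server, port, timeout=5.0):
    """Send an A query over TCP, e.g. to the local end of an ssh -L forward."""
    txid = int.from_bytes(os.urandom(2), "big")   # random id, checked on the reply
    with socket.create_connection((server, port), timeout) as s:
        s.sendall(tcp_frame(build_query(name, txid)))
        reply = read_framed(s)
    return parse_a_records(reply, txid)

# Constructed reply for "www.example.com A": one record, 192.0.2.10, TTL 60,
# owner name compressed to a pointer at offset 12 (0xC00C).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))

if __name__ == "__main__":
    # usage: python3 dns_tcp.py www.example.com 127.0.0.1 5353
    name, server, port = sys.argv[1], sys.argv[2], int(sys.argv[3])
    print(resolve_over_tcp(name, server, port))
```

This is a query tool, not a system resolver: the lookups it makes travel inside the SSH session, but other programs on the Windows box still send UDP to whatever resolver the OS is configured with, so making the whole system use the tunnel needs a local UDP-listening stub that relays each query into the TCP forward. The browser-only case is simpler and needs none of this: socks_remote_dns over the dynamic forward already moves Firefox's lookups to the sshd host.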
 
  

