James B. Byrne
2016-Jan-11 17:25 UTC
[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
Our firm uses a dedicated virtual host to provide ssh tunnels for remote employee access to various internal services and for http/s access to the outside world. For security reasons I would like to have the remote users forward their dns lookups over the tunnel as well. However, we recently chrooted a number of ssh users and these accounts cannot resolve dns queries passed over the tunnel.

I infer from previous experience that the necessary libraries/binaries are not installed in the chroot home. I can install whatever is missing using yum --installroot=[path/to/chroot/home] but what I cannot determine is exactly what package(s) is/are required.

What is the minimal package set needed to enable chrooted users to perform dns lookups on CentOS-6?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
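The original post does not say which files the chroot is missing, so the following is an added example (not from the thread) that audits a chroot directory for the pieces glibc's stub resolver needs before any package is installed. It assumes a glibc-based system such as CentOS 6, where the resolver reads /etc/resolv.conf, /etc/hosts and /etc/nsswitch.conf relative to the chroot root and loads the NSS modules named on the "hosts:" line (libnss_files, libnss_dns) plus libresolv from the chroot's own lib directories; the lib directory names and the demo chroot it builds are assumptions, not taken from the post. On the host, `rpm -qf <path>` reports which package owns each file the audit flags as missing, which answers the "which package" question for that particular box.

```python
"""Audit a chroot for what glibc's resolver needs (added example, not from the thread)."""
import os
import re
import tempfile

# Usual glibc library locations inside a chroot (assumption: checked in this order).
LIB_DIRS = ("lib64", "lib", "usr/lib64", "usr/lib")
CONFIG_FILES = ("etc/resolv.conf", "etc/hosts", "etc/nsswitch.conf")


def hosts_sources(nsswitch_text):
    """Return the NSS sources on the 'hosts:' line, e.g. ['files', 'dns']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            # drop [NOTFOUND=return]-style action specs, keep the source names
            return re.sub(r"\[[^\]]*\]", " ", line[len("hosts:"):]).split()
    return []


def nameservers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    out = []
    for line in resolv_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append(fields[1])
    return out


def lib_present(root, prefix):
    """True if some file starting with `prefix` exists in one of the chroot's lib dirs."""
    for d in LIB_DIRS:
        path = os.path.join(root, d)
        if os.path.isdir(path) and any(n.startswith(prefix) for n in os.listdir(path)):
            return True
    return False


def audit_chroot(root):
    """Return a list of problems; an empty list means name resolution should work."""
    problems = []
    for rel in CONFIG_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            problems.append("missing %s" % rel)

    sources = []
    ns_path = os.path.join(root, "etc/nsswitch.conf")
    if os.path.isfile(ns_path):
        with open(ns_path) as f:
            sources = hosts_sources(f.read())
        if "dns" not in sources:
            problems.append("nsswitch.conf hosts line does not include 'dns'")
        for src in sources:  # each NSS source needs its shared object inside the chroot
            if not lib_present(root, "libnss_%s.so" % src):
                problems.append("missing libnss_%s.so for hosts source '%s'" % (src, src))

    rc_path = os.path.join(root, "etc/resolv.conf")
    if os.path.isfile(rc_path):
        with open(rc_path) as f:
            if not nameservers(f.read()):
                problems.append("resolv.conf has no nameserver line")

    if "dns" in sources and not lib_present(root, "libresolv.so"):
        problems.append("missing libresolv.so")
    return problems


def make_demo_chroot(with_dns=True):
    """Build a constructed minimal chroot in a temp dir (demo data, not a real system)."""
    root = tempfile.mkdtemp(prefix="chroot-demo-")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "lib64"))
    with open(os.path.join(root, "etc/hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(os.path.join(root, "etc/resolv.conf"), "w") as f:
        f.write("nameserver 192.0.2.53   # constructed address\n")
    with open(os.path.join(root, "etc/nsswitch.conf"), "w") as f:
        f.write("hosts: files %s\n" % ("dns" if with_dns else ""))
    libs = ["libnss_files.so.2"] + (["libnss_dns.so.2", "libresolv.so.2"] if with_dns else [])
    for name in libs:  # empty placeholders stand in for the real shared objects
        open(os.path.join(root, "lib64", name), "w").close()
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_chroot()
    for p in audit_chroot(target) or ["resolver prerequisites present"]:
        print(p)
```

Run it as `python audit.py /path/to/chroot` against the real chroot; with no argument it audits the constructed demo tree. Note that the audit checks for file presence only, not for matching library versions, so keep the chroot's glibc in step with the host's.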
John R Pierce
2016-Jan-11 17:37 UTC
[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
On 1/11/2016 9:25 AM, James B. Byrne wrote:
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world. For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well. However, we recently chrooted a number of ssh users and these
> accounts cannot resolve dns queries passed over the tunnel.

Use a proper VPN, like OpenVPN. ssh tunnels have way too many limitations.

--
john r pierce, recycling bits in santa cruz
Warren Young
2016-Jan-11 17:59 UTC
[CentOS] CentOS-6 : DNS resolver for ssh chrooted accounts.
On Jan 11, 2016, at 10:25 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>
> Our firm uses a dedicated virtual host to provide ssh tunnels for
> remote employee access to various internal services and for http/s
> access to the outside world. For security reasons I would like to
> have the remote users forward their dns lookups over the tunnel as
> well.

If by "ssh tunnel" you mean -L and -R, then you can't do this. Those only support TCP, but you need UDP for DNS.

DNS can also run over TCP, but it's basically only done for bulk transfers, like zone updates between DNS servers. There may be a way to force your client OS's DNS resolver to TCP-only, but you'll miss out on third-party resolvers like the ones in Firefox and Chrome. (Yup! They don't use the OS's DNS resolver!)

Another option with SSH is SOCKS5, which *does* support UDP, but requires that all the programs that use it speak SOCKS, which has been a dying protocol since NAT routers became common. FreeBSD and Mac OS X have OS-level SOCKS support that can force *most* application traffic across the configured SOCKS link, but as far as I can tell, such an OS-level SOCKS setting does not exist on Windows and Linux. Some Windows apps obey IE's proxy settings, but it's not universal, and on Linux, it's pretty much every app for itself.

SOCKS and SSH tunnels are fine for ad hoc VPN-like behavior, but if you really need to force all traffic through the tunnel, John's right: a proper VPN is the correct solution.
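The TCP-versus-UDP point above is concrete at the wire level: a -L forward carries a TCP byte stream, and DNS over TCP (RFC 1035, section 4.2.2) prefixes every message with a two-byte big-endian length that the plain UDP datagram does not have. The following is an added example, not code from the thread, that builds a query, shows the framing difference, parses a constructed reply, and includes a client that sends a TCP-framed query through a forwarded port such as `ssh -L 5353:resolver:53 gateway` (hostnames and port are assumptions). It is a demonstration of the framing a TCP-only resolver would have to perform, not a substitute for the VPN the replies recommend.

```python
"""DNS query framing for UDP vs TCP over an ssh -L forward (added example, not from the thread)."""
import socket
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query for `name` (A record by default), as sent over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame_for_tcp(msg):
    """Over TCP the same message is preceded by its 16-bit length; UDP sends it bare."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream):
    """Take one length-prefixed message off a TCP stream; returns (message, remainder)."""
    if len(stream) < 2:
        raise ValueError("short read")
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("truncated message")
    return stream[2:2 + n], stream[2 + n:]


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + n


def parse_a_answers(msg, expected_txid):
    """Return the IPv4 addresses in the answer section of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def build_sample_response(query, addr="192.0.2.10"):
    """Constructed reply (not captured traffic) answering `query` with one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, rcode 0
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer  # echo the question, then the answer


def query_over_tcp(name, server="127.0.0.1", port=5353, timeout=5.0):
    """Resolve `name` through a TCP port forward (assumed: ssh -L 5353:resolver:53 gateway)."""
    q = build_query(name)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame_for_tcp(q))
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                raise ValueError("connection closed before a full reply")
            buf += chunk
            try:
                msg, _ = unframe_from_tcp(buf)
                break
            except ValueError:
                continue  # keep reading until the length prefix is satisfied
    return parse_a_answers(msg, struct.unpack("!H", q[:2])[0])


if __name__ == "__main__":
    q = build_query("intranet.example")  # constructed name
    print("udp bytes:", len(q), " tcp bytes:", len(frame_for_tcp(q)))
    print("parsed:", parse_a_answers(build_sample_response(q), 0x1234))
```

Only a client that explicitly opens a TCP connection, as `query_over_tcp` does, gets to use the forward; the operating system's stub resolver and any application-internal resolver will keep sending bare UDP datagrams, which is exactly the limitation the reply describes.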