Solved!
on August 22, 2010, 05:57 PM UTC — from yliu
I managed to get a version of proxychains running on OS X 10.6, after fixing all of its weird library load errors (due to hard-coded library paths in proxychains/proxyresolv's wrapper scripts). Unfortunately, though it correctly connects to an external DNS server via my SOCKS 5 server and reports data OK, it ends up reporting that no websites actually exist:
|DNS-request| yimingliu.com
|S-chain|-<>-169.254.161.1:40000-<><>-4.2.2.2:53-<><>-OK
|DNS-response|: google.com is not exist
google.com: Address family for nodename not supported
Not sure which universe you live in, proxychains, but there is no way that google.com "is not exist".
- yliu on August 22, 2010, 05:57 PM UTC
As of the time of this writing, the so-called "DNS tunneling" in proxyresolv is nothing more than an exec() call to the popular DNS tool dig. It doesn't actually use SOCKS 5's domain name resolution feature.
Proxyresolv is basically hard-coded to exec() to dig, using the public DNS server 4.2.2.2, and scraping the dig output via awk. It manages to do this very badly.
Here's the dig output:
; <<>> DiG 9.6.0-APPLE-P2 <<>> google.com @4.2.2.2 +tcp
;;;...blah blah...
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 247 IN A 66.249.89.104
google.com. 247 IN A 66.249.89.99
;; ...blah blah...
And here's the awk invocation in the proxyresolv shell script:
dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
See, the problem is that by trying to pick up any numeric sequences after an occurrence of "A" (and blatantly including the semicolon'ed lines, which denote comment lines rather than output), it actually picks up the first line of dig output on OS X. You know, where the "A" appears in "APPLE-P2"...
And here's the output from that awk:
<<>>
66.249.89.104
66.249.89.99
Instead, if you changed that line into something more reasonable by excluding comment lines:
dig $1 @$DNS_SERVER +tcp | awk '/^[^;].+A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
It should no longer fail so horribly. Remember, this only works for the current version of dig on OS X 10.6. If dig changes its output format, in the worst case that whole expression would have to be rewritten.
In the long run, hard-coding parsing expressions and presuming dig output will never change is a rather unfortunate idea. I don't think you can get away with not resolving hostnames via SOCKS 5's built-in capability. Further, hard-coding the DNS server to use is a pretty terrible idea too.
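An added example, not part of the original post or of proxychains: the original awk expression next to a field-based parse, run over the dig output quoted above (embedded as a constructed sample with the elided lines left out). The function names are hypothetical; the field-based version skips comment lines and accepts a line only when field 3 is IN, field 4 is exactly A, and field 5 is a full dotted quad.

```shell
#!/bin/sh
# Constructed sample: the dig output quoted in the post, elided lines omitted.
sample_dig_output() {
cat <<'EOF'
; <<>> DiG 9.6.0-APPLE-P2 <<>> google.com @4.2.2.2 +tcp
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 247 IN A 66.249.89.104
google.com. 247 IN A 66.249.89.99
EOF
}

# The expression from the proxyresolv script: any line with an "A" followed
# later by something that looks like the start of a dotted quad. The banner
# line matches via "APPLE-P2" and "4.2.2.2", so its fifth field is printed.
parse_original() {
    awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
}

# Field-based parse (hypothetical helper): test the record's own fields
# instead of searching the whole line for a pattern.
parse_a_records() {
    awk '
        /^;/ { next }                                  # dig comment lines
        NF >= 5 && $3 == "IN" && $4 == "A" &&
        $5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $5 }
    '
}

# Print the first address, or return non-zero when there is none, so a
# caller can tell "no answer" apart from a parsed address.
first_a_record() {
    addr=$(parse_a_records | head -n 1)
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

echo "original: $(sample_dig_output | parse_original | tr '\n' ' ')"
echo "by field: $(sample_dig_output | parse_a_records | tr '\n' ' ')"
```

This still depends on dig's record layout, so the post's longer-term point about resolving names through the SOCKS 5 server itself stands.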
Comments
Although it's two years later, there's now a better solution to this since proxychains is still having DNS resolving issues. Try proxychains4: https://github.com/haad/proxychains
Best part: works on OS X right off the bat.
— szero on April 04, 2012, 07:55 PM UTC