tun2proxy / tun2proxy

Tunnel (TUN) interface for SOCKS and HTTP proxies

Selective Traffic Routing with tun2proxy

dvir101 opened this issue · comments

Hey @blechschmidt :)

I’m curious if tun2proxy can be used similarly to Proxifier. Specifically, I’m looking to route traffic for a specific list of domains through a SOCKS proxy. The domains I want to route through the tun interface can only be resolved internally through a private DNS server that isn’t exposed to the internet, so basic iptables rules won’t work. My goal is to ensure these domains are resolved via the SOCKS proxy and that only their associated traffic is routed through the tun interface. All other traffic should flow normally without passing through the tun interface.

Would this be feasible with tun2proxy as it currently stands, or would it require additional functionality? Any guidance or suggestions you can provide would be greatly appreciated.

Thank you for your hard work on this project. It’s made a significant difference in my networking toolkit.

Best regards,

Dvir

Hi @dvir101,

thank you for your kind words. Unfortunately, this is not possible with the current feature set. To resolve DNS names through the proxy, tun2proxy's built-in DNS resolver has to be used. This is what virtual DNS does. Whenever it sees a DNS query, it replies with an IP address from 198.18.0.0/15 (currently hardcoded) and remembers an IP address to name mapping for the queried DNS name. Whenever we see a connection to that IP address, we then ask the proxy to connect to the DNS name instead of the IP address.

However, we currently lack the functionality to forward DNS queries to the configured system resolver (which could be obtained by reading the corresponding system configuration, e.g. /etc/resolv.conf on Linux) and we lack the functionality to tell the DNS proxy to differentiate between specific domains.

Logically, implementing that functionality would be quite straightforward:

  1. Implement some data structure (e.g. a domain trie or hash set) that is filled with the domains that should be resolved through the proxy.
  2. If a domain should be resolved through the proxy, just use virtual DNS.
  3. Otherwise, forward the query to the system's DNS resolver.

What would be crucial here is to not make use of --setup, which would automatically set up a route for 0.0.0.0/0 through the tunnel interface. Instead, only 198.18.0.0/15 should be configured to be routed through the tunnel interface. Then, virtual DNS would return IP addresses from that space and connections would always go through the tunnel. Other connections not destined to an IP from that space would not be routed through the tunnel.

EDIT: If the installation of additional software is acceptable, the following should work.

  1. Use tun2proxy without --setup, but with virtual DNS.
  2. Set up the following routes to go through the tunnel interface: 1.2.3.4 and 198.18.0.0/15
  3. Install PowerDNS recursor and configure forward zones for the names you wish to route through the proxy as described at https://doc.powerdns.com/recursor/settings.html#forward-zones. The forward zones should use 1.2.3.4 as DNS server.
  4. Make sure your system is configured to use PowerDNS recursor.

Kind regards,
Birk
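The split-DNS policy sketched in the reply above (a suffix set for the domains that should go through the proxy, virtual DNS answering out of 198.18.0.0/15 for those, everything else forwarded to the system resolver, and the reverse IP-to-name map consulted when a connection to a synthetic address reaches the tunnel), written out as an added example. This is not tun2proxy's own code; the struct and function names, the allocation strategy (sequential, refusing when the /15 is exhausted) and the domain names such as corp.example are assumptions made for the example.

```rust
// Added example, not code from tun2proxy: a split-DNS policy for a virtual DNS
// front end. Allow-listed names get a synthetic address from 198.18.0.0/15
// (the RFC 2544 benchmarking range tun2proxy's virtual DNS uses) and are
// remembered so a later connection to that address can be turned back into
// a connect-by-name request to the proxy. All other queries are marked for
// forwarding to the system resolver unchanged. Names below are made up.
use std::collections::{HashMap, HashSet};
use std::net::Ipv4Addr;

const POOL_BASE: u32 = u32::from_be_bytes([198, 18, 0, 0]); // 198.18.0.0/15
const POOL_PREFIX_LEN: u32 = 15;
const POOL_ADDRS: u32 = 1 << (32 - POOL_PREFIX_LEN);

/// Outcome of the policy decision for one query.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Resolution {
    /// Answer with a synthetic address; the host must route 198.18.0.0/15 into the tunnel.
    Virtual(Ipv4Addr),
    /// Leave the query alone and send it to the system resolver (e.g. /etc/resolv.conf).
    ForwardToSystem,
}

/// True if `ip` lies in the virtual pool, i.e. traffic to it belongs in the tunnel.
pub fn in_pool(ip: Ipv4Addr) -> bool {
    u32::from(ip) >> (32 - POOL_PREFIX_LEN) == POOL_BASE >> (32 - POOL_PREFIX_LEN)
}

/// Lower-case and strip the trailing dot so "Git.Corp.Example." equals "git.corp.example".
fn normalize(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

pub struct SplitDns {
    proxied: HashSet<String>,            // allow-listed suffixes, normalised
    name_to_ip: HashMap<String, Ipv4Addr>,
    ip_to_name: HashMap<Ipv4Addr, String>,
    next_offset: u32,                    // next unused index into the pool
    capacity: u32,                       // highest offset that will be handed out
}

impl SplitDns {
    pub fn new(suffixes: &[&str]) -> Self {
        // Offset 0 is the network address of the pool; it is never handed out.
        Self::with_capacity(suffixes, POOL_ADDRS - 1)
    }

    /// Same as `new` but with a smaller pool, which makes exhaustion easy to exercise.
    pub fn with_capacity(suffixes: &[&str], capacity: u32) -> Self {
        SplitDns {
            proxied: suffixes.iter().map(|s| normalize(s)).collect(),
            name_to_ip: HashMap::new(),
            ip_to_name: HashMap::new(),
            next_offset: 1,
            capacity: capacity.min(POOL_ADDRS - 1),
        }
    }

    /// Suffix match on label boundaries: "git.corp.example" matches "corp.example",
    /// "notcorp.example" does not. One hash lookup per label, so it stays cheap.
    fn is_proxied(&self, name: &str) -> bool {
        let mut rest = name;
        loop {
            if self.proxied.contains(rest) {
                return true;
            }
            match rest.find('.') {
                Some(i) => rest = &rest[i + 1..],
                None => return false,
            }
        }
    }

    /// Decide what to do with a query for `qname`. Repeated queries for the same
    /// name get the same synthetic address, so cached answers stay consistent.
    pub fn resolve(&mut self, qname: &str) -> Result<Resolution, &'static str> {
        let name = normalize(qname);
        if !self.is_proxied(&name) {
            return Ok(Resolution::ForwardToSystem);
        }
        if let Some(ip) = self.name_to_ip.get(&name) {
            return Ok(Resolution::Virtual(*ip));
        }
        if self.next_offset > self.capacity {
            // A production implementation would recycle idle entries; here we refuse
            // rather than silently answer from outside the range routed into the tunnel.
            return Err("virtual DNS pool exhausted");
        }
        let ip = Ipv4Addr::from(POOL_BASE + self.next_offset);
        self.next_offset += 1;
        self.name_to_ip.insert(name.clone(), ip);
        self.ip_to_name.insert(ip, name);
        Ok(Resolution::Virtual(ip))
    }

    /// Called when a connection to `dst` is seen on the tunnel: the proxy is asked to
    /// connect to the original name and port, never to the synthetic address itself.
    pub fn proxy_target(&self, dst: Ipv4Addr, port: u16) -> Option<String> {
        self.ip_to_name.get(&dst).map(|n| format!("{}:{}", n, port))
    }
}

fn main() {
    let mut dns = SplitDns::new(&["corp.example"]);
    println!("{:?}", dns.resolve("git.corp.example"));
    println!("{:?}", dns.resolve("example.com"));
    println!("{:?}", dns.proxy_target(Ipv4Addr::new(198, 18, 0, 1), 443));
}
```

The routing side of the reply is what makes this safe: with only 198.18.0.0/15 routed to the tun device and no 0.0.0.0/0 route, a `ForwardToSystem` answer produces a real address that the kernel sends out the normal interface, while a `Virtual` answer can only ever reach the tunnel. `in_pool` is the check a packet handler would apply before consulting `proxy_target`, so a stray packet to an unmapped pool address is dropped instead of being proxied by IP.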

Perhaps this script can help.

#!/bin/sh
# Fragment as posted: assumes the namespace named in $netns already exists
# and that a veth0 end has already been moved into it.
set -eu
netns="${1:?usage: $0 <netns>}"

# Address the veth end inside the child namespace and bring it up
ip netns exec "$netns" ip addr add 10.0.0.3/24 dev veth0
ip netns exec "$netns" ip addr add 10.0.0.4/24 dev veth0
ip netns exec "$netns" ip link set dev veth0 up
# Configure lo interface in child ns
ip netns exec "$netns" ip addr add 127.0.0.1/8 dev lo
ip netns exec "$netns" ip link set dev lo up