I started a ShadowSocks (SOCKS5) tproxy and configured iptables to route all the traffic towards it. It is working and listening to traffic; I can access webpages by directly typing in the IP address. However, it's not resolving any domain/DNS requests.
I tested the network with the following commands, which supposedly means that the network is working and it's just DNS that is not working. Note that everything is perfectly fine if I just use the normal proxy of ShadowSocks.
I started the tproxy with this command: ss-redir -s ServerIP -p ServerPort -m EncryptionMethod -k MyPasswd -b 127.0.0.1 -l 60080 --no-delay -u -T -v
I'm using Ubuntu 24.04 Noble on a gen 6+ kernel.
$ nc -vz 172.217.163.46 80
Connection to 172.217.163.46 80 port [tcp/http] succeeded!
$ nc -vz 172.217.163.46 443
Connection to 172.217.163.46 443 port [tcp/https] succeeded!
$ nc -v -u 127.0.0.1 60080
Connection to 127.0.0.1 60080 port [udp/*] succeeded!
$ nc -zvu 8.8.8.8 53
Connection to 8.8.8.8 53 port [udp/domain] succeeded!
$ wget 172.217.163.46
--2024-11-06 18:05:45-- http://172.217.163.46/
Connecting to 172.217.163.46:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2024-11-06 18:05:45-- http://www.google.com/
Resolving www.google.com (www.google.com)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘www.google.com’
$ dig google.com @1.1.1.1
;; communications error to 1.1.1.1#53: timed out
Here is the iptables config:
##################### SSREDIR #####################
iptables -t mangle -N SSREDIR
# connection-mark -> packet-mark
iptables -t mangle -A SSREDIR -j CONNMARK --restore-mark
iptables -t mangle -A SSREDIR -m mark --mark 0x2333 -j RETURN
# ignore traffic sent to ss-server
iptables -t mangle -A SSREDIR -p tcp -d ServerIP --dport ServerPort -j RETURN
iptables -t mangle -A SSREDIR -p udp -d ServerIP --dport ServerPort -j RETURN
# ignore traffic sent to reserved addresses
iptables -t mangle -A SSREDIR -d 0.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 10.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 100.64.0.0/10 -j RETURN
iptables -t mangle -A SSREDIR -d 127.0.0.0/8 -j RETURN
iptables -t mangle -A SSREDIR -d 169.254.0.0/16 -j RETURN
iptables -t mangle -A SSREDIR -d 172.16.0.0/12 -j RETURN
iptables -t mangle -A SSREDIR -d 192.0.0.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.0.2.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.88.99.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 192.168.0.0/16 -j RETURN
iptables -t mangle -A SSREDIR -d 198.18.0.0/15 -j RETURN
iptables -t mangle -A SSREDIR -d 198.51.100.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 203.0.113.0/24 -j RETURN
iptables -t mangle -A SSREDIR -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A SSREDIR -d 240.0.0.0/4 -j RETURN
iptables -t mangle -A SSREDIR -d 255.255.255.255/32 -j RETURN
# mark the first packet of the connection
iptables -t mangle -A SSREDIR -p tcp --syn -j MARK --set-mark 0x2333
iptables -t mangle -A SSREDIR -p udp -m conntrack --ctstate NEW -j MARK --set-mark 0x2333
# packet-mark -> connection-mark
iptables -t mangle -A SSREDIR -j CONNMARK --save-mark
##################### OUTPUT #####################
# proxy the outgoing traffic from this machine
iptables -t mangle -A OUTPUT -p tcp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables -t mangle -A OUTPUT -p udp -m addrtype --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
##################### PREROUTING #####################
# proxy traffic passing through this machine (other->other)
iptables -t mangle -A PREROUTING -p tcp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
iptables -t mangle -A PREROUTING -p udp -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSREDIR
# hand over the marked package to TPROXY for processing
iptables -t mangle -A PREROUTING -p tcp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
iptables -t mangle -A PREROUTING -p udp -m mark --mark 0x2333 -j TPROXY --on-ip 127.0.0.1 --on-port 60080
ip route add local default dev lo table 100
ip rule add fwmark 0x2333 table 100
ip rule del table 100 &>/dev/null
ip route flush table 100 &>/dev/null
dnsmasq would work well.
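Added check, my own script rather than anything from the question or from the shadowsocks project: a locally generated UDP packet (the DNS query to 8.8.8.8:53) only reaches the PREROUTING TPROXY rule if the fwmark rule and the "local default dev lo" route in table 100 exist when the packet is routed, and the "ip rule del" / "ip route flush" lines remove exactly those two entries if they run after the "add" lines as listed. The script parses the text of "ip rule show", "ip route show table 100" and "ss -uln" (sample outputs below are constructed) and reports which piece of the UDP path is missing; mark, table and port are the ones from the question.

```shell
#!/bin/sh
# Added diagnostic (not from the question or from shadowsocks): checks the three
# things a locally generated UDP packet (e.g. DNS to 8.8.8.8:53) needs before the
# PREROUTING TPROXY rule can hand it to ss-redir. Mark, table and port match the
# question; the sample outputs at the bottom are constructed.
MARK="0x2333"
TABLE="100"
UDP_PORT="60080"

# 0 if `ip rule show` output contains "fwmark 0x2333 lookup 100" (any priority).
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark ${MARK}(/0x[0-9a-f]+)? +lookup ${TABLE}( |$)"
}

# 0 if `ip route show table 100` output sends everything to lo as a local route.
has_local_route() {
    printf '%s\n' "$1" | grep -Eq "^local default dev lo( |$)"
}

# 0 if `ss -uln` output shows a UDP socket bound on the TPROXY port.
has_udp_listener() {
    printf '%s\n' "$1" | grep -Eq "^UNCONN .*:${UDP_PORT} "
}

# Runs all checks on the given command outputs; prints each missing piece and
# returns the number of missing pieces (0 means the UDP path is fully set up).
check_tproxy_udp_path() {
    rules="$1"; routes="$2"; sockets="$3"; missing=0
    has_fwmark_rule "$rules" || { echo "missing: ip rule add fwmark $MARK table $TABLE"; missing=$((missing + 1)); }
    has_local_route "$routes" || { echo "missing: ip route add local default dev lo table $TABLE"; missing=$((missing + 1)); }
    has_udp_listener "$sockets" || { echo "missing: UDP listener on port $UDP_PORT (ss-redir started with -u?)"; missing=$((missing + 1)); }
    return "$missing"
}

# Live run on the current host (read-only commands, no root needed).
check_live() {
    check_tproxy_udp_path "$(ip rule show)" "$(ip route show table "$TABLE")" "$(ss -uln)"
}

# Constructed sample outputs for an offline demonstration.
RULES_OK="0:	from all lookup local
32765:	from all fwmark 0x2333 lookup 100
32766:	from all lookup main"
ROUTES_OK="local default dev lo scope host"
SOCKETS_OK="State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      127.0.0.1:60080    0.0.0.0:*"
```

Run check_live on the box to test the real state; a non-zero return value is the number of missing pieces.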