Surfing Economically: Adding a Local DNS Server to OS X Tiger & Hooking up a Caching Proxy

I first came across the idea of running a local DNS server while running Debian and reading what Ubuntu heads were doing to speed up their navigation. I never gave it much thought, until I had to configure a custom Debian install to surf via a 3G mobile modem. I spent a day investigating how to do it manually, only to find out it really is pretty easy, if you know what you’re doing. This Debian article is coming (it’s here!).

Anyway, on to this OS X article. I thought to myself that, considering the lousy service that VTR has given me over the years, I don’t know why I hadn’t done this on my Macs running OS X before. It’s even more compelling considering that surfing has always been slow on Macs, in my experience and that of others. So, I looked into the matter.

Some enthusiasts might (and do) protest the opinion that surfing on a Mac is slow, insisting it’s quite fast despite anecdotal evidence to the contrary. They might also point this article out. If what that article says is true, OS X might not benefit all that much from having a local DNS server. Even so, I had a go at it.

The confusing bit about installing a local DNS server on OS X is that most articles aren’t even Tiger related (yes, I do run one computer on Tiger), and when they are Tiger specific they cover BIND, which is not all that great unless you never plan to turn your computer off: BIND does not retain its records after a reboot.

Luckily, there is another option. It’s called pdnsd, and it’s what I’ve used on Debian. Make sure you have Apple’s developer tools installed before attempting to compile it, though.

The general scheme proposed is as follows.

browser -> Polipo -> local DNS server

The browser talks to Polipo, which caches what you fetch (commonly browsed pages load faster, and bandwidth isn’t wasted downloading the same elements over and over again). Polipo in turn sends its DNS requests to the local server, so you don’t wait on remote DNS servers (which takes time) that may be slow or overworked (creating further lag).

A side benefit is that you’re less likely to be tracked through DNS server requests, something that even “democratic” governments are reported to perform. In any case, surfing under the radar is not the topic herein.

(This article assumes you have a DSL style modem.)

Note: Although it’s not the subject at hand, I should warn that running a local DNS server is not recommended for Tor use. It poses a security threat.

Install pdnsd

Download and decompress the source pdnsd package from <http://www.phys.uu.nl/~rombouts/pdnsd/dl.html>.

cd pdnsd-1.2.8

./configure --sysconfdir=/etc --with-target=BSD --with-random-device=/dev/urandom

make

sudo make install

Select & write a /etc/pdnsd.conf file

sudo nano /etc/pdnsd.conf

Insert the chosen pdnsd.conf set-up into the file opened in the editor. There are various .conf file configurations at <http://web.mac.com/brianwells/main/pdnsd.html>; you can use one as a template (they list a different cache), but they didn’t work with my ADSL set-up, so I created the following.

global {
        perm_cache=2048;
        cache_dir="/var/cache/pdnsd";
        max_ttl=604800;
        paranoid=on;
        server_port=53;
        server_ip="127.0.0.1";
        # one run_as only; "nobody" matches the owner given to cache_dir further down
        run_as="nobody";
}

server {
        label=OpenDNS;
        ip=208.67.222.222;
        ip=208.67.220.220;
        timeout=30;
        interval=30;
        uptest=ping;
        ping_timeout=50;
        purge_cache=off;
}

For a more configurable set-up, the following should allow the selective use of the root (external) DNS servers for chosen names: replace .mybank.com with whatever site you want resolved through an external look-up rather than the local cache. This is considered a safer practice than doing security-sensitive look-ups locally. The problem is that my DNS server refuses to let my proxy connect with this sort of configuration (see the /etc/pdnsd.conf file below). There may be a very good reason for this, so attempt at your own risk. One likely reason: if policy=excluded and include=".mybank.com" land in the same server section as the OpenDNS addresses, that section only answers for names under .mybank.com and nothing else resolves; they belong in a server section of their own.

global {
        perm_cache=2048;
        cache_dir="/var/cache/pdnsd";
        max_ttl=604800;
        paranoid=on;
        server_port=53;
        server_ip="127.0.0.1";
        # one run_as only; "nobody" matches the owner given to cache_dir further down
        run_as="nobody";
}

server {
        label="OpenDNS";
        ip=208.67.222.222;
        ip=208.67.220.220;
        timeout=30;
        interval=30;
        uptest=ping;
        ping_timeout=50;
        purge_cache=off;
}

# Separate section for the root servers: policy=excluded means this section
# is used only for the names listed with include=, here .mybank.com.
# The label is added here; the page gives none. pdnsd also needs ip= entries
# for the root servers in this section, which the page does not supply.
server {
        label="root-servers";
        uptest=none;
        timeout=5;
        purge_cache=off;
        preset=off;
        root_server=on;
        randomize_servers=on;
        policy=excluded;
        include=".mybank.com";
}
If you want to improve the security of the standard install, and perhaps safely do banking with the standard /etc/pdnsd.conf file (see above), you might want to consider the always informative Arch Linux wiki on the matter.
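Merging server sections by hand makes it easy to end up with the same option twice in one section, and the page does not say which value pdnsd then uses. The following check is an added example (my script, not the page's own or pdnsd's) that flags repeated options per section so you can resolve them before loading the service. ip= is exempt because a server section legitimately lists several addresses. The configuration inside the script is a constructed sample, not a file from a real machine.

```sh
#!/bin/sh
# Flag option keys that appear more than once inside one pdnsd.conf section.
# Constructed sample: global repeats run_as and server repeats timeout.
SAMPLE_CONF='global {
        perm_cache=2048;
        run_as="pdnsd";
        server_ip="127.0.0.1";
        run_as = nobody;
}
server {
        label=OpenDNS;
        ip=208.67.222.222;
        ip=208.67.220.220;
        timeout=30;
        timeout = 5;
}'

# Reads a pdnsd.conf on stdin; prints "section:key" once per repeated key.
pdnsd_dup_keys() {
    awk '
        /^[[:space:]]*(#|\/\/)/ { next }                    # comment lines
        /^[[:space:]]*[A-Za-z_]+[[:space:]]*[{]/ {          # e.g. "server {"
            sec = $1; sub(/[[:space:]]*[{].*/, "", sec)
            for (k in seen) delete seen[k]
            next
        }
        /^[[:space:]]*[}]/ { sec = ""; next }               # section end
        sec != "" && /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/[[:space:]]/, "", key)
            if (key == "ip" || key == "") next              # several ip= lines are fine
            if (seen[key]++ == 1) print sec ":" key
        }
    '
}

# Number of repeated keys in the constructed sample (expected: 2).
pdnsd_dup_count() {
    printf '%s\n' "$SAMPLE_CONF" | pdnsd_dup_keys | wc -l | tr -d ' '
}

# Real use: sh pdnsd-dups.sh /etc/pdnsd.conf
if [ -n "${1:-}" ]; then
    pdnsd_dup_keys < "$1"
fi
```

Run it against /etc/pdnsd.conf after every edit; an empty result means each option is set once per section.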


Create the service

You need to set a daemon up to get the service to auto-magically start running on boot-up.

Create a file for the daemon.

sudo nano /Library/LaunchDaemons/pdnsd.plist

Include the following contents.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>pdnsd</string>
        <key>OnDemand</key>
        <!-- the boolean below is not on the page; false keeps pdnsd running rather than starting it on demand -->
        <false/>
        <key>Program</key>
        <string>/usr/local/sbin/pdnsd</string>
        <key>ServiceDescription</key>
        <string>pdnsd - a proxy DNS server with permanent caching</string>
</dict>
</plist>

Permissions

Make sure your permissions are correct.

sudo chown root /etc/pdnsd.conf

sudo chown nobody /var/cache/pdnsd/

sudo chown root /Library/LaunchDaemons/pdnsd.plist

sudo chmod 644 /Library/LaunchDaemons/pdnsd.plist
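To confirm the ownership and mode from the steps above without re-running them as root, here is an added read-only check (my script, not the page's). It assumes the paths the page uses (/etc/pdnsd.conf, /var/cache/pdnsd, /Library/LaunchDaemons/pdnsd.plist) and relies only on the mode string in field 1 and the owner in field 3 of "ls -ld", which both Tiger's BSD ls and GNU ls print.

```sh
#!/bin/sh
# Read-only verification of the chown/chmod steps for pdnsd.

owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# Turn the rwx string from "ls -ld" into a three-digit octal mode such as 644.
mode_of() {
    ls -ld "$1" | awk '{
        p = substr($1, 2, 9); oct = ""
        for (i = 0; i < 3; i++) {
            v = 0
            if (substr(p, i*3+1, 1) == "r") v += 4
            if (substr(p, i*3+2, 1) == "w") v += 2
            c = substr(p, i*3+3, 1)
            if (c == "x" || c == "s" || c == "t") v += 1   # setuid/sticky still mean executable
            oct = oct v
        }
        print oct
    }'
}

# expect_owner PATH USER / expect_mode PATH MODE: print one line,
# return 0 on match and 1 on mismatch or missing path.
expect_owner() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    o=$(owner_of "$1")
    if [ "$o" = "$2" ]; then echo "ok       $1 owner=$o"; return 0; fi
    echo "WRONG    $1 owner=$o expected=$2"; return 1
}
expect_mode() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    m=$(mode_of "$1")
    if [ "$m" = "$2" ]; then echo "ok       $1 mode=$m"; return 0; fi
    echo "WRONG    $1 mode=$m expected=$2"; return 1
}

# The four items the page's chown/chmod steps touch; returns 1 if any differ.
pdnsd_perm_report() {
    rc=0
    expect_owner /etc/pdnsd.conf root || rc=1
    expect_owner /var/cache/pdnsd nobody || rc=1
    expect_owner /Library/LaunchDaemons/pdnsd.plist root || rc=1
    expect_mode  /Library/LaunchDaemons/pdnsd.plist 644 || rc=1
    return $rc
}

# Run the live report only when asked: sh check-pdnsd-perms.sh --check
if [ "${1:-}" = "--check" ]; then pdnsd_perm_report; fi
```

A non-zero exit from the report means at least one of the four lines printed WRONG or MISSING; re-run the matching chown or chmod above.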

Start the daemon

sudo launchctl load /Library/LaunchDaemons/pdnsd.plist

System Preferences settings

Go to System Preferences/Network and under “DNS Servers” insert your local server (127.0.0.1). Then hit “Apply Now”.

[Screenshot: OS X System Preferences, local DNS server setting (127.0.0.1)]

Confirm pdnsd is working

Run the following command twice. The second time around should show a shorter query time in dig’s output.

dig google.ca

dig google.ca

Make sure you get a “status: NOERROR” rather than a “status: SERVFAIL”, which suggests a misconfiguration (unless the target web-site’s server is down). In the misconfiguration case, if you’re still getting connectivity, the requests are being passed on to an external DNS server.

Ordinarily, if a “status: SERVFAIL” message appears, suspect the /etc/pdnsd.conf file. In this case, unload the service before editing and load it again afterwards, using the following commands.

sudo launchctl load /Library/LaunchDaemons/pdnsd.plist

sudo launchctl unload /Library/LaunchDaemons/pdnsd.plist
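The two dig runs above are checked by eye; the following added script (mine, not the page's) does the same check mechanically and turns the result into one verdict. It parses the status, the "Query time" and the "SERVER" line of dig's output, and the live mode queries @127.0.0.1 explicitly (my addition, so the test is about pdnsd even if the System Preferences change has not been applied). The three dig outputs inside the script are constructed samples abridged to the lines that are parsed, not captures from a real run.

```sh
#!/bin/sh
# Verdict on two consecutive dig runs against the local pdnsd.

# Constructed dig outputs (abridged): a first uncached answer, a second cached
# answer served in 0 msec, and a failing one pointing at a bad pdnsd.conf.
DIG_FIRST=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; Query time: 87 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
DIG_SECOND=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
DIG_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12347
;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Each reads dig output on stdin and prints the field it extracts.
dig_status()   { sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }
dig_query_ms() { sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1; }
dig_server()   { sed -n 's/^;; SERVER: \([0-9.]*\)#.*/\1/p' | head -n 1; }

# dig_verdict FIRST_OUTPUT SECOND_OUTPUT
# servfail  -> suspect /etc/pdnsd.conf (unload, edit, load again)
# not-local -> the answer came from somewhere other than 127.0.0.1
# uncached  -> second answer no faster than the first, cache not serving it
# cached    -> second answer faster, pdnsd cache is working
dig_verdict() {
    s1=$(printf '%s\n' "$1" | dig_status)
    s2=$(printf '%s\n' "$2" | dig_status)
    srv=$(printf '%s\n' "$2" | dig_server)
    if [ "$s1" != "NOERROR" ] || [ "$s2" != "NOERROR" ]; then echo "servfail"; return 1; fi
    if [ "$srv" != "127.0.0.1" ]; then echo "not-local"; return 1; fi
    t1=$(printf '%s\n' "$1" | dig_query_ms); t1=${t1:-0}
    t2=$(printf '%s\n' "$2" | dig_query_ms); t2=${t2:-0}
    if [ "$t2" -lt "$t1" ]; then echo "cached"; return 0; fi
    echo "uncached"; return 1
}

# Live check when dig is installed: dig_live_check google.ca
dig_live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    first=$(dig @127.0.0.1 "$1")
    second=$(dig @127.0.0.1 "$1")
    dig_verdict "$first" "$second"
}

# Usage: sh check-pdnsd-dig.sh google.ca
if [ -n "${1:-}" ]; then dig_live_check "$1"; fi
```

A name that is already in pdnsd’s permanent cache will report "uncached" on a fresh pair of runs because both answers are already fast; pick a name you have not looked up recently for the first run.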

Other considerations

Hooking a proxy into the equation

As suggested in the intro, many people on the go using wireless hotspots with thin bandwidth try to improve their browsing experience by running a local DNS server. And they may actually be benefiting, as it saves needless round trips to external DNS servers for target IP addresses.

In addition, some people like to pair a local DNS server with a local caching proxy, despite browser caches (and despite OS X doing some local DNS caching of its own, as previously mentioned). A fully cached simple web-page served by Squid (a caching proxy, see below) using pdnsd loads almost instantaneously, in my experience. Note that with Squid alone, some claim a 2-5 times improvement over regular set-ups. So we should expect that having both a local DNS server and a local caching proxy will further improve performance.

Two of the best proxies (I’ve found) and easiest to configure on OS X follow. In addition, they are free of cost.

Dolipo: a front-end to Polipo. It’s temperamental (seemingly crashes, needing a restart), but it offers ad blocking via a default list (further saving bandwidth), pipelining (by default, which speeds answers to requests) and (the sometimes unreliable) PMM to further speed up requests. Perhaps most importantly, Polipo maintains a cache of your surfing.

SquidMan: a front-end to Squid. It’s reliable, but takes up memory (I find a minimum of 2 GB is needed to run well on a workstation) and it’s difficult to set up with a fine-tuned configuration (necessitating the editing of a text file), but basic configurations (without ad blocking) are easy through the SquidMan interface.

As suggested, Squid can go beyond Dolipo/Polipo’s functions and be set up to block ads and cookies and withhold other means of tracking (aka stealth/anonymizing mode), but this requires getting your hands dirty. Squid, like Dolipo/Polipo, keeps a cache.

Read the source documentation on installation and use.

Polipo (Dolipo’s parent project) seems to be the way to go. Everything you’d want in addition to caching (for regular browsing, notwithstanding a lack of stealth mode) is either already implemented (such as pipelining, PMM, ad blocking) or easier to configure via the browser accessible interface (see below). Furthermore, the ad blocking seems to work as well as the heavy duty filtering I’ve set up with SquidMan (using regex, domain name, and IP address lists).

Unfortunately, on the Mac side of things, I find Dolipo somewhat unstable. Polipo (Dolipo’s internals) seemingly crashes while Dolipo starts, or perhaps doesn’t start at all. It hasn’t received development since 2008, either. The solution is to use a later version of Polipo, but if you don’t have MacPorts or any of the other OS X package managers (I don’t think any of them support Tiger anymore), you can get a Tiger-compatible port of Polipo from the portable Tor project (Tor Browser Bundle). Just open the package (“Show Package Contents”), go to /Contents/MacOS/Polipo and drag the contained Polipo into a directory. You can start it from the command line (once inside the directory containing Polipo) with

./polipo

Options are configured via a browser (while Polipo runs) at

http://localhost:8123/polipo/config?

Upgrading Dolipo yourself with your retrieved Polipo

If you want to take advantage of the Dolipo GUI wrapper (that’s all Dolipo is), you can place the above Polipo into Dolipo and thus update it yourself. Make sure you haven’t started Dolipo in the session yet, though, or else you might get an endless spinning beach ball.

[Screenshot: updating Dolipo with the Polipo binary from the Tor Browser Bundle]

Of course, you need to create a location for each proxy via System Preferences/Network/Location/New Location. From there go to the Proxies tab, insert “localhost” (without quotes) and enter the proxy port (Squid’s is 3129 and Polipo’s is 8123, although Dolipo changes this; you can change it back). Lastly, check off the protocols each supports: Squid does FTP, HTTP, HTTPS, Gopher, and perhaps SOCKS5 if compiled in (but not normally), while Polipo supports HTTP, SOCKS4a and SOCKS5, and can tunnel HTTPS. You can insert exceptions (pages that you want to connect to directly) in this tab, too (under “Bypass proxy settings for these Hosts and Domains”). Normally, this would be for problematic or “critical” sites such as Facebook and banking sites.

You needn’t bother with the system settings if you run Firefox/Iceweasel or SeaMonkey/Iceape and want to take advantage of the proxy/DNS server set-up selectively. They have their own settings under Advanced/Network/Settings. Connect to localhost (or 127.0.0.1) using the appropriate proxy port (8123) for all protocols. You should also add 127.0.0.1 to the “No Proxy for” field under Preferences/Advanced/Proxies in the browser settings, as well as any services that don’t like being passed through a local proxy (such as Facebook).

Thoughts on Dolipo & SquidMan Proxies

Finally on OS X, you don’t need Dolipo (or Polipo) because you can set SquidMan up to do everything Dolipo can and more, with the exception of PMM, but remember Squid is resource hungry and detailed set-ups necessitate extensive editing of a text file.

I find Dolipo snappier than Squid, but I don’t think Dolipo/Polipo offers as fine-tuned a stealth mode (while Squid does), so, to take advantage of both, you could chain them (browser -> Squid -> Polipo), but I find that a little slower than just using one local proxy. (Keep in mind I haven’t tried fine-tuning this dual-proxy set-up.) For instance, Squid’s ad blocking could be dropped in favour of Polipo’s. Regardless of the advantages of using multiple proxies, I fear this set-up might be beyond the capabilities of old computers or net-books.

Afterthoughts

Lastly, I can’t believe how much of a hassle it was to implement these things on OS X (but once it is set up, it’s rock solid). The other thing I can’t fathom is why notebook/laptop makers, the associated Gnu-Linux distros, and the “It Just Works” people, Apple, don’t ship portables pre-configured for economical browsing, or at least allow easy configurability. On second thought, I assume manufacturers would rather have your computer feel sluggish after a year, about when they want to sell you yet another latest and greatest computer.

Maurice Cepeda

All rights reserved on the article, defined as the text and any original material and medium –including photographs when specifically mentioned in at least one of the following corresponding elements: caption, alternate text, or title. Quoted texts, and other material not copyrighted by Maurice Cepeda, are used under the concept of fair use and are the properties of their respective owners –including photographs, audio recordings, videos, or any other products in any form or fashion– as are all brands mentioned. If copyrighted videos and/or audio recordings should make themselves into articles, note that they are not hosted herein; if you are the copyright holder of any such material (and have a problem with fair use), approach the appropriate hosting site. Note that any audio or visual material incorporated under fair use, either hosted locally (if that should come to be) or otherwise, will most likely be of lesser quality, thus, “fair use”. By reading this article, the reader forgoes any accountability of the writer. The reading of this article implies acceptance of the above stipulations.
