This document covers browser configuration and the features specific to DNS management. There are some advanced features, mainly intended for website hacking, which are only documented in the main Kraker manual.
Instruction manual for the Kraker Local Proxy Server
The
Addendum (August 1, 2022) -- upgrade from version 4b to version 4c (no changes from v4a to v4b)
I have addressed two security vulnerabilities:
1) Previously, a failed DNS request would default to the system DNS just in case the domain name happened to be something that could only be resolved at the system level. This is an issue due to the fact that an attacker may attempt to locate the user's DNS host by forcing arbitrary DNS lookups which feed back to the attacker's server. This is fine as long as the DNS resolves but, otherwise, it is not fine since the user's default DNS service (likely the ISP) would be exposed. The new policy is to block any domain which does not resolve. Users who have local domains installed may flag them as "LOCAL" in the settings file (dotless domain names and domain names ending with ".localhost" are flagged automatically).
2) The "reload" command allows the user to load DNS settings from a file other than the default. The vulnerability is that it is possible for an attacker to create an arbitrary file in the Kraker home directory and then load that file with the "reload" command, thus effectively taking over the user's DNS. The new policy is to block any file names which are not pre-declared (see the section on Option Flags).
Alternative Internet services - One of my goals with the Kraker Local Proxy Server is to provide a single point of access to alternative Internet services (Tor Network being the first offering). I have investigated a number of candidates but, so far, there isn't much to get excited about. Here is what Kraker supports at this point (I have also tried Freenet but it has performance issues like IPFS).
I2P (Invisible Internet Project) - The proxy server will automatically route ".i2p" domains to your local I2P server if you have one installed and running. This feature expects the I2P server to be available at localhost port 4444. I have found the I2P server to be very efficient and reliable. However, many I2P sites tend to be down most of the time and I haven't found any to be worth my time. Still, it is something to keep an eye on.
IPFS (Inter Planetary File System) - The IPFS local server installs at "localhost:8080" which is in conflict with Kraker. Co-existence requires that the IPFS server be configured for port 8089. Kraker will detect URL paths beginning with "/ipfs/" or "/ipns/" and automatically reroute such a request to "localhost:8089" so that IPFS links directed to "localhost:8080" will work correctly. My experience with IPFS has been disappointing. There are serious performance issues (with both the local server and the Internet gateways). In particular, the local server overloads my router with too many open sockets and that takes down my Internet access. I have tried every possible configuration but performance remains an issue.
Lokinet - The ".loki" and ".snode" domains are automatically flagged as "LOCAL" for users who may be running the Lokinet server which installs at the level of the system DNS. I do not recommend Lokinet and have not seen any use case for it. It has a tendency to go into a never-ending loop thus forcing a shutdown. I'm also leery about the fact that it installs as a virtual network card and that it takes over the system DNS. This is overkill. Besides that, I'm not seeing much enthusiasm from the developers. Maybe it's a dead project.
Addendum (May 15, 2022) -- upgrade from version 3b to version 4a
This version is a major upgrade but there isn't much that affects this document. The HTTP (8080), HTTPS (8081) and Socks5 (8088) server ports have been integrated. The HTTP and HTTPS ports route through the Socks5 port so all of the DNS settings (including TOR) fully apply. Wildcard domains are now supported. The new "shadow port" feature allows connections through Socks5 to be routed through the HTTP and HTTPS ports.
You can now access I2P websites without a special browser configuration. The Socks5 proxy server will detect the ".i2p" top-level domain and route the request to "localhost:4444" which is where the I2P server is normally located.
Addendum (November 19, 2021) -- upgrade from version 3a to version 3b
This is a premature release due to an incompatibility that I discovered. Version 3a is not compatible with Node.js version 16 which was initially released in April. I'm not in the habit of testing every version of Node.js to make sure that something like this doesn't happen. Also, nobody talks to me to let me know about stuff like this. Oh well.
Anyway, there is one small change which is pertinent to the Socks5 proxy. A new flag has been added to enable the monitoring of the DoH/DNS activity. The flag is meant to be used with the console output disabled. If it is enabled, then socket activity will be displayed. This is pretty much useless at this point so I won't bother describing it. I used it to fix the memory leak problem when sockets were not being closed correctly.
Addendum (May 8, 2021) -- upgrade from version 2c to version 3a
This is the final version of the Socks5 proxy server. The DNS lookup function has been extended to support up to four simultaneous lookups. I discovered that there can be a delay of 5 to 6 seconds in a DNS response. I don't understand the cause of this but got some interesting results with a search on "dns delay 5 seconds". Also, I have included support for "DNS over HTTPS" but only in the JSON format (which is not widely available). It is simply not worth the effort to support the standard format which is a binary format. The DoH lookup is not used for the "dnslookup" command.
I uncovered another memory leak, this time in the original port 8080 server for Alleycat Player. This is interesting because I followed the standard procedure for handling an HTTP/HTTPS connection. Nowhere, not even in the official documentation, is it mentioned that the connection should be "destroyed" to avoid a memory leak. This is the same thing which led to a memory leak in the Socks5 proxy. That was fixed by called the "destroy" function when either the incoming or outgoing connection is closed. The issue with the port 8080 server was uncovered by seeking through a proxied mp4 video. If the browser closes the connection while buffered data is still in the server's memory, the memory is not properly released. The normal memory footprint for Node.js is under 15 megabytes and sometimes as little as 8 megabytes. Memory usage goes up when the server is buffering content but then should drop quickly once the content is consumed or the connection is closed.
Addendum (April 8, 2021) -- upgrade from version 2b to version 2c
Two major issues have been fixed. First, there was a memory leak due to the failure to destroy spent sockets (not a serious problem but up to 20 megabytes of memory was being wasted). Second, a custom DNS lookup procedure has been implemented. It turns out that Node.js performs an internal DNS lookup via the operating system. Thus, the DNS server settings in your settings file did not apply though they do apply to the "dnslookup" command. The new DNS lookup procedure applies the following policies:
The remainder of this document has been updated to reflect the above changes.
The Kraker Socks5 server is referred to as a "Tunnel Proxy" because all it does (or can do) is apply a custom DNS lookup and then route the connection to the required destination. It is not possible to sniff the connection to see or modify any part of the data stream (which is the purpose of the original proxy). Actually, HTTP streams can potentially be sniffed but not HTTPS because it is encrypted.
There are a few reasons for using this proxy. The default DNS service supplied by your ISP may be unreliable or it could be blocking certain domains. A site could also be blocked by taking down the DNS entry (to censor information that the powers-that-be don't want you to see). However, bypassing the DNS service won't help if a site has been deplatformed (banned by its ISP). There is only so much that we can do in the fight against censorship.
Of course, you could accomplish roughly the same thing by modifying your system DNS setting or the "hosts" file. That approach is cumbersome and prone to error. The new Kraker proxy makes your changes much easier to set up and modify on the fly. You will need to configure your web browser to work through the proxy. You can also do the same for other applications that you use (if they support this).
Check "Manual proxy configuration"
Uncheck "Also use this proxy for FTP and HTTPS"
Type "localhost" in "SOCKS Host"
Type "8088" in the next field and Check "SOCKS v5"
Check "Proxy DNS when using SOCKS v5"
Ignore "No proxy for" unless you have an issue
All other fields should be left blank or unchecked
Alternative: you can install the extension indicated for Chrome-based browsers below.
Check "Manual proxy configuration"
Check "Use this proxy server for all protocols"
Type "localhost" in "SOCKS Host"
Type "8088" in the next field and Check "SOCKS v5"
Check "Use proxy to perform DNS queries"
Ignore "No proxy for" unless you have an issue
All other fields should be left blank or unchecked
Check "Manual proxy configuration"
Check "Use this proxy server for all protocols"
Type "localhost" in "SOCKS Host"
Type "8088" in the next field and Check "SOCKS v5"
Check "Proxy DNS when using SOCKS v5"
Ignore "No proxy for" unless you have an issue
All other fields should be left blank or unchecked
There are versions of the extension for Chrome, Firefox, Opera and Edge. Even though you don't need it for Firefox, I recommend it because it is easier to manage. Select the "Manual" tab once you have installed the extension. Enter a profile name and fill all three proxy name fields with "localhost" and set the port number to "8088". Check "SOCKS v5" and check "Remote DNS" (for Firefox only). Press the green checkmark symbol and you are done.
Kraker supports accessing the Tor Network either for specific domains or globally. Also, "onion" links will automatically be routed to a Tor server. There are two ways to get a Tor server running: open the Tor Browser or run the stand-alone Tor server. The two cannot run together and the port number differs. It is port 9150 with the Tor Browser and port 9050 with the stand-alone. Go here to download. The browser is available for Windows, Linux, Mac and Android but the stand-alone is only available for Windows.
Extract the zip file for the stand-alone Tor server. Find "tor.exe" in the "Tor" folder and run it. That's all. Personally, I don't like having another console alongside Kraker so I'll be looking for a way to run the Tor server invisibly. For now, this works fine.
New information: you can start the Tor server in a hidden window if you have the Tor Browser installed. This is the same server that starts up with the browser but it defaults to port 9050 instead of 9150. Find the Tor server in the folder where you installed the browser:
You can set up Tor as your proxy if you like. Just use port 9050 or 9150 (instead of 8088 for Kraker). Everything will then be routed directly through the Tor network. I'm not recommending this. While your IP address will be rendered anonymous, there are still potential privacy issues. If you want to roam the "Darknet" then use the Tor Browser. Also, your IP address will change routinely, usually every 15 minutes. This will mess up any login or verification credentials that may be based on your IP address. Certainly not good for online banking unless you can get it done swiftly.
The file is named "_settings.txt" and you should have copied it to your Kraker folder. If not, go back and get it.
There are four data types: 1) Option Flag, 2) DNS Service, 3) Domain Lookup and 4) IP Address List.
| fmodify | If enabled then the other flags may be modified when the settings file is reloaded. The flags are initialized on startup. |
| console | If enabled then each connection opened in the proxy will be reported in the console (name, port, IP address). |
| showdns | If enabled then DoH/DNS activity will be displayed on the console. If console output is enabled, then socket activity will be displayed. |
| altport | If enabled then the proxy will invoke the Tor server at port 9150 (Tor Browser) else 9050 (stand-alone). |
| tor4all | If enabled then all connections will be passed through the Tor server (except for domains flagged as "LOCAL"). |
| $end$ | Special flag that marks the end of your settings. |
| $shadow_secret= | Secret password for some restricted shadow port management options (added in v4a). |
| $settings= | List of allowed settings file names separated by a vertical bar (added in v4c). |
The special IP address "0.0.0.0" may be used to block a domain. The special value "FETCH" will invoke a DNS pre-fetch. The special value "LOCAL" forces the DNS lookup to default to the system DNS (this is automatic for a dotless domain name or a domain name ending with ".localhost"). The special values "TOR" or "VPN" may be used to route the connection through a Socks5 proxy server. In the case of "TOR", the server address is local (the Tor server is running on the user's machine). For the "VPN" option, you need to use the "vpn" command to specify the server address (see the next section). In general, it is recommended that the DNS lookup be left to the proxy server but the following options are available:
You can send commands to the proxy server on port 8080 as follows:
New for version 4c: only pre-approved file names are allowed (see $settings$ option above). This fixes a security vulnerability.