In this post we will be discussing the DNS protocol and how to tunnel traffic over DNS. DNS is considered a relatively harmless protocol, so a lot of access points and firewalls allow DNS traffic without blinking once; this makes it ideal to use when you need to tunnel traffic. We will specifically be exploring 'iodine', a tool made for tunneling over DNS.
How does DNS work? DNS, the Domain Name System, allows us to translate easily memorized names to the numerical IP addresses that computers understand. To provide this service there are a few well-known servers called 'root servers' at the top of the DNS hierarchy; there are currently 13 root servers. These root servers know the authoritative name servers for the top-level domains (.com, .eu, .nl, .be, .net). An authoritative name server is responsible for one or more (sub)domains. When someone purchases a domain name, it is considered a subdomain of the top-level domain and, as said, every subdomain can have its own authoritative name server. For instance, if you have example.com, example is actually a subdomain of .com; the IPs for example.com are configured on a different name server than the one responsible for .com, and we call this the authoritative name server for example.com. Now example.com can have other subdomains, which can in turn have their own subdomains: for instance www.example.com, but also test.example.com and so on. Do note that not every subdomain has its own authoritative name server; one server can be responsible for multiple domains. The design is hierarchical:
Normally a computer has a DNS server configured, reachable from its network, which it can ask to resolve a name to an IP (the recursive name server). If the recursive name server doesn't know the answer, it asks other DNS servers on the computer's behalf. So, to resolve a name to an IP, this is what happens:
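To make the referral chain concrete, here is an added toy resolver. It is not code from the original post: the zone data is made up, and the resolver understands only NS referrals and A answers. It walks the hierarchy the way a recursive name server does on the client's behalf: start at a root server, follow the referral to the server for the top-level domain, then to the authoritative server for the domain, until that server either answers or confirms the name does not exist.

```python
"""Toy iterative DNS resolution over an in-memory hierarchy.

Added example (not from the original post). The zones below are
constructed: each server only knows the part of the tree it is
authoritative for, and hands out an NS referral for anything delegated
further down.
"""

# Constructed zone data: server name -> {qname: ("NS", next_server) | ("A", ip)}
ZONES = {
    "root": {
        "com.": ("NS", "tld-com"),
        "net.": ("NS", "tld-net"),
    },
    "tld-com": {
        # the .com server only knows who is authoritative for example.com
        "example.com.": ("NS", "ns.example.com"),
    },
    "ns.example.com": {
        # the authoritative server holds the actual addresses
        "example.com.": ("A", "192.0.2.10"),
        "www.example.com.": ("A", "192.0.2.11"),
        "test.example.com.": ("A", "192.0.2.12"),
    },
}


def suffixes(qname):
    """Yield qname and then each parent name, ending at the root:
    www.example.com. -> example.com. -> com. -> ."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def resolve(qname, zones=ZONES, max_hops=10):
    """Iteratively resolve qname starting at the root.

    Returns (ip_or_None, trace), where trace lists the servers asked in
    order. max_hops guards against a misconfigured referral loop."""
    if not qname.endswith("."):
        qname += "."
    server = "root"
    trace = []
    for _ in range(max_hops):
        trace.append(server)
        zone = zones.get(server, {})
        # Ask about the closest enclosing name this server knows about
        for name in suffixes(qname):
            if name in zone:
                rtype, rdata = zone[name]
                if rtype == "A":
                    # Authoritative data: an answer only if the exact name exists
                    return (rdata if name == qname else None), trace
                # NS record: referral to the server for the delegated zone
                server = rdata
                break
        else:
            return None, trace  # nobody on this path knows the name
    return None, trace


if __name__ == "__main__":
    for name in ("www.example.com", "example.com", "nosuch.example.com", "example.org"):
        ip, trace = resolve(name)
        print(f"{name:22} -> {ip}  via {' -> '.join(trace)}")
```

Running it shows www.example.com resolved in three hops (root, tld-com, ns.example.com), while example.org stops at the root because no server on the path has a delegation for .org.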
Iodine is a piece of software that allows us to set up DNS tunnels:
iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed. It runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows and needs a TUN/TAP device. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream.

So what do you need?

On the server:

./iodined -fP MySuperSecretP4ssw0rd 10.150.150.1 route53.tunnel.example.com
On the client:
./iodine -fP MySuperSecretP4ssw0rd 10.150.150.1 route53.tunnel.example.com
Your client will then get an IP assigned on a new interface; execute the command:
You should see an interface called dnsX (where X is a number). The IP for that entry is your client's IP. Now you can connect to the IP of your server (10.150.150.1). SSH in and set up a proxy:
ssh <user>@10.150.150.1 -D 5555
Most applications support SOCKS5 proxies; for the rest, I would like to refer you to one of my previous posts. So now you know how you can circumvent network restrictions and use DNS to create a covert channel.
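From the defender's side, a tunnel like this has to carry its payload inside the query names, and that is what makes it visible in resolver logs. The following added example (not code from the original post or from the iodine project) scores constructed resolver log lines on four indicators: long query names, very long labels, high-entropy (encoded) labels, and record types that carry bulk payloads (NULL, TXT) rather than ordinary A/AAAA lookups. The log format, the sample lines, the set of bulk record types and all thresholds are assumptions to tune against your own baseline; the tunnel domain reused from the post is route53.tunnel.example.com.

```python
"""Heuristic detection of DNS-tunnel-like queries in a resolver log.

Added example, not code from the original post or from iodine. The log
format and sample lines are constructed; thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<time> <client> <qtype> <qname>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:01 10.0.0.5 A mail.example.com
10:00:02 10.0.0.7 NULL 0bhdmqz3gk5qa9w2xe7vn8ltp4ry6cu1.route53.tunnel.example.com
10:00:02 10.0.0.7 NULL 1qazxsw23edcvfr45tgbnhy67ujmki89.route53.tunnel.example.com
10:00:02 10.0.0.7 TXT 2wsxcde34rfvbgt56yhnmju78ik9ol0p.route53.tunnel.example.com
10:00:03 10.0.0.7 NULL 3edcvfr45tgbnhy67ujmki89olp0qaz1.route53.tunnel.example.com
10:00:03 10.0.0.5 AAAA www.example.com
10:00:04 10.0.0.9 A cdn.static-assets.net
"""

BULK_QTYPES = {"NULL", "TXT"}  # assumption: record types that carry bulk payload
MAX_NAME_LEN = 52              # assumed thresholds; tune to your own baseline
MAX_LABEL_LEN = 30
MIN_ENTROPY = 3.5              # bits per character
FLAG_SCORE = 3                 # indicators needed before a query is flagged


def shannon_entropy(text):
    """Bits of entropy per character: encoded payload scores high, words low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_query(qtype, qname):
    """Return (score, reasons) for one query.

    The two right-most labels are treated as the registered domain
    (assumption; use a public-suffix list in production) and everything to
    the left of them as the part a tunnel could fill with data."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])
    reasons = []
    if len(qname) > MAX_NAME_LEN:
        reasons.append("long-name")
    if max(len(label) for label in labels) > MAX_LABEL_LEN:
        reasons.append("long-label")
    if shannon_entropy(payload) > MIN_ENTROPY:
        reasons.append("high-entropy")
    if qtype.upper() in BULK_QTYPES:
        reasons.append("bulk-qtype")
    return len(reasons), reasons


def analyze(log_text):
    """Parse log lines and return the queries reaching FLAG_SCORE, each with
    its parent zone (qname minus the first label) so hits can be grouped by
    the domain the tunnel endpoint is delegated under."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        time, client, qtype, qname = parts
        score, reasons = score_query(qtype, qname)
        if score >= FLAG_SCORE:
            parent = qname.split(".", 1)[1] if "." in qname else qname
            flagged.append({"time": time, "client": client, "qtype": qtype,
                            "parent": parent, "reasons": reasons})
    return flagged


def hits_per_client(flagged):
    """Roll flagged queries up per client; a live tunnel is a steady stream."""
    counts = defaultdict(int)
    for hit in flagged:
        counts[hit["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["qtype"], h["parent"], ",".join(h["reasons"]))
    print("flagged queries per client:", hits_per_client(hits))
```

On the sample log only the four queries from 10.0.0.7 are flagged, all under the same parent zone, which is the pattern to alert on: one client, one delegated zone, many unique high-entropy names. Ordinary lookups such as www.example.com score zero on every indicator.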