Graham Edgecombe

IP over DNS with Iodine

Introduction

If there are any two services your school or workplace allows through their firewall, you can be almost sure they are HTTP and DNS. Unfortunately, HTTP access is usually filtered, and if your network admins are anything like mine, lots of useful, legitimate websites get blocked for no reason. I used to abuse the CONNECT method to establish a TCP connection to my SSH server and from there would tunnel traffic using SOCKS over the SSH connection to be able to browse properly again.

Unfortunately, recently they changed the firewall software and it now checks to see if traffic over CONNECT is using SSL, and if it is, it checks to see if there is a non self-signed certificate in use. If those conditions fail, the connection is blocked. This means that I could no longer connect to my SSH server. Running SSH over SSL using something like stunnel was also out, since I don’t own a signed certificate.

DNS Tunneling

I wasn’t going to be beaten that easily. After remembering a few old Slashdot posts about DNS tunneling, I decided to look into it and compared a few pieces of software. The one I found to be most suitable was Iodine.

There’s a few drawbacks: it’s quite slow and it doesn’t seem to be able to co-exist with a real DNS server. But it works!

The first thing you need to do is to add an NS record to a subdomain of your main domain. Apparently it’s a good idea to make this as short as possible to give extra space for the data itself, so I chose t.grahamedgecombe.com. The NS record should point to the address of the server you’re running Iodine on. For me that was simply grahamedgecombe.com.

On the server, I ran these commands to install and start Iodine:

sudo apt-get install iodine
sudo iodined 10.0.0.1 t.grahamedgecombe.com

The apt-get may need to be substituted with another package manager if you’re not on something Debian-based.

The second command starts Iodine in the background, using the subdomain t.grahamedgecombe.com. Iodine creates a virtual network, so you also need to select an IP address for the server - 10.0.0.1 in this case. The client’s IP address will be the next following the server’s - 10.0.0.2 in this case. You should select an IP address within the private IPv4 network ranges that doesn’t conflict with any private networks your server and client is connected to.

On the client, I used these commands to install and start Iodine:

sudo apt-get install iodine
sudo iodine t.grahamedgecombe.com

Once this is complete, you’ll be able to connect to the server using the IP address you specified on the server. So to set up my SOCKS SSH tunnel, I ran the following command:

ssh -D1080 10.0.0.1

With luck, it should all be working!

If not I’d recommend checking the following things:

Comments

Post a comment

Tim's Gravatar

:P

Tim

1 July 2011

V1R4N64R's Gravatar

hello & thanx for the toturial
/*
can you introduce a free hosting which gives us that service ?
thanx
*/

V1R4N64R

31 May 2012

Graham Edgecombe's Gravatar

I don't have the bandwidth to offer such a service, nor would I want to become involved in it due to the legal aspects (illegal content passing through it.)

Graham Edgecombe

11 June 2012

Alexandre Fenyo's Gravatar

The question you asked, "free hosting which gives us that service", does not seem to get an answer with Iodine, but some other IP over DNS implementations like Element53 and VPN-over-DNS are provided with a courtesy tunnel terminator. To get more informations about Element53 and VPN-over-DNS, just look at the IP over DNS forums on http://www.ipoverdns.com

Alexandre Fenyo

18 August 2012

Thomas's Gravatar

Hey I'm having a bit of trouble when connecting to the iodine server. The server im running is a raspberry pi with the raspbian wheezy latest distro. I can make and connect to the iodined server fine with the windows binaries on my local network but when trying to use iodine on linux mint 15 it connects but i cannot use ssh or putty to connect to the 172.16.0.0 tunnel. after a while the connection just times out. I it would seem putty on linux is being blocked from connecting through the tunnel

Thomas

14 August 2013

Name's Gravatar

Try and connect to 172.16.0.1 instead of 0.0 ?

Name

15 September 2013

Graham Edgecombe's Gravatar

Unfortunately the syntax highlighting script turns 10.0.0.1 into 10.0 for some reason, which I guess caused some confusion...

Graham Edgecombe

15 September 2013

Graham Edgecombe's Gravatar

The new syntax highlighting script doesn't mess up the IP addresses :)

Graham Edgecombe

28 January 2014