DNS Tunneling via iodine: really free cheese
There is:
- disabled for non-payment of the Internet (adsl, lan, etc)
or
- unencrypted wi-fi network with closed Internet, but working dns
or
- very strict firewall with open dns
I want to:
full Internet, even if very slowly
Before answering the question "how?" - a few comments.
1. This article is a practical guide, not a theoretical course “introduction to the specifics of the work of DNS services” (there is enough written about this topic already).
')
2. All examples are given for the windows platform, as the most popular on desktops. On the other hand, all the above methods work as well as in the unix environment (google will easily suggest alternatives where I mention windows-only solutions).
3. In order for the described method to work, you will need as a server a constantly working and Internet-connected computer with a “white” IP (whether static or dynamic, but addresses like 192.168. *. * Or 10. *. *. * Will not work) ).
4. Hey, provider guys! NSTX , which uses a similar method, has been known for about 7 years , but still this trick still works on most networks. Now, even under Windows, there is a turnkey solution. Take care dns'y :)
In all cases listed at the beginning of the article, there remains one loophole - the dns-server, to which you can usually “get through”. What gives us dns server? Theoretically, the ability to send a request for arbitrary content to an arbitrary other dns-server (already outside the "closed / disabled" zone), and get an arbitrary answer. In theory, this allows access to the network by encapsulating IP packets in dns requests and responses. Now I will tell you how to do this in practice.
PS It is under maemo , and under win mobile .
PPS A smart reader will guess that in order for everything to work well, you still need to correct the MTU in the registry.
UPD: link for those who want to participate in the development of iodine
- disabled for non-payment of the Internet (adsl, lan, etc)
or
- unencrypted wi-fi network with closed Internet, but working dns
or
- very strict firewall with open dns
I want to:
full Internet, even if very slowly
Before answering the question "how?" - a few comments.
1. This article is a practical guide, not a theoretical course “introduction to the specifics of the work of DNS services” (there is enough written about this topic already).
')
2. All examples are given for the windows platform, as the most popular on desktops. On the other hand, all the above methods work as well as in the unix environment (google will easily suggest alternatives where I mention windows-only solutions).
3. In order for the described method to work, you will need as a server a constantly working and Internet-connected computer with a “white” IP (whether static or dynamic, but addresses like 192.168. *. * Or 10. *. *. * Will not work) ).
4. Hey, provider guys! NSTX , which uses a similar method, has been known for about 7 years , but still this trick still works on most networks. Now, even under Windows, there is a turnkey solution. Take care dns'y :)
Introduction
In all cases listed at the beginning of the article, there remains one loophole - the dns-server, to which you can usually “get through”. What gives us dns server? Theoretically, the ability to send a request for arbitrary content to an arbitrary other dns-server (already outside the "closed / disabled" zone), and get an arbitrary answer. In theory, this allows access to the network by encapsulating IP packets in dns requests and responses. Now I will tell you how to do this in practice.
Part 1. Registration
- Register on dyndns.com service.
- Set up a dynamic dns, choose the address (say, dnstun.dyndns.org)
- Registering on co.cc service
- We register a free domain for them (say, dnstun.co.cc), and specify the dns server for it, our dyndns-name, dnstun.dyndns.org (if this method does not work, you can add to the domain an nx-record for its subdomain, referring to our dyndns-domain, this is done in Zone Records, for example, host: tunnel.dnstun.co.cc, type: NS, Value: dnstun.dyndns.org ", and later instead of dnstun.co.cc everywhere use tunnel.dnstun.co.cc)
- We are waiting for domain delegation and its appearance on all dns servers (up to 48 hours)
Part 2. Server (i.e. the computer that is on the “big” Internet, without any firewall, etc.)
- Download and install dyndns updater:
www.dyndns.com/support/clients - Download and install the TAP driver from the OpenVPN package:
openvpn.net/release/openvpn-2.0.9-install.exe - Download the latest build iodine:
code.kryo.se/iodine/iodine-latest-win32.zip - Start iodine server:
iodined -f 10.0.0.1 dnstun.co.cc - Using kerio or the built-in windows, we create a shared Internet access for the newly appeared network connection (via the virtual TAP-Win32 Adapter V8 adapter)
Part 3. Client (the computer that only dns is available from all over the Internet)
- Download and install the TAP driver from the OpenVPN package:
openvpn.net/release/openvpn-2.0.9-install.exe - Download the latest build iodine:
code.kryo.se/iodine/iodine-latest-win32.zip - We start the client:
iodine -f 92.162.2.72 dnstun.co.cc
Here 92.162.2.72 is the IP address of any available dns server
(ip, i can't write ns1.provider.ru - it won't work).
You can find out the IP dns of servers installed in the system by command
ipconfig / all - It now remains to configure the routing so that all packets, except those that go to the dns server, are wrapped around the newly raised virtual interface. This is homework. Hint.
PS It is under maemo , and under win mobile .
PPS A smart reader will guess that in order for everything to work well, you still need to correct the MTU in the registry.
UPD: link for those who want to participate in the development of iodine
Source: https://habr.com/ru/post/65322/
All Articles