Proxying Traffic through a DNS relay

There are cases in which the connection you have to the internet only allows DNS packets or traffic needs to be concealed. In those cases when an Internet connection is really required, one way to do that is through DNS relays.

How it works?

What essentially is going on is that instead of sending normal packets to the internet you are encoding your packets in DNS requests and sending those instead. You do need a special kind of DNS server that understands these modified DNS requests and responds appropriately. Of course owning a domain name is an absolute requirement for this and the shorter the domain is, the more space you have for channelling data. This is so because a full domain name cannot exceed 253 characters and thus your request cannot contain more that 253 - length(domain). There are some additional limitations to that, though.


Iodine is a very powerful utility that enables you to tunnel IPv4 data through a DNS server. Iodine runs on Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD and Windows.

To try it out you will need to set up an iodined server. First you need to set up a domain name to use with iodine. It has to be as short as possible for example: Set up two DNS records. An A record pointing to your server and an NS record pointing to your A record, like this:

A             7200
NS  7200

Once you are ready you will need to set up the iodined (Iodine Daemon) on your server. This is done with the following command:

iodined -f -c -P secretpassword

Not that is the local address on which the server will appear when connecting through the tunnel.

Once you are ready it is simply a matter of running iodine and giving it your server domain name to create the tunnel:

iodine -f -P secretpassword

At this point of time you have a tunnel with DNS packets to your target server. This means that you will be able to access you server but nothing else. But if you want to use it as an Internet relay you could simply set up a proxy and use the tunnel for all kinds of data.

There are several methods to do this. You can either set up a VPN and route your traffic through the VPN or use an SSH proxy. Or even though not recommended, since your traffic won't be sent over a secure channel, but still worth mentioning are setting up an HTTP proxy on your server or setting up a route through your tunnel and configuring your server to do NAT.

After all the easiest (and secure) way to send your traffic over the tunnel is setting up an SSH proxy. This actually is pretty straight forward. All you need to do is run the following command and login to your server:

ssh user@ -D 1234

This will create a SOCKS proxy listening on localhost:1234 and you can configure either your computer to use it from the network settings or just your browser. There are plenty of tutorials on how to do that.

I definitely advise you to experiment with the -T, -L and -M arguments to establish the most efficient configuration and get lower latency and higher bandwidth. See the man page for details.

It does not provide a very high speed. Actually the speed of the connection can sometimes be really slow, depending on the network and the ping to your server, but iodine is a really powerful tool that can connect you to the internet even when there is no other way.


Hacktag iodined server

Now we give you the #hacktag iodined server available for free. You can connect to it with the following command:

iodine -f -P strongholdfreefallmonkey
ssh -n ihacktag@ -D 1234 # The password is the same

If you like it and/or use it often and you would like this service to stay online and be 99.9% available, please consider donating a small amount so we can get a proper server to host our iodined.

This entire article was created and uploaded using iodine.

Last updated
DownloadPlain text