Feb 09 2008

DNS Tunneling (on Mac OS X)

Published by tim at 2:02 pm under coding

The instructions were spread about and a bit unclear in some circumstances… so a simple step by step guide to using DNS tunneling under Mac OS X:

What You Need

  • A server for which you have sudo access and control over the DNS records
  • A client on which you have sudo access

Setting Up The Server

If you’re using Red Hat/CentOS, iodine is already in the Dag repositories, and it can be installed with “sudo yum install iodine”. Otherwise, you’ll have to download the iodine source package and build it with the usual “make; make install”.

Now you need to set up the DNS. You’ll need to add two records to your domain’s DNS zone: an A record for the host running iodined, and an NS record delegating the tunnel subdomain to that host so that every query for it is forwarded to your server:

tunnelhost    IN    A    your.ip.goes.here
tunnel        IN    NS   tunnelhost.yourdomain.com.

Finally, run it on the server with:

sudo iodined -P yourpassword 10.0.0.1 tunnel.yourdomain.com

The 10.0.0.1 can be any address in an unused private IP range (192.168.* is also a good pick). This is the IP that the client uses to talk to the server over the tunnel.

Setting Up The Client

Install iodine. Note that on Mac OS X you’ll need to download and install the tun/tap drivers first, since iodine needs a tun device. After iodine is built, run it with:

sudo iodine -P password tunnel.yourdomain.com

If everything is working correctly, you’ll see something like:

Opened /dev/tun0
Opened UDP socket
Version ok, both running 0x00000402. You are user #1
Setting IP of tun0 to 10.0.0.3
Adding route 10.0.0.3/24 to 10.0.0.3
add net 10.0.0.3: gateway 10.0.0.3
Setting MTU of tun0 to 1024
Sending queries for tunnel.brool.com to 68.87.76.178

Now, from your client machine you can access the server by going to 10.0.0.1 (that is, the IP that the server reported), and you can access the client by going to 10.0.0.3 (that is, the IP that the client reported).

It’s possible to use the route command to set it up so all traffic goes through the gateway, but I didn’t do that; instead, you can SSH into it with:

ssh yourname@10.0.0.1

or, if you have squid running on it, you can use it as a proxy by specifying 10.0.0.1 port 3128 as the proxy address, or you can pipe everything through the SSH tunnel.

Note: If you use Comcast, you should be aware that Comcast does some filtering of outgoing packets, which makes DNS tunneling so slow as to be almost useless.

5 Responses to “DNS Tunneling (on Mac OS X)”

  1. Christoffer Sawicki on 30 Apr 2008 at 1:09 pm

    Instead of setting up Squid on the server one can use the built-in SOCKS proxy functionality in OpenSSH. (See the -D option for ssh.)

  2. krzee on 10 May 2008 at 11:20 am

    I automated running the client side and changing the routes. Once you have NAT setup on the server side you can just use my script at: http://dev.kryo.se/iodine/wiki/TipsAndTricks
    It will setup and tear-down the routes that must be changed.

  3. [...] iodine. It does the same thing as NSTX but works on MacOS. Here is a tutorial on iodine. [...]

  4. Edvin on 08 Jun 2009 at 1:26 pm

    Does anyone supply prebuilt binaries for mac os x? Not everyone have make/gcc installed/available :)

  5. Iodine on 24 Oct 2009 at 10:57 pm

    [...] I forgot to install xtools before I left, and followed this tutorial on installing on FreeBSD and this. In no time I had free internet at the cost of their name server. If they charged a decent rate, I [...]
