The instructions were spread about and a bit unclear in some circumstances… so here is a simple step-by-step guide to using DNS tunneling (with iodine) under Mac OS X:
What You Need
- A server on which you have sudo access, plus control over the DNS records of a domain you own (you will be delegating a subdomain to that server)
- A client on which you have sudo access
Setting Up The Server
If you're using Red Hat/CentOS, iodine is already packaged in the Dag repository and can be installed with "sudo yum install iodine". Otherwise, pull down an iodine source package and build it with the usual "make; make install".
Now you need to set up the DNS. Add two records to your domain's zone:
tunnelhost IN A your.ip.goes.here
tunnel IN NS tunnelhost.yourdomain.com.
The A record names the server; the NS record delegates the tunnel subdomain to it, so every query for anything under tunnel.yourdomain.com is forwarded by the world's resolvers to your server, where iodined answers it. Without that delegation the queries never reach iodined and the tunnel never comes up.
Finally, run it on the server with:
sudo iodined -P yourpassword 10.0.0.1 tunnel.yourdomain.com
The 10.0.0.1 should be an address in an unused private range (192.168.x.x is also a good pick) that does not collide with a network either machine already uses; iodined takes this address on its tun interface and hands the client another address in the same range, so this is the IP the client uses to talk to the server. Two things to watch: iodined has to receive the DNS queries itself, so nothing else may be listening on UDP port 53 on the address it binds to, and a password given with -P is visible to everyone on the box in the process list (iodined prompts for it if -P is omitted).
Setting Up The Client
Install iodine. Note that on Mac OS X you'll need to download and install the tun/tap kernel extension (tuntaposx) first, or iodine won't be able to open /dev/tun0. After iodine is built, run it with the same password you gave iodined:
sudo iodine -P yourpassword tunnel.yourdomain.com
If everything is working correctly, you'll see something like:
Opened /dev/tun0
Opened UDP socket
Version ok, both running 0x00000402. You are user #1
Setting IP of tun0 to 10.0.0.3
Adding route 10.0.0.3/24 to 10.0.0.3
add net 10.0.0.3: gateway 10.0.0.3
Setting MTU of tun0 to 1024
Sending queries for tunnel.brool.com to 22.214.171.124
Now, from your client machine you can reach the server at 10.0.0.1 (the IP that iodined was started with), and from the server you can reach the client at 10.0.0.3 (the IP the client reported). A quick ping of 10.0.0.1 from the client confirms the tunnel is actually passing traffic.
It’s possible to use the route command to set it up so all traffic goes through the gateway, but I didn’t do that; instead, you can SSH into it with:
or, if you have squid running on it, you can use it as a proxy by specifying 10.0.0.1 port 3128 as the proxy address, or you can pipe everything through the SSH tunnel.
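The following POSIX shell script is an added example, not from the original post, that ties the steps above together: it prints the two zone records, checks the delegation with dig before you start the client (the most common reason the client hangs at "Sending queries" is a wrong A or NS record), and prints the server, client and SSH SOCKS commands. The names yourdomain.com, tunnelhost, the TEST-NET address 203.0.113.10 for the server's public IP, the tunnel address 10.0.0.1 and the SSH user "user" are all hypothetical placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not the original post's code). Hypothetical values:
# yourdomain.com, tunnelhost, 203.0.113.10 (TEST-NET) as the server's public
# IP, 10.0.0.1 as the server end of the tunnel, "user" as the SSH login.
DOMAIN="yourdomain.com"
TUNNEL="tunnel.$DOMAIN"            # the subdomain delegated to iodined
NSHOST="tunnelhost.$DOMAIN"        # the A record that names the server
SERVER_IP="203.0.113.10"           # hypothetical public IP of the server
TUN_IP="10.0.0.1"                  # iodined's first argument

# The two records to add to the yourdomain.com zone.
zone_records() {
    printf 'tunnelhost IN A %s\ntunnel IN NS %s.\n' "$SERVER_IP" "$NSHOST"
}

# check_delegation A_ANSWER NS_ANSWER
# A_ANSWER is the output of 'dig +short A tunnelhost.yourdomain.com',
# NS_ANSWER that of 'dig +short NS tunnel.yourdomain.com'. Returns 0 only
# when both records are what iodine needs (NS may or may not have the
# trailing dot depending on the resolver's formatting).
check_delegation() {
    a="$1"; ns="$2"
    if [ "$a" != "$SERVER_IP" ]; then
        echo "A record for $NSHOST is '$a', expected $SERVER_IP" >&2
        return 1
    fi
    case "$ns" in
        "$NSHOST"|"$NSHOST.") return 0 ;;
        *) echo "NS for $TUNNEL is '$ns', expected $NSHOST." >&2; return 1 ;;
    esac
}

# Ask a public resolver rather than the local one, so the check reflects
# what the rest of the Internet sees once the zone change has propagated.
live_check() {
    check_delegation "$(dig +short A "$NSHOST" @8.8.8.8)" \
                     "$(dig +short NS "$TUNNEL" @8.8.8.8)"
}

# On the server: -f keeps iodined in the foreground so errors are visible;
# with no -P, iodined prompts for the password instead of exposing it in
# the process list. UDP port 53 on the server must be free.
server_cmd() {
    echo "sudo iodined -f $TUN_IP $TUNNEL"
}

# On the client (tun/tap driver installed): same topdomain, same password,
# entered at the prompt.
client_cmd() {
    echo "sudo iodine -f $TUNNEL"
}

# Once the tunnel is up, a SOCKS proxy over SSH to the server's tunnel
# address carries arbitrary TCP without touching the routing table.
ssh_socks_cmd() {
    echo "ssh -N -D 1080 user@$TUN_IP"
}

case "${1:-}" in
    check) live_check ;;
    zone)  zone_records ;;
    cmds)  server_cmd; client_cmd; ssh_socks_cmd ;;
    "")    : ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 check|zone|cmds" >&2; exit 2 ;;
esac
```

Run "sh tunnel.sh zone" to get the lines to paste into the zone, "sh tunnel.sh check" from the client after the change has propagated, and "sh tunnel.sh cmds" for the commands to type on each end. With the SOCKS proxy up, point the browser at localhost port 1080 (SOCKS5) and everything goes server-side through the DNS tunnel, the same effect as the squid route above without needing squid.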
Note: If you use Comcast, be aware that Comcast does some filtering on outgoing packets, which makes DNS tunneling so slow as to be almost useless.