Brool brool (n.) : a low roar; a deep murmur or humming

DNS Tunneling (on Mac OS X)


The instructions for this are scattered and a bit unclear in places, so here is a simple step-by-step guide to using DNS tunneling under Mac OS X:

What You Need

Setting Up The Server

If you’re using Red Hat/CentOS, iodine is already in the Dag repositories, and it can be installed with “sudo yum install iodine”. Otherwise, you’ll have to pull down a source package of iodine and build it with the typical “make; make install”.

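Now you need to set up the DNS. You’ll need to add two records to the DNS zone for your domain. The A record points at the server that runs iodined, and the NS record delegates the tunnel subdomain to that host, so queries for any name under the subdomain end up at iodined: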

tunnelhost    IN    A
tunnel        IN    NS

Finally, run it on the server with:

sudo iodined -P yourpassword

The should be any unused IP range that is available (192.168.* is also a good pick). This IP will be the IP that the client uses to talk to the server.

Setting Up The Client

Install iodine. Note that on Mac OS X you’ll need to download and install the tun/tap drivers first. After iodine is built, run it with:

sudo iodine -P password

If everything is working correctly, you’ll see something like:

Opened /dev/tun0
Opened UDP socket
Version ok, both running 0x00000402. You are user #1
Setting IP of tun0 to
Adding route to
add net gateway
Setting MTU of tun0 to 1024
Sending queries for to

Now, from your client machine you can access the server by going to (that is, the IP that the server reported), and you can access the client by going to (that is, the IP that the client reported).

It’s possible to use the route command to set it up so all traffic goes through the gateway, but I didn’t do that; instead, you can SSH into it with:

ssh yourname@

or, if you have squid running on it, you can use it as a proxy by specifying port 3128 as the proxy address, or you can pipe everything through the SSH tunnel.

Note: If you use Comcast, you should be aware that Comcast is doing some filtering on packets that are going out, so DNS tunneling is so slow as almost to be useless.
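
Because the NS record delegates every name under the tunnel subdomain to iodined, the tunnel shows up in resolver logs as a stream of unique, long, random-looking names under one zone. The following is an added example, not part of the original post, of how a defender could flag that pattern; the log format, the thresholds, the three-label zone depth and all names and addresses are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<client> <qtype> <qname>".
# The tunnel.example.net names are made-up high-entropy labels, not real captures.
SAMPLE_LOG = """\
10.0.0.5 A www.example.org
10.0.0.5 A mail.corp.example.org
10.0.0.5 A a1.cdn.example.org
10.0.0.5 A a2.cdn.example.org
10.0.0.5 A a3.cdn.example.org
10.0.0.7 A www.example.org
10.0.0.7 NULL mzxw6ytboi2gk3tfon2gs3thebrgc4tfmvxgi2lo.tunnel.example.net
10.0.0.7 NULL nbswy3dpeb3w64tmmqqho2lunbqxiidjomqgc3tf.tunnel.example.net
10.0.0.7 NULL orugs4zanfzsa5dimuqhgzldn5xgiidqmf4wy33b.tunnel.example.net
10.0.0.7 NULL mfxgiidbebtg65lsoruca3tjmvzsa5dpebtwk5ba.tunnel.example.net
"""

def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def find_tunnel_candidates(log_text, zone_labels=3, min_unique=4,
                           min_len=30, min_entropy=3.5):
    """Return {(client, zone): stats} for zones whose subdomain labels look like encoded data."""
    payloads = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _qtype, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) <= zone_labels:
            continue  # nothing to the left of the assumed zone
        zone = ".".join(labels[-zone_labels:])
        payloads[(client, zone)].add("".join(labels[:-zone_labels]))
    flagged = {}
    for key, names in payloads.items():
        mean_len = sum(map(len, names)) / len(names)
        mean_ent = sum(map(shannon_entropy, names)) / len(names)
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[key] = {"unique": len(names), "mean_len": mean_len,
                            "mean_entropy": round(mean_ent, 2)}
    return flagged

if __name__ == "__main__":
    for (client, zone), stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(client, zone, stats)
```

On real logs the unique-name threshold should be far higher than the 4 used for this small sample, and known content-delivery zones will need an allow list.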


Comments are moderated whenever I remember that I have a blog.

Christoffer Sawicki | April 30, 2008
Instead of setting up Squid on the server one can use the built-in SOCKS proxy functionality in OpenSSH. (See the -D option for ssh.)
krzee | May 10, 2008
I automated running the client side and changing the routes. Once you have NAT set up on the server side you can just use my script at: It will set up and tear down the routes that must be changed.
Edvin | June 08, 2009
Does anyone supply prebuilt binaries for Mac OS X? Not everyone has make/gcc installed/available :)
SomniusX | September 07, 2010
Greetz Tim.. I've been trying for about a week now to build for the darwin arch to use the client or daemon on iDevices, like iPhone/iPodT/iPad. I've experimented with the toolchain on so I can build with llvm for arm, even tried on the iPhone itself (libc6 etc. all ported by Saurik), but with no luck and I'm getting frustrated.. Have you, or someone you have been in contact with, had any luck building iodine (if I'm asking too much for v6 maybe v5) for iDevices? If so, can you share some info and maybe a binary to test it, or maybe someone I can contact? I've created a Google Code project for it, iodine-idevice, to gather up info and sources.. anyways, if you can help in any way, I'd be very grateful cause I'm stuck.. :-/ p.s. keep up the good work!
madamdadam | March 07, 2011
I'm a little bit confused about having control over the DNS records; what does it mean? Where can I edit and set up the following: tunnelhost IN A tunnel IN NS? Thanks
Bob | April 27, 2011
I have posted a Windows guide about using Iodine: