Brool brool (n.) : a low roar; a deep murmur or humming

DNS Tunneling (on Mac OS X)

| coding

The instructions were spread about and a bit unclear in some circumstances… so a simple step by step guide to using DNS tunneling under Mac OS X:

What You Need

Setting Up The Server

If you’re using Red Hat/Centos, the iodine stuff is already in the Dag repositories, and it can be installed with “sudo yum install iodine”. Otherwise, you’ll have to pull a source package of iodine down and build it with the typical “make; make install”.

Now you need to set up the DNS. You’ll need to add two records to your DNS entry:

tunnelhost    IN    A    your.ip.goes.here
tunnel        IN    NS   tunnelhost.yourdomain.com.

Finally, run it on the server with:

sudo iodined -P yourpassword 10.0.0.1 tunnel.yourdomain.com

The 10.0.0.1 should be any used IP range that is available (192.168.* is also a good pick). This IP will be the IP that the client uses to talk to the server.

Setting Up The Client

Install iodine. Note that on Mac OS X you’ll need to download and install the tun/tap drivers first. After iodine is built, run it with:

sudo iodine -P password tunnel.yourdomain.com

If everything is working correctly, you’ll see something like:

Opened /dev/tun0
Opened UDP socket
Version ok, both running 0x00000402. You are user #1
Setting IP of tun0 to 10.0.0.3
Adding route 10.0.0.3/24 to 10.0.0.3
add net 10.0.0.3: gateway 10.0.0.3
Setting MTU of tun0 to 1024
Sending queries for tunnel.brool.com to 68.87.76.178

Now, from your client machine you can access the server by going to 10.0.0.1 (that is, the IP that the server reported), and you can access the client by going to 10.0.0.3 (that is, the IP that the client reported).

It’s possible to use the route command to set it up so all traffic goes through the gateway, but I didn’t do that; instead, you can SSH into it with:

ssh yourname@10.0.0.1

or, if you have squid running on it, you can use it as a proxy by specifying 10.0.0.1 port 3128 as the proxy address, or you can pipe everything through the SSH tunnel.

Note: If you use Comcast, you should be aware that Comcast is doing some filtering on packets that are going out, so DNS tunneling is so slow as almost to be useless.

Discussion

Comments are moderated whenever I remember that I have a blog.

Christoffer Sawicki | April 30, 2008
Instead of setting up Squid on the server one can use the built-in SOCKS proxy functionality in OpenSSH. (See the -D option for ssh.)
Reply
krzee | May 10, 2008
I automated running the client side and changing the routes. Once you have NAT setup on the server side you can just use my script at: http://dev.kryo.se/iodine/wiki/TipsAndTricks It will setup and tear-down the routes that must be changed.
Reply
Edvin | June 08, 2009
Does anyone supply prebuilt binaries for mac os x? Not everyone have make/gcc installed/available :)
Reply
SomniusX | September 07, 2010
Greetz Tim.. I'm trying about a week now to build for the darwin arch to use the client or daemon on iDevices, like iPhone/iPodT/iPad. I've experimented with the toolchain on so i can build with llvm for arm even tried on the iphone it self (libc6 etc. all ported by Saurik), but with no luck and i'm getting frustrated.. Have you, or someone you have been in contact, had any luck on building iodine (if i'm asking too much for v6 maybe v5) for iDevices? If there are some can you share some info and maybe a binary to test it, or maybe someone i can contact with. I've created a google code project for it iodine-idevice http://iodine-idevice.googlecode.com/ to gather up info and sources.. anyways, if you can help in any way, i'd be very grateful cause i'm stuck.. :-/ p.s. keep up the good work!
Reply
madamdadam | March 07, 2011
i'am a little bit confuse about having control over the DNS records, what does it mean? where can i edit and setup the following : tunnelhost IN A your.ip.goes.here tunnel IN NS tunnelhost.yourdomain.com. thanks
Reply
Bob | April 27, 2011
I have posted a Windows guide of about using Iodine: http://www.putdispenserhere.com/2011/bypassing-captive-portalsairport-pay-restrictions-with-iodine-on-a-debian-vps-guide/
Reply
Add a comment