Principle and Practice of DNS tunnel

What is DNS tunnel?

DNS tunnel is the DNS tunnel. The DNS query process is used to establish a tunnel and transmit data.

Why use DNS tunnel?

When you are in a hotel, airport or other public place, there is usually a Wi-Fi signal, but when you visit a website, such as _______ (this technology is generally transparent http proxy, not covered in this article, ). In this case, you cannot access the Internet without an account. But sometimes you will find that the obtained DNS address is valid and can be used for DNS queries. Then you can use the DNS tunnel technology to achieve free Internet access!

DNS tunnel Principle

First, you need to know how the DNS system works. For details, refer to []. When you perform a DNS query, if the queried domain name does not exist in the cache of the local DNS server, it will go to the Internet for query and finally return the result to you. If you have a custom server on the Internet. As long as you rely on this layer of DNS conventions, you can switch data packets. From the DNS protocol, you query a specific domain name and obtain the resolution result again and again. But in fact, you are communicating with the outside. You are not directly connected to a machine outside the LAN, because the gateway will not forward your IP packets. However, the DNS server on the LAN helps you transfer data. This is the DNS Tunnel.

 

This section briefly introduces the principle of DNS tunnel. After you connect to wifi, you can use the DNS server to send data to port 53 of the server and request a domain name, such as B .xxx.org. This DNS server does not have B .xxx.org, so it will request to the root, that is, the root domain name server. As soon as the root user sees it as the. org domain name, it will be handed over to the. org domain name server for resolution .. If the Domain Name Server of org is .xxx.org, you will go to the Domain Name Server of .xxxi.org (f1g1ns1.dnspod.net) to check whether this record exists .. The Domain Name Server of xxx.org is B .xxx.org. If it has this A record, it will return the address of B .xxx.org.

However, if not, you can set an NS recorder on the guanwei.org Domain Name Server, for example, xxx.org NS 111.222.333.444 (generally, it is not recommended to set it as an address here, you can first add A record on the DNS server, such as ns.xxx.org 111.222.333.444, and then add the NS record: guanwei.org NS ns.xxx.org). Here, you can specify an internet server, that is, A green server, this server runs the DNS tunnel server and is a fake DNS server. It will not return the B .xxx.org address, but it will forward your request to the configured port, for example, port 22 of SSH and data returned from port 22 will be forwarded to port 53 and returned to the client (that is, your computer ). Now, you can use the resources of this public network server. If it is an http or sock proxy, you can use this proxy to access the Internet for free.

Tools for implementing DNS tunnel

There are many tools for implementing DNS tunnel, such as ozymanns, tcp-over-dns, heyoka, iodine, and dns2tcp. Because BT4 and 5 systems provide dns2tcp tools. This section only describes how to use dns2tcp.

DNS2TCP DNS tunnel Experiment

Environment preparation

For a public domain name that has been applied for, here I use the domain name of this blog xxx.org. Specify a DNS server for this domain name (which can be seen on the domain name Management Console). The server in this environment is DNSpod: f1g1ns1.dnspod.net. An Internet server (running the BT4 system, mainly using the dns2tcpd V4 program ). Here, we use a PC in the LAN to map the UDP port 53 on the firewall. The public IP address is a client named 111.222.333.444 (running the BT4 system, mainly using the dns2tcpc V4 program ). Simulate the environment at the airport, connect to the LAN (not in the same LAN as the above server, but another LAN connected to the public network), and obtain the DNS server, such as 202.96.64.68 of Liaoning Netcom, you can also use it to perform DNS queries (the test method is nslookup 202.96.64.68. Replace the Domain Name Server with the actual one ).

Preliminary Configuration

The client can use the Domain Name server to query the domain name. The domain name is set to dnstunnel.xxx.org (this domain name cannot have any records on the dnspod Domain Name server, because this record is responded by the server)

Create two DNS records on the Domain Name Server of xxx.org

Ns.xxx.org A 111.222.333.444, so you need to add this record)

Xxx.org NS ns.xxx.org (an NS record is created here. This means that if the DNS server does not have a domain name (dnstunnel.xxx.org) queried by the client, go to ns.xxx.org (111.222.333.444)

Enable the SSH service on the server. For testing. If a DNS tunnel is created, the client can connect to the server using SSH.

Detailed configuration method

Server:

Edit the/etc/dns2tcpd. conf file with the following content:

Listen = 192.168.10.88 (IP address of the Linux Server)
Port = 53
User = nobody
Chroot =/var/empty/dns2tcp/
Domain = dnstunnel.xxx.org (forward requests for this domain name and encapsulate the returned data packets)
Resources = ssh: 127.0.0.1: 22 (the service that can be provided for the client or http: 127.0.0.1: 3128. If the server has enabled the http Proxy Service)

Then run the dns2tcpd server program: #./dns2tcpd-F-d 1-f/etc/dns2tcpd. conf

========================================================== ==========

Client: #./dns2tcpc-z dnstunnel.xxx.org ns.xxx.org

If ns.xxx.org takes effect, you can connect to the server. The following message is displayed:

Available connection (s ):
Ssh

However, if ns.xxx.org does not take effect, the system prompts no response from dnsserver. In this case, you can first use: #./dns2tcpc -zdnstunnel.xxx.org 202.96.64.68

If the connection to the server is successful, the dnstunnel can be successfully established. If not, test whether the obtained dns server address is available and whether the ns record of xxx.org takes effect. Test method: Map 111.222.333.444 to another real dns server and add A record, for example, test.xxx.org A 192.168.10.254. Use nslookup test.xxx.org 202.96.64.68 to check whether the resolution is successful. If it cannot be resolved, check the configuration of dnspod and the effectiveness of dns records.

After successfully connecting to the server, use #./dns2tcpc-r ssh-l 4430-z dnstunnel.xxx.org 202.96.64.68 to listen to a port locally, similar to a bounce Trojan. Use ssh 127.0.0.1-p 4430 to successfully connect to port 22 of the server. If the server provides the http proxy service, you can set the http Proxy server to access the Internet for free.