Recently I met a domestic expert who mentioned a technique called DNS tunneling. After some study I found it very interesting, so I am recording it here.
What is a DNS tunnel?
A DNS tunnel is, as the name says, a tunnel built over DNS: the DNS query process is used to establish a tunnel and transfer data through it.
Why use a DNS tunnel?
When you are in a hotel, an airport or another public place there is usually a WiFi signal, but when you visit a website such as www.guanwei.org a page may pop up asking you to enter a user name and password, and you can only continue to the Internet after logging in (this is generally done with a transparent HTTP proxy, which is outside the scope of this article and may be covered later). If you have no account, you cannot get onto the Internet. Sometimes, however, you will find that the DNS server address you were given is valid and can be used for DNS queries; in that case DNS tunnel technology can be used to get free Internet access.
The principle of the DNS tunnel
First, understand how the DNS system works; see [DNS System (server) Working Principle and Attack Protection Methodology]. When you perform a DNS query, if the domain name is not in the DNS server's cache, the server queries the Internet for it and finally returns the result to you. If you have a server of your own on the Internet, then as long as you stay within this layer of DNS conventions, you can exchange packets with it. At the DNS protocol level you are simply querying a particular domain name over and over and getting resolution results back; in fact, you are communicating with the outside world. You cannot connect directly to the machine outside the LAN, because the gateway will not forward your IP packets out, but the DNS server on the LAN relays them for you. That is the DNS tunnel.
The diagram above briefly illustrates the principle. After connecting to the WiFi, you can send data to port 53 of the DNS server you were given, requesting a domain name such as b.guanwei.org. This DNS server has no record for b.guanwei.org, so it asks the root domain servers whether they know it. The root sees that this is a .org domain name and hands it to the .org DNS servers for resolution. The .org name server sees that it is under guanwei.org and refers the query to guanwei.org's name server (f1g1ns1.dnspod.net) to check whether it has the record. If guanwei.org's name server has an A record for b.guanwei.org, it returns b.guanwei.org's address.
If it does not, you can instead set an NS record on the guanwei.org domain name server, such as: guanwei.org NS 111.222.333.444 (an NS record normally cannot point at an IP address, so what you actually do is first add an A record on the DNS server, such as ns.guanwei.org A 111.222.333.444, and then add the NS record guanwei.org NS ns.guanwei.org). This designates a public-network server, the green server in the diagram, on which the DNS tunnel server side runs. That server is a fake DNS server: it does not return an address for b.guanwei.org, but forwards your request to a preconfigured port, such as SSH port 22, and the data returned by port 22 is forwarded back out through port 53 to the client (that is, your computer). At this point you can use the public-network server's resources; if it runs an HTTP or SOCKS proxy, you can use that proxy for free Internet access.
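To make the delegation walk concrete, here is a small model of it, written for this page and not taken from the post or from dns2tcp. It runs a resolver over constructed zone data: guanwei.org, f1g1ns1.dnspod.net, ns.guanwei.org, dnstunnel.guanwei.org and the post's own placeholder 111.222.333.444 come from the text; root.example, org-tld.example and the 192.0.2.x / 203.0.113.x addresses are placeholders invented here, and caching and real glue handling are left out. It also shows why the A record for ns.guanwei.org matters: without it the referral cannot be followed.

```python
# Added example (not from the original post): a toy model of the delegation
# chain described above, run over constructed zone data. Only guanwei.org,
# f1g1ns1.dnspod.net, ns.guanwei.org, dnstunnel.guanwei.org and the post's own
# placeholder 111.222.333.444 (not a valid IPv4 address) come from the post;
# root.example, org-tld.example and the 192.0.2.x / 203.0.113.x addresses are
# placeholders invented here. Caching and the real glue mechanism are ignored.
import copy

ROOT = "root.example"
TUNNEL_SERVER = "ns.guanwei.org"        # the fake DNS server running dns2tcpd
TUNNEL_DOMAIN = "dnstunnel.guanwei.org"

# Authoritative data per server: owner name -> list of (record type, value).
ZONES = {
    ROOT: {"org": [("NS", "org-tld.example")]},
    "org-tld.example": {"guanwei.org": [("NS", "f1g1ns1.dnspod.net")]},
    "f1g1ns1.dnspod.net": {
        "www.guanwei.org": [("A", "203.0.113.10")],       # an ordinary record
        "ns.guanwei.org": [("A", "111.222.333.444")],     # record 1 from the post
        "guanwei.org": [("NS", "ns.guanwei.org")],        # record 2 from the post
    },
    TUNNEL_SERVER: {},  # dns2tcpd holds no real zone data
}

# Addresses the resolver is assumed to know already (constructed).
GLUE = {"org-tld.example": "192.0.2.1", "f1g1ns1.dnspod.net": "192.0.2.2"}


def longest_delegation(zone, qname):
    """Return (owner, ns_name) for the longest NS record covering qname, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        for rtype, value in zone.get(owner, []):
            if rtype == "NS":
                return owner, value
    return None


def server_address(name, zones, depth):
    """Find a name server's address, resolving its A record if it is not glue."""
    if name in GLUE:
        return GLUE[name]
    answer, _ = resolve(name, zones, depth + 1)
    if answer and answer[0] == "A":
        return answer[1]
    return None


def resolve(qname, zones=ZONES, depth=0):
    """Walk from the root the way the LAN resolver does.

    Returns ((type, value) or None, list of servers queried in order).
    """
    path = [ROOT]
    server = ROOT
    if depth > 5:               # guard against delegation loops
        return None, path
    for _ in range(10):
        zone = zones.get(server, {})
        if qname in zone:       # authoritative answer
            return zone[qname][0], path
        if server == TUNNEL_SERVER and (
                qname == TUNNEL_DOMAIN or qname.endswith("." + TUNNEL_DOMAIN)):
            # dns2tcpd never returns an address for the tunnel name; the reply
            # carries data relayed from the configured resource (ssh:127.0.0.1:22).
            return ("TXT", "<data relayed from the resource behind dns2tcpd>"), path
        deleg = longest_delegation(zone, qname)
        if deleg is None:
            return None, path   # nobody claims this name
        _, ns = deleg
        if server_address(ns, zones, depth) is None:
            return None, path   # referral to a server whose address is unknown
        server = ns
        path.append(ns)
    return None, path


def zones_without(owner, server, zones=ZONES):
    """Copy of the zone data with one record removed, to show what breaks."""
    z = copy.deepcopy(zones)
    z[server].pop(owner, None)
    return z


if __name__ == "__main__":
    for name in ("www.guanwei.org", "b.dnstunnel.guanwei.org"):
        answer, path = resolve(name)
        print(name, "->", answer, "via", " -> ".join(path))
    # Without record 1 (ns.guanwei.org A ...), the referral cannot be followed.
    print(resolve("b.dnstunnel.guanwei.org",
                  zones_without("ns.guanwei.org", "f1g1ns1.dnspod.net")))
```

The path printed for b.dnstunnel.guanwei.org ends at ns.guanwei.org even though the client only ever talked to its local resolver, which is the relay effect the text describes; a defender watching the LAN resolver's outbound queries sees every one of them.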
DNS tunnel implementation tools
A number of tools implement DNS tunnels, such as OzymanDNS, tcp-over-dns, Heyoka, iodine and dns2tcp. BackTrack 4 and 5 ship with dns2tcp, and this article only describes how to use dns2tcp.
DNS tunnel experiment with dns2tcp
Environment preparation:
1. A registered public domain name; here I use this blog's domain, guanwei.org. Assign a DNS server to it (visible in the domain management control panel); here it is the Dnspod server f1g1ns1.dnspod.net.
2. A public-network server (running the BT4 system, mainly using the dns2tcpd v4 program included in it). Here a PC in the LAN is used, with a port mapping on the firewall for UDP port 53. Its public IP is 111.222.333.444.
3. A client (running the BT4 system, mainly using the dns2tcpc v4 program included in it). This simulates the airport environment: it can connect to a LAN (not the LAN the server above sits in, but another LAN connected to the public network), can obtain a DNS server such as Liaoning Netcom's 202.96.64.68, and can perform DNS queries (test method: nslookup www.guanwei.org 202.96.64.68; replace the DNS server below according to your actual situation).
Preliminary configuration
The client uses the DNS server it obtained to query the domain name, which here is dnstunnel.guanwei.org (this domain name must not have any record on the dnspod name server, because queries for it are answered by the tunnel server).
Create two DNS records on the guanwei.org domain name server:
ns.guanwei.org A 111.222.333.444 (the purpose here is to give the DNS tunnel server a domain name; in principle this could be skipped, but an NS record cannot be configured with an IP address, only with a domain name, so this record is needed)
guanwei.org NS ns.guanwei.org (this creates an NS record, meaning that if the domain name the client queries (dnstunnel.guanwei.org) does not exist on this DNS server, the query goes to ns.guanwei.org, that is 111.222.333.444)
Enable the SSH service on the server. For testing: once the DNS tunnel is established, the client should be able to connect to the server with SSH.
Detailed configuration method
Server side:
Edit the /etc/dns2tcpd.conf file as follows (dns2tcpd expects lowercase keys):
listen = 192.168.10.88 (the Linux server's IP)
port = 53
user = nobody
chroot = /var/empty/dns2tcp/
domain = dnstunnel.guanwei.org (requests for this domain name are forwarded and the replies are wrapped back into DNS answers)
resources = ssh:127.0.0.1:22 (services offered to clients; or http:127.0.0.1:3128 if an HTTP proxy is enabled on the server)
Then run the dns2tcpd server program: # ./dns2tcpd -F -d 1 -f /etc/dns2tcpd.conf
================================================
Client side: # ./dns2tcpc -z dnstunnel.guanwei.org ns.guanwei.org
If ns.guanwei.org is in effect, you can connect to the server, and it prints:
Available connection(s):
ssh
If ns.guanwei.org is not yet in effect, it prints: No response from DNS server. In that case you can first try: # ./dns2tcpc -z dnstunnel.guanwei.org 202.96.64.68
If the server connects successfully, the DNS tunnel can be established. If not, check that the DNS server address you obtained is usable and that the NS record for guanwei.org is in effect. Test method: map 111.222.333.444 to another real DNS server and add an A record on it, such as test.guanwei.org A 192.168.10.254. Then run nslookup test.guanwei.org 202.96.64.68 to see whether it resolves. If it does not, check the dnspod configuration and the validity of the DNS records.
Once the test connects to the server successfully, run # ./dns2tcpc -r ssh -l 4430 -z dnstunnel.guanwei.org 202.96.64.68. This listens on a local port, much like a reverse-connecting trojan. Using ssh 127.0.0.1 -p 4430 you can then connect to the server's port 22. If the server provides an HTTP proxy service, you can configure that HTTP proxy for free Internet access.
PS: I found that the client listening on port 4430 is actually listening on 127.0.0.1:4430, so only local access works and other machines cannot connect. If any expert has found a solution to this problem, please contact me, thank you.
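The traffic this procedure generates has a recognisable shape on the resolver side: many distinct, long, high-entropy names under one domain, carried in TXT (or KEY) queries, which is how dns2tcp moves data. The following detector, written for this page and not part of the post or of dns2tcp, runs over constructed resolver log lines in an assumed "time client qname qtype" format; the thresholds, the sample names and the naive two-label registered-domain rule are assumptions made here, and only dnstunnel.guanwei.org comes from the post.

```python
# Added example (not from the original post): a simple detector for DNS tunnel
# traffic, run over constructed resolver log lines. The log format
# ("time client qname qtype"), the thresholds and the sample names are all
# assumptions made here; only dnstunnel.guanwei.org comes from the post.
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). Lines 3-6 and 8 mimic dns2tcp-style
# queries: long random labels under the tunnel domain, TXT/KEY record types.
SAMPLE_LOG = """\
10:00:01 192.168.1.20 www.guanwei.org A
10:00:02 192.168.1.20 mail.guanwei.org MX
10:00:03 192.168.1.21 a9f3c2e1b7d4.x5k2q8w1.dnstunnel.guanwei.org TXT
10:00:03 192.168.1.21 0c7e5d21f9a8.b3m7t4z6.dnstunnel.guanwei.org TXT
10:00:04 192.168.1.21 8e1b6a4f0d2c.r9p1v5h3.dnstunnel.guanwei.org KEY
10:00:04 192.168.1.21 5d0a9e7c3b1f.j2n8l4s6.dnstunnel.guanwei.org TXT
10:00:05 192.168.1.22 www.example.com A
10:00:05 192.168.1.21 2f8c4b0e6a9d.w7q3x1c5.dnstunnel.guanwei.org TXT
"""

# Record types ordinary clients rarely need but that carry payload conveniently.
SUSPICIOUS_TYPES = {"TXT", "NULL", "KEY"}
MIN_SUBDOMAIN_LEN = 20      # assumption: normal host names are much shorter
MIN_ENTROPY = 3.5           # bits per character; encoded data scores high
MIN_FLAGGED_QUERIES = 3     # flagged queries needed before a domain is reported


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype.upper()}


def registered_domain(qname):
    """Naive registrable domain: the last two labels (no public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def score_query(rec):
    """Count the tunnel-like properties of one query (0 = nothing unusual)."""
    reg = registered_domain(rec["qname"])
    sub = rec["qname"][: -len(reg)].rstrip(".")     # everything left of the domain
    score = 0
    if len(sub) >= MIN_SUBDOMAIN_LEN:
        score += 1
    if shannon_entropy(sub.replace(".", "")) >= MIN_ENTROPY:
        score += 1
    if rec["qtype"] in SUSPICIOUS_TYPES:
        score += 1
    return score


def analyse(lines):
    """Group flagged queries by registered domain; return the domains worth a look."""
    per_domain = defaultdict(
        lambda: {"flagged_queries": 0, "names": set(), "clients": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if score_query(rec) >= 2:           # two independent signals, not one
            d = per_domain[registered_domain(rec["qname"])]
            d["flagged_queries"] += 1
            d["names"].add(rec["qname"])
            d["clients"].add(rec["client"])
    return {
        dom: {"flagged_queries": d["flagged_queries"],
              "unique_names": len(d["names"]),
              "clients": sorted(d["clients"])}
        for dom, d in per_domain.items()
        if d["flagged_queries"] >= MIN_FLAGGED_QUERIES
    }


if __name__ == "__main__":
    for dom, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{dom}: {info['flagged_queries']} tunnel-like queries, "
              f"{info['unique_names']} distinct names, "
              f"from {', '.join(info['clients'])}")
```

On the sample log only guanwei.org is reported, with five flagged queries from one client; the ordinary www and mail lookups under the same domain score zero, which is why scoring is done per query before grouping rather than averaging over the whole domain. In a real deployment the thresholds need tuning against the site's own baseline, and a public suffix list should replace the two-label rule.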