DNS Tunneling

I spent the last couple of days playing around with DNS tunneling. Yes, I know, DNS tunneling is old hat, but nevertheless it’s still the number one way to get web access when

  • on the road where only paid WLANs are available (most of them allow recursive DNS resolution)
  • at a customer’s site that only allows web access for authenticated proxy users

So last week I decided to set up a DNS tunnel I could use when I’m on the road. I chose OzymanDNS because I like the concept: you need no more than two small Perl scripts (one for the server and one for the client), and using it together with an SSH server and client gets you an authenticated SSH VPN over DNS.

You can get OzymanDNS (by Dan Kaminsky, presented among others at BlackHat Europe 2005) from here. There are a couple of pages online that show you what you need to do to get it running (e.g. here or here). You can even use it on Windows together with Putty, if you use the latest version. The required settings can be found here (the page is in German, but the screenshots are in English; Niki Hammler, the author of the article, even compiled the client Perl script to a Windows executable, which can be downloaded from here).

When I installed it on my computers, I had to overcome a couple of gotchas, which I’ll describe here. The first is an easy one: the newest version of Net::DNS::Nameserver requires you to explicitly define the local IP address to which the nameserver should bind. So all I did was scroll to the end of nomde.pl and change the Net::DNS::Nameserver->new call to

    my $ns = Net::DNS::Nameserver->new(
        LocalPort    => 53,
        ReplyHandler => \&reply_handler,
        Verbose      => 2,
        LocalAddr    => $opts{ip}    # added: bind explicitly to this local address
    ) || die "couldn't create nameserver object\n";

The LocalAddr line is the one I added.

The second gotcha was the proxy command that needs to be entered in Putty. I have no idea why, but the command that is called needs to be in a directory on the PATH (absolute paths are not possible). With ActivePerl installed this is easy anyway, as the perl executable is on the PATH. The command should look like this:

perl c:/dnstunnel/droute.pl sshdns.<dnstunnel.domain.tld>

<dnstunnel.domain.tld> is simply the domain name of your DNS server. You’ll need an IN NS record for that; EveryDNS, for example, lets you create such records for your domains (another gotcha: in EveryDNS you can only create records with IE).

Once you have all required CPAN modules installed, it should work. At least it worked for me. I got about 2.1 KB/s over the tunnel. It’s not very beautiful, because Putty crashes every couple of minutes. Thankfully the server stays alive, so you can just reconnect. Still, 2.1 KB/s is about 17 kbit/s, just over half of what you get from a 36kb modem.
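
Seen from the network that is being tunneled through, a setup like this has a recognizable shape: one client sends many distinct, long, random-looking names under a single delegated zone. The Python below is an added example (not part of the original post and not OzymanDNS code) that scores resolver query logs for that pattern; the log tuples, thresholds, function names and the example.org/example.net names are constructed assumptions, and treating the last two labels as the parent zone is a simplification.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def entropy(text):
    """Shannon entropy of a string, in bits per character."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def score_zones(queries, zone_labels=2):
    """Per (client, parent zone): unique names, mean subdomain length, entropy."""
    groups = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").lower().split(".")
        # Simplification: the last `zone_labels` labels are taken as the parent zone.
        zone, sub = ".".join(labels[-zone_labels:]), "".join(labels[:-zone_labels])
        if sub:
            groups[(client, zone)].add(sub)
    report = {}
    for key, subs in groups.items():
        joined = "".join(subs)
        report[key] = {"unique": len(subs),
                       "mean_len": len(joined) / len(subs),
                       "entropy": entropy(joined)}
    return report


def suspects(report, min_unique=5, min_len=25, min_entropy=3.5):
    """Flag groups with many distinct, long, random-looking names (assumed thresholds)."""
    return sorted(key for key, f in report.items()
                  if f["unique"] >= min_unique and f["mean_len"] >= min_len
                  and f["entropy"] >= min_entropy)


def sample_queries():
    """Constructed log entries (client IP, query name); not captured traffic."""
    queries = [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com")]
    # Many unique but short names: typical of a CDN, should not be flagged.
    queries += [("10.0.0.5", f"img{i}.cdn.example.net") for i in range(8)]
    # Stand-ins for encoded payload labels under one delegated zone.
    for i in range(8):
        blob = base64.b32encode(hashlib.sha256(bytes([i])).digest()[:20])
        queries.append(("10.0.0.9", f"{blob.decode().lower()}.sshdns.tunnel.example.org"))
    return queries


if __name__ == "__main__":
    for key in suspects(score_zones(sample_queries())):
        print("possible DNS tunnel:", key)
```

Requiring all three features together is what keeps the CDN-style names in the sample from being flagged: they are numerous but short.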

In my next postings, I’ll try to improve performance and stability of OzymanDNS a little bit. More will be posted next week.

Picture of (improperly) fast tunnel by Éole


4 Responses to “DNS Tunneling”

  1. Jason Rakowski Says:

    I found your site on technorati and read a few of your other posts. Keep up the good work. I just added your RSS feed to my Google News Reader. Looking forward to reading more from you.

    Jason Rakowski

  2. cyberphob1a Says:

    Thanks for your nice words. I only started blogging very recently and think it’s surprisingly funny and interesting. It’s good to know that people are actually reading what I write, even though I do it more for myself than anyone else 🙂

  3. Speeding up DNS Tunneling « Cyberphobia Says:

    […] Cyberphobia Reasons to Fear the Matrix « DNS Tunneling […]

  4. John Says:

    Can you zip up all the server files you used? Also, since you have used PuTTY for the client side, can you break down the connection line we see in the German picture?

    “droute.exe -r 123.123.123.123 sshdns.domain.here”

    I am not sure where I should put my SSH info as it is running on another box. When I connect with some basic settings I am never prompted for a password and the server makes a new connection every half a second. I don’t think that is normal.
