dns2tcp: How to bypass firewalls or captive portals?

Imagine, you are in your hotel room in a foreign country, your laptop detects a wireless access. You open your browser and get a nice login screen asking you a credit card number (a captive portal). What’s next? Make your choice: fill the form with the magic numbers or try to bypass this security mechanism.

This tutorial is provided “as is” for who are interested in encapsulating TCP into DNS traffic. I could not be held responsible for any misusage of this tutorial!

Classic wireless hot spots commonly allow two protocols: ICMP and DNS (UDP/53). ICMP (Internet Control Message Protocol) is used to report errors and warning to the client and DNS is mandatory to resolve hostnames. While ICMP can also be used as a transport protocol (see PTunnel), firewalls may block unusual ICMP packets (ex: suspicious big packets). On the other side, there are often less restriction regarding DNS traffic.

In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.

Required components

• An official registered domain name. Example: mydomain.net
• A server with a public IP address not running any DNS service. The server must run UNIX[1]. Example: my.public.server.isp.com

[1] I successfully tested dns2tcp on Linux and OpenBSD.

Domain name zone configuration

Choose a subdomain name for your domain. In this example, we will use a subdomain dnstunnel.mydomain.net. Add the following line in your zone file:

dnstunnel    IN     NS your.public.server.isp.com.

Don’t forget to increase the serial and to reload the zone. If you don’t manage the zone yourself, ask you ISP or hoster to do this for you.

Server configuration

(these operations are performed on your public server)
Download the tarball and compile the binaries:

# cd /tmp
# tar xzvf dns2tcp-0.3.tar.gz
# cd dns2tcp-0.3
# configure
# make install

This will create two binaries (dns2tcpd and dns2tcpc) and their respective manpages. Now, we will create a configuration file /etc/dns2tcpd.conf:

# cat >/etc/dns2tcpd.conf <<EOF
listen = w.x.y.z
port = 53
user=nobody
chroot = /var/empty/dns2tcp/
domain = dnstunnel.mydomain.net
ressources = ssh:127.0.0.1:22
EOF
#

Be sure to replace the domain and the IP address with your own values! The port must be 53!
Now, start the daemon:

# ./dns2tcpd -F -d 1 -c dns2tcpd.conf

“-F” means to run in foreground and “-d 1” enables debugging.

Client configuration

Perform the same operations as on the server side. (configure && make install). Then create the client configuration file/etc/dns2tcpc.conf:

# cat >/etc/dns2tcpc.conf <<EOF
domain = dnstunnel.mydomain.net
ressource = ssh
local_port = 2222
debug_level=1
EOF
#

Be sure to replace the domain and the IP address with your own values! The local port must be free and above 1024 to be binded by a non-root user!
Now, check if we can communicate with the server:

# ./dns2tcpc -z dnstunnel.mydomain.net <dns_server>
Available connection(s) :
	        ssh

The dns_server can be your public server or, if you are forced, the local DNS.

Start a SSH session

Now, we are ready to start a tunnel with encapsulated SSH packet:

# ./dns2tcpd -c -f dns2tcpc.conf
listening on port 2222
...

Now, start your SSH session:

# ssh -p 2222 user@127.0.0.1
...

Here we go! You’ve a session on your public server!
If you start your SSH as a socks proxy with the “-D” and configure your browser to surf thru this tunnel.
You can create as mush resources as you want on the server but packets send thru the DNS tunnel are not encrypted so SSH is recommanded as the best solution.
Enjoy!