Imagine, you are in your hotel room in a foreign country, your laptop detects a wireless access. You open your browser and get a nice login screen asking you a credit card number (a captive portal). What’s next? Make your choice: fill the form with the magic numbers or try to bypass this security mechanism.
This tutorial is provided “as is” for who are interested in encapsulating TCP into DNS traffic. I could not be held responsible for any misusage of this tutorial!
Classic wireless hot spots commonly allow two protocols: ICMP and DNS (UDP/53). ICMP (Internet Control Message Protocol) is used to report errors and warning to the client and DNS is mandatory to resolve hostnames. While ICMP can also be used as a transport protocol (see PTunnel), firewalls may block unusual ICMP packets (ex: suspicious big packets). On the other side, there are often less restriction regarding DNS traffic.
In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.
- An official registered domain name. Example: mydomain.net
- A server with a public IP address not running any DNS service. The server must run UNIX. Example: my.public.server.isp.com
 I successfully tested dns2tcp on Linux and OpenBSD.
Domain name zone configuration
Choose a subdomain name for your domain. In this example, we will use a subdomain dnstunnel.mydomain.net. Add the following line in your zone file:
dnstunnel IN NS your.public.server.isp.com.
Don’t forget to increase the serial and to reload the zone. If you don’t manage the zone yourself, ask you ISP or hoster to do this for you.
(these operations are performed on your public server)
Download the tarball and compile the binaries:
# cd /tmp # tar xzvf dns2tcp-0.3.tar.gz # cd dns2tcp-0.3 # configure # make install
This will create two binaries (dns2tcpd and dns2tcpc) and their respective manpages. Now, we will create a configuration file /etc/dns2tcpd.conf:
# cat >/etc/dns2tcpd.conf <<EOF listen = w.x.y.z port = 53 user=nobody chroot = /var/empty/dns2tcp/ domain = dnstunnel.mydomain.net ressources = ssh:127.0.0.1:22 EOF #
Be sure to replace the domain and the IP address with your own values! The port must be 53!
Now, start the daemon:
# ./dns2tcpd -F -d 1 -c dns2tcpd.conf
“-F” means to run in foreground and “-d 1” enables debugging.
Perform the same operations as on the server side. (configure && make install). Then create the client configuration file/etc/dns2tcpc.conf:
# cat >/etc/dns2tcpc.conf <<EOF domain = dnstunnel.mydomain.net ressource = ssh local_port = 2222 debug_level=1 EOF #
Be sure to replace the domain and the IP address with your own values! The local port must be free and above 1024 to be binded by a non-root user!
Now, check if we can communicate with the server:
# ./dns2tcpc -z dnstunnel.mydomain.net <dns_server> Available connection(s) : ssh
The dns_server can be your public server or, if you are forced, the local DNS.
Start a SSH session
Now, we are ready to start a tunnel with encapsulated SSH packet:
# ./dns2tcpd -c -f dns2tcpc.conf listening on port 2222 ...
Now, start your SSH session:
# ssh -p 2222 firstname.lastname@example.org ...
Here we go! You’ve a session on your public server!
If you start your SSH as a socks proxy with the “-D” and configure your browser to surf thru this tunnel.
You can create as mush resources as you want on the server but packets send thru the DNS tunnel are not encrypted so SSH is recommanded as the best solution.
“I could not be held responsible for any misusage of this tutorial”
I suggest that should be “misuse of this tutorial”.
ssh: connect to host 127.0.0.1 port 2222: Connection refused
what is the problem with mine
There exists a Wintel client of dns2tcp. Have a look here: http://azertyfab.free.fr/dns2tcp/
Hey man can you tell me a way to do this on windows 7. Please i have a captive portal but have to pay darn 400 bugs for a month. Please help.
Here is the windows 32 bits binary dns2tcp client : http://azertyfab.free.fr/dns2tcp/
You’re right! Fixed.
Thanks for the feedback.
there is an error i think in this line :
# ./dns2tcpcd -F -d 1 -c dns2tcpd.conf
it should be dns2tcpd and not dsn2tcpcd
Indeed! Thanks for the report.
In the link to the tarball there is a quote (“) at the end. By chance Apache handles it.