iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.
iodine [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] [-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] [-z context] [-F pidfile] [nameserver] topdomain
-T force dns type: NULL, TXT, SRV, MX, CNAME, A (default: autodetect) -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u, Base128, or (only for TXT:) Raw (default: autodetect) -I max interval between requests (default 4 sec) to prevent DNS timeouts -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1) -m max size of downstream fragments (default: autodetect) -M max size of upstream hostnames (~100-255, default: 255) -r to skip raw UDP mode attempt -P password used for authentication (max 32 chars will be used) Other options: -v to print version info and exit -h to print this help and exit -f to keep running in foreground -u name to drop privileges and run as user 'name' -t dir to chroot to directory dir -d device to set tunnel device name -z context, to apply specified SELinux context after initialization -F pidfile to write pid to a file
Here’s a nice method to bypass any annoying wifi gateways, such as the ones you find at hotels and airports. A prerequisite is that the gateway allows DNS requests to be made.
Once we have that in the clear, we’ll need root access to a server with full access to its DNS records. We’ll be using iodine and iodined on both sides of the tunnel.
First of all, we’ll need to create the proper DNS records – we’re going to need two of those, one would be a NS record for the DNS lookup, the second is an A record to the server itself.
I’m using Amazon’s Route53 service with the most excellent boto command line tools, so I would do this:
$ route53 add_record ZXXXXXXXXXXXXX iodine.domain.com. NS tunnel.domain.com. 259200 some_comment $ route53 add_record ZXXXXXXXXXXXXX tunnel.domain.com. A 18.104.22.168 900 some_comment
It obviously doesn’t matter what tools you use, you just want these two DNS records:
iodine IN NS tunnel.mydomain.com. tunnel IN A 22.214.171.124
So now we have the DNS records set up.
You can run
iodine from the command line in foreground mode:
iodine -f -P yourpassword 192.168.99.1 iodine.mydomain.com
The arguments you’re going to need are a password of your choice, an internal IP that is not in use, and the tunnel domain to listen to. Last thing, you’re going to want to make sure your firewall is open inbound to UDP requests on port 53.
Once you have that you can go on to http://code.kryo.se/iodine/check-it and test your setup with the
iodine.mydomain.com domain. If all is good you can continue to install the client.
Last step, installing the client. I’m on a Mac with homebrew installed, so again installing it is kind of a breeze:
sudo brew install iodine
Once that’s installed, launch the client:
sudo iodine -P yourpassword iodine.mydomain.com