iodine lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.



iodine [-v] [-h] [-f] [-r] [-u user] [-t chrootdir] [-d device] [-P password] [-m maxfragsize] [-M maxlen] [-T type] [-O enc] [-L 0|1] [-I sec] [-z context] [-F pidfile] [nameserver] topdomain


  -T force dns type: NULL, TXT, SRV, MX, CNAME, A (default: autodetect)
  -O force downstream encoding for -T other than NULL: Base32, Base64, Base64u,
     Base128, or (only for TXT:) Raw  (default: autodetect)
  -I max interval between requests (default 4 sec) to prevent DNS timeouts
  -L 1: use lazy mode for low-latency (default). 0: don't (implies -I1)
  -m max size of downstream fragments (default: autodetect)
  -M max size of upstream hostnames (~100-255, default: 255)
  -r to skip raw UDP mode attempt
  -P password used for authentication (max 32 chars will be used)
Other options:
  -v to print version info and exit
  -h to print this help and exit
  -f to keep running in foreground
  -u name to drop privileges and run as user 'name'
  -t dir to chroot to directory dir
  -d device to set tunnel device name
  -z context, to apply specified SELinux context after initialization
  -F pidfile to write pid to a file


Setting Up an Iodine IP-over-DNS Proxy

Here’s a nice method to bypass any annoying wifi gateways, such as the ones you find at hotels and airports. A prerequisite is that the gateway allows DNS requests to be made.

Once we have that in the clear, we’ll need root access to a server with full access to its DNS records. We’ll be using iodine and iodined on both sides of the tunnel.

First of all, we’ll need to create the proper DNS records – we’re going to need two of those, one would be a NS record for the DNS lookup, the second is an A record to the server itself.

I’m using Amazon’s Route53 service with the most excellent boto command line tools, so I would do this:

$ route53 add_record ZXXXXXXXXXXXXX NS 259200 some_comment
$ route53 add_record ZXXXXXXXXXXXXX A 900 some_comment

It obviously doesn’t matter what tools you use, you just want these two DNS records:

iodine      IN  NS
tunnel      IN  A

So now we have the DNS records set up.

You can  run iodine from the command line in foreground mode:

iodine -f -P yourpassword

The arguments you’re going to need are a password of your choice, an internal IP that is not in use, and the tunnel domain to listen to. Last thing, you’re going to want to make sure your firewall is open inbound to UDP requests on port 53.

Once you have that you can go on to and test your setup with the domain. If all is good you can continue to install the client.

Last step, installing the client. I’m on a Mac with homebrew installed, so again installing it is kind of a breeze:

sudo brew install iodine

Once that’s installed, launch the client:

sudo iodine -P yourpassword

and if all is well you have just set up a fancy IP-over-DNS tunnel! For final testing try to ping your server via the IP you gave it: Once you have the tunnel you can start routing traffic through it. For this you’ll probably want to establish a secure connection, preferably via SSH. Remember that all DNS requests are non-secure and very easy to sniff over the network.


Leave a reply


We're are building as a community and a team. Be a part of it.


©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?