Iodine – tunneling IP over DNS

&quot;The name iodine was chosen since it starts with IOD (IP Over DNS) and since iodine has atomic number 53, which happens to be the DNS port number.&quot;<p>Cool.

I like using dns2tcp, it&#x27;s a lot easier to set up as it works on the transport layer (TCP), not the network layer (IP), and it seems a bit more reliable in my experience.<p><a href="http://blog.rootshell.be/2007/03/22/dns2tcp-how-to-bypass-firewalls-or-captive-portals/" rel="nofollow">http:&#x2F;&#x2F;blog.rootshell.be&#x2F;2007&#x2F;03&#x2F;22&#x2F;dns2tcp-how-to-bypass-fi...</a><p><a href="http://www.hsc.fr/ressources/outils/dns2tcp/download/README" rel="nofollow">http:&#x2F;&#x2F;www.hsc.fr&#x2F;ressources&#x2F;outils&#x2F;dns2tcp&#x2F;download&#x2F;README</a><p><a href="http://www.hsc.fr/ressources/outils/dns2tcp/download/" rel="nofollow">http:&#x2F;&#x2F;www.hsc.fr&#x2F;ressources&#x2F;outils&#x2F;dns2tcp&#x2F;download&#x2F;</a>

I&#x27;ve had some good experience with iodine in the past, it&#x27;s been useful at airports and on trains to bypass captive portals.<p>It&#x27;s extremely variable in performance, and can sometimes require a bit of tuning on the client side to work reliably; however, for the most part the auto-detection works well, and will upgrade to raw UDP on port 53 if it is possible.

An HN user is trying to tunnel IP over Facebook Chat, which is free (as in beer) to access on some mobile plans: <a href="https://news.ycombinator.com/item?id=7256477" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=7256477</a>

You can usw iodine to ger free internet access when your 4G mobile plan runs out of GBs and your ISP blocks you.<p>Example from sweden, I got around 200kbit after my 4G was supposed to block further internet due to unpaid bill. Hehe.

Plug for my dns tunnel not nearly complete as iodine, but it works and is very easy to setup.<p><a href="https://github.com/callesg/dns-tunnler" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;callesg&#x2F;dns-tunnler</a>

How do these avoid captive portals? I thought the thing about captive portals was that they intercepted DNS queries: that&#x27;s what caused you to get the portal when you typed in &quot;google.com&quot;. (i.e., it resolves all DNS entries to the portal&#x27;s IP until you authenticate) Is this not correct? (I can receive arbitrary DNS, not just send?)

I have been running OpenVPN on UDP&#x2F;53 for a few years now. I figure that any network operator sophisticated enough to do deep packet inspection to detect real DNS traffic is also sophisticated enough to block outbound UDP&#x2F;53 traffic.

IP over DNS, TCP over DNS, IP over ICMP... surely somebody is running a service with all of these for maximum captive portal avoidance?

Iodine is pretty cool, but do keep in mind that even though this repo looks new and novel, the project has been around since 2006.

There&#x27;s a network-manager plugin too: <a href="https://honk.sigxcpu.org/piki/projects/network-manager-iodine/" rel="nofollow">https:&#x2F;&#x2F;honk.sigxcpu.org&#x2F;piki&#x2F;projects&#x2F;network-manager-iodin...</a>

Also tangential to it: IP-over-ICMP <a href="http://thomer.com/icmptx/" rel="nofollow">http:&#x2F;&#x2F;thomer.com&#x2F;icmptx&#x2F;</a> though never got to play with it.<p>Iodine is cool. If you plan on using it soon remember to set up your DNS records beforehand cause it might take a bit to propagate. I literally spent a whole airplane flight sending DNS requests to see if it propagated yet.

This project reminds me of ptunnel <a href="http://www.cs.uit.no/~daniels/PingTunnel/" rel="nofollow">http:&#x2F;&#x2F;www.cs.uit.no&#x2F;~daniels&#x2F;PingTunnel&#x2F;</a><p>I&#x27;ve used it to get free internet at universities and hotels, slow but gets the job done. ICMP usually isn&#x27;t filtered by those kinds of firewalls and I&#x27;ve yet to find a place that blocked it.

This is another intriguing example of a covert communication channel [1] [2].<p>[1] <a href="http://en.wikipedia.org/wiki/Covert_channel" rel="nofollow">http:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Covert_channel</a><p>[2] File Transfer OverDNS - <a href="https://news.ycombinator.com/item?id=7370917" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=7370917</a>

Nice project. I&#x27;ve been curious about internet (TCP, IP, whatever) over DNS for a while, but it always seems like a lot of work. Is there an X-over-DNS that&#x27;s trivial to set up for Mac and phones? I&#x27;m aware that iodine works for those, it just looks .. complex.

What&#x27;s the legal side of this?<p>I can imagine tunnelling your traffic through DNS to avoid a captive portal (i.e. actually paying for it) counts as circumventing a security measure, which is illegal in a lot of places including the country where I live in.