DNS tunnelling is just another tunnelling technique. Usually, it is called VPN over DNS too, it is just naming. What it makes it very popular is that not all carriers or network administrators are aware of it or if they are, they don't know exactly how to stop it. Rogers, one of the biggest telecommunication carrier in Canada and Telcel the biggest player of mobile telephony in Mexico, both allow DNS tunnelling (I don't doubt others carriers do as well), so when you run out of data in your plan you can still connect if you configure it in your mobile. This is because smartphones need to connect to some carrier servers regardless if you have the right to 2G/3G/4G data access or not; smartphones still have access to the local DNS server. Local networks have the same symptom because DNS is used to access many IT services like the Active Directory, it is very difficult to differentiate between a true legitimate DNS query and DNS tunnelling traffic without the proper tools.
Because of this, I am going to describe how this technique works.
The DNS protocol is one of the oldest protocol on the Internet. It lacks security by design (although there are some security layers such as SecDNS and the new DNS over TLS). Its architecture of zone delegation allows forwarding DNS request to other servers.￼ The top TLD could be hosted in one server while a subdomain in another one.
Your computer has at least one DNS server configured, if you are in your home, this DNS server is usually your Internet router. The DNS server that resides inside that router (or any LAN) has a trust relationship. This means it will resolve all DNS requests. When your computer asks for google.com, your local DNS server will look for the request your computer asks for, this is commonly called a recursive DNS. Usually, You don't find recursive DNS servers on the Internet only in local networks. As this DNS server does not host google.com zone, it will look for it and it will grab the request answer for you.
Now, let's remember the types of DNS queries within the DNS Protocol. The DNS protocol has many types of DNS records, most common records are:
If you want to read a full list of DNS record types, you can consult this Wikipedia article.
If you are looking forward to building your own DNS you will need the following elements:
The software I recommend for this technique is Iodine, but there are more. I think there is an Android port for it (you will need a rooted device to use it). When you start the software, the client will request your local DNS server some records about the tunnelling zone you are using. The local DNS server (the one in the LAN or Internet router) will act as a proxy, for its eyes, it is just serving DNS requests.
The client and the DNS tunnelling server will start doing some negotiations to find what kind of DNS records are allowed and the maximum length of that record. Some carriers have IDS/IPS devices in which they block crafted DNS packets, for example, they block NULL packets or they block DNS packets longer than 512 bytes. After the handshake is done, your local computer will only do the allowed queries and the DNS tunnelling server will answer with the allowed conditions.
If you put a sniffer, you will see queries like this:
These queries are never the same, this is used to avoid any kind of DNS caching. As you guess, TXT DNS records are very common in DNS tunnelling technique. Your local computer will build a valid TCP/IP packet later with the payload.
Although DNS tunnelling is not easy to block, it has a big side effect: slowness. DNS tunnelling is slow and you will need to know that if you are planning to use it. You may mitigate this if you install a transparent proxy such as ziproxy and do an object compression before sending information through the tunnel. I will not cover how to do this in this article.
There are some VPN providers that claim to do DNS VPN without the speed penalty. Well, this is not true. DNS Tunneling works under UDP, which it has a maximum MTU of 1500, usually 512 (as some carriers or ISP'es block UDP packets longer than 512 bytes). So, fragmenting a TCP packet (longer than 1500) into many 512-byte chunks maks the speed significantly slower. On top, add that DNS is recursive, your DNS request is being processed through an unknown change of DNS servers before it arrives at you.
So, the next question would be: what are they doing? My guess is just passing UDP streams through the port 53/udp, which it is not DNS tunnelling. It is just a VPN using another port, for example, OpenVPN using 53/udp instead of the classic 1194/udp port. This approach is faster but very easy to block. You just block access to port 53/udp to any other server different than your local DNS.
Good luck with that! I can suggest the following actions:
If the server technical part is not your thing, I can offer you server rent through a monthly subscription. The following cities are available:
Good Luck!blog comments powered by Disqus