What is Iodine?
Basically it’s a server that allows you to tunnel traffic through DNS
Why would I want this?
There are multiple uses for this, the ones that come to mind are:
- – Get free internet from paid wifi hotspots
- – Access internet on mobile that has no data
- – Exfiltrate data from behind a SOC, firewall or IDS
This took me a while to figure out, although there are guides available they all seem to miss bits of information and need piecing together. Hopefully this will make things easier.
Things you will need:
- – New Debian server (this guide is written from base debian with nothing installed)
- – Domain name with access to change records
For this guide we have the domain “domain.tld” and the server has an external IP of “188.8.131.52”.
First things first lets configure the DNS. You will need to create 2 records, one “A” record and one “NS” record (note the . after the tld – I recommend namecheap for this and have heard you can’t add the period with godaddy). Create them as follows:
dns IN A 184.108.40.206 tunnel IN NS dns.domain.tld.
Now wait for the domain to propagate. Once it has connect to the server install iodine, screen and start iodine in a screen session:
apt-get install iodine screen screen -S iodine iodined -fP Password 10.0.0.1 tunnel.domain.tld
To exit the screen session press CTRL+A then CTRL+D, to re-attach to it type “screen -r”, to kill it from within the screen session type “exit”. Iodine can be stopped with CTRL+C.
On your client install iodine (apt-get install iodine) and run the following command:
iodine -fP Password tunnel.domain.tld
If all went well you should now be connected to your iodine server. check “ifconfig” to confirm there is a DNS0 interface with an IP address in the 10.0.0.x range. also try pinging 10.0.0.1, you should get a response.
At this point you should also be able to run the official test without it giving errors.
Just a couple more things to do before it’s all ready to use. Time to get the tunneling of data working. Create iptables rules as follows and allow IP forwarding:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -t filter -A FORWARD -i eth0 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -t filter -A FORWARD -i dns0 -o eth0 -j ACCEPT echo 1 > /proc/sys/net/ipv4/ip_forward
Restart Iodine server and test again. If all went well I recommend making these permanent with the following:
iptables-save > /etc/iptables.rules echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/60-ipv4-forward.conf
There are multiple ways to start the client from creating a SOCKS5 proxy via SSH to installing network-manager-iodine and network-manager-iodine-gnome. However I have found these to be clunky and not work great. I would recommend cloning the following git repository: https://github.com/barak/iodine-client-start.
For this to work we need to create the following config file:
There are more configuration options for this script, I would recommend reading it’s source-code.
And that’s all. You should be able to run “./iodine-client-start” and have a working iodine tunnel. This can be tested by visiting ipchicken before connecting and after, you should see your IP address change.
A good way to check if things are working correctly is to start Iodined with debugging enabled -DDD on the server and keep that window open. you can then use dig to check it’s response from the client.
root[/opt/iodine-client-start]: dig -t TXT z123.tunnel.domain.tld -snip- ;; ANSWER SECTION: z123.tunnel.domain.tld. 0 IN TXT "tpjzwizro" ;; Query time: 56 msec ;; SERVER: 192.168.1.254#53(192.168.1.254) ;; WHEN: Thu Mar 02 13:54:22 GMT 2017 ;; MSG SIZE rcvd: 65
The tunnel should respond with random data to any request starting with “z” (z123 in example above)