106 Comments
- punkrock4life, on 10/10/2007, -0/+31the average digg user a year ago would have understood this. now, look at what we've become.
- zyl0x, on 10/10/2007, -4/+34Started off simple enough, and then got waaaay too complicated.
..to keep my attention.
- myFriendDerrik, on 10/10/2007, -1/+15I don't accept third party cookies.
- Boing, on 10/10/2007, -9/+22I think it'd be easier to pay the $5 to use it.
- Protoss, on 10/10/2007, -1/+11Same thing happened here. I went, WOW! I've run into this problem on many occasions! This is a lifesaver.... damn, that's complicated.
- bradleyland, on 10/10/2007, -0/+10This actually isn't that complicated. The concept is that even before you pay, the access point forwards DNS requests to the authoritative DNS server for any given zone. If you have your own domain, you can exploit this hole in the AP to forward data to your pseudo DNS server. Congrats, you're passing data through the "locked down" AP.
Now your problem is one of data marshaling. Rather than running a standard DNS server for your zone, you run a special DNS server that takes data from the URL you're requesting, feeds it to STDIN, then returns output from STDOUT appended to a special type of DNS record. This is where base32 encoding comes in. You encode the data using base32 so that it conforms nicely to what would appear to be plain text hostname requests.
The ugly part about this is that you're relying on the performance of whatever DNS server you're connecting through. A typical web page (with ads) might require 3-4 DNS lookups, and your computer is supposed to cache those, so you don't have to make the request every time. With this tunneling approach, you're talking about making hundreds, if not thousands of DNS requests. Depending upon the sophistication of the network surrounding the DNS server you're interrogating, you might get the door slammed in your face pretty quickly.
You're also relying on the fact that DNS requests will, in fact, be forwarded. It sounds like the setup he's hacking through is pretty simplistic, because a properly sandboxed network would not be forwarding DNS requests from unauthorized hosts at all.
That is not to say that this isn't an extremely crafty way to get around a paid hotspot lock down. I'm definitely going to try it out :)
- fjc8, on 10/10/2007, -3/+12I usually just run OpenVPN on UDP port 53; it's worked pretty well for me so far.
- Error601, on 10/10/2007, -3/+10How? The router is usually configured not to let you get to any other IPs except their servers.
- pu-z, on 10/10/2007, -0/+7I hate cheap-ass hotels, especially when they are extremely expensive. While staying at the Tokyo Park Hyatt (the one from Lost in Translation), I discovered that they offer only one free day of net access in the room. If you want more, you have to pay to their Indonesian ISP and give them your CC number. Not bloody likely. Open Terminal > sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff and just increase the hex value by one for each day. Remember to pull the Ethernet plug while doing this, or the OS will broadcast a message stating the change. My way of saying "if you pay over 70000 yen per night, the net access should be bloody included!"
Otherwise a top notch hotel, except for the 2000 yen overcharge in the bar (even for hotel guests!).
- ers35, on 10/10/2007, -2/+8First one to explain what is going on in the Terminal in the video gets a cookie:
http://dnstunnel.de/dns_tunneling_example.avi
- MASH007, on 10/10/2007, -1/+7NASA just had an information session on how this works and its counter-measures today. Very interesting that this story made it to the front page on the same day. The technique is pretty cool.
- falconfox, on 10/10/2007, -2/+7you have a big ego
- soupir, on 10/10/2007, -2/+6*points to internet*
- cplusplus, on 10/10/2007, -1/+5Depending on your data plan this could be very expensive.
- aurrea, on 10/10/2007, -2/+6You Anal?
- dark_helmet, on 10/10/2007, -2/+6It'd be easier, but just plain boring.
- r0b1, on 10/10/2007, -2/+5Does this work on Cygwin?
- V3X3D, on 10/10/2007, -0/+3Uncapping a cable modem requires you to modify the modem's firmware and you might not want to do that. Think of every possible scenario next time.
- commnode, on 10/10/2007, -0/+3I think you're watching him set his routing through the DNS wickedly fast and then you spend a long time as he watches each packet of information get routed through his DNS server (that's what the tcpdump on port 53 is doing).
I think. It's really not much of an instructional video, more a proof of concept.
- Protoss, on 10/10/2007, -1/+4I'm assuming he'd go around, look for someone who's paid for access, then sniff the mac out of the air.
- pyry, on 10/10/2007, -0/+3Did you use this? http://www.cs.uit.no/~daniels/PingTunnel/index.html
It's developed at Tromsø simply because the network there allows you to ping anything, but you can't do anything else unless you're registered.
- aiten, on 10/10/2007, -0/+3I would recommend getting your own screenname correct first... we'll go from there.
- ratsg, on 10/10/2007, -0/+2I have had better luck with IP over ICMP. Has worked very well for me on Mac OS X and Sun Solaris systems, both Sparc and X86.
- brownspank, on 10/10/2007, -0/+2You lost me at base32.
- Vizin, on 10/10/2007, -4/+6I had this idea at a hotel once. Paid hotspots leave DNS traffic alone, and just redirect all HTTP traffic to the payment site. (I assume all other data is just blocked.)
Hotspot managers could stop this *really* easily by just redirecting all DNS traffic to their own DNS server.
- msgyrd, on 10/10/2007, -0/+2Or...I can afford to own a laptop and pay for a trip because I don't throw my money away on 30 minutes of internet access for a quarter of what I pay for an entire month of superior access at home. I'm all for limiting hot-spot abuse, but I shouldn't have to pay $5 to check my email for travel updates. A free quota of 5 to 10Mb should be available, and when you hit that, then you pay.
- tomz17, on 10/10/2007, -1/+3tsk tsk tsk.. -1 for not understanding how DNS works... The article mentions some decent ways of stopping this.
- bieber, on 10/10/2007, -1/+3...the more influence it has? I thought Digg was a news site; it's actually a source of political power now?
- thenativeraver, on 10/10/2007, -0/+2http://thomer.com/howtos/nstx.html
- masgrada, on 10/10/2007, -0/+2Wow, now that one made sense. Good summary.
- bradleyland, on 10/10/2007, -0/+2No problem, I think I can help you out with that one. Have a look at a URL:
http://www.idontexist.com/somepage.html?key=value
* No spaces
* Case insensitive
* No special characters
If you want to send information like text and images as plain text, you need a way to convert them to a format that conforms to the requirements above. That's called encoding, and Base32 is an encoding method. You can take any text or image and convert it to an encoded string of letters and numbers. Base32 works well in this case because it just happens to be relatively compact, but doesn't contain any crazy characters.
- adrianmonk, on 10/10/2007, -0/+2I read the article, and the article IS proposing that you route everything through someone else's DNS server.
If you don't see why that is, read the section called "I own a Server but my ISP doesn't allow me to change (the relevant) DNS settings". That section would be wholly unnecessary if you could just talk UDP on port 53 straight from your client to your server. Instead, because UDP port 53 is blocked end-to-end but you have access to a local server on port 53, you have to get that local server (the one at the coffee shop) to speak to your server by doing a recursive query and following the chain of delegation all the way from the root domain ("."), down through "de.", then "dnstunnel.de.", and so on until an IN NS lookup on "yourname.dnstunnel.de." refers the coffee shop's DNS server to your server.
So, this hack will indeed put a lot of load on the coffee shop's DNS server. In fact, because DNS servers cache resource records, it has to use a different domain for each packet of data, and this will fill up the DNS server's cache. Although I guess you can get around that by setting short TTLs (of, say, 60 seconds). Heh, in fact, if you look at nomde.pl line 167, you can see that they are setting a TTL of 60 seconds for TXT records (the ones used to transfer the bulk data), so the author of the Perl script already thought of that issue.
- masgrada, on 10/10/2007, -1/+3Hahaha. Try explaining that one to the cops. "No officer, he's routing through the DNS. .. The DNS. .. Aw ***** it."
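An added example (not from the thread and not the dnstunnel.de scripts) for bradleyland's two comments on Base32 in hostnames: it packs a chunk of bytes into 63-byte labels under a placeholder zone `tunnel.example`, enforces the 253-character hostname limit, reverses the encoding, and counts how many queries a 30 KB page would need, which is where the "hundreds of DNS requests" come from. The zone name is an assumption; the label and name limits are the RFC 1035 ones.

```python
import base64

MAX_LABEL = 63            # RFC 1035: one label is at most 63 octets
MAX_NAME = 253            # longest hostname in text form
ZONE = "tunnel.example"   # placeholder zone, an assumption (not the page's dnstunnel.de)


def encode_chunk(data: bytes, zone: str = ZONE) -> str:
    """Pack one payload chunk into the hostname part of a DNS query name.

    Base32 output is letters and digits only, which satisfies the "no spaces,
    case-insensitive, no special characters" rules from the thread; the '='
    padding is dropped because it is not a hostname character.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    name = ".".join(labels + [zone])
    if len(name) > MAX_NAME:
        raise ValueError("chunk does not fit in one query name")
    return name


def decode_name(name: str, zone: str = ZONE) -> bytes:
    """Inverse of encode_chunk: strip the zone, rejoin labels, restore padding."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("name is not under the tunnel zone")
    b32 = name[:-len(suffix)].replace(".", "").upper()
    b32 += "=" * (-len(b32) % 8)       # Base32 decoders expect 8-character groups
    return base64.b32decode(b32)


def max_chunk_bytes(zone: str = ZONE) -> int:
    """Largest payload that still fits one query name for this zone."""
    n = 0
    while True:
        try:
            encode_chunk(b"\xff" * (n + 1), zone)
        except ValueError:
            return n
        n += 1


def queries_needed(payload_len: int, zone: str = ZONE) -> int:
    """How many DNS queries it takes to carry payload_len bytes in query names."""
    return -(-payload_len // max_chunk_bytes(zone))   # ceiling division
```

With this zone each query name carries 146 bytes, so a 30 KB page costs 211 queries upstream before any answer data comes back.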
- ahill7, on 10/10/2007, -0/+2This is pretty neat proof of concept. Reminds me of that article that came up about using ICMP to tunnel traffic on restricted networks.
- allywilson, on 10/10/2007, -0/+2Somebody has just made my travelling needs easier. Never even gave this a thought - genius!
- BryanJK, on 10/10/2007, -0/+1$60 / month + $100+ USB Card
- adz999, on 10/10/2007, -0/+1This is a long way going about it, you will find they usually have one or two computers owned by the establishment that don't get routed back to their login paid page..... whip out your fav stumbling program (macstumbler for me) then in passive mode start scanning, "borrow" their mac address then spoof them ifconfig en0 ether a1:b2:c3:d4:e5:f6 =]...and if you REALLY want to steal some internerds just stumbler around and no doubt you will come across plenty of open access points!
- psykiv, on 10/10/2007, -0/+1So thats why my internet stopped working!
For the people that don't use linux, there's a windows program that does it for you. Also useful for those times when your friend's crappy ISP's modem has mac address filtering.
- Porch, on 10/10/2007, -0/+1I use something called iodine that does basically the same thing. Not an easy system to set up, but it does work. It's somewhat speed capped due to the limited size of the DNS packets, but it does work. Works even here at work and I got the office network locked down.
The only way to stop a bypass like this is to limit the size of the DNS packets at the firewall or DNS server to some small size. Like 256 bytes. At that point, the TCP/IP connection over DNS is so slow, it's not worth it. At 256, DNS should still work as most domain names are not that long.
- NullrouteN, on 10/10/2007, -0/+1So the legitimate use of a paid hotspot might involve a handful of dns queries (maybe 1-5) to get you to the portal... So the simplest countermeasure would be to limit the bandwidth available for DNS traffic (per client) to something unbearable... except if you are simply doing non nefarious dns lookups. 5 normal queries would be microscopic in comparison to tens of packets per second to transfer data. Lastly, thanks to digg this will become popular and many operators will clue in. Darn you diggers!!!! ;)
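Porch and NullrouteN describe the two operator-side signals (oversized query names and a query rate far above the handful a portal login needs), and adrianmonk's point that every chunk needs a fresh uncached name gives a third. As an added example, not from the thread, this scores a constructed resolver query log on those three signals; the log format, the thresholds and the two-label zone extraction are all assumptions.

```python
from collections import defaultdict

# Constructed resolver query log, one "<epoch-second> <client> <qtype> <qname>" per line.
# 10.0.0.5 is a normal portal user; 10.0.0.9 shows the bulk-transfer pattern.
B32 = "abcdefghijklmnopqrstuvwxyz234567"
NORMAL = [
    "1000 10.0.0.5 A www.example.com",
    "1000 10.0.0.5 A ads.example.net",
    "1001 10.0.0.5 A cdn.example.org",
    "1002 10.0.0.5 A portal.hotspot.example",
]
TUNNEL = [f"{1000 + i // 20} 10.0.0.9 TXT {i:02d}{B32 * 2}.t.tunnel.example"
          for i in range(40)]
SAMPLE_LOG = "\n".join(NORMAL + TUNNEL)


def registered_zone(qname: str) -> str:
    """Crude zone extraction: the last two labels (no public-suffix list; an assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_clients(log: str, max_qps: float = 2.0, max_avg_len: int = 40,
                       max_names_per_zone: int = 20) -> dict:
    """Return {client: [reasons]} for clients whose DNS use looks like data transfer.

    Signals: queries per second, average query-name length (payload packed into
    labels), and distinct names under one zone (each chunk needs a fresh name
    so the resolver cache cannot answer it).
    """
    per_client = defaultdict(lambda: {"n": 0, "chars": 0, "ts": [],
                                      "zones": defaultdict(set)})
    for line in log.splitlines():
        ts, client, _qtype, qname = line.split()
        s = per_client[client]
        s["n"] += 1
        s["chars"] += len(qname)
        s["ts"].append(int(ts))
        s["zones"][registered_zone(qname)].add(qname)

    flagged = {}
    for client, s in per_client.items():
        span = max(max(s["ts"]) - min(s["ts"]), 1)   # seconds observed, at least one
        reasons = []
        if s["n"] / span > max_qps:
            reasons.append("rate")
        if s["chars"] / s["n"] > max_avg_len:
            reasons.append("long-names")
        if max(len(names) for names in s["zones"].values()) > max_names_per_zone:
            reasons.append("unique-names")
        if reasons:
            flagged[client] = reasons
    return flagged
```

On the sample log only 10.0.0.9 is flagged, on all three signals; the portal user's four short lookups stay under every threshold.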
- kungfool101, on 10/10/2007, -0/+1It's the principle of it. Airport APs may be your only way to connect, so they have a monopoly and can charge whatever they want. So naturally they charge a whole lot. The super high price is annoying regardless of how much money you have.
- Atomic1fire, on 10/10/2007, -0/+1just use stupid speak
no officer he is using a hack on his computer to not have to pay for my hotspot
- fjc8, on 10/10/2007, -0/+1Well, aren't you the *****. Being 16, reading some howtos, and coding PHP does not make you special.
- merreborn, on 10/10/2007, -0/+1There's nothing inherently illegal about DNS tunneling. He might be better off if he didn't mention *why* people might use DNS tunneling on the page though.
- shovel24, on 10/10/2007, -1/+2..or, you could simply pay for the service. If you've got enough dough to be at an airport and have a notebook computer, surely you're not some broke hobo struggling to get by.
- inactive, on 10/10/2007, -0/+1LOL only thing i read in there.
- merreborn, on 10/10/2007, -1/+2If you understood TFA at all, you'd understand that all traffic is routed to a private server you own. So no, it wouldn't "Make the DNS servers slow for the rest of us", because it's not done using a server that "the rest of us" use.
- lathiat, on 10/10/2007, -0/+1To clarify for those that aren't aware, DNS traffic is always allowed in sandboxed portal environments because windows doesn't respect small TTLs for DNS records, so if they spoof the dns of the site you try to go to, to redirect to their portal, your computer won't query again and won't be able to get to said site - even if they send a 0/1 second ttl.
- ratsg, on 10/10/2007, -0/+1yes, that is what I am using for IP over ICMP.
- bennry73, on 10/10/2007, -0/+1Well, this is the same concept as a proxy server. I don't see why it's such a big deal. If you can't secure your access point and you will "call the cops", I suggest you read a book on TCP/IP and network protocols over network security, just to see why it's so easy to have fun with networks.