DNS (and ICMP) Tunneling or How to Get Free Wifi at the Airport/Cafe

After having a personal interest in DNS tunneling I tried setting up iodine and quickly found out that it’s not a fun process (it involves a user controlled server and some DNS configurations). The idea, however, is definitely super cool.

So what the hell is useful about DNS tunneling?

Many pay for wifi services will block all types of traffic unless you pay an often insane amount. Why would I pay $10.00 for a one day pass for wifi? That’s insanity! DNS tunneling comes in handy here because these services often do not block DNS traffic so you can “hide” your normal traffic in DNS queries and evade their blocks altogether.

Why?

In a simplified way, your computer does DNS something like this:

*Your computer checks to see if it has the DNS record in it’s cache…Nope!*

PC -> Root Nameserver: “I need the IP for thehackerblog.com”

Root Nameserver -> PC: “Ah .com I see. My buddy TLD has that I think, check with him man.”

PC -> TLD: “I need the IP for thehackerblog.com”

TLD -> PC: “Yea man my friend ‘Authoritative Nameserver’ has that I think!”

PC -> Authoritative Nameserver: “Yea boy I got what you crave! The IP for that is 127.0.0.1!”

*PC puts that down in it’s cache so it doesn’t have to deal with those ghetto nameservers again*

So that’s how it normally works (granted it may be a little less “ghetto”) but I wonder how it’d work if the wifi service redirected all DNS to it’s own servers?

*Your computer checks to see if it has the DNS record in it’s cache…Nope!*

PC -> Root Namerserver: “What’s the IP for thehackerblog.com?”

*The wifi service intercepts this request and responds with it’s own server*

WIFI SERVER -> PC: “Yes, that IP is *cough* 1.3.3.7 (the WIFI SERVER’S IP)”

*PC thinks this is pretty legit and adds it to it’s cache*

So now when you try to go to thehackerblog.com your computer will not go to thehackerblog.com but rather their own server because the computer’s record shows that the IP address is 1.3.3.7. This seems great for the time being but imagine that you do pay for the expensive wifi server and they let you use their precious interweb service.

Now your DNS will work something like this:

*Your computer checks to see if it has the DNS record in it’s cache…Yep! thehackerblog.com is at 1.3.3.7*

Uh oh! Now the poor little PC thinks that the domain is at the wrong IP! This will end up confusing the end user for sure! Especially because this IP is probably an internal IP address so it will probably just show a connection error.

Not good, because of this, the pay-for wifi services usually allow DNS requests but modify the TCP/UDP data to redirect your browser to their pay page.

**Good news everyone!

**

This is good because it means we can communicate with the outside world over DNS! How exciting!

As much as I’d love to have a cute explanation how to hide information in DNS requests suffice to say that it’s possible and can be done (and is being done!).

(If you are interested in what a DNS packet would look like see here: http://www.firewall.cx/networking-topics/protocols/domain-name-system-dns/160-protocols-dns-query.html)

The nice thing is you can do the same thing over ICMP via a ping tunnel. This basically works in the same general way – you shove your requests inside ICMP packets and then send them off to your server who decodes/processes it and sends you data back in even more stuffed ICMP packets.

Sounds complicated, but I don’t want to have to set all this stuff up!

Glad you say that, it’s a pain in the butt to do, but you’re in luck!

Their is a service called “Wi-free” that actually provides this cool tunneling for a reasonable charge.

http://www.wi-free.com/

Their plans are pretty reasonable and if you travel a lot you’ll end up saving a good amount, not to mention it works as a normal VPN as well. They have been around for years and are a very reputable company.

HFjdgPJ[1]

 

So if you’re like me you’d prefer this service over setting up a complicated tunneling scheme for this sort of thing.

But if you’d prefer the geek route be my guest!

-mandat0ry

Matthew Bryant (mandatory)

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.