Feature request: ICMP/DNS tunnels

[kyhwana]

DNS/ICMP tunneling would be nice, especially to get around networks that shape/block things like SSH/OpenVPN, etc but allow outoging ICMP and/or DNS.

[jlund]

I haven't tried this before. In general, it sounds like the performance of this type of tunnelling is very, very slow. Do you have any suggestions for the best available daemons that support this? I will take a closer look.

[kyhwana]

I've used http://thomer.com/icmptx/ before, apparently http://code.gerade.org/hans/ has some more features.

For DNS tunnelling, that would require more setup, I guess. I've used iodine in the past and it worked, though it was slow. (So OK for SSH/IRC/etc. Not for watching youtube :|)
http://code.kryo.se/iodine/

[ddworken]

One thing to keep in mind is that for iodine (and other DNS tunneling solutions) one needs to have a domain name that they can configure for use with it. I would personally be willing to "donate" my domain name: tcp-dns.com (I got it for this exact use earlier) for this purpose if anyone has any suggestions of a DNS provider that has easily scriptable access to DNS records (2 DNS records need to be generated per client).

I also think that this would be a good solution as DNS tunneling is one of the few truly foolproof methods of tunneling out of a hostile/filtered network.

[psifertex]

I've used iodine before to great effect. It's main use is in captive portals that pass DNS, but it's also useful as YetAnotherProtectedCommsChannel which seems to be the main goal of Streisand.

At the start at least users could bring their own domains (it's not super-hard to setup the single NS record needed on an existing domain or sub-domain) and then all the configuration just requires the domain name being used.

[ddworken]

Personally, I feel like one of the main advantages to Streisand is that it automatically sets up a variety of services without significant user interaction. Forcing the user to either have their own domain name or disable a service seems to go against this idea. I just am not sure if there is any simple way to script adding DNS records though.

[psifertex]

Depends on the provider. If you've got amazon managing a domain name, then scripting up ns records is indeed possible. In fact, you could even check and see if they have any domains, ask them if they want to use one, and then make a random subdomain to run off of which requires no effort on their part.

That still is some interaction though which I realize isn't the point of streisand, so it might not be integrated. Maybe that can be one of those power-user command-line switches that people can enable.

[ddworken]

Right now the domain is registered with Dyn. I'll look into switching providers if you guys think TCP over DNS would be a good feature to implement.

[jlund]

I finally had some time tonight to look into Hans, ICMPTX, and iodine. I am very impressed with how clever these solutions are (abusing ping and DNS requests to route traffic is pretty rad). However, they all have a fatal flaw: none of them are encrypted.

Given some of the areas where I'm hoping Streisand will be used, like China and Iran, this is an absolute deal-breaker. All of the other services that Streisand sets up are encrypted, and I consider this to be a critical feature. While it's possible to double-tunnel encrypted traffic over the tunnels that Hans, ICMPTX, and iodine establish, this would be even slower than their default configuration. Given how well OpenSSH, OpenVPN (wrapped in stunnel), Shadowsocks, and Tor (with the obfs3 and ScrambleSuit pluggable transports) are working in China right now, I don't think it's necessary to make this leap quite yet.

I can look into making a separate Ansible playbook to automate the setup of iodine or one of these other tools, but the lack of encryption across the board, and domain name requirements for iodine in particular, make me feel like they aren't an ideal fit for Streisand right now.

[ddworken]

One thing that I think you may have missed: Iodine works by forwarding a port on the local machine (e.g. 60022) to a port on the server (e.g. 22). From there, one simply uses sshuttle or any other proxy that is available on the server (on the port you set it to). This means you could for example set up Iodine to forward the port to connect to OpenVPN. This means that the traffic will be encrypted (and there is no way to send unencrypted traffic).

[jlund]

Yeah, this is the "double tunnel" approach I was referring to. Performance was pretty bad (bordering on unusable sometimes) in my testing. I dislike the domain requirement too, even though I agree that portions of it could be mostly worked around.

On July 31, 2014 7:48:10 AM MDT, David Dworken [email protected] wrote:

One thing that I think you may have missed: Iodine works by forwarding
a port on the local machine (e.g. 60022) to a port on the server (e.g.
22). From there, one simply uses sshuttle or any other proxy that is
available on the server (on the port you set it to). This means you
could for example set up Iodine to forward the port to connect to
OpenVPN. This means that the traffic will be encrypted (and there is no
way to send unencrypted traffic).

---

Reply to this email directly or view it on GitHub:
#26 (comment)