Mac OS X Iodine DNS Tunnel using Namecheap DNS

Iodine is a tool that lets you tunnel IPv4 data through a DNS server. If you’re wondering why on earth you’d ever need such a thing, read here. You basically need a client (in my case an Apple MacBook Air) and a Linux server (see here for some super cheap low end Linux VPS boxes) to start off. Please see one of the tutorials on how to set up the Iodine daemon (iodined) on the Linux server. In this post I’m focusing on the client setup for OS X.

Iodine can be easily compiled using Xcode but I’m providing the binaries in this site’s download area for your convenience. You also need to install a tunnel device on the OS X client. Check out the TunTap virtual interface device kernel extension.

Setting up the required DNS records using freedns.afraid.org’s DNS was a no-brainer. As indicated in every Iodine tutorial, all you need is an NS record and an A record pointing to the IP address of the VPS server (a.k.a. glue record). But since I had just registered a new domain with Namecheap I wanted to use their DNS for my Iodine DNS tunnel. After trying a myriad of NS and A record combinations I finally found one that works with their DNS:

A-record: ns.subdomain.yourdomain.org –> VPS IP address
NS-record: subdomain.yourdomain.org –> ns.subdomain.yourdomain.org

For efficiency reasons, make sure you use a short name for <subdomain>, ideally just one letter: Iodine encodes upstream data into the query name, so every character spent on the domain is one less character of payload per DNS query. For example: t.yourdomain.org (t for tunnel).

Don’t forget to register ns.subdomain using the VPS IP address as a name server under “Nameserver registration”. Interestingly, the Iodine tester shows a name server delegation error using these entries. Using Namecheap’s DNS I was unable to come up with a DNS record combination that passes the Iodine test but since the actual tunnel connection works I assume the delegation is still set up correctly. If you’re a DNS guru please let me know in the comments if you have an idea why the tester fails but the subdomain NS delegation works fine at the same time.
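As an added example (not part of the original post), the following Python checks a constructed zone offline for the record layout described above, namely an NS record for the subdomain whose target lies inside that subdomain plus a glue A record to the VPS IP, and shows why the subdomain name should be short by computing how many encoded characters fit into one query name. The capacity figure is an approximation from the DNS name and label limits only; the records and the IP 203.0.113.10 are constructed sample data, not a live lookup.

```python
MAX_NAME_LEN = 253   # longest DNS name in presentation form (255 octets on the wire)
MAX_LABEL_LEN = 63   # longest single label


def check_delegation(records, subdomain, vps_ip):
    """records: list of (name, type, value) tuples, as you would enter them at Namecheap.
    Returns a list of problems; an empty list means the layout matches the post."""
    problems = []
    ns_targets = [v for n, t, v in records if t == "NS" and n == subdomain]
    if not ns_targets:
        return [f"no NS record for {subdomain}"]
    for ns in ns_targets:
        if not ns.endswith("." + subdomain):
            # A name server outside the delegated zone needs no glue here,
            # but it is not the setup the post describes.
            problems.append(f"NS target {ns} is not inside {subdomain}")
            continue
        glue = [v for n, t, v in records if t == "A" and n == ns]
        if not glue:
            problems.append(f"missing glue A record for {ns}")
        elif vps_ip not in glue:
            problems.append(f"glue for {ns} points to {glue}, expected {vps_ip}")
    return problems


def _name_len(data_chars, topdomain):
    """Length of '<data labels>.<topdomain>' when data is split into 63-char labels."""
    labels = (data_chars + MAX_LABEL_LEN - 1) // MAX_LABEL_LEN
    return data_chars + max(labels - 1, 0) + 1 + len(topdomain)


def upstream_capacity(topdomain):
    """Approximate number of encoded characters that fit in one query name."""
    d = 0
    while _name_len(d + 1, topdomain) <= MAX_NAME_LEN:
        d += 1
    return d


if __name__ == "__main__":
    # Constructed sample zone following the post's record layout.
    zone = [("t.yourdomain.org", "NS", "ns.t.yourdomain.org"),
            ("ns.t.yourdomain.org", "A", "203.0.113.10")]
    print(check_delegation(zone, "t.yourdomain.org", "203.0.113.10"))
    for top in ("t.yourdomain.org", "tunnel.yourdomain.org"):
        print(top, upstream_capacity(top))
```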

I couldn’t get the NStun.sh script from Iodine’s tips & tricks page to work properly in OS X Lion. I always ended up with a dead gateway. However, I prefer to restrict the use of the DNS tunnel to my web browser only instead of routing all traffic from the client machine through the tunnel. This is where SSH port forwarding comes in handy. The following script starts the iodine client and sets up a SOCKS proxy on the server.


#!/bin/sh

#### EDIT HERE ####

# Path to your iodine executable
IOD="/usr/local/sbin/iodine"

# Your top domain
IOTD="t.yourdomain.org"

# You may choose to store the password in this script or enter it every time
IOPASS="topsecret"

# You might need to change this if you use linux, or already have
# tunnels running. In linux iodine uses dnsX and fbsd/osX use tunX
# X represents how many tunnel interfaces exist, starting at 0
IODEV="tun0"

# The IP your iodined server uses inside the tunnel
# The man page calls this tunnel_ip
IOIP="10.0.0.1"

# Local port on which ssh will listen as a SOCKS proxy
SSH_FORWARDING_PORT="9286"

# Valid user account on the server
SSH_USER="username"

#### STOP EDITING ####
# Use the first resolver from /etc/resolv.conf as the DNS relay
NS=`grep nameserver /etc/resolv.conf | head -1 | awk '{print $2}'`

# Start the iodine client; without a stored password iodine prompts for it.
# Variables are quoted so an empty IOPASS takes the first branch only.
if [ -z "$IOPASS" ]; then
  echo "Enter your iodine password"
  $IOD "$NS" "$IOTD"
else
  $IOD -P "$IOPASS" "$NS" "$IOTD"
fi

# Only open the SOCKS proxy if the iodine client is actually running
if ps auxw | grep iodine | grep -v grep > /dev/null
then
  # -D: dynamic (SOCKS) forwarding on the local port; -C: compression;
  # -T/-f/-n/-N: no tty, go to background, no stdin, no remote command
  ssh -CTfnN2 -D "$SSH_FORWARDING_PORT" "$SSH_USER@$IOIP"
  echo "Press enter when you are done with iodine"
  read yourmind
  # Tear down the tunnel: the iodine client and only the ssh holding this forward
  sudo kill -9 `ps auxw | grep iodine | grep -v grep | awk '{print $2}'`
  sudo kill -9 `ps auxw | grep "ssh.*-D $SSH_FORWARDING_PORT" | grep -v grep | awk '{print $2}'`
else
  echo there was a problem starting iodine
  echo try running it manually to troubleshoot
fi
exit

Don’t hesitate to send in your script improvements.
Use an add-on like FoxyProxy in Firefox to point the browser at the SSH forwarding port as a SOCKS proxy.

You could also set up a Squid proxy on your Linux server instead of using SSH. Please note that Iodine itself does not encrypt the tunneled data. Tunneling SSH through Iodine is secure, but it will have a performance impact on slow connections (which is usually the case for DNS tunneling).

5 thoughts on “Mac OS X Iodine DNS Tunnel using Namecheap DNS”

  1. Carmelo, basically just a
    sudo make install
    in a shell after installing Xcode and the source will be compiled and a binary installed on the Mac.

    Cheers,
    Jan

  2. Hello!

    I’ve been using iodine for several months, but I always took the binary from the net.

    Can you explain how you compiled it?

    Thanks a lot!

    Carmelo
