iodined - Man Page

tunnel IPv4 over DNS

Synopsis

iodined [-v]

iodined [-h]

iodined [-4] [-6] [-c] [-s] [-f] [-D] [-u user ] [-t chrootdir ] [-d device ] [-m mtu ] [-l listen_ip4 ] [-L listen_ip6 ] [-p port ] [-n ( auto | external_ip ) ] [-b dnsport ] [-P password ] [-z context ] [-F pidfile ] [-i max_idle_time ] tunnel_ip [ /netmask ] topdomain

Description

iodine lets you tunnel IPv4 data through a DNS server. This can be useful in situations where Internet access is firewalled, but DNS queries are allowed. It needs a TUN/TAP device to operate. The bandwidth is asymmetrical, with a measured maximum of 680 kbit/s upstream and 2.3 Mbit/s downstream in a wired LAN test network. Realistic sustained throughput on a Wifi network using a carrier-grade DNS cache has been measured at some 50 kbit/s upstream and over 200 kbit/s downstream. iodine is the client application, iodined is the server.

Note: server and client are required to speak the exact same protocol. In most cases, this means running the same iodine version. Unfortunately, implementing backward and forward protocol compatibility is usually not feasible.

Options

Common Options

-v

Print version info and exit.

-h

Print usage info and exit.

-f

Keep running in foreground.

-4

Force/allow only IPv4 DNS queries

-6

Force/allow only IPv6 DNS queries

-u user

Drop privileges and run as user 'user' after setting up tunnel.

-t chrootdir

Chroot to 'chrootdir' after setting up tunnel.

-d device

Use the TUN device 'device' instead of the normal one, which is dnsX on Linux and otherwise tunX. On Mac OS X 10.6, this can also be utunX, which will attempt to use an utun device built into the OS.

-P password

Use 'password' to authenticate. If not used, stdin will be used as input. Only the first 32 characters will be used.

-z context

Apply SELinux 'context' after initialization.

-F pidfile

Create 'pidfile' and write process id in it.

Server Options

-c

Disable checking the client IP address on all incoming requests. By default, requests originating from non-matching IP addresses will be rejected, however this will cause problems when requests are routed via a cluster of DNS servers.

-s

Don't try to configure IP address or MTU. This should only be used if you have already configured the device that will be used.

-D

Increase debug level. Level 1 prints info about each RX/TX packet. Implies the -f option. On level 2 (-DD) or higher, DNS queries will be printed literally. When using Base128 upstream encoding, this is best viewed as ISO Latin-1 text instead of (illegal) UTF-8. This is easily done with : "LC_ALL=C luit iodined -DD ..." (see luit(1)).

-m mtu

Set 'mtu' as mtu size for the tun device. This will be sent to the client on login, and the client will use the same mtu for its tun device.  Default 1130.  Note that the DNS traffic will be automatically fragmented when needed.

-l external|listen_ip4

Make the server listen only on 'listen_ip4' for incoming IPv4 requests. By default, incoming requests are accepted from all interfaces (0.0.0.0). A domain name can be used as argument - use one with only one A record. If listen_ip4 is 'external', iodined will use the opendns.com DNS service to retrieve the external IP of the host and use that as listen address.

-L listen_ip6

Make the server listen only on 'listen_ip6' for incoming IPv6 requests. By default, incoming requests are accepted from all interfaces (::). A domain name can be used as argument - use one with only one AAAA record.

-p port

Make the server listen on 'port' instead of 53 for traffic. If 'listen_ip4' does not include localhost, this 'port' can be the same as 'dnsport'. Note: You must make sure the dns requests are forwarded to this port yourself.

-n auto|external_ip

The IP address to return in NS responses. Default is to return the address used as destination in the query. If external_ip is 'auto', iodined will use the opendns.com DNS service to retrieve the external IP of the host and use that for NS responses.

-b dnsport

If this port is specified, all incoming requests not inside the tunnel domain will be forwarded to this port on localhost, to be handled by a real dns. If 'listen_ip' does not include localhost, this 'dnsport' can be the same as 'port'. Note: The forwarding is not fully transparent, and not advised for use in production environments.

-i max_idle_time

Make the server stop itself after max_idle_time seconds if no traffic have been received. This should be combined with systemd or upstart on demand activation for being effective.

Server Arguments

tunnel_ip[/netmask]

This is the server's ip address on the tun interface. The client will be given the next ip number in the range. It is recommended to use the 10.0.0.0 or 172.16.0.0 ranges. The default netmask is /27, can be overridden by specifying it here. Using a smaller network will limit the number of concurrent users.

topdomain

The dns traffic is expected to arrive as queries for subdomains under 'topdomain'. This is normally a subdomain to a domain you own. Use a short domain name to get better throughput. This argument must be the same on both the client and the server. Queries for domains other than 'topdomain' will be forwarded when the -b option is given, otherwise they will be dropped. The topdomain can start with '*' which will allow all domains ending with the same suffix.

Examples

See the README file for both a quick test scenario, and a detailed description of real-world deployment.

Security

Login is a relatively secure challenge-response MD5 hash, with the password never passing the wire. However, all other data is NOT encrypted in any way. The DNS traffic is also vulnerable to replay, injection and man-in-the-middle attacks, especially when iodined is used with the -c option. Use of ssh or vpn tunneling is strongly recommended. On both server and client, use iptables, pf or other firewalls to block all traffic coming in from the tun interfaces, except to the used ssh or vpn ports.

Environment

Iodine_pass

If the environment variable IODINE_PASS is set, iodine will use the value it is set to as password instead of asking for one. The -P option still has precedence.

Iodined_pass

If the environment variable IODINED_PASS is set, iodined will use the value it is set to as password instead of asking for one. The -P option still has precedence.

See Also

The README file in the source distribution contains some more elaborate information.

Bugs

File bugs at https://github.com/yarrick/iodine

Authors

Erik Ekman <yarrick@kryo.se> and Bjorn Andersson <flex@kryo.se>. Major contributions by Anne Bezemer.

Referenced By

iodined_selinux(8).

APR 2023 User Manuals