yarrick / iodine

Official git repo for iodine dns tunnel

Home Page: https://code.kryo.se/iodine

License: ISC License

Makefile 2.34% C 97.29% Shell 0.35% Vim Script 0.02%
dns-tunnel iodine dns tunnel vpn hacktoberfest

iodine's People

Contributors

chengzhicn, cpatulea, deep-42-thought, doronbehar, endomandi, ffontaine, fuzion24, gregoa, hakankvist, jedisct1, jesultra, johnazoidberg, jwyllie83, l29ah, lcapello, lenawil, lexa, masaq-, mmuman, mscherer, mxb78, nbraud, nilsirl, ppergame, rofl0r, rralf, spmzt, vincentbernat, yarrick, zx2c4

iodine's Issues

NS response invalid

Hello!

I launched iodined like this:

# ./iodined -f -c -P pass 10.46.34.1 ovca.ml -p 2053 -n MYIPADDRESS
ALERT! Other dns servers expect you to run on port 53.
You must manually forward port 53 to port 2053 for things to work.
Opened dns0
Setting IP of dns0 to 10.46.34.1
Setting MTU of dns0 to 1130
Opened IPv4 UDP socket
Opened IPv6 UDP socket
Listening to dns for domain ovca.ml

and then issued a dig command like this:

$ dig ovca.ml -t NS @127.0.0.1 -p 2053

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> ovca.ml -t NS @127.0.0.1 -p 2053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48883
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;ovca.ml.			IN	NS

;; ANSWER SECTION:
ovca.ml.		3600	IN	NS	ns.ovca.ml.

;; ADDITIONAL SECTION:
ns.ovca.ml.		3600	IN	A	2.0.0.0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#2053(127.0.0.1)
;; WHEN: Wed Jul 22 23:48:56 CEST 2020
;; MSG SIZE  rcvd: 58

As far as I understand, instead of 2.0.0.0, the iodined dns server should respond with MYIPADDRESS. What's wrong and is this a bug?
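One practical way to check what the running iodined advertises is to parse the NS reply yourself and compare the glue A record in the additional section with the address you expect (the one passed to -n). The following is an added example written for this page, not iodine's own code: the packet bytes are constructed by hand to match the dig output above (ID 48883, flags qr aa, NS ns.ovca.ml, glue A 2.0.0.0) so the check runs offline; in practice you would feed it the bytes received from a UDP socket after sending the same NS query. The function names dns_glue_a and glue_matches are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply (58 bytes) mirroring the dig output above: id 48883,
 * flags qr aa, QUESTION ovca.ml NS, ANSWER ovca.ml NS ns.ovca.ml,
 * ADDITIONAL ns.ovca.ml A 2.0.0.0. Built by hand for this example. */
static const uint8_t sample_reply[] = {
    0xbe, 0xf3, 0x84, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    /* question: ovca.ml, type NS, class IN */
    4, 'o', 'v', 'c', 'a', 2, 'm', 'l', 0, 0x00, 0x02, 0x00, 0x01,
    /* answer: ptr->12, NS, IN, ttl 3600, rdlen 5, "ns" + ptr->12 */
    0xc0, 0x0c, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x05,
    2, 'n', 's', 0xc0, 0x0c,
    /* additional: ptr->37 (ns.ovca.ml), A, IN, ttl 3600, rdlen 4, 2.0.0.0 */
    0xc0, 0x25, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04,
    2, 0, 0, 0,
};

/* Decode a (possibly compressed) name at `off` into dotted form. *next is
 * set to the offset just past the name as it appears in-line. Returns -1 on
 * truncation, reserved label types or pointer loops. */
int read_name(const uint8_t *msg, size_t len, size_t off,
              char *out, size_t outlen, size_t *next)
{
    size_t pos = off, outpos = 0;
    int jumped = 0, hops = 0;

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= len) return -1;
        uint8_t l = msg[pos];
        if ((l & 0xc0) == 0xc0) {                 /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t ptr = ((l & 0x3f) << 8) | msg[pos + 1];
            if (!jumped && next) *next = pos + 2;
            jumped = 1;
            if (++hops > 16 || ptr >= len) return -1;   /* loop guard */
            pos = ptr;
            continue;
        }
        if (l & 0xc0) return -1;                  /* reserved label type */
        if (l == 0) {
            if (!jumped && next) *next = pos + 1;
            break;
        }
        pos++;
        if (pos + l > len || outpos + l + 2 > outlen) return -1;
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos, l);
        outpos += l;
        pos += l;
    }
    out[outpos] = '\0';
    return 0;
}

/* Skip question/answer/authority, then return the first A record found in
 * the additional section (owner name + address in host byte order). */
int dns_glue_a(const uint8_t *msg, size_t len,
               char *owner, size_t ownerlen, uint32_t *ip)
{
    char name[256];
    size_t pos = 12, next;

    if (len < 12) return -1;
    if ((msg[2] & 0x80) == 0) return -1;          /* not a response */
    if ((msg[3] & 0x0f) != 0) return -1;          /* RCODE != NOERROR */
    unsigned qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7];
    unsigned ns = (msg[8] << 8) | msg[9], ar = (msg[10] << 8) | msg[11];

    for (unsigned i = 0; i < qd; i++) {
        if (read_name(msg, len, pos, name, sizeof name, &next)) return -1;
        pos = next + 4;                           /* QTYPE + QCLASS */
        if (pos > len) return -1;
    }
    for (unsigned i = 0; i < an + ns; i++) {      /* skip RRs by RDLENGTH */
        if (read_name(msg, len, pos, name, sizeof name, &next)) return -1;
        if (next + 10 > len) return -1;
        size_t rdlen = (msg[next + 8] << 8) | msg[next + 9];
        pos = next + 10 + rdlen;
        if (pos > len) return -1;
    }
    for (unsigned i = 0; i < ar; i++) {
        if (read_name(msg, len, pos, name, sizeof name, &next)) return -1;
        if (next + 10 > len) return -1;
        unsigned type = (msg[next] << 8) | msg[next + 1];
        unsigned cls = (msg[next + 2] << 8) | msg[next + 3];
        size_t rdlen = (msg[next + 8] << 8) | msg[next + 9];
        if (next + 10 + rdlen > len) return -1;
        if (type == 1 && cls == 1 && rdlen == 4) {
            const uint8_t *rd = msg + next + 10;
            *ip = ((uint32_t)rd[0] << 24) | (rd[1] << 16) | (rd[2] << 8) | rd[3];
            snprintf(owner, ownerlen, "%s", name);
            return 0;
        }
        pos = next + 10 + rdlen;
    }
    return -1;                                    /* no glue A record */
}

/* 1 if the advertised glue address equals `expected` (dotted quad), else 0. */
int glue_matches(const uint8_t *msg, size_t len, const char *expected)
{
    char owner[256], got[16];
    uint32_t ip;
    if (dns_glue_a(msg, len, owner, sizeof owner, &ip)) return 0;
    snprintf(got, sizeof got, "%u.%u.%u.%u",
             ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
    return strcmp(got, expected) == 0;
}

int main(void)
{
    char owner[256];
    uint32_t ip;
    if (dns_glue_a(sample_reply, sizeof sample_reply, owner, sizeof owner, &ip) == 0)
        printf("glue: %s -> %u.%u.%u.%u\n", owner,
               ip >> 24, (ip >> 16) & 0xff, (ip >> 8) & 0xff, ip & 0xff);
    /* 203.0.113.10 stands in for the -n address you expect to see */
    printf("matches expected -n address: %d\n",
           glue_matches(sample_reply, sizeof sample_reply, "203.0.113.10"));
    return 0;
}
```

The loop guard on compression pointers matters because a malicious or buggy reply can point a label at itself; parsers that follow pointers without a hop limit spin forever.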

Failed to set IP and MTU

Hi, I recently tried to use iodine to do TCP over DNS and I got "Failed to set IP and MTU" on the client.

IP: 169.254.110.0 <--- I used this IP on the server instead of 10.0.0.1

It didn't work :/ Why?

I'm using Windows and the TAP driver is installed.

iodine shutdown

Hi dear friend, I see this in the CLI and the tunnel is down:

iodine: No downstream data received in 60 seconds, shutting down

How do I solve this?

Raw UDP socket support in macos/ios

Hello,

am I the only one who cannot get raw mode working on macOS / iOS?

Same setup, a linux and even a windows box can connect to raw socket but macos says test failed and goes through DNS queries (with a huge performance penalty).
It's curious to see that a linux VM running on my macbook can make the socket connection, while once again the host cannot.

Is there any limitation in place by Apple or maybe it's just about setting up the socket in a different way?

I'm sorry I cannot help you with the code but I can be a tester here 😁

iodine connection will not work

Hi,
command on server

sudo iodined -f -c -P PRIVATE 10.1.1.1 iodine.adridoesthings.com

command on client (windows)

iodine.exe -f -P PRIVATE iodine.adridoesthings.com

dns (cloudflare):
(image not included)

My problem is that the client tell me this:

Opening device \\.\Global\{E7A18040-6E0C-49E0-BE8C-5B9B1D47FC34}.tap
Opened UDP socket
Opened UDP socket
Opened UDP socket
You use protocol v 0x0063ed54, server uses v 0x00000000. Giving up

The server doesn't print anything after it has started up.

This is the DNS response (got with wireshark):
(image not included)

I hope you can help me.

Slow speeds while doing DNS tunnelling

Hi,

I am using iodine 0.7.0; the host is a quite powerful aarch64 machine running Fedora and it's not on the same network, not even close (within EU borders, but in two different countries), but I get an average ping of 48 ms without the tunnel, which is quite decent. Raw mode is disabled and lazy mode is enabled.

I am getting speeds of ~20 kbit/s and that's where it caps out. I tried lowering the -m value which didn't help much, but made it even slower. I was thinking it could be the bottleneck of the DNS resolver, but I can reproduce the same issue using 1.1.1.1 or any other public resolver from my unrestricted gigabit home network.

I also tried running dnsperf and hammered my DNS resolver with 10k reqs over 10 seconds and they all went through except for about 16 reqs. I was trying to request the same thing iodine requests as well, a single TXT query. I can see that the network interface is actually under good use and there is around 4 Mb/s of traffic on it. If I try running iodine and the benchmark at the same time, the benchmark seems to run fine, also without many failed reqs, however iodine is slow as usual.

In the stdout output I am seeing some "SERVFAIL: server failed or recursion timeout" and "NXDOMAIN: domain doesn't exist" errors from time to time.

Can I do something about these? Seemingly I don't get as many errors from iodine if it's in legacy mode, but then it's even slower.

Thank you so much

lazy-mode doesn't work on cloudflare

On the server:

sudo iodined -f 172.16.0.0 freumh.org

On the client:

$ sudo iodine -f -r 1.1.1.1 freumh.org
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #2
Setting IP of dns0 to 172.16.0.3
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
768 ok.. ...1152 not ok.. ...960 not ok.. ...864 not ok.. ..816 ok.. .840 ok.. .852 ok.. will use 852-2=850
Setting downstream fragment size to max 850...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 1. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 2. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 3. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 4. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: I think 5 is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%

Trying -c on the server:

$ sudo iodined -c -f 172.16.0.0 freumh.org

On the client resulted in:

$ sudo iodine -f -r 1.1.1.1 freumh.org
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #2
Setting IP of dns0 to 172.16.0.3
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
768 ok.. ...1152 not ok.. ...960 not ok.. ...864 not ok.. ..816 ok.. .840 ok.. .852 ok.. will use 852-2=850
Setting downstream fragment size to max 850...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 1. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 2. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 3. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 4. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: I think 5 is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%

Trying -I1:

$ sudo iodine -f -r 1.1.1.1 freumh.org -I1
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 172.16.0.1
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
...768 not ok.. ..384 ok.. ...576 not ok.. 480 ok.. 528 ok.. ...552 not ok.. ...540 not ok.. will use 528-2=526
Setting downstream fragment size to max 526...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%

Some pings got through, but with up to 10 seconds of delay:

ping 172.16.0.0
PING 172.16.0.0 (172.16.0.0) 56(84) bytes of data.
64 bytes from 172.16.0.0: icmp_seq=6 ttl=64 time=10158 ms
64 bytes from 172.16.0.0: icmp_seq=12 ttl=64 time=7088 ms
64 bytes from 172.16.0.0: icmp_seq=16 ttl=64 time=3065 ms
64 bytes from 172.16.0.0: icmp_seq=25 ttl=64 time=74.3 ms
64 bytes from 172.16.0.0: icmp_seq=29 ttl=64 time=5059 ms
64 bytes from 172.16.0.0: icmp_seq=34 ttl=64 time=7180 ms
64 bytes from 172.16.0.0: icmp_seq=41 ttl=64 time=74.5 ms

I think Cloudflare's timeouts are too aggressive.

Issue and fix for failed systemd startup at boot.

I encountered an issue with the systemd service failing to start and then failing to restart too fast. It appears that systemd, by default, attempts 5 times to restart and then quits. After the following changes I was able to get iodined.service to start up. (A little digging showed that my server needed 7 failures... just over the 5 that systemd permits by default.)

Here is the Unit file I got to work:

[Unit]
Description=A daemon for tunneling traffic over DNS queries
After=local-fs.target network.target systemd-tmpfiles-setup.service
Documentation=man:iodined(8)

[Service]
EnvironmentFile=/etc/default/iodine
ExecStart=/usr/sbin/iodined -f -u iodine -t /var/run/iodine $IODINED_ARGS -P ${IODINED_PASSWORD}
StartLimitIntervalSec=120
StartLimitBurst=120
Restart=on-failure
Type=simple

[Install]
WantedBy=multi-user.target

The only real difference is the StartLimit* lines. I think the only one that matters is the StartLimitBurst one but I've left both in there since it works consistently.

If it matters, I'm in a VM of Ubuntu 20.04 Desktop (gnome) with no modifications (basically a bare bones Ubuntu desktop install).

Simpler DNS ? Or...

Excuse me, I found a DNS that connects just by entering a simple address, like Google DNS or Cloudflare DNS, which can be entered on a router,
mobile, PC...
There are 3 questions:
Can your DNS work similarly to the DNS above?
If (question in top = true)
Q1={How can I config this (your DNS) on my VPS}
Type (Q1)
Else:
Q2={how can I config something similar to the first DNS I typed at the top}
Q1.List.append{Q2}
Type (Q1)
Excuse me for my bad English.
Thanks in advance for your help and time.
And it would be much better if you created a simple setup script, because then everyone could use it.

I realized some specific hostnames will be blocked by the firewall

Ex.
From the client side, if I send a DNS query like this

dig @8.8.8.8 vaaaakaxhiu.mysubdomain.com

will be blocked, while this query

dig @8.8.8.8 abcdefghijk.mysubdomain.com

I spent tons of time finding out about this issue.
Just recording this in case other people encounter this issue.

I launch iodined like this:

./iodined -DD -n <my public IP> -f 10.100.99.1 -c -P 0930100010 b.mysubdomain.com
Debug level 2 enabled, will stay in foreground.
Add more -D switches to set higher debug level.
iodined: IPv6 not supported, skipping
Opened dns0
Setting IP of dns0 to 10.100.99.1
Setting MTU of dns0 to 1130
Opened IPv4 UDP socket
Listening to dns for domain b.mysubdomain.com
RX: client 173.194.93.2, type 1, name abcdefghijk.b.mysubdomain.com
TX: client 173.194.93.2, type 1, name abcdefghijk.b.mysubdomain.com, 5 bytes data

get_addr() should return -1 in case of error

Subject says it all:
getaddrinfo() returns positive values in case of errors. These get returned
to the caller:

    res = getaddrinfo(host, portnum, &hints, &addr);
    if (res == 0) {
            int addrlen = addr->ai_addrlen;
            /* Grab first result */
            memcpy(out, addr->ai_addr, addr->ai_addrlen);
            freeaddrinfo(addr);
            return addrlen;
    }
    return res;

But the callers check for negative values, e.g.:

    res = get_addr("resolver1.opendns.com", 53, AF_INET, 0, &query.destination);
    if (res < 0) return 1;
    ...
    dns4addr_len = get_addr(listen_ip4, port, AF_INET, AI_PASSIVE, &dns4addr);
    if (dns4addr_len < 0) {
    ...
    int addr6_res = get_addr(listen_ip6, port, AF_INET6, AI_PASSIVE, &dns6addr);
    if (addr6_res < 0) {
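A portable way to close the gap is to map every non-zero getaddrinfo() result to -1 inside the wrapper, so the existing `< 0` checks in the callers become correct without touching them. The sign of the EAI_* codes is libc-specific (negative on glibc, positive on the BSD libc that macOS uses), so `res != 0` is the only test that works everywhere. The following is an added example written for this page, not iodine's code; the name get_addr_safe, the SOCK_DGRAM hint and the sockaddr_storage output type are this example's own choices.

```c
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Resolve host:port into *out (a sockaddr_storage is large enough for both
 * AF_INET and AF_INET6). Returns the sockaddr length on success and -1 on
 * every failure, regardless of the sign convention of the EAI_* codes. */
int get_addr_safe(const char *host, int port, int addr_family, int flags,
                  struct sockaddr_storage *out)
{
    struct addrinfo hints, *addr = NULL;
    char portnum[8];
    int res, addrlen;

    if (out == NULL || port < 0 || port > 65535) return -1;
    snprintf(portnum, sizeof portnum, "%d", port);

    memset(&hints, 0, sizeof hints);
    hints.ai_family = addr_family;
    hints.ai_socktype = SOCK_DGRAM;        /* DNS tunnel traffic is UDP */
    hints.ai_flags = flags;

    res = getaddrinfo(host, portnum, &hints, &addr);
    if (res != 0 || addr == NULL) {
        /* gai_strerror(res) is the right thing to log here */
        return -1;
    }
    addrlen = (int) addr->ai_addrlen;
    if (addrlen <= 0 || (size_t) addrlen > sizeof *out) {
        freeaddrinfo(addr);
        return -1;
    }
    memcpy(out, addr->ai_addr, addr->ai_addrlen);   /* first result only */
    freeaddrinfo(addr);
    return addrlen;
}

int main(void)
{
    struct sockaddr_storage ss;
    /* AI_NUMERICHOST keeps both calls offline: no resolver is consulted */
    printf("127.0.0.1:53 -> %d\n",
           get_addr_safe("127.0.0.1", 53, AF_INET, AI_NUMERICHOST, &ss));
    printf("bogus host   -> %d\n",
           get_addr_safe("not-an-address", 53, AF_INET, AI_NUMERICHOST, &ss));
    return 0;
}
```

The extra length check before the memcpy is cheap insurance: if a caller ever passes a buffer smaller than the returned address, the copy is refused instead of overrunning the destination.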

Performance increase with socks on server

Hello there,

I recently have setup iodine similarly to situation 1 from the description in the readme. The performance was not the best but worked out for most of my needs - as always. I usually use a SSH Tunnel from iodine-client to iodine-server with the -D socks tunnel option, but this time I changed it up a bit.

I also have a VPN-client from nordvpn with sockd running on the server. So I passed -L7777:[sockd_Listening_IP]:port instead of -D7777 to the ssh command - just forwarding the traffic to the remote sockd on the server side instead of using the builtin socks proxy. The speed difference is truly amazing. I tested it at 30-40 MBit/s up- and download speed.

I verified it several times and the speed seemed to be limited only by the connection speed of my VPN provider. The documentation on the project site states, that speed should be limited at 1MBit/s, so now I'm wondering, if this is normal behaviour or special circumstance.

Support more than one top domain name to be used with a daemon

Hello.

I'd like to build a small fleet of highly available (hehe) iodined instances using several domain names. Would it be possible to let iodined support more than one top domain name at the same time? Or even better, if it would just work with any top domain name regardless of what it is.

Thank you.

What does "raw UDP login" mean in this project?

sudo ./bin/iodine -f xxxxx xxxxx
Enter tunnel password:
No tun devices found, trying utun
iodine: open_utun: connect: Resource busy
Opened utun1
Opened IPv4 UDP socket
Sending DNS queries for xxxxx to xxxxxx
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #1
Setting IP of utun1 to 10.0.0.3
Adding route 10.0.0.0/27 to 10.0.0.3
add net 10.0.0.0: gateway 10.0.0.3
Setting MTU of utun1 to 1130
Server tunnel IP is 10.0.0.1
Requesting server address to attempt raw UDP mode (skip with -r)
Server is at xxxxx, trying raw login: (skip with -r) ....failed

and the code:

iodine/src/client.c

Lines 1489 to 1520 in dc307b7

    for (i = 0; running && i < 4; i++) {
        tv.tv_sec = i + 1;
        tv.tv_usec = 0;
        send_raw_udp_login(dns_fd, seed);
        FD_ZERO(&fds);
        FD_SET(dns_fd, &fds);
        r = select(dns_fd + 1, &fds, NULL, NULL, &tv);
        if (r > 0) {
            /* recv() needed for windows, dont change to read() */
            len = recv(dns_fd, in, sizeof(in), 0);
            if (len >= (16 + RAW_HDR_LEN)) {
                char hash[16];
                login_calculate(hash, 16, password, seed - 1);
                if (memcmp(in, raw_header, RAW_HDR_IDENT_LEN) == 0
                    && RAW_HDR_GET_CMD(in) == RAW_HDR_CMD_LOGIN
                    && memcmp(&in[RAW_HDR_LEN], hash, sizeof(hash)) == 0) {
                    fprintf(stderr, "OK\n");
                    return 1;
                }
            }
        }
        fprintf(stderr, ".");
        fflush(stderr);
    }
    fprintf(stderr, "failed\n");
    return 0;

But I could not understand the semantic of "raw UDP login"
Would you mind explaining it in the README?

DNS tunnel transmission rate is very low

Hi, Yarrick:

My iodine server is centos7, currently running iodine and squid services normally, the server's virtual network card IP address is 172.16.255.254; The Win7 client installs the openvpn virtual network card and sets the browser proxy to 172.16.255.254:3128, the web page can be opened normally, and can watch 1080p video smoothly. Win7 client test ping 172.16.255.254 successfully, the average delay is about 150ms.

I currently encounter a problem as follows:

This iodine server and Win7 iodine client are very slow to transmit data through the virtual network card, FTP transfers about 60MB of data, it takes at least 1 hour.

What direction should this problem be investigated?

Connectivity errors between two linux machines

I'm trying to connect two Linux machines via DNS tunneling. I've set up a duckdns dynamic DNS subdomain, i.e. crappyhorse.duckdns.org, on the server machine, and I also registered a free domain name at freenom with the current DNS configuration. The command I issue at the server is

$ sudo iodined -f -c -P justphrase 192.168.99.1 t.vodafonegenericavail.cf
Opened dns0
Setting IP of dns0 to 192.168.1.7
Setting MTU of dns0 to 1130
Opened IPv4 UDP socket
Listening to dns for domain t.vodafonegenericavail.cf

$ sudo iodine -f -P justphrase t.vodafonegenericavail.cf
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for t.vodafonegenericavail.cf to 127.0.0.53
Autodetecting DNS query type (use -T to override).iodine: Got NOTIMP as reply: server does not support our request
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NOTIMP as reply: server does not support our request
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NOTIMP as reply: server does not support our request
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist
.iodine: Got NXDOMAIN as reply: domain does not exist

iodine: No suitable DNS query type found. Are you connected to a network?
iodine: If you expect very long roundtrip delays, use -T explicitly.
iodine: (Also, connecting to an "ancient" version of iodined won't work.)

$ dig t.vodafonegenericavail.cf

; <<>> DiG 9.16.1-Ubuntu <<>> t.vodafonegenericavail.cf
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27729
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;t.vodafonegenericavail.cf.	IN	A

;; ANSWER SECTION:
t.vodafonegenericavail.cf. 3600	IN	CNAME	dnsrecord.vodafonegenericavail.cf.
dnsrecord.vodafonegenericavail.cf. 3599	IN CNAME crappyhorse.duckdns.org.
crappyhorse.duckdns.org. 59	IN	A	41.36.193.3

;; Query time: 219 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Mar 15 15:02:53 EET 2022
;; MSG SIZE  rcvd: 131

The output of https://code.kryo.se/iodine

Troubleshoot your iodine setup

Analyzing DNS setup for tunnel domain 't.vodafonegenericavail.cf'... (might take some time)

Looking for nameserver for vodafonegenericavail.cf.. got ns04.freenom.com (at 104.155.29.241).
Resolving delegation of t.vodafonegenericavail.cf at 104.155.29.241... not known.

Error: The tunnel name t.vodafonegenericavail.cf is not delegated to any host according to nameserver ns04.freenom.com.

I'm currently incapable of getting my head around what's the culprit of the problem or wrong with this setup. Any ideas ?

Getting "Segmentation fault: 11" on MacOS Catalina

Hello, I've tried using iodine on MacOS Catalina and I'm getting a segfault error:

kbs@touchbar:~/git/iodine$ /usr/local/sbin/iodine -f -P pelado tunnel.peladonerd.com
iodine: Run as root and you'll be happy.
kbs@touchbar:~/git/iodine$ sudo /usr/local/sbin/iodine -f -P pelado tunnel.peladonerd.com
Segmentation fault: 11

The installation steps went well:

kbs@touchbar:~/git/iodine$ make
OS is DARWIN, arch is x86_64
kbs@touchbar:~/git/iodine$ make install
OS is DARWIN, arch is x86_64
mkdir -p /usr/local/sbin
install  bin/iodine /usr/local/sbin/iodine
chmod 755 /usr/local/sbin/iodine
install  bin/iodined /usr/local/sbin/iodined
chmod 755 /usr/local/sbin/iodined
mkdir -p /usr/local/share/man/man8
install  man/iodine.8 /usr/local/share/man/man8/iodine.8
chmod 644 /usr/local/share/man/man8/iodine.8
mkdir -p /usr/local/share/doc/iodine
install  README.md /usr/local/share/doc/iodine/README.md
chmod 644 /usr/local/share/doc/iodine/README.md

Any ideas?

Domain in binary format even when not set.

Hello,
I tried to setup iodine, everything seems working. However when I try to check what domains are coming to the server, they all appear to be in binary format. I've started the client to not run in binary format. I'd like to know if it is possible to make the client query domains which container only ascii characters allowed in the domain name? I've tried using -O with different encoding but still in tcpdump I saw binary domains like so:
zwchaA0123456789M-<M-=M->[email protected]

Command to start the client:
iodine -r -f -P password 111.111.111.111 t.iodine.com

Choose which interface to use?

Hi, I'm more than anything just having some fun learning about this stuff. But I'm wondering if it's at all possible to choose which interface this uses. My reasoning is that en0 is wired ethernet and I'd like to connect to a wifi signal and have a connection available just as an "in case" the main internet goes down.

Does iodine work on Mac OS X 10.15.6?

I see the following error on Mac OS X 10.15.6. Does iodine support Mac OS X? Thanks.

$ sudo ./iodined -f 10.0.0.1 test.com
Enter password: 
iodined: open_tun: Failed to open tunneling device: No such file or directory

Can forward Ip traffic tcp-udp over iodine ?

Hi dear, I run an iodine tunnel on Ubuntu 18.04. The tunnel is established and I can ping the tunnel interface.
I NAT the IP range on the iodine server and route it to the client side,
but on the client I don't get ping replies from the IP range routed to the client.

Please help me.

Cannot make on Android 12

I'm using Samsung S10, Android 12, Termux (latest from f-droid)

This is what I get when I make:

make[1]: Entering directory '/data/data/com.termux/files/home/iodine/src'
OS is LINUX, arch is aarch64
CC common.c
common.c:61:12: error: static declaration of 'daemon' follows non-static declaration
static int daemon(int nochdir, int noclose)
^
/data/data/com.termux/files/usr/include/unistd.h:343:5: note: previous declaration is here
int daemon(int __no_chdir, int __no_close);

Is the problem that it thinks OS is LINUX, rather than ANDROID?

Question about project

Hi,
If anyone sees this, I am curious if the connection password is sent encrypted or hashed in any way. I realize the actual data inside the tunnel is not, but I am worried that if the connection password is viewable, my Iodine server will get connections from other people.
Thank you!

Brew support

I see a small mention of brew in a yaml file and an old brew package elsewhere on the internet. But has anyone looked at making a recent iodine recipe for brew?

I haven’t created any brew packages before so if nobody else is, I wouldn’t mind creating one for iodine.

Do not panic if not root

Hello.

Given the systemd (or a similar system manager) is available, it should be possible to run iodined with very restricted privileges and on behalf of a non-root user (even a dynamically generated one), granting additional capabilities via AmbientCapabilities=. Hence, unconditional panic in check_superuser() should be avoided. So, instead of calling check_superuser(), at least on Linux, there should be a check against required capability (there's libcap-ng for this). For creating a tun device it'd be CAP_NET_ADMIN, for binding on port 53 it's CAP_NET_BIND_SERVICE, for changing the user it is CAP_SETUID and CAP_SETGID.

Thanks.
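The check described above can be done without a library dependency: on Linux the effective capability set of the current process is exposed as the CapEff line of /proc/self/status, and the bit numbers of CAP_NET_ADMIN (12), CAP_NET_BIND_SERVICE (10), CAP_SETUID (7) and CAP_SETGID (6) are a stable kernel ABI. The following is an added example written for this page, not iodine's code and not the libcap-ng approach the post suggests; the function names and the IODINED_CAPS mask are this example's own. It parses constructed CapEff lines so the logic can be exercised without running as root.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capability bit numbers as defined in linux/capability.h. */
#define CAP_SETGID            6
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE  10
#define CAP_NET_ADMIN         12
#define CAP_BIT(c) ((uint64_t)1 << (c))

/* Per the post above: tun creation, binding port 53, dropping to the -u user. */
#define IODINED_CAPS (CAP_BIT(CAP_NET_ADMIN) | CAP_BIT(CAP_NET_BIND_SERVICE) | \
                      CAP_BIT(CAP_SETUID) | CAP_BIT(CAP_SETGID))

/* Parse "CapEff:<tab><hex mask>" as found in /proc/<pid>/status.
 * Returns 0 and sets *mask, or -1 if `line` is some other line. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    unsigned long long v;
    if (strncmp(line, "CapEff:", 7) != 0) return -1;
    if (sscanf(line + 7, " %llx", &v) != 1) return -1;
    *mask = (uint64_t) v;
    return 0;
}

/* Bits of `needed` that are absent from `effective`; 0 means all present. */
uint64_t missing_caps(uint64_t effective, uint64_t needed)
{
    return needed & ~effective;
}

/* Read the calling process's effective set. Returns -1 when /proc is not
 * available (non-Linux, or a chroot without /proc mounted). */
int read_effective_caps(uint64_t *mask)
{
    char line[256];
    int rc = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (parse_capeff_line(line, mask) == 0) { rc = 0; break; }
    }
    fclose(f);
    return rc;
}

/* Drop-in for an unconditional "must be root" test: root passes because its
 * effective set contains everything, and a non-root user granted only the
 * listed capabilities (e.g. via systemd AmbientCapabilities=) passes too.
 * Returns 0 if all present, 1 if some are missing, -1 if unknown. */
int check_required_caps(uint64_t needed)
{
    uint64_t eff, missing;
    if (read_effective_caps(&eff) != 0) return -1;
    missing = missing_caps(eff, needed);
    if (missing) {
        fprintf(stderr, "missing capability bits: 0x%llx\n",
                (unsigned long long) missing);
        return 1;
    }
    return 0;
}

int main(void)
{
    int rc = check_required_caps(IODINED_CAPS);
    printf("required capabilities: %s\n",
           rc == 0 ? "present" : rc > 0 ? "missing" : "unknown (no /proc)");
    return rc;
}
```

With a check like this in place, the matching unit would carry User=iodine together with AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID instead of starting as root; when the -1 path is hit (no /proc), falling back to the old uid-0 test is the conservative choice.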

Cannot `make` on macOS

Hi, I'm on MacOS 11.4 (Big Sur) (M1) and I can't compile iodine.

I get the following error:

iodine % make
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
/bin/sh: line 0: cd: src: No such file or directory
^Cmake[47]: *** [all] Interrupt: 2
make[46]: *** [all] Error 130
make[45]: *** [all] Error 130
make[44]: *** [all] Error 130
make[43]: *** [all] Error 130
make[42]: *** [all] Error 130
make[41]: *** [all] Error 130
make[40]: *** [all] Error 130
make[39]: *** [all] Error 130
make[38]: *** [all] Error 130
make[37]: *** [all] Error 130
make[36]: *** [all] Error 130
make[35]: *** [all] Error 130
make[34]: *** [all] Error 130
make[33]: *** [all] Error 130
make[32]: *** [all] Error 130
make[31]: *** [all] Error 130
make[30]: *** [all] Error 130
make[29]: *** [all] Error 130
make[28]: *** [all] Error 130
make[27]: *** [all] Error 130
make[26]: *** [all] Error 130
make[25]: *** [all] Error 130
make[24]: *** [all] Error 130
make[23]: *** [all] Error 130
make[22]: *** [all] Error 130
make[21]: *** [all] Error 130
make[20]: *** [all] Error 130
make[19]: *** [all] Error 130
make[18]: *** [all] Error 130
make[17]: *** [all] Error 130
make[16]: *** [all] Error 130
make[15]: *** [all] Error 130
make[14]: *** [all] Error 130
make[13]: *** [all] Error 130
make[12]: *** [all] Error 130
make[11]: *** [all] Error 130
make[10]: *** [all] Error 130
make[9]: *** [all] Error 130
make[8]: *** [all] Error 130
make[7]: *** [all] Error 130
make[6]: *** [all] Error 130
make[5]: *** [all] Error 130
make[4]: *** [all] Error 130
make[3]: *** [all] Error 130
make[2]: *** [all] Error 130
make[1]: *** [all] Error 130
make: *** [all] Error 130

I'm not sure where to look for what could be causing the issue.

When is the next release?

I see a lot of work put into iodine after the latest 0.7.0 release (which was 7 years ago). iodine commits newer than the 0.7.0 release fix opening utunX devices on Darwin. I'd really like the fix to appear in a release.

Version bump

The latest version is 0.7.0 and was released on 2014-06-16. I see there's been quite a lot of commits since that time.

Does it make sense to bump the version so that the new features get included in the distributions packaging the project?

Bad IPv6 address to listen on

iodined: Bad IPv6 address to listen on: '(null)'

I got this issue when trying to run: iodined -f . It returned the error Bad IPv6 address to listen on. While trying to find out why I got this issue, I commented out the if statement that is responsible for returning this error. I got the following error: socket: Address family not supported by protocol.

I'm afraid it might have something to do with the configuration of my VPS, but I have no idea what would cause it. If anyone can help with this, that would be great :)

Improve performance via direct queries

Just stumbled across this project and thought it was really cool! The only downside seems to be the throughput, but I understand the reasoning behind it (not wanting to affect intermediate DNS servers that we don't own). I wonder, though, would it be possible to speed up the throughput of the DNS tunnel by setting the client's DNS resolver to be the server running iodined?

In my mind, it would be some sort of additional flag where we set a static IP (e.g. --iodined X.X.X.X). If there was a way to attempt this with the client, we could send the DNS packets directly to our server as fast as we want.

I'm probably making a lot of incorrect assumptions here because I am super new to this project and idea, but I thought I'd throw the thought out there and see what others think.

iodine breaks my debian system

Hi,
This report may not be useful, but I noticed that using iodine crashes my KDE setup (Xorg stays alive); I also noticed that some FUSE file systems are not responding anymore. dmesg does not say much... sorry, I don't have more information to share.
But I can replicate some steps if mentored.

Regards

[macOS] Check for `if_utun.h` and provide needed defines, if the header is missing

@yarrick macOS prior to the released version of 10.6 does not have net/if_utun.h. The header itself in 10.6.8 is trivial though; perhaps it can be checked in configure and, if not detected, we can add the required defines from the 10.6.8 version?

:info:build make: Entering directory `/opt/local/var/macports/build/_opt_PPCSnowLeopardPorts_net_iodine/iodine/work/iodine-0.8.0'
:info:build make[1]: Entering directory `/opt/local/var/macports/build/_opt_PPCSnowLeopardPorts_net_iodine/iodine/work/iodine-0.8.0/src'
:info:build CC tun.c
:info:build CC read.c
:info:build CC dns.c
:info:build CC encoding.c
:info:build CC login.c
:info:build OS is DARWIN, arch is Power Macintosh
:info:build CC base32.c
:info:build tun.c:34:25: error: net/if_utun.h: No such file or directory
:info:build CC base64.c
:info:build tun.c: In function ‘open_utun’:
:info:build tun.c:377: error: ‘UTUN_CONTROL_NAME’ undeclared (first use in this function)
:info:build tun.c:377: error: (Each undeclared identifier is reported only once
:info:build tun.c:377: error: for each function it appears in.)
:info:build tun.c:406: error: ‘UTUN_OPT_IFNAME’ undeclared (first use in this function)
:info:build Making base64u.c
:info:build CC base128.c
:info:build make[1]: *** [tun.o] Error 1
:info:build make[1]: *** Waiting for unfinished jobs....

This is on 10a190 build of 10.6. I borrowed the header from 10.6.8 SDK, and build worked fine then.

Big Sur "No tun devices found, trying utun. segmentation fault"

I'm trying to run iodine as follows:

sudo ./iodine -f -P password t1.mydomain.com

However, I get:

No tun devices found, trying utun
[1]    4469 segmentation fault sudo ./iodine -f -P password t1.mydomain.com

This happens regardless of specifying -d=utun0 (all the way through utun7, only utun0 through utun6 are shown on my ifconfig). There aren't any /dev/tunX or /dev/utunX devices showing in /dev, though I am not sure whether they should be or not.

This is using the latest master commit as of May 12th 2021 on Mac OS X Big Sur 11.3.

Tunnelblick seems to be able to create a new utun7 no problem when it creates an OVPN connection.

Improve raw login from v4-only network against v6-capable server

If the client only has IPv4 available, and the server has both IPv4 and IPv6, raw login can be attempted on IPv6 anyway if the DNS servers in use prefer it.

It works this way since the server does not always know its addresses (if listen addresses are not set). The server should respond with addresses for both protocols (guessing its address if required) to allow the client to try either one.

$ sudo ./bin/iodine -f4    dns.tun
Enter tunnel password: 
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for dns.tun to 127.0.0.53
Autodetecting DNS query type (use -T to override).iodine: ..
Using DNS type TXT queries
Version ok, both using protocol v 0x00000502. You are user #1
Setting IP of dns0 to 10.4.5.3
Setting MTU of dns0 to 1130
Server tunnel IP is 10.4.5.1
Requesting server address to attempt raw UDP mode (skip with -r) 
Server is at 2001:db8::1, trying raw login: (skip with -r) ....failed

Issue with TAP version 9.0.0.21 on Windows

Iodine is not compatible with TAP 9.0.0.21 on Windows 10
File: tap0901.sys
Version: 9.0.0.21
Productversion: 9.21.1 9/21

Connection between client-server gets established without any error message BUT ping from client to server is not working (and vice-versa). Tunnel is not working.
Reason for connection issue/ not working tunnel is not visible.

( It is working with TAP version 9.0.0.9)

Donated servers?

Hello, I just found out that my LTE operator passes DNS requests with ~30kbytes/s, and I think this is not the limit.
I found the Android package AndIodine, but I can't find any servers. I know it may be a nerve-wracking question, but since I don't have any knowledge of Linux, could you create a place for devs to contribute their iodine configurations for the community?
Thanks, also you could reach me at nuzzle[at]duck.com

Bind to interface instead of IP address?

I'm running iodine daemon on OpenWRT (Linux 4.14)
Having a dynamic WAN IP, I'd find it great if iodined could listen on any IP, but only on a specific interface (WAN).

The current way of binding to 0.0.0.0 on any interface messes with my other DNS services.

Obviously I should (and will continue to try to) get a script hooked on an IP change on the WAN interface, that would then restart iodined with the new address in the -l parameter (but apparently I'm too stupid for that).

External IP deduction doesn't work

Hi! The source code tries to resolve the external IP of the server by using the API of api.externalip.net, which is no longer available. It is no problem to replace it with another service's URL. But why do it at all? Why can't we use DNS to find out the NS record responsible for the given domain and then retrieve the A record for it? I cannot figure out the case where the external IP doesn't match the IP in the A record for the nameserver. Do you?

iodine fails to find new OpenVPN TAP adapter on Windows

The Windows OpenVPN installer (OpenVPN-2.5.6-I601-amd64.msi) now creates a TAP interface with a root-enumerated hardware ID (ComponentId = root\tap0901). Iodine (tun.c) only looks for legacy hardware IDs (e.g. ComponentId = tap0901), even if a device name is provided (-d).

Please update the registry device enumeration section to match: tap0801, tap0901, and root\tap0901.

Also: there are several malformed warnx statements in tun.c.
e.g.: warnx("Error opening registry key " TAP_ADAPTER_KEY);
should be: warnx("Error (%d) opening registry key: %s", status, TAP_ADAPTER_KEY);

can't bring up tunnel through Fedora (36) bind-9.16.27

I'm trying to bring up an iodine tunnel from a client through a vanilla-configured cache running on Fedora 36. The cache config file is:

# /etc/named/named.conf
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
    dnssec-validation no;
    querylog yes;
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

I'm starting the server using

iodined -P foobar 192.168.14.1 -DD -f test.com

and the client using

iodine -r -P foobar test.com

The symptom I'm observing is that the cache introduces a huge (around 5 second) delay into the forwarding of some of the client-generated queries (e.g. raacdMAj..., which I think are part of the downstream path fragment size negotiation).

What I'm seeing is that the client gives up on progressively smaller attempted downstream path fragment sizes, until it fails entirely. A few seconds later, the cache starts sending a bunch of the wrongfully-delayed client-generated queries to the server, which immediately replies to them, and the cache then logs them as query failed (timed out) in its /var/named/data/named.run log file.

This all used to work perfectly well back when Fedora used named-9.11.*, and building the old rpm packages of named-9.11 for Fedora-36 and downgrading to them there gets it working perfectly well, so I suspect the problem is a bug (or weird new configuration default) in bind-9.16.*.

I understand this does not appear to be a problem with iodine itself, but rather with bind-9.16.*, but figured if anyone would know or care, or notice the problem, they'd be more likely to be found here than on some Fedora or bind-9 mailing list :)

Any clue on what might be going on much appreciated -- thanks!
