Free access to the network for an emergency

We remind you that the user performs all the actions described in the article at his own risk. The material is provided for informational purposes only. The editors of 3DNews are not responsible for any possible consequences.

⇡ # Introduction

Free Internet access … Fairy tale? Byl? After all, free cheese is only in a mousetrap, is not it? The method described below will allow access to the Network without paying a single penny. However, do not hope that this will be a "normal" access – the connection speed will be very small, as in times of dial-up (this word does not cause you an uncontrollable attack of nostalgia?). However, it should be enough for communication in various messengers (except, perhaps, Skype), access to mobile versions of sites or to pages that do not contain a lot of content.

Before proceeding with the setup, it would be nice to answer the question: "Why is this all necessary?" Options, when such access can be useful, mass. For example, you have disabled the Internet for non-payment (as it usually happens on the first day of the month a little later than midnight), and you urgently need to contact someone or transfer the required amount to the provider's account. There are still some bad companies that even access to the private office are turned off at zero balance, thus preventing at least blocking the account, and quietly write-off money for an unavailable service. Or, for example, in your organization are very malicious admins (necessarily bearded and in sweaters), which block access to instant messengers, social networks and other joys of a simple office employee. It also happens that there is an open network of Wi-Fi, but, according to security policy, the Internet is not for outsiders. In general, there is only one condition – the main thing is that you should have a free DNS server!

⇡ # Theory

Using the IP-over-DNS technique, you can organize a tunnel to transfer arbitrary traffic over the DNS protocol. Historically, the size of the DNS packet should not exceed 512 bytes, which is enough to place information about 13 root servers (of which there are 200 already). However, as a rule, there is enough "free" space in it. Then the magic begins. We must have our own server on the Web, which is actually a fake name server, responsible for a certain domain zone. We send a DNS-request to our local (provider) DNS-server about this very zone. He, as expected, is interested in a fake server, what is this zone, and he answers it. In fact, we already "got through" to our server on the Internet. The nuance is that we actually did not go beyond the local network all this time. Well, then everything is simple. Communication with the server is, you can exchange packages with it. It remains only to gently cut all traffic into small pieces, pack them into free space in DNS-packages and give them to the client, who will be on his side to restore the original sequence. And, accordingly, in the same way to return back, it is desirable also with the associated compression of traffic.

The question of the legality of such access to the Web is controversial. On the one hand, we do not seem to violate the specifications and work with DNS as expected. "Legal" requests to DNS from false to distinguish it is impossible. On the other hand, we all understand that from a moral point of view this, let's say, is not very good. So you should not abuse this method. The vast majority of providers, even with disconnected Internet access, leave their DNS servers open to users, although some also block suspiciously "greasy" packages. In general, there is still no sufficiently universal and effective means against IP-over-DNS. Although, of course, parasitic traffic can be calculated from the sharply increased frequency of requests to the name server or through intrusion detection systems.

⇡ # Practice

There are several implementations of IP-over-DNS: NSTX (probably the oldest), OzymanDNS, DNSCat, iodine and others, usually written only for themselves. At the moment, the best implementation is the iodine project. In the title there is a kind of play of words. First, iodine contains the abbreviation IP-over-DNS (IOD). Secondly, iodine, also iodine, has a serial number 53 in the periodic table, which coincides with the default DNS port number. In fact, this is the only project that is more or less regularly updated and improved, and also ported to a large number of platforms. In addition, and setting it does not require much effort.

However, there are more exotic methods of obtaining free access to the Web. For example, IP-over-IRC or IP-over-XMPP, because many providers provide free access to internal IRC or Jabber servers, which are often connected to other servers on the Web. There is absolutely crazy method of IP-over-ICMP (ICMPTX). However, we will focus on IP-over-DNS and consider this whole case using the example of iodine.

⇡ # Setting up the iodine server

As an example, consider installing iodine on a server with Ubuntu 10.04.1 in Amazon EC2, the configuration of which was described in the previous article. Just in case, it is recommended to read it again so that there are no unnecessary questions. The configuration for other GNU / Linux distributions is similar. However, if you have such a server, it is unlikely that additional explanations will be required. In fact, it's best to install iodine on a server that is physically closer to you, at least for the sake of reducing the response time.

To begin with, you must register a domain through which DNS queries will go. In principle, you can choose any registrar, including free. If only there was an opportunity to change NS-records for the created subdomains. For example, consider The choice of this service is not accidental. First, it does not require payment. Secondly, we must remember that the shorter our domain name is, so, relatively speaking, more useful information will fit into the DNS package. On the main page of the service we are offered to choose a domain and, if it is free, immediately register., but you can choose any suitable name, click on the "Check availability" button and go through the rest of the registration procedure on the site, which should not be a problem. If the domain name is not available, then it will be necessary to return to the main page and try another.

After the registration is over, you need to log in to the service, in My Domains select the domain and click on the item Zone Record. Now fill out all the required fields. In Host enter the name of the subdomain (for example,, in Type select NS, and in Value we enter DynDNS-name of our server in the cloud Amazon EC2 (in our example it was Finally, click the "Customize" button. It will take some time to delegate the domain. The site says that the changes will take effect within 48 hours, but in fact, you will hardly have to wait more than an hour. However, a lot depends on your provider. In the meantime, in order not to get bored, let's take care of setting up the server.

First we will need to open the 53rd port on our server. To do this, go to the AWS management console, go to the Security Groups section and click on the default group in the list. Go to the Inbound tab. Select the DNS item in the Create a new rule list and click Add rule, and then Apply Rule Changes. It should look like the screenshot below.

Now we'll simplify our work with SSH a little. Launch PuTTY, enter the DynDNS-address of the server in the Host Name field (in our example it was Then go to the menu on the left in Connection → SSH → Auth and specify the path to our key in the ppk format in the Private key file. Slightly higher, in the Connection → Data section there is an Auto-login username field, into which you need to enter ubuntu (this is our login). Finally, in Window → Translation, select the UTF-8 encoding and return to the Session section. In the Saved Sessions field, enter any name (for example, amazonvpn) and click on the Save button on the right. Now after starting PuTTY it will be enough to double-click the name of the saved connection (amazonvpn) and the console of the remote server will open itself.

Open the console and install iodine with the following command:

 sudo apt-get install iodine 

Now you need to edit the configuration file / etc / default / iodine

 sudo nano / etc / default / iodine 

and bring it to about this kind:

Let's analyze the input parameters. is the IP address of the server inside the future DNS tunnel. Instead of, you can select any other local subnet. Requirement one – addressing in the tunnel should not coincide with addressing of your local network connection. is the subdomain we registered above. Finally, IODINED_PASSWORD specifies the password that you will need to enter on the next connection. Save the changes by pressing F2, then Y and Enter.

Now you need to know the installed version of iodine command

 iodine -v 

and restart the iodine daemon:

 sudo /etc/init.d/iodined restart 

Next, you need to "twist" the routing commands

 sudo iptables -t filter -A FORWARD -i eth0 -o dns0 -m state -state 
 sudo iptables -t filter -A FORWARD -i dns0 -o eth0 -j ACCEPT 

and add them to /etc/rc.local, not forgetting to save the file after editing:

 sudo nano /etc/rc.local

There should be something like this:

This completes the setup of the iodine server, and you can exit the console using the exit command. Finally a couple of comments for those who install iodine on their own server. First, do not forget about net.ipv4.ip_forward = 1. Secondly, if you already have BIND on port 53, then on the Tips and tricks page of the project there are useful indications about this. There, by the way, there is also a link to the script for quick setup of the routes in Mac OS X, GNU / Linux and FreeBSD when using the iodine client under these OS.

⇡ # Setting up the iodine client

The client part, like last time, will be 32-bit Windows 7. It is necessary to start with installing the virtual TAP-adapter from the OpenVPN package. You can download only the driver (run addtap.bat) or pick up the latest version from here and install only the TAP Virtual Ethernet Adapter when installing.

When installing the driver, the system asks for permission to perform this action. To refuse it is not necessary.

We go to the "Control Panel", select "Network and Sharing Center" and on the left click on "Change adapter settings". Here we will need to change the name of the newly created network adapter to dns.

From the iodine project page, download the archive with the version of the program for Windows. Note that the version number of the server (we learned it just above) and the client must match. In our case, the server was version 0.5.1, which means that you need to download the archive. After downloading, unpack the archive into a folder.

To configure the routes, you need to know the IP addresses of the local DNS server and the default gateway. At the Windows command prompt (Win + R, cmd, Enter), enter the command

 ipconfig / all 

and look at the properties of the local network connection. In our example, we will use DNS at address and gateway with IP

Pick up the iodine tunnel with

 c:  path  to  iodine.exe -f 

Instead of substitute your DNS-server, and instead of – its subdomain. We will be asked to enter the password that we specified above in the variable IODINED_PASSWORD. If you did everything correctly, the tunnel will rise after a few seconds. A great help is that iodine automatically determines the size of the MTU. To lower the tunnel, it will be sufficient to close the window with the iodine client running.

You can check the availability of the server by opening another command window and typing


where is the server's tunnel address (see above). If everything is in order, then the server will respond.

As before, you can start the SOCKS server through PuTTY, which will be available at on port 9999:

 c:  path  to  putty.exe -l ubuntu -D 9999 -i c:  path  to  file.ppk 

But, of course, it's better not to do this, but to close PuTTY and configure routing in Windows. It should be that requests to the local DNS server go through the default gateway, and all other traffic is "wrapped" to our server in the Amazon EC2 cloud. This is done simply. Open another Windows command line and enter the following commands:

 route delete 
 route add mask 
 route add mask 

Again, instead of substitute the local DNS address, instead of – the gateway address, instead of – the address of the iodine server in the tunnel. Everything, now it is possible to use Internet-programs in a usual mode. Well, almost in the usual – do not forget about the small speed.

To stop all this mess, you need to close the window with the running iodine client, and enter two commands on the command line:

 ipconfig / release 
 ipconfig / renew 

⇡ # Conclusion

The actual speed of the received connection will be extremely low – most likely, from 1-2 to 10-20 kbit / s. Although the author of the project in a test environment, close to ideal, it turned out and more solid figures. For all chats, this should be enough. But to view the web pages it is better to use the Opera browser. First, you can quickly disable the downloading of images in it. Secondly, it has a Turbo mode, when traffic is previously compressed on third-party servers. For other browsers there are similar plug-ins, including those using Opera servers. However, there are many other similar services. It is also recommended to "nail" programs that can actively use the network in the background. For example, torrent clients or auto-updates for software. Well, do not forget that the exit from our tunnel is in the US. Finally, let us remind you again that you do not need to abuse this method of access to the Internet – it's only worth using as a last resort. The hour is not even, the provider will take offense and excommunicate you from the Web.

If you notice an error – select it with the mouse and press CTRL + ENTER.

Leave a Reply