How to bypass firewalls or captive portals with dns2tcp

news Add comments

Have you ever found an open wireless access and when opening your browser you get a nice login screen asking you a credit card number (a captive portal)? What’s next? Make your choice: fill the form with the magic numbers or try to bypass this security mechanism!

Classic wireless hot spots commonly allow two protocols: ICMP and DNS (UDP/53). ICMP (Internet Control Message Protocol) is used to report errors and warning to the client and DNS is mandatory to resolve hostnames. While ICMP can also be used as a transport protocol (see PTunnel), firewalls may block unusual ICMP packets (ex: suspicious big packets). On the other side, there are often less restriction regarding DNS traffic.

In the following tutorial, we will use the tool dns2tcp written by two guys working for HSC, a French security company.

Required components

  • An official registered domain name. Example:
  • A server with a public IP address not running any DNS service. The server must run UNIX[1]. Example:

[1] I successfully tested dns2tcp on Linux and client also on iPhone.

Domain name zone configuration

Choose a subdomain name for your domain. In this example, we will use a subdomain Add the following line in your zone file:

dnstunnel    IN     NS

Don’t forget to increase the serial and to reload the zone. If you don’t manage the zone yourself, ask you ISP or hoster to do this for you.

Server configuration

(these operations are performed on your public server)

Download the tarball and compile the binaries:

# cd /tmp
# tar xzvf dns2tcp-0.3.tar.gz
# cd dns2tcp-0.3
# configure
# make install

This will create two binaries (dns2tcpd and dns2tcpc) and their respective manpages. Now, we will create a configuration file /etc/dns2tcpd.conf:

# cat >/etc/dns2tcpd.conf <<EOF
listen = w.x.y.z
port = 53
chroot = /var/empty/dns2tcp/
domain =
ressources = ssh:

Be sure to replace the domain and the IP address with your own values! The port must be 53!

Now, start the daemon:

# ./dns2tcpcd -F -d 1 -c dns2tcpd.conf

“-F” means to run in foreground and “-d 1? enables debugging.

Client configuration

Perform the same operations as on the server side. (configure && make install). Then create the client configuration file/etc/dns2tcpc.conf:

# cat >/etc/dns2tcpc.conf <<EOF
domain =
ressource = ssh
local_port = 2222

Be sure to replace the domain and the IP address with your own values! The local port must be free and above 1024 to be binded by a non-root user!

Now, check if we can communicate with the server:

# ./dns2tcpc -z <dns_server>
Available connection(s) :

The dns_server can be your public server or, if you are forced, the local DNS.

Start a SSH session

Now, we are ready to start a tunnel with encapsulated SSH packet:

# ./dns2tcpd -c -f dns2tcpc.conf
listening on port 2222

Now, start your SSH session:

# ssh -p 2222 user@

Here we go! You’ve a session on your public server!

If you start your SSH as a socks proxy with the “-D” and configure your browser to surf thru this tunnel.

You can create as mush resources as you want on the server but packets send thru the DNS tunnel are not encrypted so SSH is recommanded as the best solution.

© 2000-2007 by fosk & powered by Wordpress themed by N.Design Studio