Raw import from Trac using Trac markup language. Authored by Alexander Hansen Færøy.
Moved to #15213.
Brainstorming and planning for a DNS-based pluggable transport.
Encode data in recursive DNS queries and responses: the client sends ordinary-looking queries to whatever recursive resolver it already uses, and that resolver forwards them to the right place. A DNS bridge would be the authoritative name server for a particular domain, so users would configure a domain rather than an IP address in their `Bridge` lines. Tools already exist to do DNS tunneling, for example [http://code.kryo.se/iodine/ iodine] and [https://github.com/iagox86/dnscat2 dnscat2]. Because DNS is strictly request/response, the bridge cannot push data on its own: the transport probably requires a reliability layer (queries and answers can be dropped, duplicated, or reordered by intermediate resolvers) and periodic polling by the client to fetch downstream data.
[[./Survey|Survey of DNS tunnel encodings]]
Brainstorming options for a reliability layer:
* [https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md#dnscat-protocol dnscat2 protocol]: a TCP-like session layer with SYN, FIN, SEQ, and ACK fields, independent of DNS. (dnscat2 also has a separate procedure for encoding data as DNS requests/responses.)
* [https://github.com/skywind3000/kcp/blob/master/README.en.md KCP]
* [http://lksctp.sourceforge.net/ libsctp] or other user-space SCTP
Demo of encoding/decoding DNS with Scapy:
{{{
>>> from scapy.all import *
>>> str(DNS(rd=True, qd=DNSQR(qtype="A", qname="example.com"))).encode("base64")
'AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE=\n'
}}}
{{{
$ echo -n AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE= | base64 -d | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | base64
AACBgAABAAEAAAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi
}}}
Parsing the reply with Scapy. The base64 text has to be decoded first: passing it to `DNS()` as-is makes Scapy parse the ASCII characters `AACB...` as the header and yields a nonsense packet (`id=16705`, `rcode=server-failure`, `qdcount=26433`).
{{{
>>> DNS("AACBgAABAAEAAAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi".decode("base64"))
}}}
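The two halves of the idea above (payload carried in the QNAME of a query, downstream data carried in the answer, and the raw wire format the Scapy/curl demo works with) as one added example in pure Python 3. This is not code from the wiki page, from Tor, or from iodine/dnscat2; the tunnel zone `t.example.net` and all function names are hypothetical. It parses the exact query and Cloudflare reply bytes shown above, and it has no reliability layer: that is the piece the brainstorm list is about.

```python
# Added example (not from the Tor wiki, iodine or dnscat2): a minimal DNS tunnel
# codec. The client hides its payload in base32 labels of a TXT query under a
# hypothetical zone; the bridge, authoritative for that zone, answers with the
# downstream payload in TXT rdata. Wire format per RFC 1035 section 4.
import base64
import struct

TUNNEL_DOMAIN = "t.example.net"   # hypothetical zone the DNS bridge serves
QTYPE_A, QTYPE_TXT = 1, 16

# Copied from the Scapy/curl demo above: the example.com query and the reply
# cloudflare-dns.com returned for it.
PAGE_QUERY = base64.b64decode("AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE=")
PAGE_REPLY = base64.b64decode(
    "AACBgAABAAEAAAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi")


def encode_name(name):
    # Presentation form -> wire form: length-prefixed labels ending in 0.
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def read_name(msg, off):
    # Wire form -> presentation form, following compression pointers (0xC0xx).
    # Returns (name, offset just past the name as it appeared at `off`).
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_query(qname, qtype=QTYPE_A, txid=0):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "flags": flags, "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def rdata_to_ipv4(rdata):
    return ".".join(str(b) for b in rdata)


def tunnel_query(payload, txid):
    # Client side: upstream payload in the QNAME. Base32 survives resolvers
    # that change label case; an empty payload is a poll for downstream data.
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    name = ".".join(labels + [TUNNEL_DOMAIN])
    if len(name) > 253:
        raise ValueError("payload too large for one query")
    return build_query(name, QTYPE_TXT, txid)


def tunnel_extract(query):
    # Bridge side: (txid, upstream payload) from a tunnel query.
    m = parse_message(query)
    name, qtype, _ = m["questions"][0]
    suffix = "." + TUNNEL_DOMAIN
    if name == TUNNEL_DOMAIN:
        b32 = ""
    elif name.endswith(suffix) and qtype == QTYPE_TXT:
        b32 = name[:-len(suffix)].replace(".", "").upper()
    else:
        raise ValueError("not a tunnel query")
    return m["id"], base64.b32decode(b32 + "=" * (-len(b32) % 8))


def tunnel_response(query, payload):
    # Bridge side: downstream payload in TXT rdata (<len><chars> strings).
    # TTL 0 so intermediate resolvers do not cache and replay the answer.
    m = parse_message(query)
    name, qtype, qclass = m["questions"][0]
    header = struct.pack("!HHHHHH", m["id"], 0x8580, 1, 1, 0, 0)  # QR AA RD RA
    question = encode_name(name) + struct.pack("!HH", qtype, qclass)
    chunks = (payload[i:i + 255] for i in range(0, len(payload), 255))
    txt = b"".join(bytes([len(c)]) + c for c in chunks)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, 1, 0, len(txt)) + txt
    return header + question + rr


def tunnel_read_response(resp):
    # Client side: (txid, downstream payload) from the bridge's answer.
    m = parse_message(resp)
    if m["rcode"] != 0:
        raise ValueError("rcode %d" % m["rcode"])
    out = b""
    for _, rtype, _, _, rdata in m["answers"]:
        if rtype != QTYPE_TXT:
            continue
        i = 0
        while i < len(rdata):
            n = rdata[i]
            out += rdata[i + 1:i + 1 + n]
            i += 1 + n
    return m["id"], out


if __name__ == "__main__":
    q = tunnel_query(b"hello from the client", txid=0x1234)
    print(tunnel_extract(q))
    print(tunnel_read_response(tunnel_response(q, b"hello from the bridge")))
```

Two limits fall straight out of the wire format: a label is at most 63 octets and a whole name at most 253 characters, so one query carries only about 150 bytes upstream after base32 expansion, while a TXT answer can carry a few hundred bytes downstream. Because resolvers may rewrite label case and will cache answers, the upstream encoding must be case-insensitive and the bridge must answer with TTL 0 (and the client should never reuse a QNAME). A real transport still needs the reliability layer and polling discussed above, since nothing here handles loss, duplication, or reordering.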
== Mailing list discussions ==
* [anti-censorship-team] How to run Tor Browser through a DoH/DoT tunnel\\
https://lists.torproject.org/pipermail/anti-censorship-team/2020-April/000080.html
* [tor-dev] obfsproxy dns transport\\
https://lists.torproject.org/pipermail/tor-dev/2014-February/006250.html (Feb 2014)
* using OzymanDNS to access Tor via DNS\\
https://lists.torproject.org/pipermail/tor-talk/2006-January/007124.html (Jan 2006)
https://web.archive.org/web/20090421124725/http://afs.eecs.harvard.edu:80/~goodell/blossom/tor-via-dns.html