yarrick / iodine

Official git repo for iodine dns tunnel
https://code.kryo.se/iodine
ISC License

Domain in binary format even when not set. #59

Closed Narzhan closed 3 years ago

Narzhan commented 3 years ago

Hello, I tried to set up iodine, and everything seems to be working. However, when I try to check what domains are coming to the server, they all appear to be in binary format. I've started the client to not run in binary format. I'd like to know if it is possible to make the client query domains which contain only the ASCII characters allowed in a domain name? I've tried using -O with different encodings, but in tcpdump I still saw binary domains like so: zwchaA0123456789M-<M-=M->M-?M-@M-AM-BM-CM-DM-EM-FM-GM-HM-IM-JM-KM-LM-MM-NM-O.t.iodine.com

Command to start the client: iodine -r -f -P password 111.111.111.111 t.iodine.com

yarrick commented 3 years ago

The client automatically tests different encodings when logging in, to find the most efficient way to send data upstream.

See https://github.com/yarrick/iodine/blob/master/src/client.c#L1601

The -O flag controls downstream codec (server -> client). There is currently no flag for forcing a specific upstream codec.

What do you mean with "I've started the client to not run in binary format." ? I guess raw mode.

yarrick commented 3 years ago

The query you see is still a valid DNS query (testing the limits of validation). If raw mode is used then it is just sending the raw packets instead, and the domain name you use will not be included anywhere.

Narzhan commented 3 years ago

Why do you think that the query is valid if the domain does not meet the domain name standard? To my knowledge, characters like ? and @ are not permitted in a domain name.

yarrick commented 3 years ago

Because if it works, transfers from the client to the server will be twice as fast. If you saw these domain names in the server, that means that it worked (or that you have no intermediate servers).

DNS server(s) between the client and the server only need to parse the end of the domain name - they just need enough to find the server to send it to. So the end of the domain name is still valid.

Narzhan commented 3 years ago

I understand this.

Would it be possible to disable this behaviour and decrease the performance in order to get domains that are "parseable", in the sense that tools like tcpdump would show those domains as human-readable domain names?

The reason I'm asking for this is that I'd like to build a dns tunneling classifier and I'd need some domains for that.

yarrick commented 3 years ago

You can still parse domain names. They are encoded with length first, and then that many bytes, then repeat, following jumps for compression and ending when length is zero.

I will not change the code, but you can test with skipping parts of handshake_upenc_autodetect() in src/client.c
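The parsing rule yarrick describes (length byte, that many bytes, repeat, follow compression pointers, stop at length zero), as an added Python example that is not part of iodine or of this thread. It reads a name out of a constructed DNS query whose first label carries the same 0xBC..0xCF bytes tcpdump printed above as M-< ... M-O, and it counts how many trailing labels are plain letters/digits/hyphen, i.e. the part an intermediate resolver needs to route the query. Header bytes, helper names and the sample packet are all constructed for this example.

```python
import string
LDH = set(string.ascii_letters + string.digits + "-")  # letters, digits, hyphen

def parse_name(msg, offset):
    """Parse a wire-format DNS name at msg[offset] -> (labels, next_offset). Labels are
    raw bytes; next_offset is just past the name at the original position (compression
    pointers are followed for content but never advance it)."""
    labels, end, seen = [], None, set()
    while True:
        length = msg[offset]                          # IndexError if name is truncated
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            target = int.from_bytes(msg[offset:offset + 2], "big") & 0x3FFF
            if len(msg) < offset + 2 or target in seen or target >= offset:
                raise ValueError("truncated, forward or looping compression pointer")
            seen.add(target)
            end = offset + 2 if end is None else end
            offset = target
            continue
        if length & 0xC0:                             # 01/10 prefixes are reserved
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:                               # root label ends the name
            return labels, offset if end is None else end
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length])
        offset += length

def is_well_formed(msg, offset):
    try:
        parse_name(msg, offset)
        return True
    except (ValueError, IndexError):
        return False

def valid_tail(labels):
    """Trailing plain LDH labels: what an intermediate resolver needs to route the query."""
    n = 0
    for label in reversed(labels):
        if not (1 <= len(label) <= 63 and all(chr(b) in LDH for b in label)):
            break
        n += 1
    return n

# Constructed sample query: the first label carries the bytes tcpdump showed as
# zwchaA0123456789M-<...M-O (0xBC..0xCF); the tail is the tunnel domain.
SAMPLE_LABELS = [b"zwchaA0123456789" + bytes(range(0xBC, 0xD0)), b"t", b"iodine", b"com"]
SAMPLE_QUERY = (b"\x13\x37\x01\x00\x00\x01" + b"\x00" * 6            # 12-byte header
                + b"".join(bytes([len(l)]) + l for l in SAMPLE_LABELS) + b"\x00\x00\x0a\x00\x01")
```

For the sample query, `parse_name(SAMPLE_QUERY, 12)` returns the four labels and `valid_tail` reports 3, so only `t.iodine.com` is conventional hostname text while the leading label is opaque bytes.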