yarrick / iodine

Official git repo for iodine dns tunnel
https://code.kryo.se/iodine
ISC License

lazy-mode doesn't work on cloudflare #87

Closed RyanGibb closed 1 year ago

RyanGibb commented 1 year ago

On the server:

sudo iodined -f 172.16.0.0 freumh.org

On the client:

$ sudo iodine -f -r 1.1.1.1 freumh.org
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #2
Setting IP of dns0 to 172.16.0.3
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
768 ok.. ...1152 not ok.. ...960 not ok.. ...864 not ok.. ..816 ok.. .840 ok.. .852 ok.. will use 852-2=850
Setting downstream fragment size to max 850...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 1. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 2. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 3. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 4. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: I think 5 is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%

Trying -c on the server:

$ sudo iodined -c -f 172.16.0.0 freumh.org

On the client resulted in:

$ sudo iodine -f -r 1.1.1.1 freumh.org
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #2
Setting IP of dns0 to 172.16.0.3
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
768 ok.. ...1152 not ok.. ...960 not ok.. ...864 not ok.. ..816 ok.. .840 ok.. .852 ok.. will use 852-2=850
Setting downstream fragment size to max 850...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 1. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 2. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 3. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 4. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: I think 5 is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%

Trying -I1:

$ sudo iodine -f -r 1.1.1.1 freumh.org -I1
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 172.16.0.1
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Switching to lazy mode for low-latency
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
...768 not ok.. ..384 ok.. ...576 not ok.. 480 ok.. 528 ok.. ...552 not ok.. ...540 not ok.. will use 528-2=526
Setting downstream fragment size to max 526...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%

Some pings got through, but had up to 10 seconds of delay:

ping 172.16.0.0
PING 172.16.0.0 (172.16.0.0) 56(84) bytes of data.
64 bytes from 172.16.0.0: icmp_seq=6 ttl=64 time=10158 ms
64 bytes from 172.16.0.0: icmp_seq=12 ttl=64 time=7088 ms
64 bytes from 172.16.0.0: icmp_seq=16 ttl=64 time=3065 ms
64 bytes from 172.16.0.0: icmp_seq=25 ttl=64 time=74.3 ms
64 bytes from 172.16.0.0: icmp_seq=29 ttl=64 time=5059 ms
64 bytes from 172.16.0.0: icmp_seq=34 ttl=64 time=7180 ms
64 bytes from 172.16.0.0: icmp_seq=41 ttl=64 time=74.5 ms

I think Cloudflare's timeouts are too aggressive.

RyanGibb commented 1 year ago

Actually even with lazy-mode disabled this still fails:

$ sudo iodine -f -r 1.1.1.1 freumh.org -L0
Enter password:
Opened dns0
Opened IPv4 UDP socket
Sending DNS queries for freumh.org to 1.1.1.1
Autodetecting DNS query type (use -T to override).
Using DNS type NULL queries
Version ok, both using protocol v 0x00000502. You are user #0
Setting IP of dns0 to 172.16.0.1
Setting MTU of dns0 to 1130
Server tunnel IP is 172.16.0.0
Skipping raw mode
Using EDNS0 extension
Switching upstream to codec Base128
Server switched upstream to codec Base128
No alternative downstream codec available, using default (Raw)
Autoprobing max downstream fragment size... (skip with -m fragsize)
...768 not ok.. ...384 not ok.. ...192 not ok.. ...96 not ok.. .48 ok.. 72 ok.. ...84 not ok.. ...78 not ok.. ...75 not ok.. ...74 not ok.. will use 72-2=70
Note: this probably won't work well.
Try setting -M to 200 or lower, or try other DNS types (-T option).
Setting downstream fragment size to max 70...
Connection setup complete, transmitting data.
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Got SERVFAIL as reply: server failed or recursion timeout
^C%
$ ping 172.16.0.0
PING 172.16.0.0 (172.16.0.0) 56(84) bytes of data.
64 bytes from 172.16.0.0: icmp_seq=1 ttl=64 time=3052 ms
64 bytes from 172.16.0.0: icmp_seq=4 ttl=64 time=2991 ms
64 bytes from 172.16.0.0: icmp_seq=20 ttl=64 time=115 ms
64 bytes from 172.16.0.0: icmp_seq=23 ttl=64 time=124 ms
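A small helper for reading the client transcripts in both of RyanGibb's comments, added here as an example; it is not part of iodine or of the issue. It pulls out the negotiated mode, the fragment-size probe results, the SERVFAIL count and the retuning hints iodine itself prints, plus the reply/RTT picture from the ping output. SAMPLE_LOG and SAMPLE_PING are constructed excerpts of the output quoted above, and the regexes assume iodine's message wording exactly as shown there.

```python
import re

# Constructed excerpt of the client output quoted in the issue (abridged).
SAMPLE_LOG = """\
Server switched to lazy mode
Autoprobing max downstream fragment size... (skip with -m fragsize)
768 ok.. ...1152 not ok.. ...960 not ok.. ...864 not ok.. ..816 ok.. .840 ok.. .852 ok.. will use 852-2=850
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: Hmm, that's 1. Your data should still go through...
iodine: Got SERVFAIL as reply: server failed or recursion timeout
iodine: I think 5 is too many. Setting interval to 1 to hopefully reduce SERVFAILs. But just ignore them if data still comes through. (Use -I1 next time on this network.)
"""
# Constructed ping excerpt in the same format as the issue's output.
SAMPLE_PING = """\
64 bytes from 172.16.0.0: icmp_seq=6 ttl=64 time=10158 ms
64 bytes from 172.16.0.0: icmp_seq=12 ttl=64 time=7088 ms
64 bytes from 172.16.0.0: icmp_seq=25 ttl=64 time=74.3 ms
"""

PROBE_RE = re.compile(r"(\d+) (ok|not ok)\.\.")
RESULT_RE = re.compile(r"will use (\d+)-2=(\d+)")
PING_RE = re.compile(r"icmp_seq=(\d+) ttl=\d+ time=([\d.]+) ms")

def summarize(log):
    """Mode, probe outcomes, SERVFAIL count and iodine's own hints from a transcript."""
    s = {"lazy": False, "probes": [], "fragsize": None,
         "servfails": 0, "hints": []}
    for line in log.splitlines():
        if line.startswith("Server switched to lazy mode"):
            s["lazy"] = True
        elif RESULT_RE.search(line):
            # probe line: each "<size> ok.." / "<size> not ok.." pair, then "will use N-2=M"
            s["probes"] = [(int(n), ok == "ok") for n, ok in PROBE_RE.findall(line)]
            s["fragsize"] = int(RESULT_RE.search(line).group(2))
        elif "Got SERVFAIL" in line:
            s["servfails"] += 1
        elif "Use -I1 next time" in line:
            s["hints"].append("-I1")
        elif line.startswith("Note: this probably won't work well"):
            s["hints"].append("-M 200 or -T")
    return s

def ping_stats(text):
    """Replies seen, lower bound on lost probes (from seq gaps) and worst RTT."""
    hits = [(int(q), float(ms)) for q, ms in PING_RE.findall(text)]
    if not hits:
        return {"replies": 0, "lost_at_least": 0, "max_ms": 0.0}
    max_seq = max(q for q, _ in hits)
    return {"replies": len(hits), "lost_at_least": max_seq - len(hits),
            "max_ms": max(ms for _, ms in hits)}
```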

yarrick commented 1 year ago

Are there many networks where cloudflare is the only allowed DNS server to use? It is expected that not all servers accept iodine traffic.

Try some other server and it should work.