[iodine-users] iodine mangling passthrough DNS queries?

Erik Ekman yarrick at kryo.se
Sun Mar 1 10:28:39 CET 2015 

On Fri, Feb 27, 2015 at 5:46 PM, Rick van Rein <rick at vanrein.org> wrote:
> Hello,

Hi
>
> First of all, thanks for iodine.  It looks like a well-done piece of software, and very useful to access low-traffic protocols like Kerberos that are suppressed by populustic interpretations of “Internet access”.  It may also be an interesting fallback carrier for my own 6bed4 tunnel, which provides IPv6 on any netwerk, usually with realtime p2p connections.
>
> I tried iodine but was shocked to see it modify “normal” traffic.  What am I doing wrong?
>
> I studied http://lists.wpkg.org/pipermail/iodine-users/2011-February/000018.html
> and decided the transparancy warnings weren’t that awful and tried it as a stumbling block a low-traffic authoritative.  It only degrades IPv4 name service anyway ;-)
>
> This mangled DNS answer was sent although the query fell outside the iodine-assigned topdomain, as shown by tshark:
>
> 78.905041 69.252.250.23 -> 123.45.67.89     DNS Standard query A ns1.mydomain.nep
> 78.905046 69.252.250.23 -> 123.45.67.89     DNS Standard query A ns2.mydomain.nep
> 78.905133     123.45.67.89 -> 69.252.250.23 DNS Standard query response CNAME hijauitcfjy.kj
> 78.905165     123.45.67.89 -> 69.252.250.23 DNS Standard query response CNAME hijauitcfjy.nq
>
> I was running an iodine 0.6.0-rc1 client at the same time, but not on the client IP shown here.  Lacking a new 0.6.0, I’ve assumed that 0.6.0-rc1 == 0.6.0-stable.
>
> The server is iodine 0.6.0 from the Debian Squeeze package.  I had iodine sitting on port 53, the “real” authoritative sitting on port 54 and the iodined was run with
>
> /usr/sbin/iodined -f -b 54 -P sekreet 192.168.0.1 iodine.example.org
>
> Note that iodine.example.org differs from mydomain.nep which nonetheless got the funny-looking CNAME response.  And no, my name servers aren’t hijacked; they are authoritatives not resolvers, and when I ask them on port 54 they did send proper replies ;-)
>
> Am I mistaken, or is my normal DNS traffic incorrectly being mangled here?  Or did I goof up anywhere?

I don't fully remember how the forwarding thing works, but I can take a look.
Please send me a packet capture of all 4 stages of the request (to
iodined, to nameserver, from nameserver, from iodined) off-list and I
will check.

Recommended way of running together with a 'real' nameserver is to
filter based on packet content in the firewall,
see this tip: http://dev.kryo.se/iodine/wiki/TipsAndTricks#Runningiodineside-by-sidewithanotherDNSserver

/Erik

More information about the iodine-users mailing list