[iodine-users] Difference between iodine and a VPN over UDP port 53

Erik Ekman yarrick at kryo.se
Wed Nov 17 19:52:19 CET 2021

On Wed, 17 Nov 2021 at 14:44, Nils Andre <nils at nilsand.re> wrote:
> Hello everyone,

> As stated on the homepage of iodine, a use case of iodine is to be able
> to access the internet despite being in a network where internet access
> is firewalled but DNS queries are allowed.
> I would imagine that in most cases where this is the case, what is
> actually happening is that requests over all ports but port 53 are
> blocked. With this assumption in mind, how is iodine different than a
> standard VPN over UDP port 53 (in terms of being able to access the
> internet)?

Many locations block all traffic to the outside world (including UDP
port 53) for guest users (until you pay or give a password or
similar). A normal UDP VPN would not work.
What iodine does is to send valid DNS queries via the local DNS server
(found from DHCP/SLAAC), which will often happily forward them to any
host on the internet.
These DNS servers are normally dumb enough that they don't check who
is logged in or not - and many hotspots depend on the user
successfully resolving a domain and then intercepting the HTTP traffic
to show the login screen.

The iodine traffic (both the request and the response) consists of
valid DNS packets. They can pass through one or more servers, and
iodine tries to detect any changes (like if the domain name is
converted to lowercase along the way) and work around them. This makes
it quite slow as very little data can be sent upstream (all encoded in
the requested domain name). The downstream path is faster since it can
contain over 1000 bytes in many cases.

iodine raw mode is similar to a normal VPN application on UDP port 53,
and will be used if the network rules allow it.
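Because the upstream data of a tunnel like this is carried in the queried names themselves, the local resolver's query log is the natural place for a network operator to look for it. The following is an added example, not code from iodine or from this thread: a small Python heuristic that groups resolver query records by client and queried zone and scores each group on subdomain length, character entropy and query-type mix. The log format, thresholds, client addresses and the domains example.com and tunnel-example.net are all constructed for the example, and the zone split (last two labels) is a simplification that ignores the public suffix list.

```python
"""Heuristic detection of DNS-tunnel-like query patterns in resolver logs.

Added example for this thread; it is not code from iodine or from the
mailing-list post. Log format, thresholds and all sample values below
are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qname> <qtype>".
# 10.0.0.5 is ordinary browsing; 10.0.0.7 shows the pattern the post
# describes: upstream data encoded in long, random-looking names.
SAMPLE_LOG = """\
1637173200 10.0.0.5 www.example.com A
1637173201 10.0.0.5 mail.example.com MX
1637173203 10.0.0.5 example.com AAAA
1637173204 10.0.0.5 cdn.example.com A
1637173205 10.0.0.7 www.example.com A
1637173205 10.0.0.7 example.com AAAA
1637173206 10.0.0.7 pazrcq7imvidd4v6nla2hmzyuxl4xhdbh3p4cpykzmnqj7ksybivnr3e.tunnel-example.net NULL
1637173206 10.0.0.7 6gb3tzrw2kqofyumbsdhu4vjcxn7a5iel3p2oytgzqkxd4wcmsnhbrf7.tunnel-example.net NULL
1637173207 10.0.0.7 cx4odzhqlkab2wmt6s3ynpvfjre7u5gixhb4mqzfcd2snjol3taw6ekp.tunnel-example.net TXT
1637173207 10.0.0.7 r3v2jwqydn7tcfx5amhezb4kosgl6pi2uwqrn3mtfyaj5vdzhcxo7bke.tunnel-example.net NULL
1637173208 10.0.0.7 hm6wzc3taq5xgpj2nrkyde4vbfus7lio3cmxtzqwh2ypba5rng6kdjve.tunnel-example.net TXT
1637173208 10.0.0.7 5toa4ymwfbexr2nhujcv6kq3gzlpi7sdb4wnatx5ehrmzcqy2ofjk6gv.tunnel-example.net NULL
"""

# Tunable thresholds (constructed; calibrate against your own baseline).
MIN_QUERIES = 5             # need some volume before judging a (client, zone) pair
MIN_AVG_SUBDOMAIN_LEN = 40  # ordinary hostnames are far shorter than this
MIN_AVG_ENTROPY = 3.5       # bits per character; "www"/"mail" score 0-2
UNUSUAL_QTYPES = {"NULL", "TXT"}  # rarely issued by end-user stub resolvers
MIN_UNUSUAL_FRACTION = 0.5


def shannon_entropy(text):
    """Shannon entropy in bits per character of the given string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, zone).

    Simplification: the zone is the last two labels. A real deployment
    would consult the public suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (client, qname, qtype) tuples, skipping blank or short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, qname, qtype = parts[:4]
        yield client, qname, qtype.upper()


def aggregate(records):
    """Accumulate per-(client, zone) counters."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "entropy": 0.0, "unusual": 0})
    for client, qname, qtype in records:
        sub, zone = split_name(qname)
        s = stats[(client, zone)]
        s["n"] += 1
        s["len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["unusual"] += int(qtype in UNUSUAL_QTYPES)
    return stats


def find_tunnel_candidates(log_text):
    """Return {(client, zone): [reasons]} for pairs matching the heuristics."""
    flagged = {}
    for key, s in aggregate(parse_log(log_text)).items():
        if s["n"] < MIN_QUERIES:
            continue
        reasons = []
        if (s["len"] / s["n"] >= MIN_AVG_SUBDOMAIN_LEN
                and s["entropy"] / s["n"] >= MIN_AVG_ENTROPY):
            reasons.append("long_random_subdomains")
        if s["unusual"] / s["n"] >= MIN_UNUSUAL_FRACTION:
            reasons.append("unusual_qtypes")
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for (client, zone), reasons in sorted(find_tunnel_candidates(SAMPLE_LOG).items()):
        print(f"{client} -> {zone}: {', '.join(reasons)}")
```

Run as-is it reports only the 10.0.0.7 / tunnel-example.net pair, for both reasons, while the short, low-entropy example.com lookups from both clients stay below the thresholds. The per-(client, zone) grouping matters: a tunnel's queries all land under one zone, so volume and name statistics concentrate there even when the same client also browses normally, which is exactly the case the post describes on a captive-portal network.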

