Category: Sniffing & Spoofing. Tags: dns, tunneling, tcp-over-dns, covert-channel, tunnel

dns2tcp

dns2tcp is a set of tools that encapsulates TCP sessions inside DNS packets, creating a TCP-over-DNS tunnel. It lets TCP traffic cross firewalls that only permit DNS, as long as DNS queries for the tunnel's domain can reach the tunnel server, either directly on UDP/53 or via the network's recursive resolver.

Description

dns2tcp provides a server (dns2tcpd) and a client (dns2tcpc) for tunneling TCP traffic over DNS. This is useful for bypassing network restrictions where only DNS traffic is allowed through firewalls or NAT devices. The tunneled data is carried in TXT queries and responses for names under a dedicated subdomain, so that subdomain must be delegated with an NS record to the host running dns2tcpd.

Common use cases include accessing internal services from behind restrictive perimeters or exfiltrating data covertly. Because it relays TCP streams rather than IP packets, the client creates no TUN/TAP interface and does not require root privileges (it only opens a local TCP listening port), which makes it usable in environments where the user is unprivileged. Configuration is done via rc files specifying the domain, pre-shared key, resources, and ports.

The tunnel achieves better throughput than IP-over-DNS tools because only the TCP payload is carried, not per-packet IP and TCP headers. Remote resources such as SSH are mapped to local ports on the client, so a normal client pointed at localhost (for example ssh -p <port> localhost) reaches the remote service.

How It Works

dns2tcp encapsulates TCP sessions in DNS TXT queries for names under a dedicated subdomain. The server (dns2tcpd) listens on UDP/53 (or another configured port) and answers only clients that present the pre-shared key. The client (dns2tcpc) binds a local port and forwards whatever connects to it by encoding the data into the labels of DNS queries sent for the server's domain; the server's replies carry the return data. The subdomain needs an NS record pointing at a hostname whose A record resolves to the tunnel server, so that any resolver forwards queries for names under that subdomain to dns2tcpd. Compression is optional. Each resource (for example ssh:127.0.0.1:22) names a TCP endpoint reachable from the server that the client can map to a local port.
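The traffic pattern just described (many unique, long, high-entropy TXT queries from one client to one delegated subdomain) is also what a defender looks for. The following Python script is an added example, not part of dns2tcp or the Kali page: it scores (client, zone) pairs from DNS query logs and flags tunnel-like ones. The log line layout (`client qtype qname`), the assumption that the zone is the last three labels of the name, the thresholds, and the sample log lines are all constructed for illustration and should be adapted to your resolver's query-log format and baseline.

```python
"""Heuristic detection of dns2tcp-style TCP-over-DNS tunnels in DNS query logs.

Added example, not dns2tcp's own code. Log format, zone splitting and
thresholds are assumptions; tune them against your own DNS baseline.
"""
import math
import random
from collections import defaultdict

# Assumptions: a tunnel zone looks like sub.domain.tld (3 labels), and a
# tunnel produces at least 20 TXT queries with unique, long, random-looking
# prefixes within the analysed window.
ZONE_LABELS = 3
MIN_TXT_QUERIES = 20
MIN_UNIQUE_RATIO = 0.9
MIN_MEAN_PREFIX_LEN = 30
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname, zone_labels=ZONE_LABELS):
    """Return (prefix, zone): the last `zone_labels` labels are the zone."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])


def parse_line(line):
    """Constructed log layout: '<client-ip> <qtype> <qname>'."""
    client, qtype, qname = line.split()
    return client, qtype.upper(), qname


def analyze(lines):
    """Return {(client, zone): stats} for every pair that looks like a tunnel."""
    groups = defaultdict(lambda: {"txt": 0, "names": set(), "prefixes": []})
    for line in lines:
        client, qtype, qname = parse_line(line)
        if qtype != "TXT":          # dns2tcp carries data in TXT lookups
            continue
        prefix, zone = split_zone(qname)
        g = groups[(client, zone)]
        g["txt"] += 1
        g["names"].add(qname)
        g["prefixes"].append(prefix.replace(".", ""))  # encoded payload chars
    flagged = {}
    for key, g in groups.items():
        n = g["txt"]
        stats = {
            "txt_queries": n,
            "unique_ratio": len(g["names"]) / n,
            "mean_prefix_len": sum(len(p) for p in g["prefixes"]) / n,
            "entropy": shannon_entropy("".join(g["prefixes"])),
        }
        if (n >= MIN_TXT_QUERIES
                and stats["unique_ratio"] >= MIN_UNIQUE_RATIO
                and stats["mean_prefix_len"] >= MIN_MEAN_PREFIX_LEN
                and stats["entropy"] >= MIN_ENTROPY_BITS):
            flagged[key] = stats
    return flagged


# Constructed sample log: benign lookups plus 40 tunnel-like queries.
_rng = random.Random(7)
_B32 = "abcdefghijklmnopqrstuvwxyz234567"


def _label(n):
    return "".join(_rng.choice(_B32) for _ in range(n))


SAMPLE_LOG = (
    ["10.0.0.5 A www.example.com"] * 12
    + ["10.0.0.5 TXT _dmarc.example.com"] * 3
    + ["10.0.0.5 TXT selector1._domainkey.example.com"] * 2
    + ["10.0.0.7 A mail.corp.example"] * 5
    + [f"10.0.0.9 TXT {_label(30)}.{_label(28)}.dns2tcp.kali.org" for _ in range(40)]
)

if __name__ == "__main__":
    for (client, zone), stats in analyze(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {client} -> {zone} {stats}")
```

Real dns2tcp sessions also show a steady polling rate even when the tunneled TCP stream is idle, so adding queries-per-minute over time to the score reduces false positives from legitimate bulk TXT lookups such as DKIM or SPF checks.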

Installation

```bash
sudo apt install dns2tcp
```

Flags

dns2tcpc (client):

  -c              enable compression
  -z <domain>     domain to use (mandatory)
  -d <1|2|3>      debug level (1, 2 or 3)
  -r <resource>   resource to access
  -k <key>        pre-shared key
  -f <filename>   configuration file
  -l <port|->     local port to bind, '-' is for stdin (mandatory if resource is defined without a program)
  -e <program>    program to execute

dns2tcpd (server):

  -i IP           IP to listen on
  -F              run in foreground
  -d <1|2|3>      debug level (1, 2 or 3)
  -f <filename>   configuration file
  -p pidfile      pid file location

Examples

Create the dns2tcpd server configuration file, mapping an SSH resource to the server's local sshd. The chroot directory must exist before the daemon starts, and `>` (rather than `>>`) keeps the file from accumulating duplicate keys if the step is rerun:

```bash
cat > .dns2tcpdrc <<END
listen = 0.0.0.0
port = 53
user = nobody
chroot = /root/dns2tcp
pid_file = /var/run/dns2tcp.pid
domain = dns2tcp.kali.org
key = secretkey
resources = ssh:127.0.0.1:22
END
```

Start the dns2tcpd server daemon using the config file:

```bash
dns2tcpd -f .dns2tcpdrc
```

Create the dns2tcpc client configuration file for the SSH resource (the domain is mandatory, so it must appear here or be passed with -z):

```bash
cat > .dns2tcprc <<END
domain = dns2tcp.kali.org
resource = ssh
local_port = 2139
key = secretkey
END
```

Start the dns2tcpc client using the config file; it binds local port 2139:

```bash
dns2tcpc -f .dns2tcprc
```

SSH through the DNS tunnel to the remote server, opening a SOCKS proxy on local port 8090:

```bash
ssh root@localhost -p 2139 -D 8090
```

Run the dns2tcpc client with command line flags instead of a config file:

```bash
dns2tcpc -z dns2tcp.kali.org -r ssh -k secretkey -l 2139
```

Start dns2tcpd in the foreground with debug level 1 for testing:

```bash
dns2tcpd -f .dns2tcpdrc -F -d 1
```
Updated 2026-04-16. Source: kali.org