Howto - setting up dns2tcp


The following article has been tested on Debian Etch (server) and Debian Lenny and Mac OS X (clients).

Edit 03/2011 : dns2tcp client v0.5 won’t work with dns2tcp server v0.4.

I’m not gonna explain what dns2tcp is, just how to get it running in less than 30 minutes.

You need :

Considerations : dns2tcp public server IP : (IP dns2tcp subdomain : (this doesn’t need an A record, just a NS record pointing to dns2tcp resources (services which dns2tcp will make available to us) :

**DNS : ** Create a NS record for the subdomain pointing to address


The NS you specify is NOT a DNS server, it’s the dns2tcp server !

Hint : allows creation of NS records for subdomains. Not all control panels do (Enom for example).

Server : Install dns2tcp on (apt-get install dns2tcp on Debian) Edit the file /etc/dns2tcpd.conf like this :

listen = port = 53 user = nobody chroot = /some/directory/ domain = ressources = ssh-home: ,

Start dns2tcp server with /etc/init.d/dns2tcp start Make sure it’s running with ps and listening with netstat.

Client : Don’t forget the client must already be installed on your computer when you are on the restricted network :-) Install it right now : apt-get install dns2tcp on Debian or build it through macports on Mac OS X.

Connect to the restricted network.

Run the command : dns2tcpc -z

If the system is working you should see : Available connection(s) : ssh-home ssh-work

Run the full command now : dns2tcpc -z -l 12345 -r ssh-home is the DNS server that will relay the encapsulated DNS requests to our dns2tcp server. If the network restricts the use of external DNS servers, check your /etc/resolv.conf to get the DNS servers on the local network.

Now dns2tcp will listen on port TCP/12345 (option “-l 12345”) and will give you access to the resource “ssh-home” through that port.

Now connect to your SSH server through dns2tcp on port TCP/12345 : ssh user@localhost -p 12345 -D 1080

You should connect to your home server !

The “-D 1080” option will create a SOCKS proxy on your local machine on port TCP/1080.

Now set up your browser or any other program (like Pidgin if you want to chat) to use the SOCKS proxy at address and port 1080. You can also set the systemwide parameter for SOCKS proxy from the preferences panel of your OS.

You should now be able to browse the internet.

You can store a config file on the client computer if you don’t want to type the command everytime.. this is the config corresponding to the command :

/home/USER/.dns2tcprc :

domain = ressource = ssh-home local_port = 12345 server =

This way, you just need to run dns2tcpc without argument. If you store the config file somewhere else, run dns2tcpc -f /where/the/config/resides/dns2tcp.conf

Please note : Your traffic is encapsulated inside small DNS packets (some firewalls can drop unusually large DNS packets), is encrypted because of SSH, etc. This adds overhead, which makes browsing the web a bit slow but still convenient. I’ve been able to reach 25 KB/s down and 20 KB/s BUT I haven’t been able to transfer large files though, it was taking forever to attach a 3 MB pictures to a mail in Gmail (wifi + UDP + small packets is a terrible mix) A good idea is to use mobile versions of websites, they load faster. To give you an idea, it can take up to a minute to display maps on Google Maps. Since you are going through the SOCKS proxy created by the SSH connection, your traffic is encrypted and wifi users can’t snoop on you. Obviously you can define anything as a resource in dns2tcp, for example you can point to a public web proxy but your traffic wouldn’t be encrypted ! The owner of the restricted network may notice unusually high DNS traffic while you are surfing (especially if you’re the only person using the wifi network in the hotel).

Thanks for reading this post!

Did you find an issue in this article?

- click on the following Github link
- log into Github with your account
- click on the line number containing the error
- click on the "..." button
- choose "Reference in new issue"
- add a title and your comment
- click "Submit new issue"

Your feedback is much appreciated! πŸ€œπŸΌπŸ€›πŸΌ

You can also drop me a line below!