Moved to #15213.
Brainstorming and planning for a DNS-based pluggable transport.
Encode data in recursive DNS queries and responses. Your local recursive resolver sends your packets to the right place. A DNS bridge would be an authoritative name server for a particular domain; users would configure a domain rather than an IP address in their Bridge lines. Tools already exist to do DNS tunneling, for example iodine and dnscat2. Probably requires a reliability layer and periodic polling by the client.
Brainstorming options for a reliability layer:
- dnscat2 protocol: uses SYN, FIN, SEQ, ACK. Independent of DNS. (dnscat2 also has a separate procedure for encoding data as DNS requests/responses.)
- KCP
- libsctp or other user-space SCTP
Demo of encoding/decoding DNS with Scapy:
>>> from scapy.all import *
>>> str(DNS(rd=True, qd=DNSQR(qtype="A", qname="example.com"))).encode("base64")
'AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE=\n'
$ echo -n AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE= | base64 -d | curl -H 'Content-Type: application/dns-udpwireformat' --data-binary @- https://cloudflare-dns.com/dns-query -o - | base64
AACBgAABAAEAAAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi
>>> DNS("AACBgAABAAEAAAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi")
<DNS id=16705 qr=0L opcode=8L aa=0L tc=1L rd=1L ra=0L z=1L ad=0L cd=0L rcode=server-failure qdcount=26433 ancount=16706 nscount=16705 arcount=17729 qd=_ an=_ ns=_ ar=_ |<Raw load='AAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi' |>>
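Note that the final Scapy call above parses the base64 text itself rather than the decoded bytes (id=16705 is 0x4141, ASCII "AA"), which is why its fields are garbage. As an added example, not code from the ticket, the stdlib-only Python below builds a query that carries payload bytes as base32 labels under a bridge domain and parses the captured response correctly, compression pointer included; the bridge domain `bridge.example` and the chunking scheme are assumptions.

```python
# Added example (not the ticket's code): stdlib-only DNS wire-format helpers of
# the kind a DNS pluggable transport needs; the bridge domain is hypothetical.
import base64
import struct

CAPTURED_RESPONSE = base64.b64decode(  # the ticket's DoH demo response, decoded
    "AACBgAABAAEAAAAAB2V4YW1wbGUDY29tAAABAAHADAABAAEAAAiRAARduNgi")

def encode_query(qid, payload, bridge_domain):
    """Query whose QNAME carries payload as base32 labels under bridge_domain."""
    data = base64.b32encode(payload).decode().rstrip("=").lower()  # case-safe
    labels = [data[i:i + 63] for i in range(0, len(data), 63)]  # label <= 63 octets
    labels += bridge_domain.split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    if len(name) > 255:  # wire-format name limit: send more, smaller queries
        raise ValueError("payload too large for one QNAME")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg, off):
    labels, end = [], None  # end: offset just past the name field in msg
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # RFC 1035 compression pointer
            end = off + 2 if end is None else end
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:  # only backward pointers are legal; also stops loops
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        if n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def decode_response(msg):
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append(name)
        off += 4  # skip QTYPE, QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:  # A record: render the address as a dotted quad
            rdata = ".".join(map(str, rdata))
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "flags": flags, "questions": questions, "answers": answers}
```

Decoding the captured response yields flags 0x8180 (QR, RD, RA set) and the single A answer for example.com with TTL 2193; a query built by encode_query round-trips through decode_response the same way.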
Mailing list discussions
- [anti-censorship-team] How to run Tor Browser through a DoH/DoT tunnel https://lists.torproject.org/pipermail/anti-censorship-team/2020-April/000080.html
- [tor-dev] obfsproxy dns transport https://lists.torproject.org/pipermail/tor-dev/2014-February/006250.html (Feb 2014)
- using OzymanDNS to access Tor via DNS https://lists.torproject.org/pipermail/tor-talk/2006-January/007124.html (Jan 2006) https://web.archive.org/web/20090421124725/http://afs.eecs.harvard.edu:80/~goodell/blossom/tor-via-dns.html