Iodine is a IP over dns server and client. For another way of doing things (tcp-forward instead of IP forwarding), see DebianNotes/dns2tcp.


sudo iodine -f -P PASSWORD <optional_dns_server>


First, you need to have a domian name you control, say Let's say that this is hosted on some third-party servers Let's say you want to use a subdomain of this for ipdns. Set up a NS record for the subdomain. Here is the raw output you can input wherever it goes:  1800    IN      NS

Here is my runit run script. There is no other configuration besides what is on the command line:

( sleep 5 ; sudo sh ) &

exec iodined -f -c -P PASSWORD -p 53535 -D 2>&1

(iodine blanks the password from the ps listing, verify it does so on your system.)

This will create the tun device dns0. ~/ is my system-wide iptables initialization script. It is set to run in the background, five seconds after iodine starts, since iodine must start and create the dns0 device before you can set up iptables rules referring to it. All you need is the usual stuff for a NAT lan,

iptables -A FORWARD -i dns0 -j ACCEPT
iptables -t nat -A POSTROUTING -s -j MASQUERADE

but of course make sure you don't repeatedly run the commands and fill up your tables with duplicate rules. You can, of course, set up whatever routing you might like.

Port problem

Running iodine as a straight up server produced a minor problem. It was answering queries from a different port than it was queried on. Some DNS servers were fine with this, but some were not. One sign of this problem was dig or hostname returning an error when the server was queried directly. Another sign was public DNS servers, when recursively querying the iodine server, not working, or working the first time but not any further times.

I got around this by relaying through dnsmasq. I run dnsmasq anyway, and I just had dnsmasq relay that subdomain to iodine, using this config:


This would, of course, make dnsmasq cache some that doesn't need to be cached, but since you are putting that burden on the rest of the internet, too... you can probably deal with it.

DebianNotes/Iodine (last edited 2011-03-09 00:45:20 by RichardDarst)