In the realm of network security and data transmission, unconventional methods sometimes become essential to bypass restrictions and maintain connectivity. Iodine, a DNS tunnel tool, is one such method that allows TCP traffic to be encapsulated within DNS queries. This technique is particularly useful for circumventing captive portals or accessing networks with stringent restrictions. In this article, we explore the performance of Iodine when used in conjunction with DNS-over-HTTPS (DoH), a more secure method of DNS resolution.
Test Setup
To evaluate the performance of Iodine over DoH, I set up a basic Debian virtual machine using Vagrant and installed the Iodine client on it. An Iodine server, which I had configured previously, serves as the endpoint of the DNS tunnel; the focus here is on client-side performance when DNS resolution goes through DoH.
Baseline Performance with Raw Mode
Before introducing DoH into the equation, it’s important to establish a baseline. In raw mode, Iodine bypasses the DNS resolver entirely, sending DNS traffic directly to the Iodine server. This mode is optimal for bandwidth, as it eliminates the overhead associated with DNS query resolution.
Using the iperf tool to measure network throughput, the raw mode of Iodine demonstrated an impressive bandwidth, easily surpassing 50 Mbps. This performance is notable, especially considering the constraints typically associated with DNS-based communication.
Query Mode Performance
The raw mode, while impressive, isn’t always feasible—especially in environments with enforced DNS resolvers, such as captive portals. In such cases, Iodine must operate in query mode, where traffic is encapsulated in numerous small DNS queries that pass through the local resolver. This mode introduces significant overhead: every chunk of payload has to fit inside a DNS query and its response, and during the initialization phase Iodine must first probe for the query type and fragment size that the resolver will pass through.
When testing in query mode, the performance dropped drastically. The throughput fell from over 50 Mbps in raw mode to a mere 350-450 Kbps. While this bandwidth might suffice for basic tasks such as downloading small documents or checking emails, it is far from sufficient for more demanding applications like streaming or large file transfers.
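The same traffic shape that makes query mode slow (a burst of unique, long, encoded subdomains under one domain, using record types such as NULL or TXT) is also what a DNS tunnel looks like in a resolver's query log. As an added example that is not part of the original article, the script below scores a constructed log per base domain and flags tunnel-like candidates; the log format, function names and thresholds are assumptions chosen for this illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article): "<epoch> <client> <qtype> <qname>".
# The tunnel-example.net lines imitate a DNS tunnel's shape (many unique, long, high-entropy
# subdomains, NULL/TXT query types); the domain and data are invented for this example.
SAMPLE_LOG = """\
1700000000.01 10.0.0.5 A www.example.com
1700000000.02 10.0.0.5 A www.example.com
1700000000.03 10.0.0.5 AAAA mail.example.com
1700000000.04 10.0.0.5 NULL k3z9qd7xv2mlp8wqyh4nbt6a.t.tunnel-example.net
1700000000.05 10.0.0.5 NULL p0a4nb6yhc1rfe5sgj8mvz2k.t.tunnel-example.net
1700000000.06 10.0.0.5 NULL x7w1lqm9dz3cs5tn0vbg4hkr.t.tunnel-example.net
1700000000.07 10.0.0.5 TXT b2y8e6ruo4ihfa0pq9nv3d1c.t.tunnel-example.net
1700000000.08 10.0.0.5 NULL m5k1hz4qc7wa9tbx2fln8pe0.t.tunnel-example.net
"""
# Record types iodine can be told to use (its -T option); ordinary web lookups rarely need them.
TUNNEL_TYPES = {"NULL", "PRIVATE", "TXT", "SRV", "MX", "CNAME"}

def shannon_entropy(s: str) -> float:
    """Bits per character of the symbol distribution in s (0 for empty input)."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname: str):
    """(base domain, subdomain part); base = last two labels (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_domains(log_text: str) -> dict:
    """Per base domain, aggregate the features a DNS tunnel tends to exhibit."""
    acc = defaultdict(lambda: {"n": 0, "names": set(), "sub_len": 0, "entropy": 0.0, "rare": 0})
    for line in log_text.splitlines():
        _ts, _client, qtype, qname = line.split()
        base, sub = split_name(qname)
        a = acc[base]
        a["n"] += 1
        a["names"].add(qname)
        a["sub_len"] += len(sub)
        a["entropy"] += shannon_entropy(sub.replace(".", ""))
        a["rare"] += qtype in TUNNEL_TYPES
    return {b: {"queries": a["n"], "unique_ratio": len(a["names"]) / a["n"],
                "mean_sub_len": a["sub_len"] / a["n"], "mean_entropy": a["entropy"] / a["n"],
                "rare_type_ratio": a["rare"] / a["n"]} for b, a in acc.items()}

def flag_tunnel_candidates(stats: dict, min_queries: int = 5) -> list:
    """Thresholds are illustrative assumptions for this sample, not calibrated values."""
    return sorted(d for d, s in stats.items() if s["queries"] >= min_queries
                  and s["unique_ratio"] > 0.9 and s["mean_sub_len"] > 20 and s["mean_entropy"] > 3.5)
```

On real logs the thresholds need tuning against legitimate high-cardinality domains (CDNs, antivirus lookups), which also produce many unique subdomains but rarely with this label length and record-type mix.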
Integrating DNS-over-HTTPS (DoH)
DNS-over-HTTPS (DoH) is designed to enhance privacy and security by encrypting DNS queries within HTTPS requests. This shields queries from on-path eavesdropping and tampering and mitigates privacy concerns, since the queries are no longer transmitted in plaintext over UDP. Instead, they are encrypted and sent to DoH servers like those operated by Cloudflare.
For this test, I used dnscrypt-proxy, a tool that acts as a local DNS resolver and forwards DNS queries to a DoH server. After configuring dnscrypt-proxy on my system and directing all DNS traffic through it, I tested the setup with basic DNS queries to confirm it was working correctly.
Iodine Performance Over DoH
Now, for the critical part—testing Iodine’s performance when combined with DoH. Unfortunately, the results were disappointing. Setting up the tunnel over DoH proved to be challenging, with multiple attempts required before a stable connection was established.
Once connected, the performance was significantly hindered. Bandwidth dropped to a range of 30-90 Kbps, far lower than what was achieved in query mode without DoH. The issue stems from the nature of DoH itself—each DNS query Iodine sends must be encapsulated within an HTTPS request, which introduces considerable latency. As observed in the dnscrypt-proxy tests, the round-trip time (RTT) for these queries ranged between 18 ms and 78 ms, contributing to the sluggish performance.
Conclusion
The experiment revealed that while Iodine can function over a DoH-based DNS resolver, the performance degradation is severe. The bandwidth reduction makes this combination impractical for anything beyond the most basic network tasks. The overhead introduced by encrypting DNS queries within HTTPS requests, coupled with the inherent latency of DoH, results in a significant bottleneck.
For those considering using Iodine over DoH in restrictive environments, it’s important to weigh the trade-offs. While DoH offers enhanced security and privacy, it comes at the cost of performance. In most cases, the severely limited bandwidth would make such a setup unfeasible for practical use. For better performance, alternatives or less restrictive DNS environments should be considered.
In summary, while the combination of Iodine and DoH is technically possible, the real-world application is limited due to the substantial performance drawbacks.