A DNS tunneling tool for TCP traffic, written in Go.
Copyright (c) 2024 Barrett Lyon. All rights reserved. MIT License
Blind allows you to tunnel TCP traffic through DNS queries, enabling connectivity in restricted network environments. It consists of a client and server component that work together to establish a bidirectional communication channel using DNS protocols.
- TCP over DNS tunneling
- Support for both client and server modes
- Automatic session management
- Resilient connection handling
- Debug logging
- Works with ssh
```bash
go install github.com/doxx/blind@latest
```
Or build from source:
```bash
git clone https://github.com/doxx/blind.git
cd blind
go build
```
- Simple SSH Tunnel:
```bash
# On DNS server (public internet)
sudo ./blind -server-listen 0.0.0.0:53 -server-dest 127.0.0.1:22

# On client machine (behind firewall)
./blind -client-listen 127.0.0.1:2222 -client-dest dns-server.com:53

# Connect via SSH
ssh -p 2222 user@127.0.0.1
```
- Debug Logging:
```bash
./blind -client-listen 127.0.0.1:2222 \
    -client-dest dns.example.com:53 \
    -debug
```
- HTTP Proxy Tunnel:
```bash
# Server side (forwarding to local HTTP proxy)
sudo ./blind -server-listen 0.0.0.0:53 -server-dest 127.0.0.1:3128 -debug

# Client side
./blind -client-listen 127.0.0.1:8080 -client-dest dns.example.com:53

# Configure browser to use 127.0.0.1:8080 as HTTP proxy
```
- Database Connection Tunnel:
```bash
# Server side (forwarding to PostgreSQL)
sudo ./blind -server-listen 0.0.0.0:53 -server-dest db.internal:5432

# Client side
./blind -client-listen 127.0.0.1:5432 -client-dest dns.example.com:53

# Connect to database
psql -h 127.0.0.1 -p 5432 -U dbuser dbname
```
Create a systemd service file for automatic startup:
```ini
# /etc/systemd/system/blind.service
[Unit]
Description=Blind DNS Tunnel Service
After=network.target

[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/blind -server-listen 0.0.0.0:53 -server-dest 10.0.0.1:22
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```
Enable and start the service:
```bash
sudo systemctl enable blind
sudo systemctl start blind
sudo systemctl status blind
```
```dockerfile
FROM golang:1.21-alpine
WORKDIR /app
COPY . .
RUN go build -o blind

FROM alpine:latest
COPY --from=0 /app/blind /usr/local/bin/
EXPOSE 53/udp
ENTRYPOINT ["blind"]
```
Run the Docker container:
```bash
# Server mode
docker run -p 53:53/udp blind -server-listen 0.0.0.0:53 -server-dest target:22

# Client mode
docker run -p 2222:2222 blind -client-listen 0.0.0.0:2222 -client-dest dns.example.com:53
```
MIT License - See LICENSE file for details
Barrett Lyon