This tool is for penetration testing only. Never use a DNS resolver connected to the Internet on your IS.
Our VPN infrastructure is hosted on the Amazon EC2 & OVH clouds
open-source software: Java server, Flex client for Adobe AIR and Perl client are available on GitHub
Introduction
The feature list follows. To know how to configure and use those features, please refer to the documentation page.
As you can see on the following picture, the interface layout depends on the type of Android device: phone or tablet.
Availability
VPN-over-DNS is only available on Google Play. This is the Android marketplace managed by Google, previously named the Android Market.
DNS requests
The DNS requests sent by the client application use only the "IN A" query type. "IN TXT" and other less common query types are not used, because they could be filtered too easily. Application-level messages are scattered across many DNS queries, and the downstream is GZIP-compressed. Application-level messages are multiplexed on top of the VPN session, so that several messages can be processed simultaneously. The low-level protocol layer handles a pool of up to 20 simultaneously running queries, for optimal flow control. In case of network congestion, queries discarded by the network are rescheduled when a timeout occurs.
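For defenders, the paragraph above means that blocking uncommon record types does not stop this kind of tunnel, so detection has to look at the shape of ordinary A queries. The following is an added example, not part of the original page or the project's code: it scores resolver logs per client and zone, and the log format, names, label layout and thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts, total = Counter(text), len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0

def split_zone(qname):
    """Naive split into (subdomain, zone), where zone = last two labels.
    Assumption for brevity; use the Public Suffix List in production."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_a_record_tunnels(log, min_queries=30, min_unique_ratio=0.9,
                          min_mean_len=20, min_entropy=3.5):
    """Return sorted (client, zone) pairs whose A-query pattern looks like a tunnel.
    Thresholds are illustrative assumptions; tune them on your own baseline."""
    groups = defaultdict(list)
    for client, qtype, qname in log:
        if qtype != "A":  # the tunnel described above only sends IN A queries
            continue
        sub, zone = split_zone(qname)
        if sub:
            groups[(client, zone)].append(sub)
    hits = []
    for key, subs in groups.items():
        if len(subs) < min_queries:
            continue  # too few queries to judge
        unique_ratio = len(set(subs)) / len(subs)   # tunnels rarely repeat a name
        mean_len = sum(map(len, subs)) / len(subs)  # data-carrying labels are long
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if (unique_ratio >= min_unique_ratio and mean_len >= min_mean_len
                and entropy >= min_entropy):
            hits.append(key)
    return sorted(hits)

# Constructed sample resolver log (client, qtype, qname); not real traffic and
# not the real VPN-over-DNS label encoding.
SAMPLE_LOG = (
    [("10.0.0.5", "A", f"{i:04x}k9x2qj7vbn3m8wz1rt5ypl0d.tunnel.example") for i in range(40)]
    + [("10.0.0.7", "A", "www.example.org")] * 50
    + [("10.0.0.7", "A", "mail.example.org"), ("10.0.0.7", "TXT", "_dmarc.example.org")]
)

if __name__ == "__main__":
    print(find_a_record_tunnels(SAMPLE_LOG))
```

The busy but repetitive client (10.0.0.7) is not flagged because its unique-name ratio is low, which is the property that separates cache-friendly browsing from a data channel.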
Internationalization
Two languages are supported: English and French.
Skins
You can configure the GUI with either of the two available skins: Shiny, for standard users, and Geek, specifically designed to meet geek requirements.
Security
The VPN between your mobile device and our server farm is not encrypted, but your mailbox provider credentials are never transferred over the DNS tunnel. Your VPN-over-DNS credentials (the login & password you choose when you create your VPN account) and your mailbox provider credentials (the email & password used to connect to your mail provider) are exchanged with our servers over a secured SSL/TLS session. This session is secured by means of our X.509 certificate signed by UserTrust/Comodo.
Mail User Agent
You have 3 ways to read and send mails:
- using the native Mail User Agent integrated with VPN-over-DNS. It is optimized for speed and integrated with the following four major mailbox providers: GMail from Google, HotMail/Live from Microsoft, Yahoo! Mail from Yahoo! and FastMail from Opera. It is limited to your 20 latest new mails. Each mail's content is limited to its text part only, truncated to 64 kilobytes max. MIME attachments and HTML MIME parts inside mails are removed. The subject length is truncated to 4 kilobytes max. The headers are removed, except for the "From", "To", "Cc", "Date" and "Subject" headers. When you check your mails, the server farm connects to your mailbox provider through IMAPs or POP3s and downloads up to 20 new mails. When the download is complete, your new mails are stored in a cloud database and sent to your mobile device through our specific protocol on top of DNS queries. In case of a network outage while mails are being sent back to your device, mails stored in the cloud database will be sent the next time you set up the tunnel.
- using a web mail portal. If your mail provider is not one of the four supported by our native Mail User Agent, or if you want advanced features like attachments, other MIME capabilities, conversation thread filtering & multiple mailbox handling, you may connect to your web mail portal using the VPN-over-DNS tunnel. For this purpose, you need to use our VPN-encapsulated proxy on localhost, port 8081.
- using your preferred Mail User Agent. If you prefer using an SMTPs/POP3s/IMAPs mail agent, to get advanced features like attachments, other MIME capabilities, conversation thread filtering & multiple mailbox handling, you may use the TCP port redirection feature with VPN-over-DNS running in the background. This way, you can use any Mail User Agent.
Web Browsing
You have 4 ways to browse the Internet:
- using the native web browser integrated with VPN-over-DNS. It is optimized for speed: no support for images, Cookies, JavaScript, Cascading Style Sheets, nor SSL features. It is mainly a text-mode browser, like Lynx on Unix/Linux. Works well with Bing, the search engine from Microsoft. Does not work with Google, since Cookies support is mandatory for Google. Also works well with many web sites.
- using an external browser. Instead of using the native web browser, you can use an external browser like "Chrome" or "Internet" ("Internet" is the name of the default Android browser), with the same limitations as above: no support for images, Cookies, JavaScript, Cascading Style Sheets, nor SSL features. As fast as using the native browser, but with many improvements: tabs, zoom modes and bookmarks, for instance, depending on the specific external browser you choose.
- using an external browser with an optimized VPN-encapsulated proxy. You can configure a proxy on top of the VPN channel, for use by your external browser. The first proxy we provide can be accessed on localhost, port 8080. It supports cookies and web forms ("POST" queries), but does not allow images, CSS, JavaScript and SSL features. This way, you will be able to connect to Google, and make queries on sites like Wikipedia. Most general-purpose web sites will be available, with a high download rate.
- using an external browser with a full-featured VPN-encapsulated proxy. The second proxy we provide on localhost, port 8081, supports images, CSS, JavaScript and SSL features. This way, you can connect to any web server. Of course, the download rate will be rather slow.
Here is a table comparing the features available with each web browsing use-case:
SSH
You can securely access your own server using SSH, by means of port redirection (see next section). Just let VPN-over-DNS run in the background and use ConnectBot (the leading Android SSH implementation) or any other SSH client to connect to your server. Moreover, you can do SSH tunneling this way, adding port redirection at the SSH layer to connect to services offered by your private infrastructure.
TCP port redirection
The VPN-over-DNS application can handle TCP port redirections on top of DNS requests, the same way an SSH client can manage TCP port redirections on top of an SSH session. An initial set of redirections is pre-configured, some for internal needs and some for common usages, and you can also define your own redirections.
Tunnel sharing
VPN-over-DNS, installed on your Android device, can share the web proxies (or any other port-redirected service) with your iPad or your laptop: just connect your iPad or your laptop to the same local Wi-Fi network (for instance, the one with the captive portal you want to bypass), and configure the proxy of your iPad or laptop to the IP of your Android device, and to port 8080 or 8081 depending on the VPN-over-DNS proxy you prefer (half-featured fast proxy or full-featured low-bandwidth proxy).
Server and clients are now open-source under GPLv3; the source tree is on GitHub.