DNS Tunneling with OSTP (Native dnstt)
OSTP natively implements the dnstt (DNS Tunnel) protocol. This allows you to encapsulate encrypted OSTP traffic inside standard DNS queries (TXT and NULL records), which can bypass restrictive firewalls or captive portals that only allow UDP port 53.
Unlike other tools, you do not need to install a standalone dnstt-server or dnstt-client. The OSTP server has a built-in dnstt listener, and the client natively encodes payloads.
Prerequisites
- A domain name (e.g., yourdomain.com).
- NS records that delegate a sub-domain of it to your server's IP address (set up in Step 1).
Step 1: DNS Setup
- Go to your domain registrar's DNS panel.
- Create an A record pointing to your server's IP address:
  - Type: A
  - Name: tunsrv
  - Value: YOUR_SERVER_IP
- Create an NS record delegating the tunneling sub-domain to that A record:
  - Type: NS
  - Name: t
  - Value: tunsrv.yourdomain.com

This means any DNS query for *.t.yourdomain.com will be sent directly to your server, because your server is now the authoritative nameserver for that sub-domain.
Step 2: Generate Keys
DNS tunneling uses its own Ed25519 keypair to prevent abuse: a client that does not know the server's public key cannot establish a tunnel session. You must generate a pubkey/privkey pair (using the dnstt-server -gen-key tool or the OSTP API). The private key stays on the server; only the public key is distributed to clients.
Step 3: Server Configuration
Add the dns inbound to your server's config.json. The server must run with sufficient privileges to bind to port 53 (e.g., by granting the binary the capability with sudo setcap 'cap_net_bind_service=+ep' /path/to/ostp), and no other service (such as a local stub resolver) may already be listening on that port.

```json
{
  "mode": "server",
  "inbounds": [
    // Your normal OSTP listener
    {
      "type": "ostp",
      "tag": "ostp-in",
      "listen": "0.0.0.0",
      "port": 50000,
      "access_keys": ["YOUR_SECRET_KEY"]
    },
    // The native dnstt listener
    {
      "type": "dns",
      "tag": "dns-in",
      "listen": "0.0.0.0:53",
      "domain": "t.yourdomain.com",
      "pubkey": "YOUR_PUBKEY_HERE",
      "privkey": "YOUR_PRIVKEY_HERE"
    }
  ],
  "outbounds": [
    { "type": "direct", "tag": "direct" }
  ]
}
```
Step 4: Client Configuration
On the client, configure your ostp outbound to use the dns transport. You must specify the exact domain delegated in Step 1, a public resolver (like 1.1.1.1 or 8.8.8.8), and the server's public key.

```json
"outbounds": [
  {
    "type": "ostp",
    "tag": "proxy",
    "server": "YOUR_SERVER_IP", // Used for logical routing
    "port": 50000,
    "access_key": "YOUR_SECRET_KEY",
    "transport": {
      "type": "dns",
      "domain": "t.yourdomain.com",
      "resolver": "1.1.1.1",
      "pubkey": "YOUR_PUBKEY_HERE"
    }
  }
]
```
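The server and client snippets above must agree on the domain and on the public key, and the private key must never be copied to the client. The following script is an added example (not part of OSTP's own code) that cross-checks a server config against a client config for exactly those points. The embedded configs are constructed placeholders that mirror the field names shown above; the comment stripping is needed because the snippets use // comments, which json.loads does not accept. The client config deliberately contains two mistakes (a mismatched pubkey and a copied privkey) so the checks have something to report.

```python
import json
from typing import List

# Constructed sample configs with placeholder values (not a real deployment).
SERVER_CONFIG = """
{
  "mode": "server",
  "inbounds": [
    // Normal OSTP listener
    { "type": "ostp", "tag": "ostp-in", "listen": "0.0.0.0", "port": 50000,
      "access_keys": ["EXAMPLE_SECRET_KEY"] },
    // Native dnstt listener
    { "type": "dns", "tag": "dns-in", "listen": "0.0.0.0:53",
      "domain": "t.yourdomain.com",
      "pubkey": "PUBKEY_PLACEHOLDER_AAAA",
      "privkey": "PRIVKEY_PLACEHOLDER_BBBB" }
  ],
  "outbounds": [ { "type": "direct", "tag": "direct" } ]
}
"""

CLIENT_CONFIG = """
{
  "outbounds": [
    {
      "type": "ostp", "tag": "proxy",
      "server": "203.0.113.10", // documentation address, used for logical routing
      "port": 50000,
      "access_key": "EXAMPLE_SECRET_KEY",
      "transport": {
        "type": "dns",
        "domain": "t.yourdomain.com",
        "resolver": "1.1.1.1",
        "pubkey": "PUBKEY_PLACEHOLDER_ZZZZ",
        "privkey": "PRIVKEY_PLACEHOLDER_BBBB"
      }
    }
  ]
}
"""


def strip_comments(text: str) -> str:
    """Remove // comments that sit outside string literals so json.loads accepts JSONC."""
    out, i, in_str = [], 0, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\":                 # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):     # drop the rest of the line
            i = text.find("\n", i)
            if i == -1:
                break
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def load_jsonc(text: str) -> dict:
    return json.loads(strip_comments(text))


def find_dns_inbound(server: dict) -> dict:
    return next((i for i in server.get("inbounds", []) if i.get("type") == "dns"), {})


def find_dns_transport(client: dict) -> dict:
    for ob in client.get("outbounds", []):
        t = ob.get("transport", {})
        if ob.get("type") == "ostp" and t.get("type") == "dns":
            return t
    return {}


def check_tunnel_config(server_text: str, client_text: str) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    inbound = find_dns_inbound(load_jsonc(server_text))
    transport = find_dns_transport(load_jsonc(client_text))
    if not inbound:
        return ["server: no inbound of type dns"]
    if not transport:
        return ["client: no ostp outbound with a dns transport"]
    for key in ("domain", "pubkey", "privkey"):
        if not inbound.get(key):
            findings.append(f"server: dns inbound is missing '{key}'")
    if not inbound.get("listen", "").endswith(":53"):
        findings.append("server: dns inbound does not listen on port 53")
    if transport.get("domain") != inbound.get("domain"):
        findings.append("client: transport domain does not match the server's dns domain")
    if transport.get("pubkey") != inbound.get("pubkey"):
        findings.append("client: transport pubkey does not match the server's pubkey")
    if not transport.get("resolver"):
        findings.append("client: no resolver configured for the dns transport")
    if "privkey" in transport:
        findings.append("client: privkey present in client config; it belongs on the server only")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_config(SERVER_CONFIG, CLIENT_CONFIG):
        print(finding)
```

Run it against your real files by reading them into the two strings; a clean pair prints nothing.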
Security Considerations
Because OSTP traffic does not look like standard DNS queries (the TXT records contain high-entropy base32 noise), advanced DPI systems that inspect the contents of DNS TXT records might flag it as an anomaly. However, for bypassing captive portals (hotel Wi-Fi, airplane Wi-Fi) or simple firewalls that only filter by port, it is highly effective.
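To show what the "anomaly" side of that trade-off looks like in practice, here is an added example (not part of OSTP or dnstt) of the kind of heuristic a DNS log monitor applies: it scores each query on the two signals the paragraph names, TXT/NULL query types and long high-entropy base32-looking labels, and reports clients that send many such queries under one delegated zone. The log format, the thresholds, and the assumption that the delegated zone is the last three labels of the name are all constructed for this example; the sample log lines are made up, with the tunnel-like ones imitating base32 labels under t.yourdomain.com.

```python
import math
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sample query log: timestamp, client, qname, qtype (not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.168.1.20 www.example.com A
2024-05-01T10:00:02Z 192.168.1.20 mail.example.com MX
2024-05-01T10:00:03Z 192.168.1.21 cdn.static-assets.net A
2024-05-01T10:00:03Z 192.168.1.21 _acme-challenge.www.example.com TXT
2024-05-01T10:00:03Z 192.168.1.22 long-descriptive-hostname-with-dashes.corp.example.com TXT
2024-05-01T10:00:04Z 192.168.1.30 pf3q2xkqz7v4m5a2h6c3n4b5k6d7e3f4g2.t.yourdomain.com TXT
2024-05-01T10:00:04Z 192.168.1.30 mnb7c4x2z5q3w5e7r4t6y3u2i5o3p7a6s4d.t.yourdomain.com TXT
2024-05-01T10:00:05Z 192.168.1.30 a3c6e2g5i4k7m4o7q3s6u2w5y5b3d4f7h3j6l2n5.t.yourdomain.com NULL
2024-05-01T10:00:05Z 192.168.1.30 k4m7o2q5s3u3w6y4a4c7e2g5i3k3m6o4q4s7u2.t.yourdomain.com TXT
2024-05-01T10:00:06Z 192.168.1.20 _dmarc.example.com TXT
"""

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")   # RFC 4648 base32, lower-cased


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32 text approaches 5, hostnames sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def is_tunnel_like(qname: str, qtype: str) -> bool:
    """Flag TXT/NULL queries whose payload labels look like random base32 data."""
    labels = qname.lower().rstrip(".").split(".")
    payload = labels[:-3] if len(labels) > 3 else []   # assumption: zone = last 3 labels
    if qtype.upper() not in ("TXT", "NULL") or not payload:
        return False
    blob = "".join(payload)
    if len(blob) < 20:                                  # short labels are ordinary hostnames
        return False
    b32_fraction = sum(ch in BASE32_ALPHABET for ch in blob) / len(blob)
    return shannon_entropy(blob) >= 3.5 and b32_fraction >= 0.95


def parse_line(line: str) -> Tuple[str, str, str, str]:
    ts, client, qname, qtype = line.split()
    return ts, client, qname.lower().rstrip("."), qtype.upper()


def zone_of(qname: str) -> str:
    return ".".join(qname.split(".")[-3:])              # same zone assumption as above


def scan_log(text: str, threshold: int = 3) -> Dict[Tuple[str, str], int]:
    """Count tunnel-like queries per (client, zone); return pairs at or above threshold."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        _, client, qname, qtype = parse_line(line)
        if is_tunnel_like(qname, qtype):
            counts[(client, zone_of(qname))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    for (client, zone), n in scan_log(SAMPLE_LOG).items():
        print(f"{client} sent {n} tunnel-like queries to zone {zone}")
```

The per-zone count matters as much as the per-query score: a single long TXT lookup is normal (ACME challenges, SPF), whereas dozens per second from one client to one freshly delegated sub-domain is the pattern a tunnel produces. A tunnel operator should expect exactly this kind of check on any network that logs DNS.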