A tool to tunnel UDP datagrams over DNS. This is most useful when coupled with something like Wireguard, to tunnel your internet traffic in a nice and lightweight fashion. Use this to bypass firewalls, such as hotspot paywalls and air-gapped networks, so long as you can resolve public DNS.


  • Datagram fragmentation and re-assembly to support large datagrams.
  • Avoids caching issues.
  • Bypasses basic mitigations, such as case-mixing.
  • Encrypted “control-channel” packets, using a pre-shared key.
  • Multiple simultaneous clients and sessions per-client.

Data is not encrypted or otherwise protected over the wire — you should use a protocol such as wireguard to provide cryptographic properties.

DNSmuggle only uses encryption when the client asks the server to open a channel. Right now, this is theoretically vulnerable to replays, but only to re-open the same destination. The encryption prevents a malicious actor from asking the server to dial arbitrary addresses.


# Make server
go build cmd/server.go

# Make client
go build cmd/client.go

Set up your domain

You’ll want a nice and short domain for this, as space is valuable. Configure the root NS record to an A record that resolves to your tunnel server. Depending on your registrar and TLD, you may need to configure glue records.

Run server

./server -listenAddr -domain example.com -psk hunter2 --nameserver ns1.example.com

Run client

./client -dialAddr -domain example.com -psk hunter2 -resolver -listenAddr

Now, on your client machine, a listener will open on When it receives packets, it will make an encrypted DNS request to open a channel, asking the server to dial (server-side). Data will then be encoded and flow through the DNS tunnel bi-directionally.


View Github