DNS Tunneling
OSTP operates over UDP and perfectly masks its traffic as random noise. In some environments (like captive portals, restricted corporate networks, or public Wi-Fi hotspots), standard ports may be blocked, but DNS queries (UDP port 53) are often allowed through the firewall.
You can exploit this by running OSTP over UDP port 53, effectively bypassing the firewall. This is often referred to as "DNS Tunneling" or "Port 53 bypass".
- A VPS where no other DNS server (like systemd-resolved, bind9, dnsmasq) is listening on the public IP at port 53.
- OSTP server installed and configured.
You need to change the listen directive in your server's config.json to bind to port 53:

```json
{
  "mode": "server",
  "listen": "0.0.0.0:53",
  "access_keys": ["YOUR_SECRET_KEY"]
}
```

If you are running the server as a non-root user on Linux, binding to port 53 (a privileged port) will result in a "Permission denied" error. You must either run OSTP as root or grant the binary the CAP_NET_BIND_SERVICE capability:

```bash
sudo setcap 'cap_net_bind_service=+ep' /path/to/ostp
```

Restart your OSTP server.

On the client side, update your outbounds to point to port 53:

```json
"outbounds": [
  {
    "type": "ostp",
    "tag": "proxy",
    "server": "YOUR_SERVER_IP",
    "port": 53,
    "access_key": "YOUR_SECRET_KEY",
    "transport": { "type": "udp" }
  }
]
```

Because OSTP traffic does not look like standard DNS queries (it is pure random noise without standard DNS packet structures), advanced DPI (Deep Packet Inspection) systems may detect that this is not real DNS traffic and block it. However, simple port-based firewalls and standard captive portals will allow the connection without issues.
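The DPI distinction made above (random bytes on UDP/53 versus a well-formed DNS message) comes down to a few header sanity tests. The Python checker below is an added example written for this page, not code from the OSTP project: `looks_like_dns`, `skip_name`, `build_query` and `SAMPLES` are hypothetical names, and the datagrams are constructed inline (the "noise" sample is fixed pseudo-random bytes standing in for an OSTP datagram, not a capture).

```python
import struct

VALID_OPCODES = {0, 1, 2, 4, 5}          # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
VALID_QCLASSES = {1, 3, 4, 254, 255}     # IN, CH, HS, NONE, ANY

def skip_name(payload: bytes, off: int):
    # Walk labels until the root label; a 2-byte compression pointer also ends the name
    while off < len(payload):
        length = payload[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2 if off + 1 < len(payload) else None
        if length > 63:                   # a label is at most 63 octets
            return None
        off += 1 + length
    return None                           # ran off the end of the datagram

def looks_like_dns(payload: bytes) -> bool:
    if len(payload) < 12:                 # fixed DNS header is 12 bytes
        return False
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0xF not in VALID_OPCODES:
        return False
    if qd == 0 or qd > 8:                 # heuristic bound; random 16-bit counts rarely fit
        return False
    if 12 + qd * 5 + (an + ns + ar) * 11 > len(payload):   # min 5 B/question, 11 B/RR
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(payload, off)
        if off is None or off + 4 > len(payload):
            return False
        qclass = struct.unpack("!H", payload[off + 2:off + 4])[0]
        if qclass not in VALID_QCLASSES:
            return False
        off += 4
    return True

def build_query(name: str, ident: int = 0x1234) -> bytes:
    # Minimal standard A query with RD set, used only to construct sample traffic
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

# Constructed samples (not captured traffic): a real query and fixed pseudo-random bytes
SAMPLES = {
    "real_query": build_query("example.com"),
    "noise_like_ostp": bytes.fromhex("9f3a7ce15b0d44a2e1f08c73b29d6e50aa1b3c4d5e6f7081"),
}
```

The `qd > 8` bound and the per-record minimum sizes are heuristics chosen here, not protocol limits; a production filter would also pair queries with responses and track flows rather than judge single datagrams.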