sacha, 25/06/2018 17:41
1 | 1 | sacha | h1. Mentiodns |
---|---|---|---|
2 | |||
3 | Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;) |
||
4 | |||
5 | 4 | sacha | h2. Nœuds actifs |
6 | |||
7 | |_. Nom |_. Bloc | |
||
8 | | Mezzanine | domain_names.com_sortedad | |
||
9 | | Millicent | domain_names.com_sortedab | |
||
10 | 9 | sacha | | Sacha | domain_names.org_sortedaa | |
11 | | Sacha | domain_names.org_sortedab | |
||
12 | | Sacha | domain_names.org_sortedab | |
||
13 | 10 | sacha | | Sacha | domain_names.org_sortedac | |
14 | | Sacha | domain_names.org_sortedac | |
||
15 | 4 | sacha | | Taziden | domain_names.com_sortedac | |
16 | |||
17 | h2. Mentio |
||
18 | |||
19 | <pre> |
||
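#!/usr/bin/env bash
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
# MENTIODNS : Check for lying DNS (France)   #
#--------------------------------------------#
# Version 1.6 - conf file                    #
# Version 1.5 - test Dig resolving           #
# Version 1.4 - Socat SSL sending results    #
# Version 1.3 - tld option                   #
# Version 1.2 - Round robin on DNS_ISP_LIST  #
#               for each request             #
# Version 1.1 - Allow resume on basename     #
# Version 1.0 - Parallel process with DIG    #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#
#
# This script brute-forces the ISP's lying DNS servers to find out which
# names they redirect to the Ministry of Interior blocking page, comparing
# their answer with the one given by your own (unbound) resolver.
#
# Usage: <script> MODE SOURCE TLD [COUNT]
#   MODE    "client", "server" or "local"
#           client: results are also shipped to the collector (socat/SSL)
#           server: only run the collector (socat/SSL listener), then exit
#           local:  print and log results here only
#   SOURCE  file with one domain name per line, without the tld
#   TLD     tld appended to every name: com, org, ...
#   COUNT   line offset to start from; if omitted the script resumes from
#           the counter kept for SOURCE's basename (0 on the first run)
#
# Outputs: names redirected to the blocking page go to $BLACKLIST_LOG,
#          names resolved differently for another reason go to $DIFF_LOG.
#
# 1st launch: $MENTIOCONF does not exist yet and is created interactively
# (your resolver IP, then the ISP DNS list matched on your public ASN);
# check it and relaunch.
#############################
# Directory holding the script; config, DNS list, logs and counters live there.
HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
MENTIOCONF="$HOMEDIR/mentio.conf"
# Number of names resolved per dig call; may be overridden from the environment.
parallel="${parallel:-10}"
#############################

#--------------------------------------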
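### CHECK CONFIG
# First run only: build $MENTIOCONF interactively, print it and stop so the
# operator can review it. The file is source'd as shell code on every later
# run, so everything written into it is validated first.
if [[ ! -f "$MENTIOCONF" ]]; then
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "1st time configuring"
  printf 'IP UNBOUND ? '
  IFS= read -r DNS_MY
  # Only accept something that looks like an IP address: a stray quote or
  # ';' would otherwise end up as shell code in the sourced config file.
  if [[ ! "$DNS_MY" =~ ^[0-9A-Fa-f.:]+$ ]]; then
    printf 'Not an IP address: %s\n' "$DNS_MY" >&2
    exit 1
  fi

  # Public IP -> origin ASN (Team Cymru whois) -> ISP resolvers for that ASN.
  # Fetched over HTTPS so the answer cannot be swapped on the way: a fake
  # public IP would select a wrong (or chosen) resolver list.
  IP_PUB=$(curl -fsS https://ifconfig.io) || IP_PUB=""
  if [[ ! "$IP_PUB" =~ ^[0-9A-Fa-f.:]+$ ]]; then
    printf 'Could not determine the public IP address (got: %s)\n' "$IP_PUB" >&2
    exit 1
  fi
  ASN=$(whois -h whois.cymru.com "$IP_PUB" | sed -n '2p' | cut -d' ' -f1)
  if [[ ! "$ASN" =~ ^[0-9]+$ ]]; then
    printf 'Could not determine the ASN of %s (got: %s)\n' "$IP_PUB" "$ASN" >&2
    exit 1
  fi
  DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
  # Fixed-string match: the ASN is data, not a regular expression.
  DNS_ISP_LIST=$(grep -F -- "$ASN" "$DNS_LIST" | cut -d' ' -f3- | tr '\n' ' ')
  if [[ ! "$DNS_ISP_LIST" =~ ^[0-9A-Fa-f.:[:space:]]*$ ]]; then
    printf 'Unexpected resolver list for ASN %s: %s\n' "$ASN" "$DNS_ISP_LIST" >&2
    exit 1
  fi
  if [[ -z "$DNS_ISP_LIST" ]]; then
    printf 'warning: no resolver known for ASN %s in %s; fill DNS_ISP_LIST by hand\n' \
      "$ASN" "$DNS_LIST" >&2
  fi

  {
    printf 'HOMEDIR=%q\n' "$HOMEDIR"
    printf 'DNS_MY="%s"\n' "$DNS_MY"
    printf 'DNS_ISP_LIST="%s"\n' "$DNS_ISP_LIST"
  } > "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  echo " CONFIGURATION FILE:"
  echo " please check and relaunch"
  echo "------------------------------------------------------------------"
  cat "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  exit 1
fi

### Get parameters from config file
# shellcheck source=/dev/null
source "$MENTIOCONF"
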
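#-------------------------------------
### PARAMETERS to execute the script
# $1 Mode: "client" (also ship results over socat), "server" (collector only), "local"
MODE=$1
# $2 DNS source file name (one name per line, without tld)
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# $4 line counter into the dns source file; empty = resume from the count file
COUNT=$4

if [[ "$MODE" == "server" ]]; then
  # Collector: SSL listener (cafile names the client certificate it trusts)
  # appending every received line to DNS_DIFF. Key material is taken next to
  # the script, as on the client side, instead of the current directory.
  socat -v -u "openssl-listen:65522,fork,reuseaddr,cert=$HOMEDIR/mentio_ssl-server.pem,cafile=$HOMEDIR/mentio_ssl-client.crt" "OPEN:$HOMEDIR/DNS_DIFF,creat,append"
  # The script's status follows the listener's instead of a constant 1.
  exit "$?"
fi

# client/local need a name list and a tld; elsewhere only "client" and
# "server" are tested, so an unknown mode runs as "local" - say so.
if [[ -z "$DNS_SOURCE" || -z "$tld" ]]; then
  printf 'Usage: %s client|server|local SOURCE_FILE TLD [COUNT]\n' "${0##*/}" >&2
  exit 2
fi
case "$MODE" in
  client|local) ;;
  *) printf 'warning: unknown mode "%s", running as "local"\n' "$MODE" >&2 ;;
esac
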
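#--------------------------------------
### SOCAT
# Collector address; may be preset in the environment or in mentio.conf.
SERVER="${SERVER:-10.11.12.22:65522}"
# Client side of the SSL link. verify=1 makes socat check the server
# certificate against the pinned cafile (with verify=0 the pin was ignored);
# if the server certificate's CN is not the address in $SERVER, add
# commonname=<CN> to the options.
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=1,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
#--------------------------------------
### COLORS
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
#--------------------------------------
# The name list must exist before its lines are counted (wc on an empty
# path would silently read stdin and the main loop would never start right).
if [[ ! -f "$DNS_SOURCE" ]]; then
  printf 'Source file not found: %s\n' "$DNS_SOURCE" >&2
  exit 1
fi
DNS_SOURCE_BASENAME=${DNS_SOURCE##*/}
DIFF_LOG="$HOMEDIR/DNS_DIFF"
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
# Number of names in the list; grep -c '' also counts a last line that has
# no trailing newline, which wc -l would miss.
lines=$(grep -c '' "$DNS_SOURCE")
# Resume counter, one file per source list.
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
dateus=$(date +%Y%m%d-%H%M%S)
#--------------------------------------
# The batch query (several names per dig call) gets the patient settings,
# the per-name recheck the quick ones.
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 "
#--------------------------------------
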
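#######################################
# Build the next batch of dig queries.
# Globals (read):  count, parallel, DNS_ISP_LIST, DNS_SOURCE, tld
# Globals (write): url - " @<isp dns> <name>.<tld>" once per name, each
#                  name paired with a randomly chosen ISP resolver
# Names come from lines count+1 .. count+parallel of DNS_SOURCE (1-based,
# like awk's NR). Blank lines and lines past the end of the file are skipped,
# so the last batch no longer emits bare ".<tld>" queries.
# Returns: 0, or 1 with url empty when DNS_ISP_LIST holds no resolver.
#######################################
_check(){
  local first last name isp
  local -a isp_list names
  # shellcheck disable=SC2206 — DNS_ISP_LIST is a space separated list by design
  isp_list=( $DNS_ISP_LIST )
  url=""
  if (( ${#isp_list[@]} == 0 )); then
    printf 'DNS_ISP_LIST is empty: no ISP resolver to query\n' >&2
    return 1
  fi
  # One awk pass for the whole batch instead of one process per name.
  first=$(( count + 1 ))
  last=$(( count + parallel ))
  mapfile -t names < <(awk -v s="$first" -v e="$last" 'NR>=s {print} NR>=e {exit}' "$DNS_SOURCE")
  for name in "${names[@]}"; do
    name=${name%$'\r'}   # tolerate CRLF lists
    [[ -n "$name" ]] || continue
    isp=${isp_list[RANDOM % ${#isp_list[@]}]}
    url="$url @$isp $name.$tld"
  done
}
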
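#--------------------------------------
# Starting offset: an explicit $4 wins, otherwise resume from the count file
# of this source list (created at 0 on the first run).
if [[ -z "$COUNT" ]]; then
  if [[ -f "$countfile" ]]; then
    count=$(< "$countfile")
  else
    count=0
    printf '%s\n' "$count" > "$countfile"
  fi
else
  if [[ ! "$COUNT" =~ ^[0-9]+$ ]]; then
    printf 'COUNT must be a non-negative integer, got: %s\n' "$COUNT" >&2
    exit 2
  fi
  count=$COUNT
  printf '%s\n' "$count" > "$countfile"
fi
# A damaged count file must not turn the arithmetic below into an error.
if [[ ! "$count" =~ ^[0-9]+$ ]]; then
  printf 'Bad counter in %s: %s\n' "$countfile" "$count" >&2
  exit 1
fi
#--------------------------------------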
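#--------------------------------------
### MAIN LOOP

#######################################
# Resolve the given dig arguments and normalise the answer to one line of
# sorted addresses, so two resolvers' answers can be compared as strings.
# Arguments: dig options, @server and names, already split into words
# Outputs:   space separated answers on stdout (empty when there is none)
#######################################
_resolve(){
  dig "$@" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' '
}

#######################################
# Report one name whose ISP answer differs from the reference resolver:
# on the console (coloured), in the given log file and, in client mode,
# on the collector through $SENDSOCAT.
# Arguments: $1 tag ("!!!" blocking page, ">>>" other difference)
#            $2 colour escape  $3 log file  $4 name  $5 ISP resolver
#            $6 reference answer  $7 ISP answer
# Globals:   MODE, SENDSOCAT, SERVER, dateus, NC (read)
#######################################
_report(){
  local tag=$1 colour=$2 logfile=$3 name=$4 isp=$5 real=$6 lying=$7
  local line="$tag $dateus SITE:$name ISPDNS:$isp REAL:$real MENTIO:$lying"
  if [[ "$MODE" == "client" ]]; then
    # Plain text only: no colour escape travels to the collector.
    # shellcheck disable=SC2086 — SENDSOCAT is a full command line by design
    printf '%s\n' "$tag $dateus $(hostname) SITE:$name ISPDNS:$isp REAL:$real MENTIO:$lying" | $SENDSOCAT \
      || printf 'warning: could not send the result to %s\n' "$SERVER" >&2
  fi
  printf '%b %s %b\n' "$colour" "$line" "$NC"
  printf '%s\n' "$line" >> "$logfile"
}

# Answers starting with this prefix are the blocking page; overridable from
# the environment or mentio.conf should the page move.
MENTIO_PREFIX="${MENTIO_PREFIX:-90.85.}"

# shellcheck disable=SC2206 — DNS_ISP_LIST is a space separated list by design
isp_list=( $DNS_ISP_LIST )
if (( ${#isp_list[@]} == 0 )); then
  printf 'DNS_ISP_LIST is empty: check %s\n' "$MENTIOCONF" >&2
  exit 1
fi

# "<" rather than "!=": with a list whose length is not a multiple of
# $parallel, count steps over $lines and the loop would never end.
# $DIG_SLOW, $DIG_FAST and $site are left unquoted on purpose inside the
# loop: each carries several dig arguments.
# shellcheck disable=SC2086
while (( count < lines )); do
  printf '%s\n' "$count" > "$countfile"
  _check
  site="$url"
  echo "-------------------------------------------------------------------------------"
  echo "#$count $dateus SITE:$site"
  # Whole batch through the reference resolver, then through the default
  # (ISP) resolver.
  # NOTE(review): $site already holds an @<isp> before every name; whether
  # dig still sends those names to @$DNS_MY depends on how it treats several
  # @server arguments - confirm with your dig version, otherwise both batch
  # answers come from the ISP.
  nomentio=$(_resolve $DIG_SLOW @"$DNS_MY" $site)
  [[ -n "$nomentio" ]] || printf '%b Unknown zone %s %b\n' "$GRAY" "$site" "$NC"
  mentio=$(_resolve $DIG_SLOW $site)
  [[ -n "$mentio" ]] || printf '%b Unknown zone %s %b\n' "$GRAY" "$site" "$NC"

  if [[ -n "$nomentio" && -n "$mentio" ]]; then
    if [[ "$nomentio" != "$mentio" ]]; then
      # The batch answers differ: recheck name by name, each against a
      # freshly picked ISP resolver, to find out which names are lied about.
      for name in $site; do
        # $site alternates "@resolver" and "name.tld" words; only the names
        # are queries (looping over the "@resolver" words wasted two lookups
        # per name and could report a spurious difference).
        [[ "$name" == @* ]] && continue
        nomentio1=$(_resolve $DIG_FAST @"$DNS_MY" "$name")
        [[ -n "$nomentio1" ]] || printf '%b Unknown zone %s %b\n' "$GRAY" "$name" "$NC"
        isp=${isp_list[RANDOM % ${#isp_list[@]}]}
        mentio1=$(_resolve $DIG_FAST @"$isp" "$name")
        [[ -n "$mentio1" ]] || printf '%b Unknown zone %s %b\n' "$GRAY" "$name" "$NC"
        if [[ "$nomentio1" != "$mentio1" ]]; then
          if [[ "$mentio1" == "$MENTIO_PREFIX"* ]]; then
            _report "!!!" "$RED" "$BLACKLIST_LOG" "$name" "$isp" "$nomentio1" "$mentio1"
          else
            _report ">>>" "$YELLOW" "$DIFF_LOG" "$name" "$isp" "$nomentio1" "$mentio1"
          fi
        fi
      done
    else
      printf '%b#%s SITE:%s %b\n' "$GREEN" "$count" "$site" "$NC"
    fi
  fi

  count=$(( count + parallel ))
done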
||
200 | 7 | sacha | </pre> |
201 | 3 | sacha | |
202 | 2 | sacha | h2. Test (valide au 14/06/18) |
203 | |||
204 | 1 | sacha | dig +short shahamat1.com |
205 | 7 | sacha | 90.85.16.52 |
206 | 3 | sacha | |
207 | 1 | sacha | h2. Liste de serveurs DNS FAI Français |
208 | |||
209 | h3. Free - ASN12322 |
||
210 | 11 | sacha | |
211 | 12 | sacha | 212.27.40.240 |
212 | 11 | sacha | 212.27.40.241 |
213 | 212.27.40.244 |
||
214 | 212.27.40.245 |
||
215 | 7 | sacha | |
216 | 3 | sacha | h3. Bouygues - ASN5410 |
217 | 1 | sacha | |
218 | 194.158.122.10 |
||
219 | 194.158.122.15 |
||
220 | |||
221 | h3. SFR/Numericable - ASN5410 |
||
222 | |||
223 | 89.2.0.1 |
||
224 | 89.2.0.2 |
||
225 | |||
226 | h3. SFR - ASN15557 |
||
227 | |||
228 | 109.0.66.10 |
||
229 | 109.0.66.20 |
||
230 | |||
231 | h3. Orange - ASN3215 |
||
232 | |||
233 | 2 | sacha | 80.10.246.1 |
234 | 3 | sacha | 80.10.246.2 |
235 | 1 | sacha | 80.10.246.3 |
236 | 80.10.246.5 |
||
237 | 6 | sacha | 80.10.246.7 |
238 | 80.10.246.129 |
||
239 | 80.10.246.130 |
||
240 | 80.10.246.132 |
||
241 | 80.10.246.134 |
||
242 | 8 | sacha | 80.10.246.136 |
243 | 81.253.149.1 |
||
244 | 81.253.149.2 |
||
245 | 81.253.149.6 |
||
246 | 1 | sacha | 81.253.149.9 |
247 | 11 | sacha | 81.253.149.10 |
248 | 1 | sacha | |
249 | h3. OBS (ouverts) |
||
250 | |||
251 | 194.2.0.20 |
||
252 | 194.2.0.50 |
||
253 | |||
254 | h2. Vigies de la neutralité |
||
255 | |||
256 | https://ooni.torproject.org |
||
257 | https://respectmynet.eu |
||
258 | |||
259 | h2. Cadre légal |
||
260 | |||
261 | https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos;=2&fastReqId;=606073666&categorieLien;=cid&oldAction;=rechTexte#LEGIARTI000029756525 |
||
262 | le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte;=20150305&categorieLien;=cid#LEGITEXT000030315036 |
||
263 | https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte;=20180619 |