Revision 13 (sacha, 25/06/2018 17:41) → Revision 14/59 (sacha, 25/06/2018 19:17)

h1. Mentiodns 

Validation of the DNS answers for a list of domains on an unbound resolver and on a big ISP's DNS, and comparison of the results ;)

h2. Active nodes

|_. Name |_. Block |
 | Mezzanine | domain_names.com_sortedad | 
 | Millicent | domain_names.com_sortedab | 
 | Sacha | domain_names.org_sortedaa | 
 | Sacha | domain_names.org_sortedab | 
 | Sacha | domain_names.org_sortedab | 
 | Sacha | domain_names.org_sortedac | 
 | Sacha | domain_names.org_sortedac | 
 | Taziden | domain_names.com_sortedac | 

 h2. Mentio 

<pre>
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
#    MENTIODNS : Check for lying DNS (France)   #
#--------------------------------------------#
#    Version 1.6 - conf file, some checks & doc #
#    Version 1.5 - test dig resolving           #
#    Version 1.4 - socat SSL sending of results #
#    Version 1.3 - tld option                   #
#    Version 1.2 - round robin on DNS_ISP_LIST  #
#                  for each request             #
#    Version 1.1 - allow resume on basename     #
#    Version 1.0 - parallel process with dig    #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org   #
#--------------------------------------------#

# This script brute-forces the ISP's lying DNS servers to identify which
# domains they redirect to the Ministry of Interior blocking page, and
# compares every ISP answer with the one from your own (non-lying) resolver.
# Domains redirected to the blocking page are logged in $BLACKLIST_LOG;
# domains whose ISP answer merely differs from your resolver's are logged
# in $DIFF_LOG.
# If you relaunch the script on the same file, it resumes from the counter
# it saved for that file.

# 1st launch: the script writes its config file and exits so you can check it.

# Generate the certificates for the socat results channel (self-signed; each
# side pins the other's certificate through cafile) and copy them to HOMEDIR:
# FILENAME=mentio_ssl-server
# openssl genrsa -out $FILENAME.key 2048    # the original used 1024 bits, now below accepted minimums
# openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
# cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
# FILENAME=mentio_ssl-client
# ...

# Parameters:
# $1 MODE: client | server | local
# $2 file source: list of domain names without tld, one per line
# $3 tld: com, org, ...
# $4 count number (if none: from zero, or from the count file named after $2)

#############################
HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
MENTIOCONF="$HOMEDIR/mentio.conf"
# Number of names handed to one dig invocation
parallel=10
#############################

#--------------------------------------
### CHECK CONFIG
if [ ! -f "$MENTIOCONF" ]; then
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "1st time configuring"
    echo -n "IP UNBOUND ? "
    read DNS_MY

    echo 'HOMEDIR="'$HOMEDIR'"' > "$MENTIOCONF"
    echo 'DNS_MY="'$DNS_MY'"' >> "$MENTIOCONF"
    # Look up our ASN from our public IP, then take the ISP resolvers listed
    # for that ASN. mentio-DNS_ISP_LIST is assumed (from the cut below) to hold
    # one ISP per line: <name> <ASN> <resolver IP> [<resolver IP> ...]
    IP_PUB=`curl -s ifconfig.io`
    ASN=`whois -h whois.cymru.com $IP_PUB | cut -d' ' -f1 | sed -n "2p"`
    DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
    DNS_ISP_LIST=`grep "$ASN" "$DNS_LIST" | cut -d' ' -f3-`
    echo 'DNS_ISP_LIST="'$DNS_ISP_LIST'"' >> "$MENTIOCONF"
    echo "------------------------------------------------------------------"
    echo " CONFIGURATION FILE:"
    echo " please check and relaunch"
    echo "------------------------------------------------------------------"
    cat "$MENTIOCONF"
    echo "------------------------------------------------------------------"
    exit 1
fi

if [ $# -lt 3 ]; then
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "Missing parameter, please enter:"
    echo
    echo "mentio-check client|server|local filename tld (count number)"
    echo
    exit 1
fi

### Get parameters from config file
source "$MENTIOCONF"

#-------------------------------------
### PARAMETERS to execute the script
# Mode: "client" sends results over socat, "server" collects them, "local" only logs
MODE=$1
# $2 DNS source file name
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# line counter into the DNS source file, empty for auto-resume
COUNT=$4

if [ "$MODE" = "server" ]; then
    # Collect the clients' results over TLS; the client certificate is
    # checked against cafile (socat verifies the peer by default on listen)
    socat -v -u openssl-listen:65522,fork,reuseaddr,cert="$HOMEDIR/mentio_ssl-server.pem",cafile="$HOMEDIR/mentio_ssl-client.crt" OPEN:"$HOMEDIR/DNS_DIFF",creat,append
    exit 0
fi

#--------------------------------------
### SOCAT
SERVER="10.11.12.22:65522"
# verify=0 disables checking of the server certificate, so anyone on the path
# can impersonate the server and read or alter the results. With the server
# certificate already pinned through cafile, verify=1 is the safer setting
# (socat then also matches the certificate name against the target; see
# openssl-commonname in the socat manual).
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
#--------------------------------------
### COLORS
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
#--------------------------------------
DNS_SOURCE_BASENAME=`basename "$DNS_SOURCE"`
DIFF_LOG="$HOMEDIR/DNS_DIFF"
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
lines=`wc -l "$DNS_SOURCE" | awk '{print $1}'`
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
# Timestamp of this run, reused on every log line
dateus=`date +%Y%m%d-%H%M%S`
#--------------------------------------
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3"
# Sort answers by IP so that round-robin ordering is not reported as a difference
SORTIP="sort -t . -k1,1n -k2,2n -k3,3n -k4,4n"
#--------------------------------------

# Build the argument list for one dig invocation: the next $parallel names
# from the source file, each preceded by a randomly chosen ISP resolver.
# Sets $url (with @resolver tokens) and $names (bare names only).
_check(){
    i=0
    url=""
    names=""
    while [ $i -lt $parallel ]
    do
        n=`expr $count + $i + 1`   # $count names are done; awk lines are 1-based
        if [ $n -gt $lines ]; then break; fi
        ISP_DNS=`echo $DNS_ISP_LIST | xargs -n 1 | sort -R | head -n 1`
        name="$(awk -v n="$n" 'NR==n {print; exit}' "$DNS_SOURCE").$tld"
        url="$url @$ISP_DNS $name"
        names="$names $name"
        i=`expr $i + 1`
    done
}


#--------------------------------------
if [ -z "$COUNT" ]; then
    if [ -f "$countfile" ]; then
        count=`cat "$countfile"`
    else
        count=0
        echo $count > "$countfile"
    fi
else
    count=$COUNT
    echo $count > "$countfile"
fi
#--------------------------------------

while [ "$count" -lt "$lines" ]; do
    echo $count > "$countfile"
    _check
    site="$url"
    echo "-------------------------------------------------------------------------------"
    echo "#$count $dateus SITE:$site"
    # Batch pre-check: all names in one dig call, first against our own resolver
    # (bare names only, so no @resolver token can override @$DNS_MY)...
    if nomentio=`dig @$DNS_MY $DIG_SLOW $names | $SORTIP | tr '\r\n' ' '` && [ -z "$nomentio" ]; then
        echo -e "$GRAY Unknown zone $site $NC"
    fi
    # ...then against the ISP resolvers. Which resolver answers which name
    # depends on how your dig handles several @server arguments on one command
    # line; the per-name recheck below uses exactly one resolver per call.
    if mentio=`dig $DIG_SLOW $site | $SORTIP | tr '\r\n' ' '` && [ -z "$mentio" ]; then
        echo -e "$GRAY Unknown zone $site $NC"
    fi

    if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
        if [ "$nomentio" != "$mentio" ]; then
            # The batch answers differ: recheck each name on its own
            for i in $names; do
                if nomentio1=`dig $DIG_FAST @$DNS_MY $i | $SORTIP | tr '\r\n' ' '` && [ -z "$nomentio1" ]; then
                    echo -e "$GRAY Unknown zone $i $NC"
                fi
                ISP_DNS=`echo $DNS_ISP_LIST | xargs -n 1 | sort -R | head -n 1`
                if mentio1=`dig $DIG_FAST @$ISP_DNS $i | $SORTIP | tr '\r\n' ' '` && [ -z "$mentio1" ]; then
                    echo -e "$GRAY Unknown zone $i $NC"
                fi
                if [ "$nomentio1" != "$mentio1" ]; then
                    # 90.85.* is the prefix of the Ministry of Interior blocking
                    # page (90.85.16.52 at the time of writing, see Test below)
                    if [[ $mentio1 == 90.85.* ]]; then
                        if [ "$MODE" = "client" ]; then
                            echo "!!! $dateus `hostname` SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
                        fi
                        echo -e "$RED !!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
                        echo "!!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$BLACKLIST_LOG"
                    else
                        if [ "$MODE" = "client" ]; then
                            echo ">>> $dateus `hostname` SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
                        fi
                        echo -e "$YELLOW >>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
                        echo ">>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$DIFF_LOG"
                    fi
                fi
            done
        else
            echo -e "$GREEN#$count    SITE:$site    $NC"
        fi
    fi

    count=`expr $count + $parallel`

done
</pre>
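The comparison step of the script as an added example (it is not part of Mentiodns and not the author's code): a POSIX shell script that takes two dig +short answers, one from your own resolver and one from an ISP resolver, normalizes the round-robin order, and classifies the pair as OK, DIFF, BLOCKED or UNKNOWN. The sample answers are constructed from documentation address ranges; the block-page address 90.85.16.52 is taken from the Test section below, and matching it exactly rather than with the script's 90.85.* glob is this example's own choice.

```sh
#!/bin/sh
# Added example, not part of the Mentiodns script: the comparison core of a
# lying-DNS check, written so it can be exercised offline on constructed
# answers instead of live dig output.

# Address the Ministry of Interior blocking page resolved to in the page's
# test of 14/06/18 (dig +short shahamat1.com -> 90.85.16.52).
BLOCKPAGE_IP="90.85.16.52"

# normalize_answer "<dig +short output, one address per line or per word>"
# Sorts the A records numerically and joins them with spaces, so that the
# round-robin rotation of a multi-A answer is not reported as a difference.
normalize_answer() {
    printf '%s\n' $1 | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | paste -sd ' ' -
}

# classify "<own resolver answer>" "<ISP resolver answer>"
# Prints UNKNOWN (one side returned nothing), OK (same address set),
# BLOCKED (the ISP answer contains the blocking page) or DIFF (any other
# discrepancy, e.g. CDN geolocation).
classify() {
    own=$(normalize_answer "$1")
    isp=$(normalize_answer "$2")
    if [ -z "$own" ] || [ -z "$isp" ]; then
        echo UNKNOWN
        return 0
    fi
    if [ "$own" = "$isp" ]; then
        echo OK
        return 0
    fi
    # Exact match on the block-page address instead of the script's 90.85.*
    # glob: the glob also fires on every other host in 90.85.0.0/16, and it
    # only looks at the first address of a sorted multi-A answer.
    for ip in $isp; do
        if [ "$ip" = "$BLOCKPAGE_IP" ]; then
            echo BLOCKED
            return 0
        fi
    done
    echo DIFF
}

# report DOMAIN "<own answer>" "<ISP answer>": one line in the layout of the
# script's DNS_DIFF / DNS_BLACKLISTED entries, with the verdict in front.
report() {
    printf '%s SITE:%s REAL:%s MENTIO:%s\n' "$(classify "$2" "$3")" "$1" \
        "$(normalize_answer "$2")" "$(normalize_answer "$3")"
}

# Constructed sample answers (documentation ranges, not real measurements).
demo() {
    report same.example        "203.0.113.10"              "203.0.113.10"
    report roundrobin.example  "203.0.113.10 203.0.113.11" "203.0.113.11 203.0.113.10"
    report blocked.example     "203.0.113.10"              "90.85.16.52"
    report cdn.example         "198.51.100.1"              "198.51.100.2"
    report nxdomain.example    ""                          "198.51.100.9"
}

demo
```

Run it with sh; demo prints one verdict line per constructed case. Because classify works on strings, the same function can be fed live output, e.g. classify "$(dig +short @own name)" "$(dig +short @isp name)", or answers replayed from an existing DNS_DIFF log, so the verdict logic can be tested before it is pointed at real resolvers.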

h2. Test (valid as of 14/06/18)

  dig +short shahamat1.com 
  90.85.16.52 

h2. List of French ISP DNS servers

 h3. Free - ASN12322 

 212.27.40.240 
 212.27.40.241 
 212.27.40.244 
 212.27.40.245 

 h3. Bouygues - ASN5410 

 194.158.122.10 
 194.158.122.15 

 h3. SFR/Numericable - ASN5410 

 89.2.0.1 
 89.2.0.2 

 h3. SFR - ASN15557 

 109.0.66.10 
 109.0.66.20 

 h3. Orange - ASN3215 

 80.10.246.1 
 80.10.246.2 
 80.10.246.3 
 80.10.246.5 
 80.10.246.7 
 80.10.246.129 
 80.10.246.130 
 80.10.246.132 
 80.10.246.134 
 80.10.246.136 
 81.253.149.1 
 81.253.149.2 
 81.253.149.6 
 81.253.149.9 
 81.253.149.10 

h3. OBS (open resolvers)

 194.2.0.20 
 194.2.0.50 

h2. Net neutrality watchdogs

 https://ooni.torproject.org 
 https://respectmynet.eu 

h2. Legal framework

https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
the decree https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte=20180619