
Revision 17 (sacha, 25/06/2018 21:42) → Revision 18/59 (sacha, 25/06/2018 22:13)

h1. Mentiodns 

DNS validation of a list of names against an unbound resolver and a major ISP's DNS, with comparison of the results ;)

h2. Active nodes

|_. Name |_. Block |
| Dam64 | domain_names.com_sortedaf |
| Dam64 | domain_names.com_sortedag |
| Mezzanine | domain_names.com_sortedad |
| Millicent | domain_names.com_sortedab |
| Sacha | domain_names.org_sortedaa |
| Sacha | domain_names.org_sortedab |
| Sacha | domain_names.org_sortedab |
| Sacha | domain_names.org_sortedac |
| Sacha | domain_names.org_sortedac |
| Taz Taziden | domain_names.com_sortedac |
| Taz | domain_names.com_sortedae |


 

 h2. Mentio 

<pre>
#!/bin/bash
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
#    MENTIODNS : Check for lying DNS (France)    #
#--------------------------------------------#
#    Version 1.6 - conf file                     #
#    Version 1.5 - test Dig resolving            #
#    Version 1.4 - Socat SSL sending results     #
#    Version 1.3 - tld option                    #
#    Version 1.2 - Round robin on DNS_ISP_LIST   #
#                  for each request              #
#    Version 1.1 - Allow resume on basename      #
#    Version 1.0 - Parallel process with DIG     #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#

# This shitty script intends to brute-force the ISP lying DNS servers to identify which one
# is going to the Ministry of Interior blocking page, and compares the IP result with your favorite DNS server.
# Use this script with the following parameters:
# $1 MODE: client server local
# $2 File source: list of domain names without tld
# $3 tld: com, org, ...
# $4 count number (if none: from zero, or from the count file based on the file name)

# If you relaunch the script it will check if it has a counter for the given file to resume.
# Blacklisted sites are written to the $BLACKLIST_LOG file
# Differing IPs for a domain name are written to $DIFF_LOG

# 1st launch creates the config file

# Copy generated certificates:
# FILENAME=mentio_ssl-server
# openssl genrsa -out $FILENAME.key 1024
# openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
# cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
# FILENAME=mentio_ssl-client
# ...

##########################################################
HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
MENTIOCONF="$HOMEDIR/mentio.conf"
# Number of parallel requests through dig
parallel=10
# Socat server
SERVER="taz.im:65522"
##########################################################


##########################################################
### CHECK CONFIG
if [ ! -f "$MENTIOCONF" ]; then
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "1st time configuring"
    echo -n "IP UNBOUND ? "
    read -r DNS_MY

    echo "HOMEDIR=\"$HOMEDIR\"" > "$MENTIOCONF"
    echo "DNS_MY=\"$DNS_MY\"" >> "$MENTIOCONF"
    # Public IP and its ASN, used to pick the ISP resolvers from the list file
    IP_PUB=$(curl -s ifconfig.io)
    ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n "2p")
    DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
    DNS_ISP_LIST=$(grep "$ASN" "$DNS_LIST" | cut -d' ' -f3-)
    echo "DNS_ISP_LIST=\"$DNS_ISP_LIST\"" >> "$MENTIOCONF"
    echo "------------------------------------------------------------------"
    echo " CONFIGURATION FILE:"
    echo " please check and relaunch"
    echo "------------------------------------------------------------------"
    cat "$MENTIOCONF"
    echo "------------------------------------------------------------------"
    exit 1
fi
##########################################################


##########################################################
### PARAMETERS to execute the script
# Mode Log export with socat "client" "server" "local"

MODE=$1

if [ "$MODE" = "server" ]; then
    socat -v -u openssl-listen:65522,fork,reuseaddr,cert="$HOMEDIR/mentio_ssl-server.pem",cafile="$HOMEDIR/mentio_ssl-client.crt" OPEN:"$HOMEDIR/MENTIO-DNS_DIFF",creat,append
    exit 1
fi
##########################################################


##########################################################
### Check if commandline parameters are less than 3

if [ $# -lt 3 ]; then
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "Missing Parameter, please enter:"
    echo
    echo "mentio-check client|server|local filename tld (count number)"
    echo
    exit 1
fi
##########################################################


##########################################################
### Get parameters

# From config file
source "$MENTIOCONF"

# From command line
# $2 DNS source file name
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# line counter from the dns source file, nothing for auto-resuming
COUNT=$4

##########################################################
### SOCAT
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
##########################################################
### COLORS
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
##########################################################
### Various variables
DNS_SOURCE_BASENAME=$(basename "$DNS_SOURCE")
DIFF_LOG="$HOMEDIR/DNS_DIFF"
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
lines=$(wc -l < "$DNS_SOURCE" | tr -d ' ')
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
dateus=$(date +%Y%m%d-%H%M%S)
##########################################################
### Dig parameters
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3"
##########################################################


##########################################################
### Generate list for dig: round robin from dns list
### Like (@DNS-server domain) x parallel
_check(){
    i=0
    url=""
    while [ "$i" -lt "$parallel" ]; do
        # awk numbers lines from 1, the counter starts at 0
        n=$((count + i + 1))
        # stop at the end of the source file instead of querying empty names
        [ "$n" -gt "$lines" ] && break
        ISP_DNS=$(echo "$DNS_ISP_LIST" | xargs -n 1 | sort -R | head -n 1)
        url="$url @$ISP_DNS $(awk -v n="$n" 'NR==n {print; exit}' "$DNS_SOURCE").$tld"
        i=$((i + 1))
    done
}

# Sort dig answers numerically so that two answer sets compare as strings
_sortip(){
    sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' '
}
##########################################################


##########################################################
### Counter: create one if not existing, use existing instead
if [ -z "$COUNT" ]; then
    if [ -f "$countfile" ]; then
        count=$(cat "$countfile")
    else
        count=0
        echo "$count" > "$countfile"
    fi
else
    count=$COUNT
    echo "$count" > "$countfile"
fi
##########################################################


##########################################################
### MAIN LOOP

# -lt rather than != : the counter grows by $parallel and may step over $lines
while [ "$count" -lt "$lines" ]; do
    echo "$count" > "$countfile"
    _check
    site="$url"
    echo "-------------------------------------------------------------------------------"
    echo "#$count $dateus SITE:$site"
    # Batch query: dig keeps one global server list, so with several @server tokens
    # on one command line the last one wins; the per-name re-check below is what
    # really queries each resolver separately.
    if nomentio=$(dig @"$DNS_MY" $DIG_SLOW $site | _sortip) && [ -z "$nomentio" ]; then
        echo -e "$GRAY Unknown zone $site $NC"
    fi
    if mentio=$(dig $DIG_SLOW $site | _sortip) && [ -z "$mentio" ]; then
        echo -e "$GRAY Unknown zone $site $NC"
    fi

    if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
        if [ "$nomentio" != "$mentio" ]; then
            # The batch differs somewhere: re-check each name on its own
            for i in $site; do
                # skip the @server tokens of the batch string
                case $i in @*) continue ;; esac
                if nomentio1=$(dig $DIG_FAST @"$DNS_MY" $i | _sortip) && [ -z "$nomentio1" ]; then
                    echo -e "$GRAY Unknown zone $i $NC"
                fi
                ISP_DNS=$(echo "$DNS_ISP_LIST" | xargs -n 1 | sort -R | head -n 1)
                if mentio1=$(dig $DIG_FAST @"$ISP_DNS" $i | _sortip) && [ -z "$mentio1" ]; then
                    echo -e "$GRAY Unknown zone $i $NC"
                fi
                if [ "$nomentio1" != "$mentio1" ]; then
                    # 90.85.x.x is the blocking page address (see the Test section)
                    if [[ $mentio1 == 90.85.* ]]; then
                        if [ "$MODE" = "client" ]; then
                            echo "!!! $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
                        fi
                        echo -e "$RED !!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
                        echo "!!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$BLACKLIST_LOG"
                    else
                        if [ "$MODE" = "client" ]; then
                            echo ">>> $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
                        fi
                        echo -e "$YELLOW >>> SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
                        echo ">>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$DIFF_LOG"
                    fi
                fi
            done
        else
            echo -e "$GREEN#$count    SITE:$site    $NC"
        fi
    fi

    count=$((count + parallel))

done
##########################################################
</pre>

h2. Test (valid as of 14/06/18)

  dig +short shahamat1.com 
  90.85.16.52 
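The comparison step of the script above, isolated so it can be run offline: normalize the answers from two resolvers, then classify a name as blocked, merely different, identical, or unknown. This is an added example and not the page's script; the sample answers are constructed (documentation addresses), and the only page fact it relies on is the 90.85. prefix of the blocking page shown in the test just above.

```sh
#!/bin/sh
# Added example (not the mentio-check script): the per-name comparison logic
# applied to constructed "dig +short" outputs, so no network access is needed.

# Keep only IPv4 answers (CNAME lines from dig +short end with a dot), sort
# them octet by octet and join with spaces, so two answer sets compare as
# strings regardless of the order in which the resolver returned them.
normalize_answers() {
    printf '%s\n' "$1" \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n \
        | tr '\n' ' ' \
        | sed 's/ $//'
}

# Classify one name from the answers of the reference resolver (the local
# unbound) and of the ISP resolver.  90.85. is the blocking page address seen
# on this page; any other difference is only logged as a diff.
classify_answer() {
    ref=$(normalize_answers "$1")
    isp=$(normalize_answers "$2")
    if [ -z "$ref" ] || [ -z "$isp" ]; then
        echo unknown
    elif [ "$ref" = "$isp" ]; then
        echo same
    else
        case "$isp" in
            90.85.*) echo blocked ;;
            *)       echo differs ;;
        esac
    fi
}

# Same log markers as the script: "!!!" for the blocking page, ">>>" for a diff.
log_prefix() {
    case "$1" in
        blocked) echo '!!!' ;;
        differs) echo '>>>' ;;
        *)       echo '' ;;
    esac
}

# Constructed sample answers (not real measurements): the ISP resolver returns
# the blocking page for the first name, the same set in another order for the
# second, nothing for the third, and a genuinely different address for the last.
demo() {
    for pair in \
        "203.0.113.10|90.85.16.52" \
        "198.51.100.1 198.51.100.2|198.51.100.2 198.51.100.1" \
        "203.0.113.10|" \
        "203.0.113.10|203.0.113.99"
    do
        ref=$(printf '%s' "${pair%%|*}" | tr ' ' '\n')
        isp=$(printf '%s' "${pair#*|}" | tr ' ' '\n')
        verdict=$(classify_answer "$ref" "$isp")
        echo "$(log_prefix "$verdict") REAL:$(normalize_answers "$ref") MENTIO:$(normalize_answers "$isp") -> $verdict"
    done
}
demo
```

The script's own batch step feeds one dig command with several @server tokens; dig keeps a single server list, so only the per-name re-check queries each resolver separately, and that is the step this example reproduces. Unresolvable names on either side are reported as unknown rather than as a difference, which avoids counting a timeout as blocking.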

h2. List of French ISP DNS servers

 h3. Free - ASN12322 

 212.27.40.240 
 212.27.40.241 
 212.27.40.244 
 212.27.40.245 

 h3. Bouygues - ASN5410 

 194.158.122.10 
 194.158.122.15 

 h3. SFR/Numericable - ASN5410 

 89.2.0.1 
 89.2.0.2 

 h3. SFR - ASN15557 

 109.0.66.10 
 109.0.66.20 

 h3. Orange - ASN3215 

 80.10.246.1 
 80.10.246.2 
 80.10.246.3 
 80.10.246.5 
 80.10.246.7 
 80.10.246.129 
 80.10.246.130 
 80.10.246.132 
 80.10.246.134 
 80.10.246.136 
 81.253.149.1 
 81.253.149.2 
 81.253.149.6 
 81.253.149.9 
 81.253.149.10 

h3. OBS (open resolvers)

 194.2.0.20 
 194.2.0.50 

h2. Neutrality watchdogs

 https://ooni.torproject.org 
 https://respectmynet.eu 

h2. Legal framework

https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
the decree https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte=20180619

 h2. Unbound 

 <pre> 
 server: 
  verbosity: 1 
  interface: 127.0.0.1 
  do-ip4: yes 
  do-ip6: no 
  do-udp: yes 
  do-tcp: no 
  access-control: 127.0.0.0/8 allow  
  access-control: 0.0.0.0/0 refuse 
  logfile: /var/log/unbound 
  hide-identity: yes 
  hide-version: yes 
  harden-glue: yes 
  use-caps-for-id: yes 
  do-not-query-localhost: yes 
 </pre> 


h2. Miscellaneous Ansible

 Copy file: 

  ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/" 


 Copy file single host: 

  ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/" 

 ansible-playbook /etc/ansible/playbooks/mentio.yml  


 <pre> 
 --- 

 - hosts: mentio  
   sudo: no 
   tasks: 
     - name: copyfiles  
       copy: 
         src: "{{ item.src }}" 
         dest: "{{ item.dest }}" 
       with_items: 
         - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6',dest: '~/MENTIODNS/' } 
         - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST',dest: '~/MENTIODNS/' } 
         - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt',dest: '~/MENTIODNS/' } 
         - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key',dest: '~/MENTIODNS/' } 
         - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem',dest: '~/MENTIODNS/' } 
         - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt',dest: '~/MENTIODNS/' } 


 </pre>