Revision 21 (sacha, 25/06/2018 22:38) → Revision 22/59 (sacha, 25/06/2018 22:45)
h1. Mentiodns
DNS validation of a list of domain names against an unbound resolver and a major ISP's DNS, with comparison of the results ;)
h2. Active nodes
|_. Name |_. Block |
| Dam64 | domain_names.com_sortedaf |
| Dam64 | domain_names.com_sortedag |
| Dam64 | domain_names.com_sortedah |
| Dam64 | domain_names.com_sortedai |
| Mezzanine | domain_names.com_sortedad |
| Millicent | domain_names.com_sortedab |
| Millicent | domain_names.com_sortedah |
| Millicent | domain_names.com_sortedai |
| Millicent | domain_names.com_sortedaj |
| Sacha | domain_names.org_sortedaa |
| Sacha | domain_names.org_sortedab |
| Sacha | domain_names.org_sortedab |
| Sacha | domain_names.org_sortedac |
| Sacha | domain_names.org_sortedac |
| Taz | domain_names.com_sortedac |
| Taz | domain_names.com_sortedae |
h2. Mentio
Packages: curl dig python socat tmux unbound whois
<pre>
#!/bin/bash
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
# MENTIODNS : Check for lying DNS (France)   #
#--------------------------------------------#
# Version 1.6 - conf file                    #
# Version 1.5 - test Dig resolving           #
# Version 1.4 - Socat SSL sending results    #
# Version 1.3 - tld option                   #
# Version 1.2 - Round robin on DNS_ISP_LIST  #
#               for each request             #
# Version 1.1 - Allow resume on basename     #
# Version 1.0 - Parallel process with DIG    #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#
# This shitty script intends to brute-force the ISP lying DNS servers to identify which
# domains are sent to the Ministry of Interior blocking page, and compares the IP result
# with the one from your favourite DNS server (unbound).
# Use this script with the following parameters:
#   $1 MODE: client server local
#   $2 File source: list of domain names without tld
#   $3 tld: com, org, ...
#   $4 count number (if none: from zero, or from the count file based on the file name)
# If you relaunch the script it will check if it has a counter for the given file to resume.
# Blacklisted sites go to the $BLACKLIST_LOG file.
# Domain names whose IP differs between the two resolvers go to $DIFF_LOG.
# 1st launch creates the config file.
# Copy generated certificates:
#   FILENAME=mentio_ssl-server
#   openssl genrsa -out $FILENAME.key 1024
#   openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
#   cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
#   FILENAME=mentio_ssl-client
#   ...
##########################################################
HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
MENTIOCONF="$HOMEDIR/mentio.conf"
# Number of parallel requests through dig
parallel=10
# Socat server
SERVER="taz.im:65522"
##########################################################
##########################################################
### CHECK CONFIG
if [ ! -f "$MENTIOCONF" ]; then
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "1st time configuring"
  echo -n "IP UNBOUND ? "
  read -r DNS_MY
  echo 'HOMEDIR="'$HOMEDIR'"' > "$MENTIOCONF"
  echo 'DNS_MY="'$DNS_MY'"' >> "$MENTIOCONF"
  # Public IP -> ASN (Team Cymru whois), then the ISP resolvers listed for that ASN
  IP_PUB=$(curl -s ifconfig.io)
  ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n "2p")
  DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
  DNS_ISP_LIST=$(grep "$ASN" "$DNS_LIST" | cut -d' ' -f3-)
  echo 'DNS_ISP_LIST="'$DNS_ISP_LIST'"' >> "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  echo " CONFIGURATION FILE:"
  echo " please check and relaunch"
  echo "------------------------------------------------------------------"
  cat "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  exit 1
fi
##########################################################
##########################################################
### PARAMETERS to execute the script
# Mode Log export with socat "client" "server" "local"
MODE=$1
if [ "$MODE" = "server" ]; then
  # Receive the clients' reports over TLS (client certificate required) and append them to a file
  socat -v -u openssl-listen:65522,fork,reuseaddr,cert="$HOMEDIR/mentio_ssl-server.pem",cafile="$HOMEDIR/mentio_ssl-client.crt" OPEN:"$HOMEDIR/MENTIO-DNS_DIFF",creat,append
  exit 0
fi
##########################################################
##########################################################
### Check if commandline parameters are less than 3
if [ $# -lt 3 ]; then
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "Missing Parameter, please enter:"
  echo
  echo "mentio-check client|server|local filename tld (count number)"
  echo
  exit 1
fi
##########################################################
##########################################################
### Get parameters
# From config file
source "$MENTIOCONF"
# From command line
# $2 DNS source file name
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# line counter from the dns source file, nothing for auto-resuming
COUNT=$4
##########################################################
### SOCAT
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
##########################################################
### COLORS
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
##########################################################
### Various variables
DNS_SOURCE_BASENAME=$(basename "$DNS_SOURCE")
DIFF_LOG="$HOMEDIR/DNS_DIFF"
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
lines=$(wc -l < "$DNS_SOURCE")
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
dateus=$(date +%Y%m%d-%H%M%S)
##########################################################
### Dig parameters
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3"
##########################################################
##########################################################
### Sort a dig +short answer by IP octets and join it on one line,
### so that two resolvers returning the same IPs in a different order compare equal
_sortip(){
  sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' '
}
##########################################################
### Generate list for dig: round robin from dns list
### Like (@DNS-server domain) x parallel
_check(){
  i=0
  url=""
  while [ "$i" -lt "$parallel" ]; do
    # awk line numbers start at 1, the counter at 0
    n=$((count + i + 1))
    # do not read past the end of the source file
    [ "$n" -gt "$lines" ] && break
    # pick one ISP resolver at random for this name
    ISP_DNS=$(echo "$DNS_ISP_LIST" | xargs -n 1 | sort -R | head -n 1)
    url="$url @$ISP_DNS $(awk -v n="$n" 'NR==n {print;exit}' "$DNS_SOURCE").$tld"
    i=$((i + 1))
  done
}
##########################################################
##########################################################
### Counter: create one if not existing, use existing instead
if [ -z "$COUNT" ]; then
  if [ -f "$countfile" ]; then
    count=$(cat "$countfile")
  else
    count=0
    echo "$count" > "$countfile"
  fi
else
  count=$COUNT
  echo "$count" > "$countfile"
fi
##########################################################
##########################################################
### MAIN LOOP
while [ "$count" -lt "$lines" ]; do
  echo "$count" > "$countfile"
  _check
  site="$url"
  echo "-------------------------------------------------------------------------------"
  echo "#$count $dateus SITE:$site"
  # Whole batch: once through unbound (REAL), once through the ISP resolvers (MENTIO)
  if nomentio=$(dig @$DNS_MY $DIG_SLOW $site | _sortip) && [ -z "$nomentio" ]; then
    echo -e "$GRAY Unknown zone $site $NC"
  fi
  if mentio=$(dig $DIG_SLOW $site | _sortip) && [ -z "$mentio" ]; then
    echo -e "$GRAY Unknown zone $site $NC"
  fi
  if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
    if [ "$nomentio" != "$mentio" ]; then
      # The batch differs: recheck every name on its own to find which one is lied about
      for i in $site; do
        # skip the @server tokens, only domain names are rechecked
        case "$i" in @*) continue ;; esac
        if nomentio1=$(dig $DIG_FAST @$DNS_MY $i | _sortip) && [ -z "$nomentio1" ]; then
          echo -e "$GRAY Unknown zone $i $NC"
        fi
        ISP_DNS=$(echo "$DNS_ISP_LIST" | xargs -n 1 | sort -R | head -n 1)
        if mentio1=$(dig $DIG_FAST @$ISP_DNS $i | _sortip) && [ -z "$mentio1" ]; then
          echo -e "$GRAY Unknown zone $i $NC"
        fi
        if [ "$nomentio1" != "$mentio1" ]; then
          # 90.85.x.x is the Ministry of Interior blocking page
          if [[ $mentio1 == 90.85.* ]]; then
            if [ "$MODE" = "client" ]; then
              echo "!!! $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
            fi
            echo -e "$RED !!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
            echo "!!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$BLACKLIST_LOG"
          else
            if [ "$MODE" = "client" ]; then
              echo ">>> $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
            fi
            echo -e "$YELLOW >>> SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
            echo ">>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$DIFF_LOG"
          fi
        fi
      done
    else
      echo -e "$GREEN#$count SITE:$site $NC"
    fi
  fi
  count=$((count + parallel))
done
##########################################################
</pre>
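The comparison step of the main loop (order-independent IP set equality, then the 90.85.* test for the blocking page) and a summary of the lines the script writes to $BLACKLIST_LOG and $DIFF_LOG, as an added standalone shell example that is not part of the mentio-check script; the domains, timestamps and REAL addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from mentio-check): the REAL vs MENTIO comparison as standalone
# functions, plus a per-resolver count over constructed log lines.

# Normalise a dig +short answer: one IP per line, sorted by octet, joined with spaces,
# so resolvers that rotate round-robin answers still compare equal.
normalize_ips() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -v '^$' \
    | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\n' ' ' | sed 's/ $//'
}

# Classify a (REAL, ISP) answer pair the way the main loop does:
#   UNKNOWN  one side answered nothing (zone missing or timeout)
#   SAME     identical IP sets, the ISP resolver is not lying
#   BLOCKED  ISP answer starts with 90.85., the Ministry of Interior page
#   DIFF     answers differ for another reason (CDN, geo-DNS, stale cache)
classify_answers() {
  real=$(normalize_ips "$1")
  isp=$(normalize_ips "$2")
  if [ -z "$real" ] || [ -z "$isp" ]; then echo UNKNOWN; return; fi
  if [ "$real" = "$isp" ]; then echo SAME; return; fi
  case "$isp" in
    90.85.*) echo BLOCKED ;;
    *)       echo DIFF ;;
  esac
}

# Count "!!!" (blocked) and ">>>" (diff) records per ISP resolver from stdin lines
# in the format written to $BLACKLIST_LOG / $DIFF_LOG.
# Output: "<resolver> blocked=<n> diff=<n>", one line per resolver, sorted.
summarize_log() {
  awk '{
    for (i = 1; i <= NF; i++) if ($i ~ /^ISPDNS:/) dns = substr($i, 8)
    if ($1 == "!!!") b[dns]++; else if ($1 == ">>>") d[dns]++
    seen[dns] = 1
  } END {
    for (k in seen) printf "%s blocked=%d diff=%d\n", k, b[k], d[k]
  }' | sort
}

# Constructed sample log lines (timestamps, domains and REAL IPs are made up).
SAMPLE_LOG='!!! 20180625-224500 SITE:example-a.com ISPDNS:212.27.40.240 REAL:203.0.113.10 MENTIO:90.85.16.52
>>> 20180625-224500 SITE:example-b.com ISPDNS:212.27.40.240 REAL:203.0.113.20 MENTIO:198.51.100.20
!!! 20180625-224500 SITE:example-c.com ISPDNS:80.10.246.1 REAL:203.0.113.30 MENTIO:90.85.16.52'

classify_answers "203.0.113.10 203.0.113.11" "203.0.113.11 203.0.113.10"   # SAME
classify_answers "203.0.113.10" "90.85.16.52"                             # BLOCKED
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```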
h2. Test (valid as of 14/06/18)
<pre>
dig +short shahamat1.com
90.85.16.52
</pre>
h2. List of French ISP DNS servers
h3. Free - ASN12322
212.27.40.240
212.27.40.241
212.27.40.244
212.27.40.245
h3. Bouygues - ASN5410
194.158.122.10
194.158.122.15
h3. SFR/Numericable - ASN5410
89.2.0.1
89.2.0.2
h3. SFR - ASN15557
109.0.66.10
109.0.66.20
h3. Orange - ASN3215
80.10.246.1
80.10.246.2
80.10.246.3
80.10.246.5
80.10.246.7
80.10.246.129
80.10.246.130
80.10.246.132
80.10.246.134
80.10.246.136
81.253.149.1
81.253.149.2
81.253.149.6
81.253.149.9
81.253.149.10
h3. OBS (open resolvers)
194.2.0.20
194.2.0.50
h2. Net neutrality watchdogs
https://ooni.torproject.org
https://respectmynet.eu
h2. Legal framework
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
the decree: https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte=20180619
h2. Unbound
<pre>
server:
    verbosity: 1
    # listen on localhost only, IPv4/UDP
    interface: 127.0.0.1
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: no
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    logfile: /var/log/unbound
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    use-caps-for-id: yes
    do-not-query-localhost: yes
</pre>
h2. Miscellaneous Ansible
Copy a file to all nodes:
<pre>
ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
</pre>
Copy a file to a single host:
<pre>
ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
</pre>
Run the playbook:
<pre>
ansible-playbook /etc/ansible/playbooks/mentio.yml
</pre>
<pre>
---
- hosts: mentio
  sudo: no
  tasks:
    - name: copyfiles
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      with_items:
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt', dest: '~/MENTIODNS/' }
</pre>