
sacha, 25/06/2018 23:25

h1. Mentiodns
Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;)
h2. Nœuds actifs
|_. Nom |_. Bloc |
| dam | domain_names.com_sortedaf|
| dam | domain_names.com_sortedag|
| dam | domain_names.com_sortedah|
| dam | domain_names.com_sortedai|
| mezzanine | domain_names.com_sortedad |
| mezzanine | domain_names.com_sortedao |
| mezzanine | domain_names.com_sortedap |
| mezzanine | domain_names.com_sortedaq |
| 1000i100 | domain_names.com_sortedab |
| 1000i100 | domain_names.com_sortedaj |
| 1000i100 | domain_names.com_sortedak |
| 1000i100 | domain_names.com_sortedal |
| Sacha | domain_names.org_sortedaa |
| Sacha | domain_names.org_sortedab |
| Sacha | domain_names.org_sortedab |
| Sacha | domain_names.org_sortedac |
| Sacha | domain_names.org_sortedac |
| tazi | domain_names.com_sortedac |
| tazi | domain_names.com_sortedae |
| tazi | domain_names.com_sortedam |
| tazi | domain_names.com_sortedan |
h2. Mentio
Packages: curl dig python socat tmux unbound whois 
<pre>
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
#  MENTIODNS : Check for lying DNS (France)  #
#--------------------------------------------#
#  Version 1.6 - conf file                   # 
#  Version 1.5 - test Dig resolving          #
#  Version 1.4 - Socat SSL sending results   # 
#  Version 1.3 - tld optioN                  #
#  Version 1.2 - Round robin on DNS_ISP_LIST #
#		 For each request	     #
#  Version 1.1 - Allow resume on basename    #
#  Version 1.0 - Parallel process with DIG   #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#
# This shitty script intends to brute-force the ISP's lying DNS servers, to identify which domain names
# end up on the Ministry of Interior blocking page, and compares the IP result with the one from your favorite DNS server
# Use this script with the following parameters
# $1 MODE: client server local
# $2 File source: list of domain names without tld
# $3 tld: com, org, ...
# $4 count number (if none, from zero or from the count file based on the file name)
# If you relaunch the script it checks whether it has a counter for the given file, and resumes from it
# Blacklisted sites are in the $BLACKLIST_LOG file
# Domain names whose IP differs are in $DIFF_LOG
# 1st launch creates the config file
# Copy the generated certificates (the .key and .pem files hold private keys: keep them readable by the script's user only):
# FILENAME=mentio_ssl-server
# openssl genrsa -out $FILENAME.key 1024     # 1024-bit RSA is below current recommendations, 2048 or more is advised
# openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
# cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
# FILENAME=mentio_ssl-client
# ...
72
73 16 sacha
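##########################################################
# Directory holding this script: the config file, the resolver list, the
# certificates and every log/counter file are looked up next to it.
HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
MENTIOCONF="$HOMEDIR/mentio.conf"
# Number of domain names resolved per dig batch (also the counter step)
parallel=10
# Socat server (host:port) receiving the results in "client" mode
SERVER="taz.im:65522"
##########################################################

##########################################################
### CHECK CONFIG
# First run only: ask for the reference resolver, find the ASN of the public
# IP, pick the matching ISP resolvers, write mentio.conf and stop so that the
# user can review it.  mentio.conf is read with `source` on the next run, so
# every value is written shell-quoted (printf %q): a stray quote in an answer
# can neither break the file nor be executed when it is sourced.
if [ ! -f "$MENTIOCONF" ]; then
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "1st time configuring"
  printf '%s' "IP UNBOUND ? "
  read -r DNS_MY
  if [ -z "$DNS_MY" ]; then
    echo "no resolver IP given, aborting" >&2
    exit 1
  fi

  # Public IP -> ASN (Team Cymru whois prints a header line, then
  # "<ASN> | <IP> | <name>": first field of the 2nd line).
  IP_PUB=$(curl -fsS https://ifconfig.io)
  ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n "2p")
  if [ -z "$IP_PUB" ] || [ -z "$ASN" ]; then
    echo "cannot determine the public IP / ASN (got '$IP_PUB' / '$ASN'), aborting" >&2
    exit 1
  fi
  # mentio-DNS_ISP_LIST: resolvers are taken from the 3rd field onwards
  # (assumed layout "<ASN> <name> <resolver>..." - verify against the file).
  # -w keeps the ASN from matching inside a longer number.
  DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
  DNS_ISP_LIST=$(grep -w -- "$ASN" "$DNS_LIST" | cut -d' ' -f3- | tr '\n' ' ')
  DNS_ISP_LIST=${DNS_ISP_LIST% }
  if [ -z "$DNS_ISP_LIST" ]; then
    echo "warning: no resolver known for ASN $ASN in $DNS_LIST, fill DNS_ISP_LIST by hand" >&2
  fi

  {
    printf 'HOMEDIR=%q\n' "$HOMEDIR"
    printf 'DNS_MY=%q\n' "$DNS_MY"
    printf 'DNS_ISP_LIST=%q\n' "$DNS_ISP_LIST"
  } > "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  echo " CONFIGURATION FILE:"
  echo " please check and relaunch"
  echo "------------------------------------------------------------------"
  cat "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  exit 1
fi
##########################################################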
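##########################################################
### PARAMETERS to execute the script
# Mode Log export with socat "client" "server" "local"
# (tested before the argument-count check: "server" takes no other argument)

MODE=$1

if [ "$MODE" = "server" ]; then
  # Collect the result lines sent by the clients.  socat's openssl-listen
  # verifies the peer certificate by default, so only clients presenting a
  # certificate matching mentio_ssl-client.crt are accepted.  Certificate
  # paths are taken from $HOMEDIR so the server starts from any directory.
  socat -v -u \
    "openssl-listen:65522,fork,reuseaddr,cert=$HOMEDIR/mentio_ssl-server.pem,cafile=$HOMEDIR/mentio_ssl-client.crt" \
    "OPEN:$HOMEDIR/MENTIO-DNS_DIFF,creat,append"
  exit 1
fi
##########################################################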
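##########################################################
### Check if commandline parameters are less than 3
# The usage text goes to stderr so it never ends up in a log fed from stdout.
if [ $# -lt 3 ]; then
  cat >&2 <<'EOF'
==================================================================
MENTIODNS
------------------------------------------------------------------
Missing Parameter, please enter:

mentio-check client|server|local filename tld (count number)

EOF
  exit 1
fi
##########################################################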
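##########################################################
### Get parameters

# From config file (written by the first run).  It is sourced, i.e. executed
# as shell code: keep it writable by the user running the script only.
if ! source "$MENTIOCONF"; then
  echo "cannot read $MENTIOCONF" >&2
  exit 1
fi
: "${DNS_MY:?DNS_MY missing in $MENTIOCONF}"
: "${DNS_ISP_LIST:?DNS_ISP_LIST missing in $MENTIOCONF}"

# From command line
# $2 DNS source file name: one domain name per line, without tld
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# $4 line counter from the dns source file, nothing for auto-resuming
COUNT=$4

if [ ! -r "$DNS_SOURCE" ]; then
  echo "cannot read the domain list $DNS_SOURCE" >&2
  exit 1
fi
##########################################################
### SOCAT
# Command line (word-split on purpose where it is used) pushing one result
# line to $SERVER in "client" mode.
# NOTE(review): verify=0 disables checking of the server certificate even
# though cafile= names it; dropping verify=0 (plus commonname=<CN of
# mentio_ssl-server.crt> when it differs from the host part of $SERVER) would
# authenticate the collector before results are sent to it.
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
##########################################################
### COLORS (escape sequences, expanded by printf %b / echo -e)
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
##########################################################
### Various variables
DNS_SOURCE_BASENAME=$(basename -- "$DNS_SOURCE")
DIFF_LOG="$HOMEDIR/DNS_DIFF"              # names answered differently by the ISP
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"  # names answered with the blocking page
# Line count of the list, counted like awk's NR so that a last line without
# a trailing newline is not dropped (wc -l only counts newlines).
lines=$(awk 'END { print NR }' "$DNS_SOURCE")
# Per-list counter file used to resume an interrupted run
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
# Timestamp of this run, repeated on every log line
dateus=$(date +%Y%m%d-%H%M%S)
##########################################################
### Dig parameters
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 "
##########################################################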
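##########################################################
### Generate list for dig: round robin from dns list
### Like (@DNS-server domain) x parallel
#
# Builds $url from the next $parallel names of $DNS_SOURCE, starting at line
# $count+1 ($count holds the number of names already processed, so with the
# initial 0 the first line of the list is queried instead of the
# non-existent line 0).  Each name gets the .$tld suffix and is preceded by
# an ISP resolver picked at random from $DNS_ISP_LIST:
#   " @1.2.3.4 name1.tld @5.6.7.8 name2.tld ..."
# Lines past the end of the file and empty lines are skipped rather than
# turned into empty names.
# Globals read:    count parallel DNS_SOURCE tld DNS_ISP_LIST
# Globals written: url ISP_DNS
##########################################################
_check(){
  local -a isp names
  local name
  read -r -a isp <<<"$DNS_ISP_LIST"
  mapfile -t names < <(awk -v s="$((count + 1))" -v e="$((count + parallel))" \
    'NR >= s { print } NR >= e { exit }' "$DNS_SOURCE")
  url=""
  for name in "${names[@]}"; do
    [ -n "$name" ] || continue
    if (( ${#isp[@]} > 0 )); then
      ISP_DNS=${isp[RANDOM % ${#isp[@]}]}
    else
      ISP_DNS=""
    fi
    url="$url @$ISP_DNS $name.$tld"
  done
}
##########################################################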
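##########################################################
### Counter: create one if not existing, use existing instead
# $count = number of names of $DNS_SOURCE already processed.  It comes from
# $4 when given, otherwise from the per-list counter file (resume), else 0.
# The value feeds awk and shell arithmetic, so anything but a non-negative
# integer is rejected instead of silently producing an empty batch.
if [ -z "$COUNT" ]; then
  if [ -f "$countfile" ]; then
    read -r count < "$countfile"
  else
    count=0
  fi
else
  count=$COUNT
fi
case $count in
  ''|*[!0-9]*)
    echo "invalid counter '$count' (from \$4 or $countfile)" >&2
    exit 1
    ;;
esac
# Best effort: a counter that cannot be saved only disables resuming.
printf '%s\n' "$count" 2>/dev/null > "$countfile" ||
  echo "warning: cannot write the counter file $countfile" >&2
##########################################################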
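##########################################################
### MAIN LOOP
# One iteration = one batch of $parallel names from the list.  Both resolvers
# are asked for the whole batch first; only when the two (sorted) answers
# differ is every name of the batch resolved again on its own, to tell which
# name the ISP resolver answers differently, and how.
#
# The loop runs while the counter is below the line count rather than until
# it is equal: the counter moves by $parallel, so a list whose length is not
# a multiple of $parallel would never reach the exact value and loop forever.

# IP prefix of the blocking page served by the lying resolvers (see the
# "Test" section of this page: 90.85.16.52).  Answers starting with it go to
# $BLACKLIST_LOG, any other difference to $DIFF_LOG.  Overridable from the
# environment.
MENTIO_BLOCK_PREFIX=${MENTIO_BLOCK_PREFIX:-90.85.}

# ISP resolvers as an array, so that picking one at random needs no fork.
read -r -a _isp_pool <<<"$DNS_ISP_LIST"

#######################################
# Normalise dig +short output: addresses sorted numerically and joined on
# one line, so two answers compare equal whenever they hold the same records.
# Inputs:  dig output on stdin
# Outputs: one line on stdout (empty when dig returned nothing)
#######################################
_sorted_answer() {
  sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' '
}

#######################################
# Print one colored line.  The text goes through %s, so a domain name taken
# from the list cannot inject terminal escapes; only the color codes are
# interpreted (%b, as echo -e did).
# Arguments: $1 color escape, $2 text
#######################################
_cecho() {
  printf '%b%s%b\n' "$1" "$2" "$NC"
}

#######################################
# Record one name whose ISP answer differs from the reference answer: on the
# terminal, in the given log file and, in client mode, on the collector
# through $SENDSOCAT (same line, with the hostname after the timestamp).
# Arguments: $1 marker ("!!!" blocking page, ">>>" other difference)
#            $2 color  $3 log file  $4 name  $5 ISP resolver
#            $6 reference answer  $7 ISP answer
#######################################
_report() {
  local marker=$1 color=$2 logfile=$3 name=$4 isp=$5 real=$6 lie=$7
  local detail="SITE:$name ISPDNS:$isp REAL:$real MENTIO:$lie"
  if [ "$MODE" = "client" ]; then
    # shellcheck disable=SC2086 -- $SENDSOCAT is a command line, split on purpose
    printf '%s\n' "$marker $dateus $(hostname) $detail" | $SENDSOCAT
  fi
  _cecho "$color" " $marker $dateus $detail "
  printf '%s\n' "$marker $dateus $detail" >> "$logfile"
}

while [ "${count:-0}" -lt "${lines:-0}" ]; do
  printf '%s\n' "$count" > "$countfile"
  _check
  site="$url"
  echo "-------------------------------------------------------------------------------"
  printf '%s\n' "#$count $dateus SITE:$site"

  # $DIG_SLOW is an option list and $site a list of "@resolver name.tld"
  # pairs: both are word-split on purpose.
  # NOTE(review): the reference query names @$DNS_MY *and* the per-name
  # @resolver tokens of $site in one dig command; how dig arbitrates between
  # several @server tokens decides which resolver really answers this batch
  # - verify.
  # shellcheck disable=SC2086
  nomentio=$(dig @"$DNS_MY" $DIG_SLOW $site | _sorted_answer)
  [ -n "$nomentio" ] || _cecho "$GRAY" " Unknown zone $site "
  # shellcheck disable=SC2086
  mentio=$(dig $DIG_SLOW $site | _sorted_answer)
  [ -n "$mentio" ] || _cecho "$GRAY" " Unknown zone $site "

  if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
    if [ "$nomentio" = "$mentio" ]; then
      _cecho "$GREEN" "#$count  SITE:$site  "
    else
      # shellcheck disable=SC2086
      for i in $site; do
        # "@resolver" tokens are resolver addresses, not names to check
        case $i in @*) continue ;; esac
        # shellcheck disable=SC2086
        nomentio1=$(dig $DIG_FAST @"$DNS_MY" "$i" | _sorted_answer)
        [ -n "$nomentio1" ] || _cecho "$GRAY" " Unknown zone $i "
        # second opinion from a random ISP resolver
        if (( ${#_isp_pool[@]} > 0 )); then
          ISP_DNS=${_isp_pool[RANDOM % ${#_isp_pool[@]}]}
        else
          ISP_DNS=""
        fi
        # shellcheck disable=SC2086
        mentio1=$(dig $DIG_FAST @"$ISP_DNS" "$i" | _sorted_answer)
        [ -n "$mentio1" ] || _cecho "$GRAY" " Unknown zone $i "
        if [ "$nomentio1" != "$mentio1" ]; then
          if [[ $mentio1 == "$MENTIO_BLOCK_PREFIX"* ]]; then
            _report "!!!" "$RED" "$BLACKLIST_LOG" "$i" "$ISP_DNS" "$nomentio1" "$mentio1"
          else
            _report ">>>" "$YELLOW" "$DIFF_LOG" "$i" "$ISP_DNS" "$nomentio1" "$mentio1"
          fi
        fi
      done
    fi
  fi

  count=$((count + parallel))
done
##########################################################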
</pre>
h2. Test (valide au 14/06/18)
 dig +short shahamat1.com
 90.85.16.52
h2. Liste de serveurs DNS FAI Français
h3. Free - ASN12322
212.27.40.240
212.27.40.241
212.27.40.244
212.27.40.245
h3. Bouygues - ASN5410
194.158.122.10
194.158.122.15
h3. SFR/Numericable - ASN5410
89.2.0.1
89.2.0.2
h3. SFR - ASN15557
109.0.66.10
109.0.66.20
h3. Orange - ASN3215
80.10.246.1
80.10.246.2
80.10.246.3
80.10.246.5
80.10.246.7
80.10.246.129
80.10.246.130
80.10.246.132
80.10.246.134
80.10.246.136
81.253.149.1
81.253.149.2
81.253.149.6
81.253.149.9
81.253.149.10
h3. OBS (ouverts)
194.2.0.20
194.2.0.50
h2. Vigies de la neutralité
https://ooni.torproject.org
https://respectmynet.eu
h2. Cadre légal
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte=20180619
h2. Unbound
<pre>
# Unbound used as the reference resolver (DNS_MY in mentio.conf): it listens
# on loopback only and refuses every other source address.
server:
 verbosity: 1
 interface: 127.0.0.1
 do-ip4: yes
 do-ip6: no
 do-udp: yes
 # NOTE(review): with TCP off, an answer too large for UDP cannot be retried
 # over TCP; acceptable for the short "+short" A lookups the script sends.
 do-tcp: no
 access-control: 127.0.0.0/8 allow 
 access-control: 0.0.0.0/0 refuse
 logfile: /var/log/unbound
 # do not answer identity / version queries
 hide-identity: yes
 hide-version: yes
 harden-glue: yes
 use-caps-for-id: yes
 do-not-query-localhost: yes
</pre>
h2. Ansible divers
Copy file:
 ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
Copy file single host:
 ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
ansible-playbook /etc/ansible/playbooks/mentio.yml 
<pre>
---

# Push the script, the ISP resolver list and the TLS material to every host
# of the "mentio" group (~/MENTIODNS/ is the HOMEDIR the script expects).
- hosts: mentio 
  # legacy privilege-escalation key; current Ansible spells it "become: no"
  sudo: no
  tasks:
    - name: copyfiles 
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      # NOTE(review): mentio_ssl-client.key and .pem hold the client's private
      # key; copying them in a task of their own with mode: '0600' keeps them
      # readable by the script's user only.
      with_items:
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt',dest: '~/MENTIODNS/' }
</pre>