
sacha, 25/06/2018 23:39

h1. Mentiodns
Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;)
h2. Noeud actifs
|_. Nom |_. Bloc |
| dam | domain_names.com_sortedaf |
| dam | domain_names.com_sortedag |
| dam | domain_names.com_sortedah |
| dam | domain_names.com_sortedai |
| mezzanine | domain_names.com_sortedad |
| mezzanine | domain_names.com_sortedao |
| mezzanine | domain_names.com_sortedap |
| mezzanine | domain_names.com_sortedaq |
| 1000i100 | domain_names.com_sortedab |
| 1000i100 | domain_names.com_sortedaj |
| 1000i100 | domain_names.com_sortedak |
| 1000i100 | domain_names.com_sortedal |
| sacha | domain_names.org_sortedaa |
| sacha | domain_names.org_sortedab |
| sacha | domain_names.org_sortedac |
| sacha | domain_names.org_sortedad |
| tazi | domain_names.com_sortedac |
| tazi | domain_names.com_sortedae |
| tazi | domain_names.com_sortedam |
| tazi | domain_names.com_sortedan |
h2. Mentio
Packages: curl dig python socat tmux unbound whois 
<pre>
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
#  MENTIODNS : Check for lying DNS (France)  #
#--------------------------------------------#
#  Version 1.6 - conf file                   #
#  Version 1.5 - test Dig resolving          #
#  Version 1.4 - Socat SSL sending results   #
#  Version 1.3 - tld option                  #
#  Version 1.2 - Round robin on DNS_ISP_LIST #
#                for each request            #
#  Version 1.1 - Allow resume on basename    #
#  Version 1.0 - Parallel process with DIG   #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#

# Purpose: walk a list of domain names and resolve each one twice, once
# through your own resolver (DNS_MY, e.g. a local unbound) and once through
# the ISP resolvers (DNS_ISP_LIST), to spot ISP resolvers that answer with
# the Ministry of Interior blocking page instead of the real address.
#
# Usage: mentio-check MODE FILE TLD [COUNT]
#   $1 MODE   client | server | local  (client: also ship results over socat)
#   $2 FILE   list of domain names, one per line, WITHOUT the tld
#   $3 TLD    com, org, ...
#   $4 COUNT  line offset to start from; when omitted the per-file counter
#             file is used, so an interrupted run resumes where it stopped
#
# Output files (all in $HOMEDIR):
#   $BLACKLIST_LOG  names whose ISP answer is the blocking page
#   $DIFF_LOG       names whose ISP answer merely differs from DNS_MY
#
# First launch: mentio.conf does not exist yet, so the script asks for the
# unbound IP, guesses the ISP resolvers from the public IP's ASN, writes the
# config file and exits so it can be reviewed before the first real run.
#
# Certificates for the socat channel (generate once, copy to every node;
# 1024-bit RSA is below current recommendations, use 2048+ when regenerating):
#   FILENAME=mentio_ssl-server
#   openssl genrsa -out $FILENAME.key 1024
#   openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
#   cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
#   FILENAME=mentio_ssl-client
#   ...
##########################################################
# Directory holding the script; config, logs and certificates live next to it.
HOMEDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Written on the first run, sourced on every later run (it may redefine HOMEDIR).
MENTIOCONF="${HOMEDIR}/mentio.conf"
# Number of names handed to a single dig invocation (one batch).
parallel=10
# host:port of the socat collector used in "client" mode.
SERVER="taz.im:65522"
##########################################################
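##########################################################
### CHECK CONFIG
# First run only (no config file yet): ask for the unbound IP, guess the ISP
# resolvers from the ASN of our public IP, write mentio.conf and stop so the
# operator can review it before anything is resolved or sent anywhere.
if [ ! -f "$MENTIOCONF" ]; then
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "1st time configuring"
  printf 'IP UNBOUND ? '
  # -r keeps backslashes literal in whatever the operator types.
  read -r DNS_MY

  # Public IP -> ASN.  Team Cymru whois: line 1 is the header, line 2 the data.
  # -f: fail silently on HTTP errors, -sS: quiet but still report failures.
  IP_PUB=$(curl -fsS https://ifconfig.io)
  ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n '2p')
  DNS_LIST="${HOMEDIR}/mentio-DNS_ISP_LIST"
  DNS_ISP_LIST=""
  if [[ "$ASN" =~ ^[0-9]+$ ]]; then
    # -F: the ASN is matched as a fixed string, not a regex, so the whois
    # output cannot change the meaning of the pattern.  Fields 3.. hold the
    # resolver IPs.
    DNS_ISP_LIST=$(grep -F -- "$ASN" "$DNS_LIST" | cut -d' ' -f3-)
  else
    echo "Could not determine the ASN for '$IP_PUB' (got '$ASN'); fill DNS_ISP_LIST by hand." >&2
  fi

  # The config file is later executed with 'source', so every value is
  # written as a shell-quoted word (%q) instead of being pasted verbatim.
  {
    printf 'HOMEDIR=%q\n' "$HOMEDIR"
    printf 'DNS_MY=%q\n' "$DNS_MY"
    printf 'DNS_ISP_LIST=%q\n' "$DNS_ISP_LIST"
  } > "$MENTIOCONF"

  echo "------------------------------------------------------------------"
  echo " CONFIGURATION FILE:"
  echo " please check and relaunch"
  echo "------------------------------------------------------------------"
  cat "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  exit 1
fi
##########################################################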
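##########################################################
### PARAMETERS to execute the script
# $1 MODE: where the results go.
#   "server": run the collector (TLS listener appending to MENTIO-DNS_DIFF)
#   "client": resolve and ship results to $SERVER over socat
#   "local" : resolve only, log to the local files
MODE=$1

# The quotes matter: with no arguments "$MODE" is empty, and an unquoted
# test fails with "unary operator expected" instead of comparing.
if [ "$MODE" == "server" ]; then
  # Certificates are looked up next to the script, as the client side already
  # does, so the server no longer depends on the current working directory.
  # cafile= is what the listener checks the client certificate against.
  socat -v -u \
    "openssl-listen:65522,fork,reuseaddr,cert=${HOMEDIR}/mentio_ssl-server.pem,cafile=${HOMEDIR}/mentio_ssl-client.crt" \
    "OPEN:${HOMEDIR}/MENTIO-DNS_DIFF,creat,append"
  exit 1
fi
##########################################################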
121
122
123
##########################################################
124
### Check if commandline parameters are less than 3
125
126 1 sacha
if [ $# -lt 3 ]; then
127
echo "=================================================================="
128
echo "MENTIODNS"
129
echo "------------------------------------------------------------------"
130 14 sacha
echo "Missing Parameter, please enter:"
131 13 sacha
echo
132 1 sacha
echo "mentio-check client|server|local filename tld (count number)"
133 13 sacha
echo
134
exit 1
135
fi
136 16 sacha
##########################################################
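##########################################################
### Get parameters

# From config file (HOMEDIR, DNS_MY, DNS_ISP_LIST).  The file is executed as
# shell code, so keep it writable only by the user running the script, and
# abort if it cannot be loaded instead of continuing with empty resolvers.
if ! source "$MENTIOCONF"; then
  echo "Cannot load config file '$MENTIOCONF'" >&2
  exit 1
fi

# From command line
# $2 DNS source file name: one domain name per line, without tld
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# $4 line counter into the dns source file; empty means auto-resume from the
# per-file counter file
COUNT=$4
##########################################################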
##########################################################
154
### SOCAT
155
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
156 16 sacha
##########################################################
157 13 sacha
### COLORS 
158
RED='\e[31m'
159
GREEN='\e[32m'
160
YELLOW='\e[33m'
161 1 sacha
GRAY='\e[90m'
162
NC='\033[0m' # No Color
163 16 sacha
##########################################################
164
### Various variables
165 13 sacha
DNS_SOURCE_BASENAME=`basename $DNS_SOURCE`
166 1 sacha
DIFF_LOG="$HOMEDIR/DNS_DIFF"
167
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
168
lines=`wc -l $DNS_SOURCE|awk -F " " '{print $1}'`
169 13 sacha
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
170 4 sacha
dateus=`date +%Y%m%d-%H%M%S`
171 16 sacha
##########################################################
172
### Dig parameters
173 1 sacha
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
174
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 "
175 16 sacha
##########################################################
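##########################################################
### Generate list for dig: round robin from dns list
### Like (@DNS-server domain) x parallel
#######################################
# Build the argument list for one dig batch.
# Globals:   count (read)        - number of names already processed (0-based)
#            parallel (read)     - names per batch
#            DNS_SOURCE (read)   - file with one name per line, no tld
#            tld (read)          - tld appended to every name
#            DNS_ISP_LIST (read) - space separated ISP resolver IPs
#            url (written)       - " @ISP name.tld" repeated, one pair per
#                                  name; consumed unquoted by the main loop
# Returns:   0, or 1 when DNS_ISP_LIST is empty (url is then empty)
#######################################
_check() {
  local name pick
  local -a pool names
  url=""
  # Intentional word splitting: DNS_ISP_LIST is a space separated list.
  # shellcheck disable=SC2206
  pool=($DNS_ISP_LIST)
  if [ "${#pool[@]}" -eq 0 ]; then
    echo "DNS_ISP_LIST is empty, nothing to query" >&2
    return 1
  fi
  # One awk pass fetches the whole batch.  awk's NR is 1-based while count is
  # a 0-based offset, hence the +1 (the former "count + i" asked for line 0
  # and skipped line 1 of the file).  Past the end of the file the range is
  # simply shorter (last, partial batch).
  mapfile -t names < <(awk -v s="$(( count + 1 ))" -v e="$(( count + parallel ))" \
    'NR >= s && NR <= e { print } NR > e { exit }' "$DNS_SOURCE")
  for name in "${names[@]}"; do
    # Blank lines in the source would become a query for ".$tld"; skip them.
    [ -n "$name" ] || continue
    # One ISP resolver picked at random for this name (round robin-ish).
    pick=${pool[RANDOM % ${#pool[@]}]}
    url="$url @$pick $name.$tld"
  done
}
##########################################################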
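##########################################################
### Counter: create one if not existing, use existing instead
# count = number of names already processed for this source file.
#   $4 given   -> start there and reset the counter file
#   $4 missing -> resume from the counter file, or start at 0 and create it
if [ -z "$COUNT" ]; then
  if [ -f "$countfile" ]; then
    count=$(< "$countfile")
    # A damaged counter file must not feed garbage into the arithmetic below.
    if ! [[ "$count" =~ ^[0-9]+$ ]]; then
      echo "Ignoring invalid counter '$count' in $countfile, restarting at 0" >&2
      count=0
    fi
  else
    count=0
    echo "$count" > "$countfile"
  fi
else
  count=$COUNT
  echo "$count" > "$countfile"
fi
##########################################################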
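##########################################################
### MAIN LOOP
# Address prefix that identifies the blocking page in an ISP answer.  The
# default is the range seen on this page's test (shahamat1.com -> 90.85.16.52);
# it can be overridden from the environment if the page moves.
BLOCKPAGE_PREFIX="${BLOCKPAGE_PREFIX:-90.85.}"

# ISP resolvers for the per-name re-check, one picked at random per name.
# Intentional word splitting of the space separated list.
# shellcheck disable=SC2206
isp_pool=($DNS_ISP_LIST)
if [ "${#isp_pool[@]}" -eq 0 ]; then
  echo "DNS_ISP_LIST is empty; check $MENTIOCONF" >&2
  exit 1
fi

#######################################
# Resolve with dig and normalise the answer to one line of sorted IPs.
# Arguments: dig arguments (options, @server, names); callers pass $DIG_SLOW
#            and $site unquoted on purpose so they split into words
# Outputs:   space separated IPs sorted numerically per octet, or nothing
#######################################
_resolve() {
  dig "$@" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' '
}

#######################################
# Record one mismatching name: console (coloured), log file, and the socat
# collector when running in client mode.
# Arguments: $1 - marker ("!!!" blocking page, ">>>" other difference)
#            $2 - colour escape for the console line
#            $3 - log file to append to
#            $4 - name, $5 - ISP resolver, $6 - DNS_MY answer, $7 - ISP answer
#######################################
_report() {
  local marker=$1 colour=$2 logfile=$3 name=$4 isp=$5 real=$6 lying=$7
  local line="$marker $dateus SITE:$name ISPDNS:$isp REAL:$real MENTIO:$lying"
  if [ "$MODE" == "client" ]; then
    # Intentional word splitting of the socat command string.
    # shellcheck disable=SC2086
    echo "$marker $dateus $(hostname) SITE:$name ISPDNS:$isp REAL:$real MENTIO:$lying" | $SENDSOCAT
  fi
  echo -e "$colour $line $NC"
  echo "$line" >> "$logfile"
}

# "count < lines" (instead of "count != lines") also ends the run when the
# number of names is not a multiple of $parallel, which used to loop forever.
while (( ${count:-0} < ${lines:-0} )); do
  echo "$count" > "$countfile"
  _check
  site="$url"
  echo "-------------------------------------------------------------------------------"
  echo "#$count $dateus SITE:$site"

  # Whole batch in one dig each: our resolver vs. the system (ISP) resolver.
  # $DIG_SLOW and $site are meant to split into several arguments.
  # shellcheck disable=SC2086
  nomentio=$(_resolve @"$DNS_MY" $DIG_SLOW $site)
  [ -n "$nomentio" ] || echo -e "$GRAY Unknown zone $site $NC"
  # shellcheck disable=SC2086
  mentio=$(_resolve $DIG_SLOW $site)
  [ -n "$mentio" ] || echo -e "$GRAY Unknown zone $site $NC"

  if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
    if [ "$nomentio" != "$mentio" ]; then
      # The batch differs: re-check name by name to find the culprit(s).
      # $site is a sequence of "@ISP name" words; the "@ISP" words are dig
      # server selectors, not names, and must not be re-queried (doing so
      # asked both resolvers for "." and wasted two queries per resolver).
      # shellcheck disable=SC2086
      for i in $site; do
        case $i in @*) continue ;; esac
        # shellcheck disable=SC2086
        nomentio1=$(_resolve $DIG_FAST @"$DNS_MY" "$i")
        [ -n "$nomentio1" ] || echo -e "$GRAY Unknown zone $i $NC"
        ISP_DNS=${isp_pool[RANDOM % ${#isp_pool[@]}]}
        # shellcheck disable=SC2086
        mentio1=$(_resolve $DIG_FAST @"$ISP_DNS" "$i")
        [ -n "$mentio1" ] || echo -e "$GRAY Unknown zone $i $NC"
        if [ "$nomentio1" != "$mentio1" ]; then
          if [[ "$mentio1" == "$BLOCKPAGE_PREFIX"* ]]; then
            _report "!!!" "$RED" "$BLACKLIST_LOG" "$i" "$ISP_DNS" "$nomentio1" "$mentio1"
          else
            _report ">>>" "$YELLOW" "$DIFF_LOG" "$i" "$ISP_DNS" "$nomentio1" "$mentio1"
          fi
        fi
      done
    else
      echo -e "$GREEN#$count  SITE:$site  $NC"
    fi
  fi

  count=$(( count + parallel ))
done
# Persist the final position so a relaunch does not redo the last batch.
echo "$count" > "$countfile"
##########################################################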
</pre>
h2. Test (valide au 14/06/18)
 dig +short shahamat1.com
 90.85.16.52
h2. Liste de serveurs DNS FAI Français
h3. Free - ASN12322
212.27.40.240
212.27.40.241
212.27.40.244
212.27.40.245
h3. Bouygues - ASN5410
194.158.122.10
194.158.122.15
h3. SFR/Numericable - ASN5410
89.2.0.1
89.2.0.2
h3. SFR - ASN15557
109.0.66.10
109.0.66.20
h3. Orange - ASN3215
80.10.246.1
80.10.246.2
80.10.246.3
80.10.246.5
80.10.246.7
80.10.246.129
80.10.246.130
80.10.246.132
80.10.246.134
80.10.246.136
81.253.149.1
81.253.149.2
81.253.149.6
81.253.149.9
81.253.149.10
h3. OBS (ouverts)
194.2.0.20
194.2.0.50
h2. Vigies de la neutralité
https://ooni.torproject.org
https://respectmynet.eu
h2. Cadre légal
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte=20180619
h2. Unbound
<pre>
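server:
 verbosity: 1
 # Listen on loopback only; the checker's DNS_MY is therefore 127.0.0.1.
 interface: 127.0.0.1
 do-ip4: yes
 do-ip6: no
 do-udp: yes
 # do-tcp controls both answering and issuing TCP queries.  With "no", a
 # truncated UDP answer (large record sets) can never be retried over TCP,
 # so resolution of those names fails; keep TCP enabled.
 do-tcp: yes
 # Only local clients may query; everything else is refused.
 access-control: 127.0.0.0/8 allow
 access-control: 0.0.0.0/0 refuse
 logfile: /var/log/unbound
 # Do not disclose the resolver software and version (id.server, version.bind).
 hide-identity: yes
 hide-version: yes
 # Only accept glue that lies within the delegating server's authority.
 harden-glue: yes
 # Randomise the 0x20 bit of query names to make forged answers harder to match.
 use-caps-for-id: yes
 do-not-query-localhost: yes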
</pre>
h2. Ansible divers
Copy file:
 ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
Copy file single host:
 ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
ansible-playbook /etc/ansible/playbooks/mentio.yml 
<pre>
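---
# Push the checker script, the ISP resolver list and the socat certificates
# to every node of the "mentio" group.
- hosts: mentio
  # "sudo:" is the pre-become spelling and is deprecated; "become:" is the
  # supported keyword with the same meaning.
  become: no
  tasks:
    - name: copyfiles
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        # Files carrying the client private key (.key, and the .pem built from
        # key + cert) are made owner-readable only; the others keep the default.
        mode: "{{ item.mode | default(omit) }}"
      with_items:
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key', dest: '~/MENTIODNS/', mode: '0600' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem', dest: '~/MENTIODNS/', mode: '0600' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt', dest: '~/MENTIODNS/' }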
</pre>