Mentiodns » Historique » Version 26
sacha, 25/06/2018 23:39
| 1 | 1 | sacha | h1. Mentiodns |
|---|---|---|---|
| 2 | |||
| 3 | Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;) |
||
| 4 | |||
| 5 | 4 | sacha | h2. Noeud actifs |
| 6 | |||
| 7 | |_. Nom |_. Bloc | |
||
| 8 | 23 | sacha | | dam | domain_names.com_sortedaf| |
| 9 | | dam | domain_names.com_sortedag| |
||
| 10 | | dam | domain_names.com_sortedah| |
||
| 11 | | dam | domain_names.com_sortedai| |
||
| 12 | 24 | sacha | | mezzanine | domain_names.com_sortedad | |
| 13 | | mezzanine | domain_names.com_sortedao | |
||
| 14 | | mezzanine | domain_names.com_sortedap | |
||
| 15 | | mezzanine | domain_names.com_sortedaq | |
||
| 16 | | 1000i100 | domain_names.com_sortedab | |
||
| 17 | | 1000i100 | domain_names.com_sortedaj | |
||
| 18 | | 1000i100 | domain_names.com_sortedak | |
||
| 19 | | 1000i100 | domain_names.com_sortedal | |
||
| 20 | 26 | sacha | | sacha | domain_names.org_sortedaa | |
| 21 | | sacha | domain_names.org_sortedab | |
||
| 22 | | sacha | domain_names.org_sortedac | |
||
| 23 | | sacha | domain_names.org_sortedad | |
||
| 24 | 24 | sacha | | tazi | domain_names.com_sortedac | |
| 25 | | tazi | domain_names.com_sortedae | |
||
| 26 | | tazi | domain_names.com_sortedam | |
||
| 27 | | tazi | domain_names.com_sortedan | |
||
| 28 | 18 | sacha | |
| 29 | 4 | sacha | h2. Mentio |
| 30 | |||
| 31 | 19 | sacha | Packages: curl dig python socat tmux unbound whois |
| 32 | |||
| 33 | 4 | sacha | <pre> |
| 34 | #-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-# |
||
| 35 | # MENTIODNS : Check for lying DNS (France) # |
||
| 36 | #--------------------------------------------# |
||
| 37 | 16 | sacha | # Version 1.6 - conf file # |
| 38 | 13 | sacha | # Version 1.5 - test Dig resolving # |
| 39 | # Version 1.4 - Socat SSL sending results # |
||
| 40 | # Version 1.3 - tld optioN # |
||
| 41 | 1 | sacha | # Version 1.2 - Round robin on DNS_ISP_LIST # |
| 42 | 13 | sacha | # For each request # |
| 43 | 4 | sacha | # Version 1.1 - Allow resume on basename # |
| 44 | # Version 1.0 - Parallel process with DIG # |
||
| 45 | #--------------------------------------------# |
||
| 46 | 1 | sacha | # (c) Sacha at Aquilenet.fr part of FFDN.org # |
| 47 | #--------------------------------------------# |
||
| 48 | |||
| 49 | # This shity script intend to bruteforce the ISP lying DNS Servers to identify which one |
||
| 50 | # is going on Ministry of Interior Blocking page and compare the IP result from your favorite DNS server |
||
| 51 | 16 | sacha | # Use this script with the following parameters |
| 52 | # $1 MODE: client server local |
||
| 53 | # $2 File source: list of domain names whithout tld |
||
| 54 | # $3 tld: com, org, ... |
||
| 55 | # $4 count number (if none from zero or from count file based on file name) |
||
| 56 | |||
| 57 | |||
| 58 | 1 | sacha | # If you relanch the script it will check if it has a counter for the given file to resume |
| 59 | # Blacklisted sites in $BLACKLIST_LOG file |
||
| 60 | 13 | sacha | # Diff ip from a domain name are in $DIFF_LOG |
| 61 | 1 | sacha | |
| 62 | 13 | sacha | # 1st launch creating config file |
| 63 | 1 | sacha | |
| 64 | 14 | sacha | # Copy generated certificates: |
| 65 | # FILENAME=mentio_ssl-server |
||
| 66 | 1 | sacha | # openssl genrsa -out $FILENAME.key 1024 |
| 67 | 13 | sacha | # openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt |
| 68 | 1 | sacha | # cat $FILENAME.key $FILENAME.crt >$FILENAME.pem |
| 69 | 13 | sacha | # FILENAME=mentio_ssl-client |
| 70 | # ... |
||
| 71 | |||
| 72 | 16 | sacha | ########################################################## |
| 73 | 1 | sacha | HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
| 74 | 13 | sacha | MENTIOCONF="$HOMEDIR/mentio.conf" |
| 75 | # Number of parallel requests thruw dig |
||
| 76 | parallel=10 |
||
| 77 | 17 | sacha | # Socat server |
| 78 | SERVER="taz.im:65522" |
||
| 79 | 16 | sacha | ########################################################## |
| 80 | 1 | sacha | |
| 81 | 16 | sacha | |
| 82 | ########################################################## |
||
| 83 | 13 | sacha | ### CHECK CONFIG |
| 84 | if [ ! -f $MENTIOCONF ]; then |
||
| 85 | echo "==================================================================" |
||
| 86 | echo "MENTIODNS" |
||
| 87 | echo "------------------------------------------------------------------" |
||
| 88 | echo "1st time configuring" |
||
| 89 | echo -n "IP UNBOUND ? " |
||
| 90 | read DNS_MY |
||
| 91 | 1 | sacha | |
| 92 | 13 | sacha | echo 'HOMEDIR="'$HOMEDIR'"' > $MENTIOCONF |
| 93 | echo 'DNS_MY="'$DNS_MY'"' >> $MENTIOCONF |
||
| 94 | 1 | sacha | IP_PUB=`curl ifconfig.io` |
| 95 | 13 | sacha | ASN=`whois -h whois.cymru.com $IP_PUB |cut -d' ' -f1|sed -n "2p"` |
| 96 | 1 | sacha | DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST" |
| 97 | DNS_ISP_LIST=`grep $ASN $DNS_LIST|cut -d' ' -f3-` |
||
| 98 | echo 'DNS_ISP_LIST="'$DNS_ISP_LIST'"' >> $MENTIOCONF |
||
| 99 | echo "------------------------------------------------------------------" |
||
| 100 | echo " CONFIGURATION FILE:" |
||
| 101 | echo " please check and relaunch" |
||
| 102 | echo "------------------------------------------------------------------" |
||
| 103 | cat $MENTIOCONF |
||
| 104 | echo "------------------------------------------------------------------" |
||
| 105 | exit 1 |
||
| 106 | fi |
||
| 107 | 16 | sacha | ########################################################## |
| 108 | 1 | sacha | |
| 109 | 16 | sacha | |
| 110 | ########################################################## |
||
| 111 | ### PARAMETERS to execute the script |
||
| 112 | # Mode Log export with socat "client" "server" "local" |
||
| 113 | |||
| 114 | MODE=$1 |
||
| 115 | |||
| 116 | if [ $MODE == "server" ]; then |
||
| 117 | socat -v -u openssl-listen:65522,fork,reuseaddr,cert=mentio_ssl-server.pem,cafile=mentio_ssl-client.crt OPEN:$HOMEDIR/MENTIO-DNS_DIFF,creat,append |
||
| 118 | exit 1 |
||
| 119 | fi |
||
| 120 | ########################################################## |
||
| 121 | |||
| 122 | |||
| 123 | ########################################################## |
||
| 124 | ### Check if commandline parameters are less than 3 |
||
| 125 | |||
| 126 | 1 | sacha | if [ $# -lt 3 ]; then |
| 127 | echo "==================================================================" |
||
| 128 | echo "MENTIODNS" |
||
| 129 | echo "------------------------------------------------------------------" |
||
| 130 | 14 | sacha | echo "Missing Parameter, please enter:" |
| 131 | 13 | sacha | echo |
| 132 | 1 | sacha | echo "mentio-check client|server|local filename tld (count number)" |
| 133 | 13 | sacha | echo |
| 134 | exit 1 |
||
| 135 | fi |
||
| 136 | 16 | sacha | ########################################################## |
| 137 | 13 | sacha | |
| 138 | 16 | sacha | |
| 139 | ########################################################## |
||
| 140 | ### Get parameters |
||
| 141 | |||
| 142 | # From config file |
||
| 143 | 1 | sacha | source $MENTIOCONF |
| 144 | 13 | sacha | |
| 145 | 16 | sacha | # From command line |
| 146 | 1 | sacha | # $2 DNS source file name |
| 147 | 13 | sacha | DNS_SOURCE=$2 |
| 148 | 1 | sacha | # $3 TLD name (com, org...) |
| 149 | 13 | sacha | tld=$3 |
| 150 | 1 | sacha | # line counter from the dns source file, nothing for auto-resuming |
| 151 | COUNT=$4 |
||
| 152 | 16 | sacha | |
| 153 | 13 | sacha | ########################################################## |
| 154 | ### SOCAT |
||
| 155 | SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt" |
||
| 156 | 16 | sacha | ########################################################## |
| 157 | 13 | sacha | ### COLORS |
| 158 | RED='\e[31m' |
||
| 159 | GREEN='\e[32m' |
||
| 160 | YELLOW='\e[33m' |
||
| 161 | 1 | sacha | GRAY='\e[90m' |
| 162 | NC='\033[0m' # No Color |
||
| 163 | 16 | sacha | ########################################################## |
| 164 | ### Various variables |
||
| 165 | 13 | sacha | DNS_SOURCE_BASENAME=`basename $DNS_SOURCE` |
| 166 | 1 | sacha | DIFF_LOG="$HOMEDIR/DNS_DIFF" |
| 167 | BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED" |
||
| 168 | lines=`wc -l $DNS_SOURCE|awk -F " " '{print $1}'` |
||
| 169 | 13 | sacha | countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME" |
| 170 | 4 | sacha | dateus=`date +%Y%m%d-%H%M%S` |
| 171 | 16 | sacha | ########################################################## |
| 172 | ### Dig parameters |
||
| 173 | 1 | sacha | DIG_FAST="+nodnssec +short +timeout=1 +tries=2" |
| 174 | DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 " |
||
| 175 | 16 | sacha | ########################################################## |
| 176 | 13 | sacha | |
| 177 | 16 | sacha | |
| 178 | ########################################################## |
||
| 179 | ### Generate list for dig: round robin from dns list |
||
| 180 | ### Like (@DNS-server domain) x parallel |
||
| 181 | 1 | sacha | _check(){ |
| 182 | i=0 |
||
| 183 | 13 | sacha | url="" |
| 184 | while [ $i -lt $parallel ] |
||
| 185 | 1 | sacha | do |
| 186 | n=`expr $count + $i` |
||
| 187 | ISP_DNS=`echo $DNS_ISP_LIST | xargs -n 1| sort -R | head -n 1` |
||
| 188 | url="$url @$ISP_DNS `awk -v n="${n}" 'NR==n {print;exit}' $DNS_SOURCE`.$tld" |
||
| 189 | i=`expr $i + 1` |
||
| 190 | done |
||
| 191 | } |
||
| 192 | 16 | sacha | ########################################################## |
| 193 | 1 | sacha | |
| 194 | |||
| 195 | 16 | sacha | ########################################################## |
| 196 | ### Counter: create one if not existing, use existing instead |
||
| 197 | 1 | sacha | if [ -z $COUNT ]; then |
| 198 | 13 | sacha | if [ -f $countfile ]; then |
| 199 | 1 | sacha | count=`cat $countfile` |
| 200 | else |
||
| 201 | 13 | sacha | count=0 |
| 202 | echo $count > $countfile |
||
| 203 | fi |
||
| 204 | else count=$COUNT |
||
| 205 | echo $count > $countfile |
||
| 206 | 4 | sacha | fi |
| 207 | 16 | sacha | ########################################################## |
| 208 | 4 | sacha | |
| 209 | 16 | sacha | |
| 210 | ########################################################## |
||
| 211 | ### MAIN LOOP |
||
| 212 | |||
| 213 | 4 | sacha | while [ "$count" != "$lines" ]; do |
| 214 | echo $count > $countfile |
||
| 215 | _check |
||
| 216 | 13 | sacha | site="$url" |
| 217 | echo "-------------------------------------------------------------------------------" |
||
| 218 | echo "#$count $dateus SITE:$site" |
||
| 219 | if nomentio=`dig @$DNS_MY $DIG_SLOW $site|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$nomentio" ]; then |
||
| 220 | echo -e "$GRAY Unknown zone $site $NC" |
||
| 221 | fi |
||
| 222 | if mentio=`dig $DIG_SLOW $site|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$mentio" ]; then |
||
| 223 | echo -e "$GRAY Unknown zone $site $NC" |
||
| 224 | 4 | sacha | fi |
| 225 | |||
| 226 | 13 | sacha | if [ -n "$nomentio" ] && [ -n "$mentio" ]; then |
| 227 | if [ "$nomentio" != "$mentio" ]; then |
||
| 228 | for i in $site; do |
||
| 229 | 1 | sacha | if nomentio1=`dig $DIG_FAST @$DNS_MY $i|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$nomentio1" ]; then |
| 230 | 13 | sacha | echo -e "$GRAY Unknown zone $i $NC" |
| 231 | fi |
||
| 232 | ISP_DNS=`echo $DNS_ISP_LIST | xargs -n 1| sort -R | head -n 1` |
||
| 233 | if mentio1=`dig $DIG_FAST @$ISP_DNS $i|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$mentio1" ]; then |
||
| 234 | echo -e "$GRAY Unknown zone $i $NC" |
||
| 235 | fi |
||
| 236 | if [ "$nomentio1" != "$mentio1" ]; then |
||
| 237 | if [[ $mentio1 == 90.85.* ]]; then |
||
| 238 | if [ $MODE == "client" ]; then |
||
| 239 | echo "!!! $dateus `hostname` SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC" | $SENDSOCAT |
||
| 240 | fi |
||
| 241 | echo -e "$RED !!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC" |
||
| 242 | echo "!!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> $BLACKLIST_LOG |
||
| 243 | else |
||
| 244 | if [ $MODE == "client" ]; then |
||
| 245 | echo ">>> $dateus `hostname` SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT |
||
| 246 | fi |
||
| 247 | echo -e "$YELLOW >>> SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC" |
||
| 248 | echo ">>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> $DIFF_LOG |
||
| 249 | fi |
||
| 250 | fi |
||
| 251 | 1 | sacha | done |
| 252 | 13 | sacha | else |
| 253 | 3 | sacha | echo -e "$GREEN#$count SITE:$site $NC" |
| 254 | 1 | sacha | fi |
| 255 | fi |
||
| 256 | |||
| 257 | count=`expr $count + $parallel` |
||
| 258 | |||
| 259 | 14 | sacha | done |
| 260 | 1 | sacha | ########################################################## |
| 261 | 17 | sacha | |
| 262 | 14 | sacha | |
| 263 | 7 | sacha | |
| 264 | 3 | sacha | </pre> |
| 265 | 2 | sacha | |
| 266 | h2. Test (valide au 14/06/18) |
||
| 267 | 1 | sacha | |
| 268 | 7 | sacha | dig +short shahamat1.com |
| 269 | 3 | sacha | 90.85.16.52 |
| 270 | 1 | sacha | |
| 271 | h2. Liste de serveurs DNS FAI Français |
||
| 272 | |||
| 273 | 11 | sacha | h3. Free - ASN12322 |
| 274 | 12 | sacha | |
| 275 | 11 | sacha | 212.27.40.240 |
| 276 | 212.27.40.241 |
||
| 277 | 212.27.40.244 |
||
| 278 | 7 | sacha | 212.27.40.245 |
| 279 | 3 | sacha | |
| 280 | 1 | sacha | h3. Bouygues - ASN5410 |
| 281 | |||
| 282 | 194.158.122.10 |
||
| 283 | 194.158.122.15 |
||
| 284 | |||
| 285 | h3. SFR/Numericable - ASN5410 |
||
| 286 | |||
| 287 | 89.2.0.1 |
||
| 288 | 89.2.0.2 |
||
| 289 | |||
| 290 | h3. SFR - ASN15557 |
||
| 291 | |||
| 292 | 109.0.66.10 |
||
| 293 | 109.0.66.20 |
||
| 294 | |||
| 295 | h3. Orange - ASN3215 |
||
| 296 | 2 | sacha | |
| 297 | 3 | sacha | 80.10.246.1 |
| 298 | 1 | sacha | 80.10.246.2 |
| 299 | 80.10.246.3 |
||
| 300 | 6 | sacha | 80.10.246.5 |
| 301 | 80.10.246.7 |
||
| 302 | 80.10.246.129 |
||
| 303 | 80.10.246.130 |
||
| 304 | 80.10.246.132 |
||
| 305 | 8 | sacha | 80.10.246.134 |
| 306 | 80.10.246.136 |
||
| 307 | 81.253.149.1 |
||
| 308 | 81.253.149.2 |
||
| 309 | 1 | sacha | 81.253.149.6 |
| 310 | 11 | sacha | 81.253.149.9 |
| 311 | 1 | sacha | 81.253.149.10 |
| 312 | |||
| 313 | h3. OBS (ouverts) |
||
| 314 | |||
| 315 | 194.2.0.20 |
||
| 316 | 194.2.0.50 |
||
| 317 | |||
| 318 | h2. Vigies de la neutralité |
||
| 319 | |||
| 320 | https://ooni.torproject.org |
||
| 321 | https://respectmynet.eu |
||
| 322 | |||
| 323 | h2. Cadre légal |
||
| 324 | |||
| 325 | https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos;=2&fastReqId;=606073666&categorieLien;=cid&oldAction;=rechTexte#LEGIARTI000029756525 |
||
| 326 | le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte;=20150305&categorieLien;=cid#LEGITEXT000030315036 |
||
| 327 | https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte;=20180619 |
||
| 328 | 18 | sacha | |
| 329 | h2. Unbound |
||
| 330 | |||
| 331 | <pre> |
||
| 332 | server: |
||
| 333 | verbosity: 1 |
||
| 334 | interface: 127.0.0.1 |
||
| 335 | do-ip4: yes |
||
| 336 | do-ip6: no |
||
| 337 | do-udp: yes |
||
| 338 | do-tcp: no |
||
| 339 | access-control: 127.0.0.0/8 allow |
||
| 340 | access-control: 0.0.0.0/0 refuse |
||
| 341 | logfile: /var/log/unbound |
||
| 342 | hide-identity: yes |
||
| 343 | hide-version: yes |
||
| 344 | harden-glue: yes |
||
| 345 | use-caps-for-id: yes |
||
| 346 | do-not-query-localhost: yes |
||
| 347 | </pre> |
||
| 348 | |||
| 349 | 15 | sacha | |
| 350 | h2. Ansible divers |
||
| 351 | |||
| 352 | Copy file: |
||
| 353 | |||
| 354 | ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/" |
||
| 355 | |||
| 356 | |||
| 357 | Copy file single host: |
||
| 358 | |||
| 359 | ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/" |
||
| 360 | |||
| 361 | ansible-playbook /etc/ansible/playbooks/mentio.yml |
||
| 362 | |||
| 363 | |||
| 364 | <pre> |
||
| 365 | --- |
||
| 366 | |||
| 367 | - hosts: mentio |
||
| 368 | sudo: no |
||
| 369 | tasks: |
||
| 370 | - name: copyfiles |
||
| 371 | copy: |
||
| 372 | src: "{{ item.src }}" |
||
| 373 | dest: "{{ item.dest }}" |
||
| 374 | with_items: |
||
| 375 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6',dest: '~/MENTIODNS/' } |
||
| 376 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST',dest: '~/MENTIODNS/' } |
||
| 377 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt',dest: '~/MENTIODNS/' } |
||
| 378 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key',dest: '~/MENTIODNS/' } |
||
| 379 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem',dest: '~/MENTIODNS/' } |
||
| 380 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt',dest: '~/MENTIODNS/' } |
||
| 381 | |||
| 382 | |||
| 383 | 1 | sacha | </pre> |