
sacha, 26/06/2018 15:02

h1. Mentiodns
Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;)
h2. Noeuds actifs
|_. Nom |_. Bloc |
| dam | domain_names.com_sortedaf|
| dam | domain_names.com_sortedag|
| dam | domain_names.com_sortedah|
| dam | domain_names.com_sortedai|
| mezzanine | domain_names.com_sortedad |
| mezzanine | domain_names.com_sortedao |
| mezzanine | domain_names.com_sortedap |
| mezzanine | domain_names.com_sortedaq |
| 1000i100 | domain_names.com_sortedab |
| 1000i100 | domain_names.com_sortedaj |
| 1000i100 | domain_names.com_sortedak |
| 1000i100 | domain_names.com_sortedal |
| sacha | domain_names.org_sortedaa |
| sacha | domain_names.org_sortedab |
| sacha | domain_names.org_sortedac |
| sacha | domain_names.org_sortedad |
| tazi | domain_names.com_sortedac |
| tazi | domain_names.com_sortedae |
| tazi | domain_names.com_sortedam |
| tazi | domain_names.com_sortedan |
h2. Mentio
h3. mentio-check6
Packages: curl dig python socat tmux unbound whois 
<pre>
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
#  MENTIODNS : Check for lying DNS (France)  #
#--------------------------------------------#
#  Version 1.6 - conf file                   #
#  Version 1.5 - test Dig resolving          #
#  Version 1.4 - Socat SSL sending results   #
#  Version 1.3 - tld option                  #
#  Version 1.2 - Round robin on DNS_ISP_LIST #
#                for each request            #
#  Version 1.1 - Allow resume on basename    #
#  Version 1.0 - Parallel process with DIG   #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#

# This crude script queries the ISP's lying DNS servers name by name to identify
# which ones answer with the Ministry of Interior blocking page, and compares the
# IP result with the one from your favorite (trusted) DNS server.
# Use this script with the following parameters
# $1 MODE: client server local
# $2 File source: list of domain names without tld
# $3 tld: com, org, ...
# $4 count number (if none from zero or from count file based on file name)

# If you relaunch the script it will check if it has a counter for the given file to resume
# Blacklisted sites in $BLACKLIST_LOG file
# Diff ip from a domain name are in $DIFF_LOG

# 1st launch creating config file

# Copy generated certificates:
# FILENAME=mentio_ssl-server
# openssl genrsa -out $FILENAME.key 1024   (1024-bit RSA is below current minimums; prefer 2048 or more)
# openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
# cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
# FILENAME=mentio_ssl-client
# ...
# The .pem files contain the private key: keep them readable by this user only.

##########################################################
# Directory holding this script; config, logs, counters and certificates live here.
HOMEDIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
MENTIOCONF=${HOMEDIR}/mentio.conf
# Number of parallel requests sent through dig
parallel=10
# Socat collector (host:port) that "client" mode reports to
SERVER="taz.im:65522"
##########################################################
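##########################################################
### CHECK CONFIG
# First run only (no mentio.conf yet): ask for the trusted resolver, derive
# the ISP resolver list from this host's ASN, write the config and stop so
# the operator can review it. The file is later executed with "source", so
# every value is written shell-quoted (printf %q) — an answer containing
# shell metacharacters must not become code on the next run.
if [[ ! -f "$MENTIOCONF" ]]; then
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "1st time configuring"
  printf 'IP UNBOUND ? '
  read -r DNS_MY

  # Public IP -> ASN -> resolver list. HTTPS so the answer cannot be altered
  # in transit; whois.cymru.com returns a header line then "ASN | IP | name".
  IP_PUB=$(curl -sS https://ifconfig.io)
  if [[ -z "$IP_PUB" ]]; then
    echo "could not determine the public IP, DNS_ISP_LIST will be empty" >&2
  fi
  ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n "2p")
  DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
  # Match the ASN column exactly: a bare grep of the ASN would also hit
  # addresses that merely contain the same digits. xargs joins the
  # addresses of the matching line(s) into one space separated string.
  DNS_ISP_LIST=$(awk -v asn="$ASN" '$2 == asn' "$DNS_LIST" | cut -d' ' -f3- | xargs)

  {
    printf 'HOMEDIR=%q\n' "$HOMEDIR"
    printf 'DNS_MY=%q\n' "$DNS_MY"
    printf 'DNS_ISP_LIST=%q\n' "$DNS_ISP_LIST"
  } > "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  echo " CONFIGURATION FILE:"
  echo " please check and relaunch"
  echo "------------------------------------------------------------------"
  cat "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  exit 1
fi
##########################################################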
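##########################################################
### PARAMETERS to execute the script
# Mode Log export with socat "client" "server" "local"

MODE=$1

# "server" mode: collect the clients' report lines over TLS and append them
# to MENTIO-DNS_DIFF. With cafile= socat verifies the client certificate
# (verify defaults to 1 on the listen side), so only holders of the client
# key can write to the log. Certificate and log paths are anchored on
# $HOMEDIR so the server works from any working directory, as the client
# command already does; the port is the one in $SERVER.
if [[ "$MODE" == "server" ]]; then
  socat -v -u "openssl-listen:${SERVER##*:},fork,reuseaddr,cert=$HOMEDIR/mentio_ssl-server.pem,cafile=$HOMEDIR/mentio_ssl-client.crt" "OPEN:$HOMEDIR/MENTIO-DNS_DIFF,creat,append"
  exit 1
fi
##########################################################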
##########################################################
### Check if commandline parameters are less than 3
# MODE, source file and tld are mandatory; the count is optional.
if (( $# < 3 )); then
  cat <<'EOF'
==================================================================
MENTIODNS
------------------------------------------------------------------
Missing Parameter, please enter:

mentio-check client|server|local filename tld (count number)

EOF
  exit 1
fi
##########################################################
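##########################################################
### Get parameters

# From config file: written by the first run and executed here as shell
# code (HOMEDIR, DNS_MY, DNS_ISP_LIST), so keep it writable by this user only.
source "$MENTIOCONF"

# From command line
# $2 DNS source file name
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# line counter from the dns source file, nothing for auto-resuming
COUNT=$4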
##########################################################
### SOCAT
# Command line used in "client" mode to ship one report line to the
# collector; it is stored as a string and expanded unquoted by the caller,
# so the paths must not contain spaces. The client authenticates itself
# with mentio_ssl-client.pem.
# NOTE(review): verify=0 disables checking the collector's certificate
# against cafile, so the link is encrypted but the collector is not
# authenticated; a self-signed certificate whose CN does not match $SERVER
# is the likely reason — verify=1 (with socat's commonname= option when the
# CN differs) would close that gap.
SENDSOCAT="socat stdio openssl-connect:${SERVER},verify=0,cert=${HOMEDIR}/mentio_ssl-client.pem,cafile=${HOMEDIR}/mentio_ssl-server.crt"
##########################################################
### COLORS
# ANSI colour codes kept as literal backslash text; they are expanded at
# print time by "echo -e" (or printf %b).
RED="\\e[31m"
GREEN="\\e[32m"
YELLOW="\\e[33m"
GRAY="\\e[90m"
NC="\\033[0m" # No Color
##########################################################
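### Various variables
# Logs live next to the script; the counter file is named after the source
# list so several lists can be resumed independently.
DNS_SOURCE_BASENAME=$(basename -- "$DNS_SOURCE")
DIFF_LOG="$HOMEDIR/DNS_DIFF"
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
# Refuse to start on an unreadable list: an empty line count would never
# match the counter and the main loop would not stop.
if [[ ! -r "$DNS_SOURCE" ]]; then
  printf 'cannot read domain list: %s\n' "$DNS_SOURCE" >&2
  exit 1
fi
lines=$(wc -l < "$DNS_SOURCE")
lines=$((lines + 0))   # strip the padding some wc implementations print
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
dateus=$(date +%Y%m%d-%H%M%S)
##########################################################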
### Dig parameters
# Short timeouts for the per-name re-check, longer ones for the batch
# query; both skip DNSSEC and print only the answer data.
DIG_FAST='+nodnssec +short +timeout=1 +tries=2'
DIG_SLOW='+nodnssec +short +timeout=5 +tries=3 '
##########################################################
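##########################################################
### Generate list for dig: round robin from dns list
### Like (@DNS-server domain) x parallel
# Builds the global $url from the next $parallel names of $DNS_SOURCE,
# starting after line $count (awk lines are 1-based, so count=0 means the
# first line; the original "count + i" skipped line 1 and queried a bare
# ".$tld" instead). Each name gets a randomly chosen resolver from
# $DNS_ISP_LIST in front and .$tld behind. Stops early at the end of the
# file instead of emitting empty entries.
# Globals read:    parallel, count, DNS_ISP_LIST, DNS_SOURCE, tld
# Globals written: url, ISP_DNS
_check(){
  local i n name
  url=""
  for (( i = 0; i < parallel; i++ )); do
    n=$(( count + i + 1 ))
    name=$(awk -v n="$n" 'NR==n {print; exit}' "$DNS_SOURCE")
    [[ -n "$name" ]] || break
    # shellcheck disable=SC2086 -- DNS_ISP_LIST is a space separated list
    ISP_DNS=$(printf '%s\n' $DNS_ISP_LIST | sort -R | head -n 1)
    url="$url @$ISP_DNS $name.$tld"
  done
}
##########################################################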
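##########################################################
### Counter: create one if not existing, use existing instead
# $COUNT (4th argument) forces the start position and is saved; otherwise
# the saved counter for this list is reused, or a new one starts at 0.
if [[ -z "$COUNT" ]]; then
  if [[ -f "$countfile" ]]; then
    count=$(<"$countfile")
  else
    count=0
    printf '%s\n' "$count" > "$countfile"
  fi
else
  count=$COUNT
  printf '%s\n' "$count" > "$countfile"
fi
# The counter feeds arithmetic and the awk line selector: accept digits only.
if [[ ! "$count" =~ ^[0-9]+$ ]]; then
  printf 'invalid counter "%s" (argument or %s)\n' "$count" "$countfile" >&2
  exit 1
fi
##########################################################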
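##########################################################
### MAIN LOOP
# Runs dig with the given arguments and prints the answer as one line of
# numerically sorted addresses (empty when nothing resolved).
_resolve(){
  dig "$@" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' '
}

# Reports one mismatching name: in "client" mode ships the line to the
# collector first, then prints it in colour and appends the plain text to
# the given log (the stray colour reset that used to be sent to the
# collector on "!!!" lines is dropped).
#   $1 tag ("!!!" blocking page, ">>>" other difference)
#   $2 colour code   $3 message   $4 log file
_report(){
  local tag=$1 color=$2 msg=$3 logfile=$4
  if [[ "$MODE" == "client" ]]; then
    # shellcheck disable=SC2086 -- SENDSOCAT is a command line, word-splitting is intended
    printf '%s\n' "$tag $dateus $(hostname) $msg" | $SENDSOCAT
  fi
  printf '%b\n' "$color $tag $dateus $msg $NC"
  printf '%s\n' "$tag $dateus $msg" >> "$logfile"
}

# Process the list in batches of $parallel names until the counter passes
# the number of lines ("!=" would spin forever when the list length is not
# a multiple of $parallel).
while (( count < lines )); do
  printf '%s\n' "$count" > "$countfile"
  _check
  site="$url"
  echo "-------------------------------------------------------------------------------"
  echo "#$count $dateus SITE:$site"

  # Batch query: trusted resolver ($DNS_MY) vs the system resolver.
  # shellcheck disable=SC2086 -- DIG_* and site hold several words on purpose
  nomentio=$(_resolve "@$DNS_MY" $DIG_SLOW $site)
  [[ -n "$nomentio" ]] || printf '%b\n' "$GRAY Unknown zone $site $NC"
  mentio=$(_resolve $DIG_SLOW $site)
  [[ -n "$mentio" ]] || printf '%b\n' "$GRAY Unknown zone $site $NC"

  if [[ -n "$nomentio" && -n "$mentio" ]]; then
    if [[ "$nomentio" != "$mentio" ]]; then
      # The batch answers differ: re-check each name on its own against a
      # random ISP resolver. "@server" words in $site are dig options, not
      # names, and were previously queried as if they were.
      for i in $site; do
        [[ "$i" == @* ]] && continue
        nomentio1=$(_resolve $DIG_FAST "@$DNS_MY" "$i")
        [[ -n "$nomentio1" ]] || printf '%b\n' "$GRAY Unknown zone $i $NC"
        ISP_DNS=$(printf '%s\n' $DNS_ISP_LIST | sort -R | head -n 1)
        mentio1=$(_resolve $DIG_FAST "@$ISP_DNS" "$i")
        [[ -n "$mentio1" ]] || printf '%b\n' "$GRAY Unknown zone $i $NC"
        if [[ "$nomentio1" != "$mentio1" ]]; then
          msg="SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1"
          # 90.85.* is the blocking page's address range (see the dig test
          # on this page); any other difference is logged as plain diff.
          if [[ "$mentio1" == 90.85.* ]]; then
            _report "!!!" "$RED" "$msg" "$BLACKLIST_LOG"
          else
            _report ">>>" "$YELLOW" "$msg" "$DIFF_LOG"
          fi
        fi
      done
    else
      printf '%b\n' "$GREEN#$count  SITE:$site  $NC"
    fi
  fi

  count=$(( count + parallel ))
done
##########################################################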
</pre>
h3. mentio-DNS_ISP_LIST
<pre>
Bouygues 5410 194.158.122.10 194.158.122.15
Free 12322 212.27.40.240 212.27.40.241 212.27.40.244 212.27.40.245
Orange 3215 80.10.246.1 80.10.246.2 80.10.246.3 80.10.246.5 80.10.246.7 80.10.246.129 80.10.246.130 80.10.246.132 80.10.246.134 80.10.246.136 81.253.149.1 81.253.149.2 81.253.149.6 81.253.149.9 81.253.149.10
SFR 15557 109.0.66.10 109.0.66.20
</pre>
h3. mentio-monitor
<pre>
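hosts="mentio-HOSTS"
# Per-run scratch file: mktemp replaces the fixed, predictable /tmp name
# that another local user could pre-create or symlink; it is removed when
# the script exits.
hosts_tmp=$(mktemp /tmp/mentio-HOSTS.XXXXXX) || exit 1
trap 'rm -f -- "$hosts_tmp"' EXIT
# Start from an empty known-hosts list on every run.
rm -f -- "$hosts"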
# ANSI colour codes as literal backslash text, expanded by echo -e / printf %b.
GREEN="\\e[32m"
RED="\\e[31m"
NC="\\033[0m" # No Color
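# Forever: watch the collector log for five minutes at a time, learn which
# hosts report in, and flag the known ones that went quiet.
while true; do
  # Host names (3rd field of each report line) seen during this window.
  timeout 300 tail -n 0 -f MENTIO-DNS_DIFF | cut -d ' ' -f3 | sort -u > "$hosts_tmp"

  # Add newly seen hosts to the known list. Exact line match: a plain grep
  # treats the host name as a regex and also matches it inside longer names.
  while IFS= read -r host; do
    [[ -n "$host" ]] || continue
    # 2>/dev/null: the list does not exist yet on the first pass
    if ! grep -Fxq -- "$host" "$hosts" 2>/dev/null; then
      echo "ADD $host"
      printf '%s\n' "$host" >> "$hosts"
      sort -o "$hosts" "$hosts"
    fi
  done < "$hosts_tmp"

  dateus=$(date +%Y%m%d-%H%M%S)
  # Known hosts that did not report during this window.
  diffs=$(diff --side-by-side --suppress-common-lines "$hosts" "$hosts_tmp")
  echo "======================================================================"
  if [[ -z "$diffs" ]]; then
    printf '%b\n' "$GREEN $dateus - ALL HOSTS UP: $NC"
    printf '%b\n' "$GREEN $(xargs < "$hosts") $NC"
  else
    printf '%b\n' "$RED $dateus - MISSING HOST: $NC"
    printf '%b\n' "$RED $diffs $NC"
  fi
done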
</pre>
h2. Test (valide au 14/06/18)
 dig +short shahamat1.com
 90.85.16.52
h2. Vigies de la neutralité
https://ooni.torproject.org
https://respectmynet.eu
h2. Cadre légal
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos;=2&fastReqId;=606073666&categorieLien;=cid&oldAction;=rechTexte#LEGIARTI000029756525        
le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte;=20150305&categorieLien;=cid#LEGITEXT000030315036  
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte;=20180619
h2. Unbound
<pre>
server:
 verbosity: 1
 interface: 127.0.0.1
 do-ip4: yes
 do-ip6: no
 do-udp: yes
 do-tcp: no
 access-control: 127.0.0.0/8 allow 
 access-control: 0.0.0.0/0 refuse
 logfile: /var/log/unbound
 hide-identity: yes
 hide-version: yes
 harden-glue: yes
 use-caps-for-id: yes
 do-not-query-localhost: yes
</pre>
h2. Ansible divers
Copy file:
 ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
Copy file single host:
 ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
ansible-playbook /etc/ansible/playbooks/mentio.yml 
<pre>
---
- hosts: mentio 
  sudo: no
  tasks:
    - name: copyfiles 
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
      with_items:
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem',dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt',dest: '~/MENTIODNS/' }
</pre>