sacha, 06/07/2018 00:30

h1. Mentiodns
Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;)
h2. Noeud actifs
|_. Nom |_. Bloc |
| dam | domain_names.com_sortedaf |
| dam | domain_names.com_sortedag |
| dam | domain_names.com_sortedah |
| dam | domain_names.com_sortedai |
| mezzanine | domain_names.com_sortedad |
| mezzanine | domain_names.com_sortedao |
| mezzanine | domain_names.com_sortedap |
| mezzanine | domain_names.com_sortedaq |
| 1000i100 | domain_names.com_sortedab |
| 1000i100 | domain_names.com_sortedaj |
| 1000i100 | domain_names.com_sortedak |
| 1000i100 | domain_names.com_sortedal |
| sacha | domain_names.org_sortedaa |
| sacha | domain_names.org_sortedab |
| sacha | domain_names.org_sortedac |
| sacha | domain_names.org_sortedad |
| tazi | domain_names.com_sortedac |
| tazi | domain_names.com_sortedae |
| tazi | domain_names.com_sortedam |
| tazi | domain_names.com_sortedan |
| louisl | |
h2. Mentio
h3. mentio-check6
Packages: curl dig python socat tmux unbound whois 
<pre>
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
#  MENTIODNS : Check for lying DNS (France)  #
#--------------------------------------------#
#  Version 1.6.1 - date bug                  #
#  Version 1.6 - conf file                   #
#  Version 1.5 - test Dig resolving          #
#  Version 1.4 - Socat SSL sending results   #
#  Version 1.3 - tld option                  #
#  Version 1.2 - Round robin on DNS_ISP_LIST #
#                for each request            #
#  Version 1.1 - Allow resume on basename    #
#  Version 1.0 - Parallel process with DIG   #
#--------------------------------------------#
# (c) Sacha at Aquilenet.fr part of FFDN.org #
#--------------------------------------------#

# This script brute-forces the ISP's lying DNS servers to find out which domains
# are redirected to the Ministry of Interior blocking page, by comparing the
# ISP's answer with the one returned by your own (trusted) resolver.
# Usage: mentio-check MODE SOURCE TLD [COUNT]
# $1 MODE: client | server | local
# $2 File source: list of domain names without TLD, one per line
# $3 tld: com, org, ...
# $4 count: line number to start from (if omitted: from zero, or from the
#    counter file named after the source file)

# If you relaunch the script it checks whether a counter exists for the given
# file and resumes from there.
# Blacklisted sites (ISP answer inside the blocking-page range) go to $BLACKLIST_LOG
# Other IP differences for a domain name go to $DIFF_LOG

# 1st launch creates the config file

# Generate and copy the certificates. Trust is mutual and pinned: the server
# only accepts clients presenting mentio_ssl-client.crt, clients only trust
# mentio_ssl-server.crt. Use at least a 2048-bit key: 1024-bit RSA is no
# longer considered safe.
# FILENAME=mentio_ssl-server
# openssl genrsa -out $FILENAME.key 2048
# openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
# cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
# FILENAME=mentio_ssl-client
# ...
##########################################################
# Directory of this script: the config file, logs and counters are kept beside it.
HOMEDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Written by the first run (see CHECK CONFIG), sourced by every later run.
MENTIOCONF="${HOMEDIR}/mentio.conf"
# Number of parallel requests through dig (names per batch of the main loop).
parallel=10
##########################################################
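##########################################################
### CHECK CONFIG
# First run only: ask for the trusted resolver, look up the ISP resolvers for
# this host's ASN, write $MENTIOCONF and stop so the operator can review it.
# The file is `source`d on every later run, i.e. executed as shell code, so
# nothing is written to it that has not been validated first.
if [ ! -f "$MENTIOCONF" ]; then
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "1st time configuring"
    echo -n "IP UNBOUND ? "
    read -r DNS_MY
    # Dotted-quad IPv4 only (the checker is IPv4 only); anything else typed
    # here would be run as shell when the config is sourced.
    ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    if ! [[ "$DNS_MY" =~ $ipv4_re ]]; then
        echo "'$DNS_MY' is not an IPv4 address, aborting" >&2
        exit 1
    fi
    printf 'HOMEDIR="%s"\n' "$HOMEDIR" > "$MENTIOCONF"
    printf 'DNS_MY="%s"\n' "$DNS_MY" >> "$MENTIOCONF"
    # Public IP -> ASN (Team Cymru whois) -> resolvers of that ISP.
    # HTTPS with a timeout: over plain HTTP an on-path party could hand back
    # any address, and a hanging lookup would stall the first run silently.
    IP_PUB=$(curl -fsS --max-time 10 https://ifconfig.io)
    ASN=""
    if [ -n "$IP_PUB" ]; then
        # Cymru output: header line, then "ASN | IP | AS name"; keep field 1 of line 2.
        ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n "2p")
    fi
    DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
    DNS_ISP_LIST=""
    # Exact match on the ASN column (field 2) of "Name ASN ip ip ...". A plain
    # substring grep would also hit the digits inside any IP of the list, and an
    # empty ASN would match every line (or make grep read stdin).
    if [[ "$ASN" =~ ^[0-9]+$ ]] && [ -r "$DNS_LIST" ]; then
        DNS_ISP_LIST=$(awk -v asn="$ASN" '$2 == asn { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$DNS_LIST")
    fi
    if [ -z "$DNS_ISP_LIST" ]; then
        echo "WARNING: no resolvers for ASN '$ASN' in $DNS_LIST, set DNS_ISP_LIST by hand" >&2
    fi
    printf 'DNS_ISP_LIST="%s"\n' "$DNS_ISP_LIST" >> "$MENTIOCONF"
    echo "------------------------------------------------------------------"
    echo " CONFIGURATION FILE:"
    echo " please check and relaunch"
    echo "------------------------------------------------------------------"
    cat "$MENTIOCONF"
    echo "------------------------------------------------------------------"
    exit 1
fi
##########################################################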
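##########################################################
### PARAMETERS to execute the script
# Mode Log export with socat "client" "server" "local"
#   client : run the checks and send every difference to the collector
#   server : run the collector only (no check); needs no further argument
#   local  : run the checks, log locally only

MODE=$1

# A mistyped mode used to run silently as "local" (nothing sent to the collector).
case "$MODE" in
    client|server|local) ;;
    *)
        echo "Unknown mode '$MODE' (expected client, server or local)" >&2
        echo "mentio-check client|server|local filename tld (count number)" >&2
        exit 1
        ;;
esac

if [ "$MODE" = "server" ]; then
    # Collector: append every line received to MENTIO-DNS_DIFF. With socat's
    # default verify=1, cafile= means a client MUST present the certificate in
    # mentio_ssl-client.crt, so only the deployed checkers can write to the log.
    # Certificate paths are anchored on $HOMEDIR like on the client side, so the
    # collector can be started from any working directory.
    socat -v -u "openssl-listen:65522,fork,reuseaddr,cert=$HOMEDIR/mentio_ssl-server.pem,cafile=$HOMEDIR/mentio_ssl-client.crt" "OPEN:$HOMEDIR/MENTIO-DNS_DIFF,creat,append"
    exit 1
fi
##########################################################


##########################################################
### Check if commandline parameters are less than 3
if [ $# -lt 3 ]; then
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "Missing Parameter, please enter:"
    echo
    echo "mentio-check client|server|local filename tld (count number)"
    echo
    exit 1
fi
##########################################################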
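##########################################################
### Get parameters

# From config file (HOMEDIR, DNS_MY, DNS_ISP_LIST), written by the first run.
# It is executed as shell: keep it owned by, and writable only by, the user
# running the checker.
source "$MENTIOCONF"
if [ -z "$DNS_MY" ] || [ -z "$DNS_ISP_LIST" ]; then
    echo "DNS_MY and DNS_ISP_LIST must be set in $MENTIOCONF" >&2
    exit 1
fi

# From command line
# $2 DNS source file name (one domain per line, without TLD)
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# $4 line counter for the DNS source file; empty = auto-resume from the counter file
COUNT=$4

##########################################################
### SOCAT
# Collector address, and the name its certificate was issued to.
SERVER="SOMEIP:65522"
SERVER_CN="SOMECN"
# Mutual TLS to the collector. The server certificate is verified against
# cafile= (socat's default verify=1): with verify=0 the cafile would be
# meaningless and anyone able to redirect the client's traffic could pose as
# the collector, collect the reports and see the client certificate.
# socat also checks the peer name against the host part of $SERVER; when that
# is a bare IP that the self-signed certificate was not issued to, set
# SERVER_CN to the subject shown by:
#   openssl x509 -noout -subject -in mentio_ssl-server.crt
SENDSOCAT="socat stdio openssl-connect:$SERVER,commonname=$SERVER_CN,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
##########################################################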
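### COLORS 
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
##########################################################
### Various variables
# The domain list must be readable before anything is derived from it; with an
# empty line count the main loop would never terminate.
if [ ! -r "$DNS_SOURCE" ]; then
    echo "Cannot read domain list '$DNS_SOURCE'" >&2
    exit 1
fi
DNS_SOURCE_BASENAME=$(basename "$DNS_SOURCE")
# ">>>" lines: ISP answer differs from the trusted resolver's.
DIFF_LOG="$HOMEDIR/DNS_DIFF"
# "!!!" lines: ISP answer is the blocking page.
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
# grep -c '' also counts a last line that lacks a trailing newline (wc -l does
# not), so the final domain of such a file is not silently skipped.
lines=$(grep -c '' "$DNS_SOURCE")
# Resume point, one counter file per source file.
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
##########################################################
### Dig parameters
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 "
##########################################################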
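##########################################################
### Generate list for dig: round robin from dns list
### Like (@DNS-server domain) x parallel 
# Builds the global $url: one "@server name.tld" pair per line count .. count+parallel-1
# of $DNS_SOURCE (awk line numbers are 1-based, so line 0 yields nothing), each
# pair with an ISP resolver picked at random from $DNS_ISP_LIST. The main loop
# passes the string unquoted to a single dig invocation.
# Globals read: count parallel DNS_ISP_LIST DNS_SOURCE tld. Global written: url.
# Returns 1 with an empty $url when DNS_ISP_LIST holds no server.
_check(){
    local -a servers
    local batch_idx line_no name pick
    url=""
    read -r -a servers <<< "$DNS_ISP_LIST"
    if [ "${#servers[@]}" -eq 0 ]; then
        echo "DNS_ISP_LIST is empty, check $MENTIOCONF" >&2
        return 1
    fi
    for (( batch_idx = 0; batch_idx < parallel; batch_idx++ )); do
        line_no=$((count + batch_idx))
        # Print only the wanted line and stop reading there.
        name=$(awk -v n="$line_no" 'NR==n {print; exit}' "$DNS_SOURCE")
        # Past the end of the file (last, partial batch) or a blank line: do not
        # emit a bare ".$tld", which would make dig query the TLD itself.
        [ -n "$name" ] || continue
        pick=${servers[RANDOM % ${#servers[@]}]}
        url="$url @$pick $name.$tld"
    done
}
##########################################################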
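##########################################################
### Counter: create one if not existing, use existing instead
# $count is the line of $DNS_SOURCE at which the next batch starts. It comes,
# in order of precedence, from $4, from the per-file counter file (resume) or
# starts at 0; whatever the source, it is written back so a later run resumes.
if [ -z "$COUNT" ]; then
    if [ -f "$countfile" ]; then
        count=$(cat "$countfile")
    else
        count=0
        echo "$count" > "$countfile"
    fi
else
    count=$COUNT
    echo "$count" > "$countfile"
fi
# A non-numeric value (typo on the command line, truncated counter file) would
# break the arithmetic of the main loop; stop here instead.
if ! [[ "$count" =~ ^[0-9]+$ ]]; then
    echo "Invalid start counter '$count' (from \$4 or $countfile)" >&2
    exit 1
fi
##########################################################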
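##########################################################
### MAIN LOOP
# Walks $DNS_SOURCE in batches of $parallel names. Each batch is resolved once
# through the trusted resolver ($DNS_MY) and once without a leading @server
# (the "@server" tokens built by _check then decide where dig sends it); only
# when the two batch answers differ is every name of the batch re-checked
# individually with DIG_FAST, and each per-name disagreement is classified:
#   !!!  ISP answer matches $BLOCKPAGE_PATTERN  -> $BLACKLIST_LOG
#   >>>  any other disagreement                 -> $DIFF_LOG
# In "client" mode each such line is also sent to the collector via $SENDSOCAT.
# Answers are sorted by octet before comparison so that round-robin A records
# do not show up as differences.

# Glob matched against the ISP answer to recognise the administrative blocking
# page; 90.85.* is the range observed in the Test section of this page. Can be
# overridden from the environment.
: "${BLOCKPAGE_PATTERN:=90.85.*}"

# "-le" rather than "!=": $count advances by $parallel and seldom lands exactly
# on $lines; an equality test either never stops or skips the last line.
while [ "$count" -le "$lines" ]; do
    echo "$count" > "$countfile"
    _check
    dateus=$(date +%Y%m%d-%H%M%S)
    site="$url"
    echo "-------------------------------------------------------------------------------"
    echo "#$count $dateus SITE:$site"
    # $site and the DIG_* strings are intentionally unquoted: they carry several
    # "@server name.tld" arguments for one dig invocation.
    nomentio=$(dig @"$DNS_MY" $DIG_SLOW $site | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ')
    if [ -z "$nomentio" ]; then
        echo -e "$GRAY Unknown zone $site $NC"
    fi
    mentio=$(dig $DIG_SLOW $site | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ')
    if [ -z "$mentio" ]; then
        echo -e "$GRAY Unknown zone $site $NC"
    fi

    if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
        if [ "$nomentio" != "$mentio" ]; then
            for i in $site; do
                # _check interleaves "@server" tokens with the names; they are
                # not names and would turn the digs below into root-zone queries.
                case "$i" in @*) continue ;; esac
                nomentio1=$(dig $DIG_FAST @"$DNS_MY" "$i" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ')
                if [ -z "$nomentio1" ]; then
                    echo -e "$GRAY Unknown zone $i $NC"
                fi
                # Fresh random ISP resolver for every name (round robin).
                ISP_DNS=$(xargs -n 1 <<< "$DNS_ISP_LIST" | sort -R | head -n 1)
                mentio1=$(dig $DIG_FAST @"$ISP_DNS" "$i" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ')
                if [ -z "$mentio1" ]; then
                    echo -e "$GRAY Unknown zone $i $NC"
                fi
                if [ "$nomentio1" = "$mentio1" ]; then
                    continue
                fi
                result="$dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1"
                if [[ $mentio1 == $BLOCKPAGE_PATTERN ]]; then
                    if [ "$MODE" = "client" ]; then
                        # No colour code on the wire: mentio-monitor parses this log.
                        echo "!!! $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT ||
                            echo "WARNING: could not send result to $SERVER" >&2
                    fi
                    echo -e "$RED !!! $result $NC"
                    echo "!!! $result" >> "$BLACKLIST_LOG"
                else
                    if [ "$MODE" = "client" ]; then
                        echo ">>> $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT ||
                            echo "WARNING: could not send result to $SERVER" >&2
                    fi
                    echo -e "$YELLOW >>> SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
                    echo ">>> $result" >> "$DIFF_LOG"
                fi
            done
        else
            echo -e "$GREEN#$count  SITE:$site  $NC"
        fi
    fi

    count=$((count + parallel))
done
##########################################################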
</pre>
h3. mentio-DNS_ISP_LIST
<pre>
Bouygues 5410 194.158.122.10 194.158.122.15
Free 12322 212.27.40.240 212.27.40.241 212.27.40.244 212.27.40.245
Orange 3215 80.10.246.1 80.10.246.2 80.10.246.3 80.10.246.5 80.10.246.7 80.10.246.129 80.10.246.130 80.10.246.132 80.10.246.134 80.10.246.136 81.253.149.1 81.253.149.2 81.253.149.6 81.253.149.9 81.253.149.10
SFR 15557 109.0.66.10 109.0.66.20
</pre>
h3. mentio-monitor
<pre>
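hosts="mentio-HOSTS"
# Private scratch file: a fixed name in /tmp could be pre-created or symlinked
# by another local user, and the loop truncates it every round.
hosts_tmp=$(mktemp /tmp/mentio-HOSTS.XXXXXX) || exit 1
trap 'rm -f -- "$hosts_tmp"' EXIT
# Start from an empty, existing host list (diff/grep below need the file).
: > "$hosts"

GREEN='\e[32m'
RED='\e[31m'
NC='\033[0m' # No Color  

# Collector log written by "mentio-check6 server". Without it tail exits at
# once and the loop would spin at full speed printing MISSING HOST.
if [ ! -r MENTIO-DNS_DIFF ]; then
    echo "MENTIO-DNS_DIFF not found: start the collector (mentio-check6 server) first" >&2
    exit 1
fi

# Every 5 minutes: collect the hostnames (field 3 of every line the clients
# sent) that reported during the window, add newcomers to $hosts, and flag the
# known hosts that stayed silent.
while true; do
    # Hostnames come from the clients; keep hostname characters only so that a
    # crafted value cannot inject terminal escape sequences through echo -e.
    timeout 300 tail -n 0 -f MENTIO-DNS_DIFF | cut -d ' ' -f3 | tr -cd 'A-Za-z0-9._\n-' | sort -u > "$hosts_tmp"
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        # Whole-line literal match: "dam" must not be found inside "damien".
        if ! grep -qsxF -- "$host" "$hosts"; then
            echo "ADD $host"
            echo "$host" >> "$hosts"
            sort -o "$hosts" "$hosts"
        fi
    done < "$hosts_tmp"

    dateus=$(date +%Y%m%d-%H%M%S)
    diffs=$(diff --side-by-side --suppress-common-lines "$hosts" "$hosts_tmp")
    echo "======================================================================"
    if [ -z "$diffs" ]; then
        echo -e "$GREEN $dateus - ALL HOSTS UP: $NC"
        echo -e "$GREEN $(xargs < "$hosts" | sort) $NC"
    else
        echo -e "$RED $dateus - MISSING HOST: $NC"
        echo -e "$RED $diffs $NC"
    fi
done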
</pre>
h2. Test (valide au 14/06/18)
 dig +short shahamat1.com
 90.85.16.52
h2. Vigies de la neutralité
https://ooni.torproject.org
https://respectmynet.eu
h2. Cadre légal
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
le décret https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000030195477&dateTexte=20180619
h2. Unbound
<pre>
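# Local resolver used as the trusted side of the comparison (DNS_MY in
# mentio.conf). It answers the checker on this host only.
server:
 verbosity: 1
 # Loopback only, and everything that is not loopback is refused: the box
 # must not become an open resolver.
 interface: 127.0.0.1
 do-ip4: yes
 do-ip6: no
 do-udp: yes
 # TCP must stay enabled: when an upstream answer is truncated (TC bit) unbound
 # retries over TCP; with "do-tcp: no" that retry is impossible and the checker
 # sees an empty answer ("Unknown zone") for a perfectly valid name.
 do-tcp: yes
 access-control: 127.0.0.0/8 allow 
 access-control: 0.0.0.0/0 refuse
 # "logfile" is ignored while use-syslog is on (the default); turn syslog off
 # so the file below is actually written. It must be writable by the unbound user.
 use-syslog: no
 logfile: /var/log/unbound
 hide-identity: yes
 hide-version: yes
 harden-glue: yes
 use-caps-for-id: yes
 do-not-query-localhost: yes
 # No trust anchor (auto-trust-anchor-file) is configured here, so answers are
 # not DNSSEC-validated; the checker queries with +nodnssec anyway.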
</pre>
h2. Lancement
 tmux new-session -s foo -d "bash mentio-check6 client domain_names.com_sortedac com" \; split-window -h "bash mentio-check6 client domain_names.com_sortedae com" \; split-window -v "bash mentio-check6 client domain_names.com_sortedam com" \; selectp -t 0 \; split-window -v "bash mentio-check6 client domain_names.com_sortedan com"
h2. Ansible divers
Copy file:
 ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
Copy file single host:
 ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
ansible-playbook /etc/ansible/playbooks/mentio.yml 
<pre>
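---
# Deploy the checker, the ISP resolver list and the client-side TLS material
# to every node of the "mentio" inventory group, into ~/MENTIODNS/ of the login
# user (no privilege escalation). The files holding the private key are
# installed mode 0600; the others keep the default mode.
# NOTE(review): the same client key is pushed to every node, so any single
# node can write to the collector as any other; a per-node key/cert pair would
# make reports attributable and individually revocable.

- hosts: mentio 
  become: no
  tasks:
    - name: copyfiles 
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode | default(omit) }}"
      with_items:
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt', dest: '~/MENTIODNS/' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key', dest: '~/MENTIODNS/', mode: '0600' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem', dest: '~/MENTIODNS/', mode: '0600' }
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt', dest: '~/MENTIODNS/' }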
</pre>