Mentiodns » Historique » Version 32
sacha, 06/07/2018 00:30
1 | 1 | sacha | h1. Mentiodns |
---|---|---|---|
2 | |||
3 | Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;) |
||
4 | |||
5 | 4 | sacha | h2. Noeud actifs |
6 | |||
7 | |_. Nom |_. Bloc | |
||
8 | 23 | sacha | | dam | domain_names.com_sortedaf| |
9 | | dam | domain_names.com_sortedag| |
||
10 | | dam | domain_names.com_sortedah| |
||
11 | | dam | domain_names.com_sortedai| |
||
12 | 24 | sacha | | mezzanine | domain_names.com_sortedad | |
13 | | mezzanine | domain_names.com_sortedao | |
||
14 | | mezzanine | domain_names.com_sortedap | |
||
15 | | mezzanine | domain_names.com_sortedaq | |
||
16 | | 1000i100 | domain_names.com_sortedab | |
||
17 | | 1000i100 | domain_names.com_sortedaj | |
||
18 | | 1000i100 | domain_names.com_sortedak | |
||
19 | | 1000i100 | domain_names.com_sortedal | |
||
20 | 26 | sacha | | sacha | domain_names.org_sortedaa | |
21 | | sacha | domain_names.org_sortedab | |
||
22 | | sacha | domain_names.org_sortedac | |
||
23 | | sacha | domain_names.org_sortedad | |
||
24 | 24 | sacha | | tazi | domain_names.com_sortedac | |
25 | | tazi | domain_names.com_sortedae | |
||
26 | | tazi | domain_names.com_sortedam | |
||
27 | | tazi | domain_names.com_sortedan | |
||
28 | 32 | sacha | | louisl | |
29 | 18 | sacha | |
30 | 4 | sacha | h2. Mentio |
31 | |||
32 | 27 | sacha | h3. mentio-check6 |
33 | |||
34 | 19 | sacha | Packages: curl dig python socat tmux unbound whois |
35 | |||
36 | 4 | sacha | <pre> |
37 | #-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-# |
||
38 | # MENTIODNS : Check for lying DNS (France) # |
||
39 | #--------------------------------------------# |
||
40 | 28 | sacha | # Version 1.6.1 date bug |
41 | 16 | sacha | # Version 1.6 - conf file # |
42 | 13 | sacha | # Version 1.5 - test Dig resolving # |
43 | # Version 1.4 - Socat SSL sending results # |
||
44 | # Version 1.3 - tld optioN # |
||
45 | 1 | sacha | # Version 1.2 - Round robin on DNS_ISP_LIST # |
46 | 28 | sacha | # For each request # |
47 | 4 | sacha | # Version 1.1 - Allow resume on basename # |
48 | # Version 1.0 - Parallel process with DIG # |
||
49 | #--------------------------------------------# |
||
50 | 1 | sacha | # (c) Sacha at Aquilenet.fr part of FFDN.org # |
51 | #--------------------------------------------# |
||
52 | |||
53 | # This shity script intend to bruteforce the ISP lying DNS Servers to identify which one |
||
54 | # is going on Ministry of Interior Blocking page and compare the IP result from your favorite DNS server |
||
55 | 16 | sacha | # Use this script with the following parameters |
56 | # $1 MODE: client server local |
||
57 | # $2 File source: list of domain names whithout tld |
||
58 | # $3 tld: com, org, ... |
||
59 | # $4 count number (if none from zero or from count file based on file name) |
||
60 | |||
61 | |||
62 | 1 | sacha | # If you relanch the script it will check if it has a counter for the given file to resume |
63 | # Blacklisted sites in $BLACKLIST_LOG file |
||
64 | 13 | sacha | # Diff ip from a domain name are in $DIFF_LOG |
65 | 1 | sacha | |
66 | 13 | sacha | # 1st launch creating config file |
67 | 1 | sacha | |
68 | 14 | sacha | # Copy generated certificates: |
69 | # FILENAME=mentio_ssl-server |
||
70 | 1 | sacha | # openssl genrsa -out $FILENAME.key 1024 |
71 | 13 | sacha | # openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt |
72 | 1 | sacha | # cat $FILENAME.key $FILENAME.crt >$FILENAME.pem |
73 | 13 | sacha | # FILENAME=mentio_ssl-client |
74 | # ... |
||
75 | |||
76 | 16 | sacha | ########################################################## |
77 | 1 | sacha | HOMEDIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) |
78 | 13 | sacha | MENTIOCONF="$HOMEDIR/mentio.conf" |
79 | 17 | sacha | # Number of parallel requests thruw dig |
80 | parallel=10 |
||
81 | 16 | sacha | ########################################################## |
82 | 1 | sacha | |
83 | 16 | sacha | |
84 | ########################################################## |
||
85 | 13 | sacha | ### CHECK CONFIG |
86 | if [ ! -f $MENTIOCONF ]; then |
||
87 | echo "==================================================================" |
||
88 | echo "MENTIODNS" |
||
89 | echo "------------------------------------------------------------------" |
||
90 | echo "1st time configuring" |
||
91 | echo -n "IP UNBOUND ? " |
||
92 | read DNS_MY |
||
93 | 1 | sacha | |
94 | 13 | sacha | echo 'HOMEDIR="'$HOMEDIR'"' > $MENTIOCONF |
95 | echo 'DNS_MY="'$DNS_MY'"' >> $MENTIOCONF |
||
96 | 1 | sacha | IP_PUB=`curl ifconfig.io` |
97 | 13 | sacha | ASN=`whois -h whois.cymru.com $IP_PUB |cut -d' ' -f1|sed -n "2p"` |
98 | 1 | sacha | DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST" |
99 | DNS_ISP_LIST=`grep $ASN $DNS_LIST|cut -d' ' -f3-` |
||
100 | echo 'DNS_ISP_LIST="'$DNS_ISP_LIST'"' >> $MENTIOCONF |
||
101 | echo "------------------------------------------------------------------" |
||
102 | echo " CONFIGURATION FILE:" |
||
103 | echo " please check and relaunch" |
||
104 | echo "------------------------------------------------------------------" |
||
105 | cat $MENTIOCONF |
||
106 | echo "------------------------------------------------------------------" |
||
107 | exit 1 |
||
108 | fi |
||
109 | 16 | sacha | ########################################################## |
110 | 1 | sacha | |
111 | 16 | sacha | |
112 | ########################################################## |
||
113 | ### PARAMETERS to execute the script |
||
114 | # Mode Log export with socat "client" "server" "local" |
||
115 | |||
116 | MODE=$1 |
||
117 | |||
118 | if [ $MODE == "server" ]; then |
||
119 | socat -v -u openssl-listen:65522,fork,reuseaddr,cert=mentio_ssl-server.pem,cafile=mentio_ssl-client.crt OPEN:$HOMEDIR/MENTIO-DNS_DIFF,creat,append |
||
120 | exit 1 |
||
121 | fi |
||
122 | ########################################################## |
||
123 | |||
124 | |||
125 | ########################################################## |
||
126 | ### Check if commandline parameters are less than 3 |
||
127 | |||
128 | 1 | sacha | if [ $# -lt 3 ]; then |
129 | echo "==================================================================" |
||
130 | echo "MENTIODNS" |
||
131 | echo "------------------------------------------------------------------" |
||
132 | 14 | sacha | echo "Missing Parameter, please enter:" |
133 | 13 | sacha | echo |
134 | 1 | sacha | echo "mentio-check client|server|local filename tld (count number)" |
135 | 13 | sacha | echo |
136 | exit 1 |
||
137 | fi |
||
138 | 16 | sacha | ########################################################## |
139 | 13 | sacha | |
140 | 16 | sacha | |
141 | ########################################################## |
||
142 | ### Get parameters |
||
143 | |||
144 | # From config file |
||
145 | 1 | sacha | source $MENTIOCONF |
146 | 13 | sacha | |
147 | 16 | sacha | # From command line |
148 | 1 | sacha | # $2 DNS source file name |
149 | 13 | sacha | DNS_SOURCE=$2 |
150 | 1 | sacha | # $3 TLD name (com, org...) |
151 | 13 | sacha | tld=$3 |
152 | 1 | sacha | # line counter from the dns source file, nothing for auto-resuming |
153 | COUNT=$4 |
||
154 | |||
155 | 16 | sacha | ########################################################## |
156 | 13 | sacha | ### SOCAT |
157 | 29 | sacha | SERVER="SOMEIP:65522" |
158 | 13 | sacha | SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt" |
159 | 16 | sacha | ########################################################## |
160 | 13 | sacha | ### COLORS |
161 | RED='\e[31m' |
||
162 | GREEN='\e[32m' |
||
163 | YELLOW='\e[33m' |
||
164 | 1 | sacha | GRAY='\e[90m' |
165 | NC='\033[0m' # No Color |
||
166 | 16 | sacha | ########################################################## |
167 | ### Various variables |
||
168 | 13 | sacha | DNS_SOURCE_BASENAME=`basename $DNS_SOURCE` |
169 | 1 | sacha | DIFF_LOG="$HOMEDIR/DNS_DIFF" |
170 | BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED" |
||
171 | 13 | sacha | lines=`wc -l $DNS_SOURCE|awk -F " " '{print $1}'` |
172 | 4 | sacha | countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME" |
173 | 16 | sacha | ########################################################## |
174 | ### Dig parameters |
||
175 | 1 | sacha | DIG_FAST="+nodnssec +short +timeout=1 +tries=2" |
176 | DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 " |
||
177 | 16 | sacha | ########################################################## |
178 | 13 | sacha | |
179 | 16 | sacha | |
180 | ########################################################## |
||
181 | ### Generate list for dig: round robin from dns list |
||
182 | ### Like (@DNS-server domain) x parallel |
||
183 | 1 | sacha | _check(){ |
184 | i=0 |
||
185 | 13 | sacha | url="" |
186 | while [ $i -lt $parallel ] |
||
187 | 1 | sacha | do |
188 | n=`expr $count + $i` |
||
189 | ISP_DNS=`echo $DNS_ISP_LIST | xargs -n 1| sort -R | head -n 1` |
||
190 | url="$url @$ISP_DNS `awk -v n="${n}" 'NR==n {print;exit}' $DNS_SOURCE`.$tld" |
||
191 | i=`expr $i + 1` |
||
192 | done |
||
193 | } |
||
194 | 16 | sacha | ########################################################## |
195 | 1 | sacha | |
196 | |||
197 | 16 | sacha | ########################################################## |
198 | ### Counter: create one if not existing, use existing instead |
||
199 | 1 | sacha | if [ -z $COUNT ]; then |
200 | 28 | sacha | if [ -f $countfile ]; then |
201 | count=`cat $countfile` |
||
202 | else |
||
203 | count=0 |
||
204 | echo $count > $countfile |
||
205 | fi |
||
206 | 13 | sacha | else count=$COUNT |
207 | echo $count > $countfile |
||
208 | 1 | sacha | fi |
209 | 4 | sacha | ########################################################## |
210 | 16 | sacha | |
211 | 4 | sacha | |
212 | 16 | sacha | ########################################################## |
213 | ### MAIN LOOP |
||
214 | |||
215 | while [ "$count" != "$lines" ]; do |
||
216 | 4 | sacha | echo $count > $countfile |
217 | _check |
||
218 | 28 | sacha | dateus=`date +%Y%m%d-%H%M%S` |
219 | 13 | sacha | site="$url" |
220 | echo "-------------------------------------------------------------------------------" |
||
221 | echo "#$count $dateus SITE:$site" |
||
222 | if nomentio=`dig @$DNS_MY $DIG_SLOW $site|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$nomentio" ]; then |
||
223 | 28 | sacha | echo -e "$GRAY Unknown zone $site $NC" |
224 | 13 | sacha | fi |
225 | if mentio=`dig $DIG_SLOW $site|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$mentio" ]; then |
||
226 | 28 | sacha | echo -e "$GRAY Unknown zone $site $NC" |
227 | 4 | sacha | fi |
228 | 1 | sacha | |
229 | 4 | sacha | if [ -n "$nomentio" ] && [ -n "$mentio" ]; then |
230 | 13 | sacha | if [ "$nomentio" != "$mentio" ]; then |
231 | 28 | sacha | for i in $site; do |
232 | if nomentio1=`dig $DIG_FAST @$DNS_MY $i|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$nomentio1" ]; then |
||
233 | echo -e "$GRAY Unknown zone $i $NC" |
||
234 | fi |
||
235 | ISP_DNS=`echo $DNS_ISP_LIST | xargs -n 1| sort -R | head -n 1` |
||
236 | if mentio1=`dig $DIG_FAST @$ISP_DNS $i|sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4| tr '\r\n' ' '` && [ -z "$mentio1" ]; then |
||
237 | echo -e "$GRAY Unknown zone $i $NC" |
||
238 | fi |
||
239 | if [ "$nomentio1" != "$mentio1" ]; then |
||
240 | if [[ $mentio1 == 90.85.* ]]; then |
||
241 | if [ $MODE == "client" ]; then |
||
242 | echo "!!! $dateus `hostname` SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC" | $SENDSOCAT |
||
243 | fi |
||
244 | echo -e "$RED !!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC" |
||
245 | echo "!!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> $BLACKLIST_LOG |
||
246 | else |
||
247 | if [ $MODE == "client" ]; then |
||
248 | echo ">>> $dateus `hostname` SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT |
||
249 | fi |
||
250 | echo -e "$YELLOW >>> SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC" |
||
251 | echo ">>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> $DIFF_LOG |
||
252 | fi |
||
253 | fi |
||
254 | done |
||
255 | 1 | sacha | else |
256 | 13 | sacha | echo -e "$GREEN#$count SITE:$site $NC" |
257 | 3 | sacha | fi |
258 | 1 | sacha | fi |
259 | |||
260 | count=`expr $count + $parallel` |
||
261 | |||
262 | done |
||
263 | 14 | sacha | ########################################################## |
264 | 28 | sacha | |
265 | 17 | sacha | |
266 | 14 | sacha | |
267 | 7 | sacha | |
268 | 2 | sacha | </pre> |
269 | 1 | sacha | |
270 | 27 | sacha | h3. mentio-DNS_ISP_LIST |
271 | 1 | sacha | |
272 | 27 | sacha | <pre> |
273 | Bouygues 5410 194.158.122.10 194.158.122.15 |
||
274 | Free 12322 212.27.40.240 212.27.40.241 212.27.40.244 212.27.40.245 |
||
275 | Orange 3215 80.10.246.1 80.10.246.2 80.10.246.3 80.10.246.5 80.10.246.7 80.10.246.129 80.10.246.130 80.10.246.132 80.10.246.134 80.10.246.136 81.253.149.1 81.253.149.2 81.253.149.6 81.253.149.9 81.253.149.10 |
||
276 | SFR 15557 109.0.66.10 109.0.66.20 |
||
277 | </pre> |
||
278 | 1 | sacha | |
279 | 27 | sacha | h3. mentio-monitor |
280 | 1 | sacha | |
281 | 27 | sacha | <pre> |
282 | hosts="mentio-HOSTS" |
||
283 | hosts_tmp="/tmp/mentio-HOSTS.tmp" |
||
284 | rm -rf $hosts |
||
285 | 1 | sacha | |
286 | |||
287 | 27 | sacha | GREEN='\e[32m' |
288 | RED='\e[31m' |
||
289 | NC='\033[0m' # No Color |
||
290 | 1 | sacha | |
291 | 27 | sacha | while true; do |
292 | timeout 300 tail -n 0 -f MENTIO-DNS_DIFF | cut -d ' ' -f3|sort|uniq> $hosts_tmp |
||
293 | mentiohosts=`cat $hosts_tmp` |
||
294 | updates=`echo $mentiohosts|xargs -n 1` |
||
295 | for i in $updates; do |
||
296 | exists=`grep "$i" $hosts` |
||
297 | if [ -z "$exists" ]; then |
||
298 | echo "ADD $i" |
||
299 | echo "$i" >> $hosts |
||
300 | sort -o $hosts $hosts |
||
301 | name=`echo $i|cut -d "." -f1` |
||
302 | fi |
||
303 | done |
||
304 | 8 | sacha | |
305 | 27 | sacha | dateus=`date +%Y%m%d-%H%M%S` |
306 | diffs=`diff --side-by-side --suppress-common-lines $hosts $hosts_tmp` |
||
307 | echo "======================================================================" |
||
308 | if [ -z "$diffs" ]; then |
||
309 | echo -e "$GREEN $dateus - ALL HOSTS UP: $NC" |
||
310 | echo -e "$GREEN `cat $hosts |xargs |sort` $NC" |
||
311 | else |
||
312 | echo -e "$RED $dateus - MISSING HOST: $NC" |
||
313 | echo -e "$RED $diffs $NC" |
||
314 | fi |
||
315 | done |
||
316 | </pre> |
||
317 | 1 | sacha | |
318 | 27 | sacha | h2. Test (valide au 14/06/18) |
319 | 1 | sacha | |
320 | 27 | sacha | dig +short shahamat1.com |
321 | 90.85.16.52 |
||
322 | 1 | sacha | |
323 | h2. Vigies de la neutralité |
||
324 | |||
325 | 18 | sacha | https://ooni.torproject.org |
326 | https://respectmynet.eu |
||
327 | |||
328 | h2. Cadre légal |
||
329 | |||
330 | https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos;=2&fastReqId;=606073666&categorieLien;=cid&oldAction;=rechTexte#LEGIARTI000029756525 |
||
331 | le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte;=20150305&categorieLien;=cid#LEGITEXT000030315036 |
||
332 | https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte;=20180619 |
||
333 | |||
334 | h2. Unbound |
||
335 | |||
336 | <pre> |
||
337 | server: |
||
338 | verbosity: 1 |
||
339 | interface: 127.0.0.1 |
||
340 | do-ip4: yes |
||
341 | do-ip6: no |
||
342 | do-udp: yes |
||
343 | do-tcp: no |
||
344 | access-control: 127.0.0.0/8 allow |
||
345 | access-control: 0.0.0.0/0 refuse |
||
346 | 15 | sacha | logfile: /var/log/unbound |
347 | hide-identity: yes |
||
348 | hide-version: yes |
||
349 | harden-glue: yes |
||
350 | use-caps-for-id: yes |
||
351 | do-not-query-localhost: yes |
||
352 | </pre> |
||
353 | |||
354 | 30 | sacha | h2. Lancement |
355 | |||
356 | 31 | sacha | tmux new-session -s foo -d "bash mentio-check6 client domain_names.com_sortedac com" \; split-window -h "bash mentio-check6 client domain_names.com_sortedae com" \; split-window -v "bash mentio-check6 client domain_names.com_sortedam com"\; selectp -t 0 \; split-window -v "bash mentio-check6 client domain_names.com_sortedan com" |
357 | 15 | sacha | |
358 | h2. Ansible divers |
||
359 | |||
360 | Copy file: |
||
361 | |||
362 | ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/" |
||
363 | |||
364 | |||
365 | Copy file single host: |
||
366 | |||
367 | ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/" |
||
368 | |||
369 | ansible-playbook /etc/ansible/playbooks/mentio.yml |
||
370 | |||
371 | |||
372 | <pre> |
||
373 | --- |
||
374 | |||
375 | - hosts: mentio |
||
376 | sudo: no |
||
377 | tasks: |
||
378 | - name: copyfiles |
||
379 | copy: |
||
380 | src: "{{ item.src }}" |
||
381 | dest: "{{ item.dest }}" |
||
382 | with_items: |
||
383 | 1 | sacha | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6',dest: '~/MENTIODNS/' } |
384 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST',dest: '~/MENTIODNS/' } |
||
385 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt',dest: '~/MENTIODNS/' } |
||
386 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key',dest: '~/MENTIODNS/' } |
||
387 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem',dest: '~/MENTIODNS/' } |
||
388 | - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt',dest: '~/MENTIODNS/' } |
||
389 | |||
390 | |||
391 | </pre> |