Mentiodns » Historique » Version 34

sacha, 06/07/2018 01:59

1 1 sacha
h1. Mentiodns
2
3
Validation des DNS à partir d'une liste sur un unbound et un DNS grand FAI et comparaison des résultats ;)
4
5 4 sacha
h2. Noeud actifs
6
7
|_. Nom |_. Bloc |
8 23 sacha
| dam | domain_names.com_sortedaf|
9
| dam | domain_names.com_sortedag|
10
| dam | domain_names.com_sortedah|
11
| dam | domain_names.com_sortedai|
12 24 sacha
| mezzanine | domain_names.com_sortedad |
13
| mezzanine | domain_names.com_sortedao |
14
| mezzanine | domain_names.com_sortedap |
15
| mezzanine | domain_names.com_sortedaq |
16
| 1000i100 | domain_names.com_sortedab |
17
| 1000i100 | domain_names.com_sortedaj |
18
| 1000i100 | domain_names.com_sortedak |
19
| 1000i100 | domain_names.com_sortedal |
20 26 sacha
| sacha | domain_names.org_sortedaa |
21
| sacha | domain_names.org_sortedab |
22
| sacha | domain_names.org_sortedac |
23
| sacha | domain_names.org_sortedad |
24 24 sacha
| tazi | domain_names.com_sortedac |
25
| tazi | domain_names.com_sortedae |
26
| tazi | domain_names.com_sortedam |
27
| tazi | domain_names.com_sortedan |
28 34 sacha
| louisl | domain_names.com_sortedar |
29
| louisl | domain_names.org_sortedae  |
30
| louisl | domain_names.org_sortedaf |
31
| louisl | domain_names.net_sortedaa |
32
| louisl | domain_names.net_sortedab |
33 18 sacha
34 4 sacha
h2. Mentio
35
36 27 sacha
h3. mentio-check6
37
38 19 sacha
Packages: curl dig python socat tmux unbound whois 
39
40 4 sacha
<pre>
41
#-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-#
42
#  MENTIODNS : Check for lying DNS (France)  #
43
#--------------------------------------------#
44 28 sacha
#  Version 1.6.1 date bug
45 16 sacha
#  Version 1.6 - conf file                   # 
46 13 sacha
#  Version 1.5 - test Dig resolving          #
47
#  Version 1.4 - Socat SSL sending results   # 
48
#  Version 1.3 - tld optioN                  #
49 1 sacha
#  Version 1.2 - Round robin on DNS_ISP_LIST #
50 28 sacha
#                For each request            #
51 4 sacha
#  Version 1.1 - Allow resume on basename    #
52
#  Version 1.0 - Parallel process with DIG   #
53
#--------------------------------------------#
54 1 sacha
# (c) Sacha at Aquilenet.fr part of FFDN.org #
55
#--------------------------------------------#
56
57
# This shity script intend to bruteforce the ISP lying DNS Servers to identify which one
58
# is going on Ministry of Interior Blocking page and compare the IP result from your favorite DNS server
59 16 sacha
# Use this script with the following parameters 
60
# $1 MODE: client server local
61
# $2 File source: list of domain names without tld
62
# $3 tld: com, org, ...
63
# $4 count number (if none from zero or from count file based on file name)
64
65
66 1 sacha
# If you relaunch the script it will check if it has a counter for the given file to resume
67
# Blacklisted sites in $BLACKLIST_LOG file
68 13 sacha
# Diff ip from a domain name are in $DIFF_LOG 
69 1 sacha
70 13 sacha
# 1st launch creating config file
71 1 sacha
72 14 sacha
# Copy generated certificates:
73
# FILENAME=mentio_ssl-server 
74 1 sacha
# openssl genrsa -out $FILENAME.key 1024
75 13 sacha
# openssl req -new -key $FILENAME.key -x509 -days 3653 -out $FILENAME.crt
76 1 sacha
# cat $FILENAME.key $FILENAME.crt >$FILENAME.pem
77 13 sacha
# FILENAME=mentio_ssl-client
78
# ...
79
80 16 sacha
##########################################################
81 1 sacha
# Directory holding this script; the config file, count files and logs live beside it.
HOMEDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# Generated interactively on the first run, then sourced on every later run.
MENTIOCONF="${HOMEDIR}/mentio.conf"
# Number of (@server domain) pairs handed to a single dig invocation per round.
parallel=10
85 16 sacha
##########################################################
86 1 sacha
87 16 sacha
88
##########################################################
89 13 sacha
### CHECK CONFIG
90
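if [ ! -f "$MENTIOCONF" ]; then
  # First run: build mentio.conf interactively, then stop so the operator can
  # review it. The file is sourced as shell code on every later run, so every
  # value written here is shell-quoted with %q and stored as a plain string.
  echo "=================================================================="
  echo "MENTIODNS"
  echo "------------------------------------------------------------------"
  echo "1st time configuring"
  echo -n "IP UNBOUND ? "
  read -r DNS_MY

  printf 'HOMEDIR=%q\n' "$HOMEDIR" > "$MENTIOCONF"
  printf 'DNS_MY=%q\n' "$DNS_MY" >> "$MENTIOCONF"
  # Public IP -> ASN (Team Cymru whois) -> resolver list for that ASN from
  # mentio-DNS_ISP_LIST ("Name ASN ip ip ..."). Both lookups return remote
  # data; if the ASN cannot be determined the list is left empty for the
  # operator to fill in by hand rather than matching every line.
  IP_PUB=$(curl -sS ifconfig.io)
  ASN=$(whois -h whois.cymru.com "$IP_PUB" | cut -d' ' -f1 | sed -n "2p")
  DNS_LIST="$HOMEDIR/mentio-DNS_ISP_LIST"
  DNS_ISP_LIST=""
  if [ -n "$ASN" ]; then
    # -w: whole-word match, so ASN 3215 does not also select a line for 13215.
    DNS_ISP_LIST=$(grep -w -- "$ASN" "$DNS_LIST" | cut -d' ' -f3-)
  else
    echo "WARNING: ASN lookup failed, set DNS_ISP_LIST by hand in $MENTIOCONF" >&2
  fi
  printf 'DNS_ISP_LIST=%q\n' "$DNS_ISP_LIST" >> "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  echo " CONFIGURATION FILE:"
  echo " please check and relaunch"
  echo "------------------------------------------------------------------"
  cat "$MENTIOCONF"
  echo "------------------------------------------------------------------"
  exit 1
fi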
113 16 sacha
##########################################################
114 1 sacha
115 16 sacha
116
##########################################################
117
### PARAMETERS to execute the script
118
# Mode Log export with socat "client" "server" "local"
119
120
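# $1 selects what this invocation does: "server" only collects results sent
# by clients; "client" checks DNS and sends findings; "local" checks only.
MODE=${1:-}

if [ "$MODE" = "server" ]; then
  # Receive-only TLS listener: clients must present a certificate matching
  # mentio_ssl-client.crt, and each connection's payload is appended to
  # MENTIO-DNS_DIFF. Certificate paths are anchored on $HOMEDIR, like the
  # client side, so the server no longer depends on the current directory.
  # Does not return unless socat exits.
  socat -v -u "openssl-listen:65522,fork,reuseaddr,cert=$HOMEDIR/mentio_ssl-server.pem,cafile=$HOMEDIR/mentio_ssl-client.crt" "OPEN:$HOMEDIR/MENTIO-DNS_DIFF,creat,append"
  exit 1
fi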
126
##########################################################
127
128
129
##########################################################
130
### Check if commandline parameters are less than 3
131
132 1 sacha
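if [ $# -lt 3 ]; then
  # Server mode has already exited above, so fewer than three arguments here
  # means a client/local run without its source file or tld. The usage text
  # goes to stderr so it never mixes with captured result output.
  {
    echo "=================================================================="
    echo "MENTIODNS"
    echo "------------------------------------------------------------------"
    echo "Missing Parameter, please enter:"
    echo
    echo "mentio-check client|server|local filename tld (count number)"
    echo
  } >&2
  exit 1
fi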
142 16 sacha
##########################################################
143 13 sacha
144 16 sacha
145
##########################################################
146
### Get parameters
147
148
# From config file
149 1 sacha
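# mentio.conf is executed as shell code here (it defines HOMEDIR, DNS_MY and
# DNS_ISP_LIST), so it should only be writable by the account running the
# checks.
source "$MENTIOCONF"

# From command line
# $2 DNS source file name
DNS_SOURCE=$2
# $3 TLD name (com, org...)
tld=$3
# $4 line counter into the source file; empty means resume from the per-file
# count file (or start at 0)
COUNT=${4:-}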
158
159 16 sacha
##########################################################
160 13 sacha
### SOCAT
161 29 sacha
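SERVER="SOMEIP:65522"
# Client side of the result channel. NOTE(review): verify=0 disables checking
# the server certificate against cafile, so the report stream is not protected
# against interception; socat may also require the certificate's CN to match
# $SERVER once verification is on -- confirm the server certificate, then drop
# verify=0.
SENDSOCAT="socat stdio openssl-connect:$SERVER,verify=0,cert=$HOMEDIR/mentio_ssl-client.pem,cafile=$HOMEDIR/mentio_ssl-server.crt"
##########################################################
### COLORS
RED='\e[31m'
GREEN='\e[32m'
YELLOW='\e[33m'
GRAY='\e[90m'
NC='\033[0m' # No Color
##########################################################
### Various variables
DNS_SOURCE_BASENAME=$(basename -- "$DNS_SOURCE")
DIFF_LOG="$HOMEDIR/DNS_DIFF"
BLACKLIST_LOG="$HOMEDIR/DNS_BLACKLISTED"
# Line count via awk's NR rather than wc -l: an unterminated last line is still
# a line for the awk that extracts entries in _check, so both must agree.
lines=$(awk 'END { print NR }' "$DNS_SOURCE")
countfile="$HOMEDIR/DNS_Count-$DNS_SOURCE_BASENAME"
##########################################################
### Dig parameters
DIG_FAST="+nodnssec +short +timeout=1 +tries=2"
DIG_SLOW="+nodnssec +short +timeout=5 +tries=3 "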
181 16 sacha
##########################################################
182 13 sacha
183 16 sacha
184
##########################################################
185
### Generate list for dig: round robin from dns list
186
### Like (@DNS-server domain) x parallel 
187 1 sacha
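#######################################
# Build the next batch of dig arguments from the source file.
# Globals:   count, parallel, DNS_SOURCE, tld, DNS_ISP_LIST (read);
#            url, ISP_DNS (written)
# Outputs:   url = " @<isp-dns> <name>.<tld>" repeated up to $parallel times,
#            one randomly chosen ISP resolver per entry, for lines
#            count .. count+parallel-1 of DNS_SOURCE
# Note:      awk's NR is 1-based while count starts at 0, so line "0" and any
#            line past the end of the file come back empty; those entries are
#            skipped instead of producing a bare ".<tld>" query.
#######################################
_check(){
  local i n name resolvers
  # Split the whitespace-separated resolver list once per batch (read returns
  # non-zero at end of input, which is expected here).
  read -r -d '' -a resolvers <<< "$DNS_ISP_LIST" || true
  url=""
  for (( i = 0; i < parallel; i++ )); do
    n=$(( count + i ))
    name=$(awk -v n="$n" 'NR == n { print; exit }' "$DNS_SOURCE")
    [ -n "$name" ] || continue
    if (( ${#resolvers[@]} > 0 )); then
      ISP_DNS=${resolvers[RANDOM % ${#resolvers[@]}]}
    else
      ISP_DNS=""
    fi
    url="$url @$ISP_DNS $name.$tld"
  done
}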
198 16 sacha
##########################################################
199 1 sacha
200
201 16 sacha
##########################################################
202
### Counter: create one if not existing, use existing instead
203 1 sacha
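# Counter: an explicit $4 wins and is persisted; otherwise resume from the
# per-file count file, creating it at 0 when absent.
if [ -z "$COUNT" ]; then
  if [ -f "$countfile" ]; then
    count=$(<"$countfile")
  else
    count=0
    echo "$count" > "$countfile"
  fi
else
  count=$COUNT
  echo "$count" > "$countfile"
fi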
213 4 sacha
##########################################################
214 16 sacha
215 4 sacha
216 16 sacha
##########################################################
217
### MAIN LOOP
218
219
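# Main loop: one dig per batch through the trusted resolver and one through
# ISP resolvers; only batches whose answers differ are re-checked name by
# name. count is the 0-based line index into DNS_SOURCE and is persisted
# before each batch so a run can be resumed.
# "<" rather than "!=": count advances by $parallel, so it only equals $lines
# when $lines is a multiple of $parallel -- with "!=" the loop never ended,
# and an unreadable source file (empty $lines) looped on empty queries.
while (( count < lines )); do
  echo "$count" > "$countfile"
  _check
  dateus=$(date +%Y%m%d-%H%M%S)
  site="$url"
  echo "-------------------------------------------------------------------------------"
  echo "#$count $dateus SITE:$site"
  # $DIG_SLOW and $site are deliberately unquoted: both are space-separated
  # argument lists for dig. Answers are sorted by octet and flattened to one
  # line so two resolvers' answers can be compared as strings.
  # NOTE(review): $site also carries the @<isp> tokens built by _check; which
  # @server dig honours when several are given should be confirmed.
  # shellcheck disable=SC2086
  if nomentio=$(dig @"$DNS_MY" $DIG_SLOW $site | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ') && [ -z "$nomentio" ]; then
    echo -e "$GRAY Unknown zone $site $NC"
  fi
  # Same batch, each name at the ISP resolver chosen for it by _check.
  # shellcheck disable=SC2086
  if mentio=$(dig $DIG_SLOW $site | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ') && [ -z "$mentio" ]; then
    echo -e "$GRAY Unknown zone $site $NC"
  fi

  if [ -n "$nomentio" ] && [ -n "$mentio" ]; then
    if [ "$nomentio" != "$mentio" ]; then
      # Batch answers differ: re-check each name alone. $site word-splits into
      # alternating "@server" and "name.tld" words; the "@server" words are
      # resolver tokens, not names, and would otherwise be queried as "." .
      # shellcheck disable=SC2086
      for i in $site; do
        case $i in @*) continue ;; esac
        # shellcheck disable=SC2086
        if nomentio1=$(dig $DIG_FAST @"$DNS_MY" "$i" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ') && [ -z "$nomentio1" ]; then
          echo -e "$GRAY Unknown zone $i $NC"
        fi
        # A fresh random ISP resolver for the single-name re-check.
        ISP_DNS=$(echo "$DNS_ISP_LIST" | xargs -n 1 | sort -R | head -n 1)
        # shellcheck disable=SC2086
        if mentio1=$(dig $DIG_FAST @"$ISP_DNS" "$i" | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | tr '\r\n' ' ') && [ -z "$mentio1" ]; then
          echo -e "$GRAY Unknown zone $i $NC"
        fi
        if [ "$nomentio1" != "$mentio1" ]; then
          # 90.85.* is the address the page's test section shows for a blocked
          # name; an ISP answer in that range is logged as a blocking hit.
          if [[ $mentio1 == 90.85.* ]]; then
            if [ "$MODE" = "client" ]; then
              # Same line as the local log; the colour reset that used to be
              # appended here was sent over the wire into MENTIO-DNS_DIFF.
              # shellcheck disable=SC2086
              echo "!!! $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
            fi
            echo -e "$RED !!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
            echo "!!! $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$BLACKLIST_LOG"
          else
            # Answers differ but not the blocking page: record as a plain diff.
            if [ "$MODE" = "client" ]; then
              # shellcheck disable=SC2086
              echo ">>> $dateus $(hostname) SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" | $SENDSOCAT
            fi
            echo -e "$YELLOW >>> SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1 $NC"
            echo ">>> $dateus SITE:$i ISPDNS:$ISP_DNS REAL:$nomentio1 MENTIO:$mentio1" >> "$DIFF_LOG"
          fi
        fi
      done
    else
      echo -e "$GREEN#$count  SITE:$site  $NC"
    fi
  fi

  count=$(( count + parallel ))
done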
267 14 sacha
##########################################################
268 28 sacha
269 17 sacha
270 14 sacha
271 7 sacha
272 2 sacha
</pre>
273 1 sacha
274 27 sacha
h3. mentio-DNS_ISP_LIST
275 1 sacha
276 27 sacha
<pre>
277
Bouygues 5410 194.158.122.10 194.158.122.15
278
Free 12322 212.27.40.240 212.27.40.241 212.27.40.244 212.27.40.245
279
Orange 3215 80.10.246.1 80.10.246.2 80.10.246.3 80.10.246.5 80.10.246.7 80.10.246.129 80.10.246.130 80.10.246.132 80.10.246.134 80.10.246.136 81.253.149.1 81.253.149.2 81.253.149.6 81.253.149.9 81.253.149.10
280
SFR 15557 109.0.66.10 109.0.66.20
281
</pre>
282 1 sacha
283 27 sacha
h3. mentio-monitor
284 1 sacha
285 27 sacha
<pre>
286
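# mentio-monitor: follow the server's MENTIO-DNS_DIFF and, every 300 s, report
# which client hosts reported in (field 3 of each line is the client's
# hostname, as written by mentio-check6's "!!!" and ">>>" messages). Hosts
# seen once are remembered in $hosts; a known host missing from the latest
# window is flagged.
hosts="mentio-HOSTS"
# Private temp file instead of a fixed, predictable name in /tmp; removed on exit.
hosts_tmp=$(mktemp) || exit 1
trap 'rm -f -- "$hosts_tmp"' EXIT
# Start from an empty roster each time the monitor starts.
rm -f -- "$hosts"
: > "$hosts"

GREEN='\e[32m'
RED='\e[31m'
NC='\033[0m' # No Color

while true; do
  # Collect the hostnames that reported during the next 300 s window.
  timeout 300 tail -n 0 -f MENTIO-DNS_DIFF | cut -d ' ' -f3 | sort -u > "$hosts_tmp"
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    # -F -x: literal whole-line match, so "dam" does not also match "damien".
    if ! grep -Fxq -- "$host" "$hosts"; then
      echo "ADD $host"
      echo "$host" >> "$hosts"
      sort -o "$hosts" "$hosts"
    fi
  done < "$hosts_tmp"

  dateus=$(date +%Y%m%d-%H%M%S)
  # Empty when every known host reported in this window.
  diffs=$(diff --side-by-side --suppress-common-lines "$hosts" "$hosts_tmp")
  echo "======================================================================"
  if [ -z "$diffs" ]; then
    echo -e "$GREEN $dateus - ALL HOSTS UP: $NC"
    echo -e "$GREEN $(xargs < "$hosts") $NC"
  else
    echo -e "$RED $dateus - MISSING HOST: $NC"
    echo -e "$RED $diffs $NC"
  fi
done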
320
</pre>
321 1 sacha
322 27 sacha
h2. Test (valide au 14/06/18)
323 1 sacha
324 27 sacha
 dig +short shahamat1.com
325
 90.85.16.52
326 1 sacha
327
h2. Vigies de la neutralité
328
329 18 sacha
https://ooni.torproject.org
330
https://respectmynet.eu
331
332
h2. Cadre légal
333
334
https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000801164&fastPos=2&fastReqId=606073666&categorieLien=cid&oldAction=rechTexte#LEGIARTI000029756525
335
le décret https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=LEGITEXT000030315036&dateTexte=20150305&categorieLien=cid#LEGITEXT000030315036
336
https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=FE6BFDED672BF1E2EFC5CA70705CF26E.tplgfr21s_3?cidTexte=JORFTEXT000030195477&dateTexte=20180619
337
338
h2. Unbound
339
340
<pre>
341
server:
342
 verbosity: 1
343
 interface: 127.0.0.1
344
 do-ip4: yes
345
 do-ip6: no
346
 do-udp: yes
347
 do-tcp: no
348
 access-control: 127.0.0.0/8 allow 
349
 access-control: 0.0.0.0/0 refuse
350 15 sacha
 logfile: /var/log/unbound
351
 hide-identity: yes
352
 hide-version: yes
353
 harden-glue: yes
354
 use-caps-for-id: yes
355
 do-not-query-localhost: yes
356
</pre>
357
358 30 sacha
h2. Lancement
359
360 31 sacha
 tmux new-session -s foo -d "bash mentio-check6 client domain_names.com_sortedac com" \; split-window -h "bash mentio-check6 client domain_names.com_sortedae com" \; split-window -v "bash mentio-check6 client domain_names.com_sortedam com"\; selectp -t 0 \; split-window -v "bash mentio-check6 client domain_names.com_sortedan com"
361 15 sacha
362
h2. Ansible divers
363
364
Copy file:
365
366
 ansible mentio -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
367
368
369
Copy file single host:
370
371
 ansible mentio --limit dam -m copy -a "src=mentio-check6 dest=~/MENTIODNS/"
372
373
ansible-playbook /etc/ansible/playbooks/mentio.yml 
374
375
376
<pre>
377
---
378
379
- hosts: mentio 
380
  sudo: no
381
  tasks:
382
    - name: copyfiles 
383
      copy:
384
        src: "{{ item.src }}"
385
        dest: "{{ item.dest }}"
386
      with_items:
387 1 sacha
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-check6',dest: '~/MENTIODNS/' }
388
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio-DNS_ISP_LIST',dest: '~/MENTIODNS/' }
389
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.crt',dest: '~/MENTIODNS/' }
390
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.key',dest: '~/MENTIODNS/' }
391
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-client.pem',dest: '~/MENTIODNS/' }
392
        - { src: '/home/sacha/0nmyway/00_Aquilenet/FFDN/mentiodns.fr/mentio_ssl-server.crt',dest: '~/MENTIODNS/' }
393
394
395
</pre>