blockcheck: use DoH resolvers if DNS spoof is detected

This commit is contained in:
bol-van 2024-10-26 17:45:50 +03:00
parent 6be62d775b
commit 552ddee0da
2 changed files with 48 additions and 4 deletions

View File

@ -53,6 +53,7 @@ NFT_TABLE=blockcheck
DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1} DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com} DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com}
DOH_SERVERS="https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query"
DNSCHECK_DIG1=/tmp/dig1.txt DNSCHECK_DIG1=/tmp/dig1.txt
DNSCHECK_DIG2=/tmp/dig2.txt DNSCHECK_DIG2=/tmp/dig2.txt
DNSCHECK_DIGS=/tmp/digs.txt DNSCHECK_DIGS=/tmp/digs.txt
@ -201,6 +202,35 @@ nft_has_nfq()
} }
return $res return $res
} }
doh_resolve()
{
# $1 - ip version 4/6
# $2 - hostname
# $3 - doh server URL. use $DOH_SERVER if empty
$MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
}
doh_find_working()
{
local doh
[ -n "$DOH_SERVER" ] && return 0
echo "* searching working DoH server"
DOH_SERVER=
for doh in $DOH_SERVERS; do
echo -n "$doh : "
if doh_resolve 4 iana.org $doh >/dev/null 2>/dev/null; then
echo OK
DOH_SERVER="$doh"
return 0
else
echo FAIL
fi
done
echo all DoH servers failed
return 1
}
mdig_vars() mdig_vars()
{ {
# $1 - ip version 4/6 # $1 - ip version 4/6
@ -219,7 +249,11 @@ mdig_cache()
mdig_vars "$@" mdig_vars "$@"
[ -n "$count" ] || { [ -n "$count" ] || {
# windows version of mdig outputs 0D0A line ending. remove 0D. # windows version of mdig outputs 0D0A line ending. remove 0D.
if [ "$SECURE_DNS" = 1 ]; then
ips="$(echo $2 | doh_resolve $1 $2 | tr -d '\r' | xargs)"
else
ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)" ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)"
fi
[ -n "$ips" ] || return 1 [ -n "$ips" ] || return 1
count=0 count=0
for ip in $ips; do for ip in $ips; do
@ -518,7 +552,7 @@ curl_supports_tls13()
[ $? = 2 ] && return 1 [ $? = 2 ] && return 1
# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support # curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
# this is online test because there's no other way to trigger library incompatibility case # this is online test because there's no other way to trigger library incompatibility case
$CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://w3.org 2>/dev/null $CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://iana.org 2>/dev/null
r=$? r=$?
[ $r != 4 -a $r != 35 ] [ $r != 4 -a $r != 35 ]
} }
@ -1677,7 +1711,7 @@ pingtest()
dnstest() dnstest()
{ {
# $1 - dns server. empty for system resolver # $1 - dns server. empty for system resolver
"$LOOKUP" w3.org $1 >/dev/null 2>/dev/null "$LOOKUP" iana.org $1 >/dev/null 2>/dev/null
} }
find_working_public_dns() find_working_public_dns()
{ {
@ -1726,6 +1760,10 @@ check_dns()
{ {
local C1 C2 dom local C1 C2 dom
DNS_IS_SPOOFED=0
[ "$SKIP_DNSCHECK" = 1 ] && return 0
echo \* checking DNS echo \* checking DNS
[ -f "$DNSCHECK_DIGS" ] && rm -f "$DNSCHECK_DIGS" [ -f "$DNSCHECK_DIGS" ] && rm -f "$DNSCHECK_DIGS"
@ -1748,6 +1786,8 @@ check_dns()
check_dns_cleanup check_dns_cleanup
echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!! echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
echo -- DNS CHANGE OR DNSCRYPT MAY BE REQUIRED echo -- DNS CHANGE OR DNSCRYPT MAY BE REQUIRED
DNS_IS_SPOOFED=1
USE_SECURE_DNS=${USE_SECURE_DNS:-1}
return 1 return 1
else else
echo $dom : OK echo $dom : OK
@ -1777,6 +1817,8 @@ check_dns()
echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!! echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
echo -- DNSCRYPT MAY BE REQUIRED echo -- DNSCRYPT MAY BE REQUIRED
check_dns_cleanup check_dns_cleanup
DNS_IS_SPOOFED=1
USE_SECURE_DNS=${USE_SECURE_DNS:-1}
return 1 return 1
} }
echo all resolved IPs are unique echo all resolved IPs are unique
@ -1825,7 +1867,8 @@ check_already
[ "$UNAME" = CYGWIN ] || require_root [ "$UNAME" = CYGWIN ] || require_root
check_prerequisites check_prerequisites
trap sigint_cleanup INT trap sigint_cleanup INT
[ "$SKIP_DNSCHECK" = 1 ] || check_dns check_dns
[ "$SECURE_DNS" = 1 ] && doh_find_working
check_virt check_virt
ask_params ask_params
trap - INT trap - INT

View File

@ -345,3 +345,4 @@ init.d: openwrt-minimal : tpws launch for low storage openwrt devices
v67: v67:
mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH) mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH)
blockcheck: use DoH resolvers if DNS spoof is detected