#!/usr/bin/env bash
##############################################################################
#
# dnssecwithtor
# -------------------
# Configures Unbound, socat, and Tor, for resolving, validating, and caching
# DNS requests through the Tor network.
#
# see https://labs.nic.cz/page/993/dnssec-validation-over-tor--linux-/
#
# @author Isis Agora Lovecruft, 0x2cdb8b35
# @date 25 August 2012
# @version 0.0.1
#
##############################################################################
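# Port Tor's SOCKS listener is expected on; edit this if your torrc differs.
TOR_SOCKS_PORT="9050"
# Absolute paths of the external tools this script drives. `command -v` is
# the portable replacement for `which`; each variable is empty when the tool
# is not installed, which check_deps reports.
PATH_UNBOUND=$(command -v unbound)
PATH_SOCAT=$(command -v socat)
PATH_TOR=$(command -v tor)
PATH_DIG=$(command -v dig)
# Public recursive, validating resolvers used for the sanity checks
# (DNS-OARC and CZ.NIC); the socat tunnel forwards to the first of them.
OARC_RES="149.20.64.20"
CZ_NIC_RES="217.31.204.130"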
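#######################################
# Verify that every external tool the script drives is installed.
# Globals:   PATH_UNBOUND, PATH_SOCAT, PATH_TOR, PATH_DIG (read);
#            FAILZ (written: space-separated list of missing packages)
# Outputs:   an install hint on stderr when something is missing
# Returns:   0 when all tools are present; exits 1 otherwise
#######################################
check_deps() {
  FAILZ=""
  ## XXX TODO offer to get dependencies for user
  # The expansions must be quoted: with an empty PATH_* the original
  # `test -x $PATH_X` collapsed to `test -x`, which is true, so a missing
  # tool was never reported.
  [[ -x "$PATH_UNBOUND" ]] || FAILZ+="unbound "
  [[ -x "$PATH_SOCAT" ]] || FAILZ+="socat "
  [[ -x "$PATH_TOR" ]] || FAILZ+="tor "
  # Package name is distribution-specific (dnsutils on Debian-derived
  # systems); the hint is only a hint.
  [[ -x "$PATH_DIG" ]] || FAILZ+="bind-utils "
  if [[ -n "$FAILZ" ]]; then
    printf 'do "apt-get install %s"\n' "${FAILZ% }" >&2
    exit 1
  fi
}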
#######################################
# Print an ASCII sketch of the resolution path the script sets up:
# unbound -> socat -> Tor SOCKS proxy -> circuit -> recursive resolver,
# and the validated answer back into unbound's cache.
# Globals:   TOR_SOCKS_PORT (read)
# Outputs:   the sketch on stdout
#######################################
explain_all_of_the_things() {
  # Unquoted delimiter so $TOR_SOCKS_PORT expands; "\\" collapses to one
  # backslash, exactly as it did inside the double-quoted echo strings.
  cat <<EOF
DNS resolution will follow this chain:

QUERY
 \\-> localhost:53 
 \\-> unbound -> 0.0.0.0:5353 -> 127.0.0.1:5353 
 / 
 socat <--------------------------- 
 \\-> local SOCKS4a proxy -> 127.0.0.1:$TOR_SOCKS_PORT 
 / 
 tor <----------------------------------------- 
 \\ 
 \\-> guard 
 \\-> middle 
 \\-> exit -> ?.?.?.?:53 <--> recursive DNS resolve
 / 
 exit <-------- 
 middle <-/ 
 guard <-/ 
 tor <-/ 
 \\ 
 \\-> local SOCKS4a proxy 
 \\-> socat 
 \\-> unbound 
 \\-> validation -> local DNS cache 
 / 
RESPONSE <------------------------------------- 

Totally not confusing at all, right?


EOF
}
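#######################################
# Confirm that both public validating resolvers answer a DNSSEC query over
# TCP (Tor only carries TCP), so a later failure can be blamed on the local
# unbound/socat/Tor chain rather than on the upstream resolvers.
# Globals:   OARC_RES, CZ_NIC_RES (read)
# Outputs:   the dig status lines and a verdict per resolver on stdout
# Returns:   0 when both answer NOERROR; exits 1 on the first that does not
#######################################
check_dns() {
  _probe_resolver "OARC" "$OARC_RES"
  # The original queried $OARC_RES a second time here while reporting the
  # result as $CZ_NIC_RES; the CZ.NIC resolver was never actually tested.
  _probe_resolver "labs.nic.cz" "$CZ_NIC_RES"
}

#######################################
# Send one DNSSEC query over TCP to a resolver and require NOERROR.
# Arguments: $1 - human-readable name of the resolver
#            $2 - its IP address
# Returns:   0 on NOERROR; exits 1 otherwise
#######################################
_probe_resolver() {
  local name=$1 addr=$2 answer
  local msg="Testing DNS resolution over TCP to recursive validating resolver"
  echo "$msg $name at $addr ... "; echo
  # Keep only the header status line and its neighbours for display.
  answer=$(dig +tcp +dnssec labs.nic.cz @"$addr" | grep -C 1 ';; flags')
  echo "$answer"; echo
  if grep -q "NOERROR" <<<"$answer"; then
    echo "The resolver at $addr is working correctly."
  else
    echo "The resolver at $addr either could not be reached or something else went wrong!"
    echo "Please debug your unbound installation and network settings."
    echo "Exiting ..."
    exit 1
  fi
}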
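#######################################
# Make sure a Tor daemon is running; start it via the init script if not.
# Outputs:   progress messages on stdout
# Returns:   0 when Tor is (now) running; exits 1 if it cannot be started
#######################################
check_tor() {
  echo "Checking that Tor is currently running ... "
  # -x matches the process name exactly. A bare `pgrep tor` also matches
  # unrelated names such as "monitor" and would report Tor as running.
  if pgrep -x tor >/dev/null; then
    echo "Tor process found ..."
    echo "Tor is currently running ..."
  else
    echo "Process for Tor not found ..."
    echo "Tor is not currently running ..."
    echo "Starting Tor ..."
    if [[ -x /etc/init.d/tor ]]; then
      if ! sudo /etc/init.d/tor start; then
        echo "Could not start Tor ..." >&2
        echo "Exiting ..."
        exit 1
      fi
    else
      echo "Could not find init script for Tor ..."
      echo "Exiting ..."
      exit 1
    fi
  fi
}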
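#######################################
# Start the socat listener that turns local TCP/5353 into SOCKS4a requests
# through Tor to the OARC resolver, unless one is already running.
# Globals:   OARC_RES, TOR_SOCKS_PORT (read)
# Outputs:   a progress message on stdout when the tunnel is started
# Returns:   0
#######################################
check_socat() {
  # The original test `[ "$(pidof socat && echo $?)" != 0 ]` compared
  # "<pid>\n0" (or "") against 0 and so was true in both cases: a second
  # listener was started on every run.
  if pgrep -x socat >/dev/null; then
    return 0
  fi
  echo "Starting socat tunnel ..."
  # coproc keeps the listener attached to this shell; nothing in the main
  # flow stops it, so it outlives the script (see kill_socat).
  coproc socat "TCP4-LISTEN:5353,bind=localhost,reuseaddr,fork" \
    "SOCKS4A:localhost:${OARC_RES:-149.20.64.20}:53,socksport=${TOR_SOCKS_PORT}"
}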
#######################################
# Terminate every running socat process (the tunnel started by check_socat).
# Not called by the main flow, so the tunnel normally outlives the script.
# Returns:   0 when no socat is running; otherwise the status of kill
#######################################
kill_socat() {
  local pids
  pids=$(pidof socat 2>/dev/null) || return 0
  # shellcheck disable=SC2086 -- pidof yields a space-separated pid list
  kill $pids
}
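#######################################
# Send one DNSSEC query through the socat listener on port 5353 and require a
# NOERROR answer, i.e. socat reached Tor and Tor reached the resolver.
# Globals:   TOR_SOCKS_PORT (read, for the hint on failure)
# Outputs:   the dig output on success, troubleshooting hints on failure
# Returns:   0 on success; exits 1 on failure (the original printed
#            "Exiting ..." but carried on into the config rewrite)
#######################################
check_socat_conn_tor() {
  local answer
  echo "Testing that the socat tunnel is connecting to Tor ..."
  answer=$(dig -p 5353 +tcp +dnssec labs.nic.cz @localhost)
  if grep -q "NOERROR" <<<"$answer"; then
    echo "Socat tunnel is connected to Tor, and a DNS request was completed:"
    echo "$answer"
    echo ""
  else
    echo "Socat was unable to talk to Tor ..."
    echo "We currently believe that your SOCKS port is $TOR_SOCKS_PORT."
    echo "Please check your torrc to make sure this is correct, if your"
    echo "torrc says otherwise, then edit the top line of this script "
    echo "to match your torrc."
    echo ""
    echo "Exiting ..."
    exit 1
  fi
}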
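#######################################
# Make sure an unbound daemon is running; start it via the init script if not.
# Outputs:   progress messages on stdout
# Returns:   0 when unbound is (now) running; exits 1 if it cannot be started
#######################################
check_unbound() {
  echo "Checking that unbound is currently running ... "
  # -x matches the process name exactly rather than any name containing
  # "unbound" (e.g. unbound-anchor, unbound-control).
  if pgrep -x unbound >/dev/null; then
    echo "Unbound process found ..."
    echo "Unbound is currently running ..."
  else
    echo "Process for unbound not found ..."
    echo "Unbound is not currently running ..."
    echo "Starting unbound ..."
    if [[ -x /etc/init.d/unbound ]]; then
      if ! sudo /etc/init.d/unbound start; then
        echo "Could not start unbound ..." >&2
        echo "Exiting ..."
        exit 1
      fi
    else
      echo "Could not find init script for unbound ..."
      echo "Exiting ..."
      exit 1
    fi
  fi
}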
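#######################################
# Resolve labs.nic.cz (a DNSSEC-signed name) through the local unbound and
# check (1) that the answer is NOERROR and (2) that unbound set the AD
# ("authenticated data") header flag, which it only does when validation
# against its configured trust anchor succeeded. If unbound cannot resolve at
# all, ask on stdin whether to continue with a fresh config.
# Outputs:   verdicts and hints on stdout
# Returns:   0; exits 0 when the user declines to continue
#######################################
check_dnssec() {
  local answer yn
  echo "Testing DNS resolution of a DNSSEC query through unbound instance ..."
  answer=$(dig +dnssec labs.nic.cz @localhost)
  if ! grep -q "NOERROR" <<<"$answer"; then
    echo "Unbound appears to not be working ..."
    echo "Although, we are about to backup the current config for unbound"
    echo "and continue with a new config...should we continue doing so?"
    select yn in "yes" "no"; do
      case "$yn" in
        yes)
          break
          ;;
        no)
          echo "Exiting ..."
          exit 0
          ;;
        *)
          # Invalid selection: re-prompt instead of aborting as before.
          echo "Please answer 1 (yes) or 2 (no)."
          ;;
      esac
    done
    return 0
  fi
  echo "Unbound resolved the query correctly ..."
  echo "Checking that DNSSEC answer was validated according to root anchor ..."
  # Inspect the header flags line only. The original flattened the whole dig
  # output onto one line and grepped for "flags.*ad", which also matches "ad"
  # inside RRSIG base64 data and so could report validation that never
  # happened.
  if grep -qE '^;; flags:.* ad[ ;]' <<<"$answer"; then
    echo "DNSSEC flags present in query results ..."
    echo "DNSSEC validation check passed ..."
  else
    echo "DNSSEC flag was missing from query results!"
    echo "Maybe you haven't yet configured the root anchor?"
    echo "See http://unbound.net/documentation/howto_anchor.html"
  fi
}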
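#######################################
# Copy the current /etc/unbound/unbound.conf to unbound.conf.orig.bak before
# make_unbound_conf overwrites it.
# Globals:   MAYBECONF, MAYBEBACK (written); DINOCONF (written, read by
#            make_unbound_conf)
# Outputs:   progress messages on stdout
# Returns:   0; exits 1 if the backup copy fails, since overwriting the only
#            copy of the old config is worse than stopping here
#######################################
backup_unbound_conf() {
  # The original located the file with `locate -l 1 unbound.conf` and then
  # only acted when the result was exactly this path, so testing the path
  # directly is equivalent and does not depend on a fresh locate database.
  MAYBECONF="/etc/unbound/unbound.conf"
  MAYBEBACK="$MAYBECONF.orig.bak"
  DINOCONF="/etc/unbound/unbound.dinosaur"
  # -f, not -x: a config file is not executable, so the original `test -x`
  # never matched and no backup was ever made.
  if [[ -f "$MAYBECONF" ]]; then
    echo "Backing up $MAYBECONF to $MAYBEBACK ..."
    if ! sudo cp -- "$MAYBECONF" "$MAYBEBACK"; then
      echo "Backup of $MAYBECONF failed; leaving the config untouched ..." >&2
      exit 1
    fi
  else
    echo "Couldn't find /etc/unbound/unbound.conf ..."
    echo "Hum. Do you have some strange configuration settings for unbound?"
    echo "We weren't able to backup /etc/unbound/unbound.conf, so we're"
    echo "going to go ahead and create the new config in its place ..."
  fi
}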
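#######################################
# Write the generated unbound.conf to $DINOCONF and install a copy as
# /etc/unbound/unbound.conf. Content goes through `sudo tee` instead of
# `chmod a+rw` + `cat >`, so the resolver config is never world-writable,
# not even for the moment between the two chmods the original used.
# Globals:   DINOCONF (read; defaults to /etc/unbound/unbound.dinosaur when
#            backup_unbound_conf has not run)
# Outputs:   progress messages on stdout
# Returns:   0; exits 1 if the file cannot be written or installed
#######################################
make_unbound_conf() {
  local conf=${DINOCONF:-/etc/unbound/unbound.dinosaur}
  echo "Creating new unbound.conf file ..."
  # Quoted delimiter: nothing in the config is meant to be expanded.
  if ! sudo tee "$conf" >/dev/null <<'EOF'
## generated by DiNoSaur script
server:
  interface: 127.0.0.1
  port: 53
  hide-identity: yes
  hide-version: yes
  harden-glue: yes
  ## because Tor only speaks TCP
  tcp-upstream: yes
  ## unbound refuses to query 127.0.0.0/8 by default; the socat tunnel
  ## listens on localhost:5353, so allow it explicitly instead of relying
  ## on 0.0.0.0 being routed to loopback
  do-not-query-localhost: no
forward-zone:
  ## forward every query to our socat tunnel to Tor
  name: "."
  forward-addr: 127.0.0.1@5353
EOF
  then
    echo "Could not write $conf ..." >&2
    exit 1
  fi
  sudo chmod a-w -- "$conf"
  if ! sudo cp -- "$conf" /etc/unbound/unbound.conf; then
    echo "Could not install $conf as /etc/unbound/unbound.conf ..." >&2
    exit 1
  fi
}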
# Entry point. With no arguments: run every check in order, rewrite the
# unbound config, restart unbound and re-run the DNSSEC check. With any
# argument: just print the banner.
# NOTE(review): the exit status of the unbound restart is not checked, and
# the socat coproc started by check_socat is never stopped (kill_socat is
# not called), so it is left running when the script ends.
if [[ "$#" == "0" ]] ; then
check_deps
check_dns
explain_all_of_the_things
check_tor
check_socat
check_socat_conn_tor
check_unbound
check_dnssec
backup_unbound_conf
make_unbound_conf
echo "Restarting unbound ..."
sudo /etc/init.d/unbound restart
echo "Checking DNSSEC query resolution through unbound -> socat -> Tor ..."
check_dnssec
else
## it wouldn't be a script without it...
# Quoted delimiter: the banner is printed literally, no expansion.
cat <<"EOF"
____________________________________
| DiNoSaur! Recursive, validating, |
| caching, DNSSEC-enabled resolution |
| through Unbound, socat, and Tor\! |
------------------------------------
\ . .
\ / `. .' "
\ .---. < > < > .---.
\ | \ \ - ~ ~ - / / |
_____ ..-~ ~-..-~
| (A)| \~~~\.' `./~~~/
--------- \__/ \__/
.' O \ / / \ "
(_____, `._.' | } \/~~~/
`----. / } | / \__/
`-. | / | / `. ,~~|
~-.__| /_ - ~ ^| /- _ `..-'
| / | / ~-. `-. _ _ _
|_____| |_____| ~ - . _ _ _ _ _>
EOF
fi