blockcheck: use DoH resolvers if DNS spoof is detected

blockcheck.sh

@@ -53,6 +53,7 @@ NFT_TABLE=blockcheck
 
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
 DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com}
+DOH_SERVERS="https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query"
 DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
 DNSCHECK_DIGS=/tmp/digs.txt
@@ -201,6 +202,35 @@ nft_has_nfq()
 	}
 	return $res
 }
+
+doh_resolve()
+{
+	# $1 - ip version 4/6
+	# $2 - hostname
+	# $3 - doh server URL. use $DOH_SERVER if empty
+	$MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+}
+doh_find_working()
+{
+	local doh
+
+	[ -n "$DOH_SERVER" ] && return 0
+	echo "* searching working DoH server"
+	DOH_SERVER=
+	for doh in $DOH_SERVERS; do
+		echo -n "$doh : "
+		if doh_resolve 4 iana.org $doh >/dev/null 2>/dev/null; then
+			echo OK
+			DOH_SERVER="$doh"
+			return 0
+		else
+			echo FAIL
+		fi
+	done
+	echo all DoH servers failed
+	return 1
+}
+
 mdig_vars()
 {
 	# $1 - ip version 4/6
@@ -219,7 +249,11 @@ mdig_cache()
 	mdig_vars "$@"
 	[ -n "$count" ] || {
 		# windows version of mdig outputs 0D0A line ending. remove 0D.
+		if [ "$SECURE_DNS" = 1 ]; then
+			ips="$(echo $2 | doh_resolve $1 $2 | tr -d '\r' | xargs)"
+		else
 			ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)"
+		fi
 		[ -n "$ips" ] || return 1
 		count=0
 		for ip in $ips; do
@@ -518,7 +552,7 @@ curl_supports_tls13()
 	[ $? = 2 ] && return 1
 	# curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
 	# this is online test because there's no other way to trigger library incompatibility case
-	$CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://w3.org 2>/dev/null
+	$CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://iana.org 2>/dev/null
 	r=$?
 	[ $r != 4 -a $r != 35 ]
 }
@@ -1677,7 +1711,7 @@ pingtest()
 dnstest()
 {
 	# $1 - dns server. empty for system resolver
-	"$LOOKUP" w3.org $1 >/dev/null 2>/dev/null
+	"$LOOKUP" iana.org $1 >/dev/null 2>/dev/null
 }
 find_working_public_dns()
 {
@@ -1726,6 +1760,10 @@ check_dns()
 {
 	local C1 C2 dom
 
+	DNS_IS_SPOOFED=0
+
+	[ "$SKIP_DNSCHECK" = 1 ] && return 0
+
 	echo \* checking DNS
 
 	[ -f "$DNSCHECK_DIGS" ] && rm -f "$DNSCHECK_DIGS"
@@ -1748,6 +1786,8 @@ check_dns()
 				check_dns_cleanup
 				echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
 				echo -- DNS CHANGE OR DNSCRYPT MAY BE REQUIRED
+				DNS_IS_SPOOFED=1
+				USE_SECURE_DNS=${USE_SECURE_DNS:-1}
 				return 1
 			else
 				echo $dom : OK
@@ -1777,6 +1817,8 @@ check_dns()
 		echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
 		echo -- DNSCRYPT MAY BE REQUIRED
 		check_dns_cleanup
+		DNS_IS_SPOOFED=1
+		USE_SECURE_DNS=${USE_SECURE_DNS:-1}
 		return 1
 	}
 	echo all resolved IPs are unique
@@ -1825,7 +1867,8 @@ check_already
 [ "$UNAME" = CYGWIN ] || require_root
 check_prerequisites
 trap sigint_cleanup INT
-[ "$SKIP_DNSCHECK" = 1 ] || check_dns
+check_dns
+[ "$SECURE_DNS" = 1 ] && doh_find_working
 check_virt
 ask_params
 trap - INT

docs/changes.txt

@@ -345,3 +345,4 @@ init.d: openwrt-minimal : tpws launch for low storage openwrt devices
 v67:
 
 mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH)
+blockcheck: use DoH resolvers if DNS spoof is detected