From 954ddb511824a2ded5cfd64ebfbefae76d9b00f2 Mon Sep 17 00:00:00 2001
From: bol-van
Date: Sat, 26 Oct 2024 17:45:50 +0300
Subject: [PATCH] blockcheck: use DoH resolvers if DNS spoof is detected
---
 blockcheck.sh | 51 ++++++++++++++++++++++++++++++++++++++++++++----
 docs/changes.txt | 1 +
 2 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/blockcheck.sh b/blockcheck.sh
index a79844a..5820114 100755
--- a/blockcheck.sh
+++ b/blockcheck.sh
@@ -53,6 +53,7 @@ NFT_TABLE=blockcheck
 DNSCHECK_DNS=${DNSCHECK_DNS:-8.8.8.8 1.1.1.1 77.88.8.1}
 DNSCHECK_DOM=${DNSCHECK_DOM:-pornhub.com ntc.party rutracker.org www.torproject.org bbc.com}
+DOH_SERVERS="https://cloudflare-dns.com/dns-query https://dns.google/dns-query https://dns.quad9.net/dns-query https://dns.adguard.com/dns-query https://common.dot.dns.yandex.net/dns-query"
 DNSCHECK_DIG1=/tmp/dig1.txt
 DNSCHECK_DIG2=/tmp/dig2.txt
 DNSCHECK_DIGS=/tmp/digs.txt
@@ -201,6 +202,35 @@ nft_has_nfq()
 }
 return $res
 }
+
+doh_resolve()
+{
+ # $1 - ip version 4/6
+ # $2 - hostname
+ # $3 - doh server URL. use $DOH_SERVER if empty
+ $MDIG --family=$1 --dns-make-query=$2 | curl -s --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}" | $MDIG --dns-parse-query
+}
+doh_find_working()
+{
+ local doh
+
+ [ -n "$DOH_SERVER" ] && return 0
+ echo "* searching working DoH server"
+ DOH_SERVER=
+ for doh in $DOH_SERVERS; do
+ echo -n "$doh : "
+ if doh_resolve 4 iana.org $doh >/dev/null 2>/dev/null; then
+ echo OK
+ DOH_SERVER="$doh"
+ return 0
+ else
+ echo FAIL
+ fi
+ done
+ echo all DoH servers failed
+ return 1
+}
+
 mdig_vars()
 {
 # $1 - ip version 4/6
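Review bot: doh_resolve posts the query with a bare `curl -s` that has no timeout and no `-f`, while the rest of the file runs `$CURL --max-time $CURL_MAX_TIME` (visible in the curl_supports_tls13 hunk); an endpoint that hangs stalls doh_find_working on each entry of DOH_SERVERS with no bound, and one that answers with an HTTP error page hands that body to `$MDIG --dns-parse-query`. Suggest `$CURL -sf --max-time "$CURL_MAX_TIME" --data-binary @- -H "Content-Type: application/dns-message" "${3:-$DOH_SERVER}"`. The function's exit status is that of the trailing `$MDIG`, so a failed upload is only noticed if mdig rejects the resulting input; a comment saying so, or an emptiness check on the output as mdig_cache already does, is the real check. The DoH hostnames are themselves resolved through the system resolver that check_dns just flagged, so curl's default certificate verification is the property that makes a hijacked endpoint show up as FAIL rather than as a trusted answer — it should not be weakened with `-k` in this call.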
@@ -219,7 +249,11 @@ mdig_cache()
 mdig_vars "$@"
 [ -n "$count" ] || {
 # windows version of mdig outputs 0D0A line ending. remove 0D.
- ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)"
+ if [ "$SECURE_DNS" = 1 ]; then
+ ips="$(echo $2 | doh_resolve $1 $2 | tr -d '\r' | xargs)"
+ else
+ ips="$(echo $2 | "$MDIG" --family=$1 | tr -d '\r' | xargs)"
+ fi
 [ -n "$ips" ] || return 1
 count=0
 for ip in $ips; do
@@ -518,7 +552,7 @@ curl_supports_tls13()
 [ $? = 2 ] && return 1
 # curl can have tlsv1.3 key present but ssl library without TLS 1.3 support
 # this is online test because there's no other way to trigger library incompatibility case
- $CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://w3.org 2>/dev/null
+ $CURL --tlsv1.3 --max-time $CURL_MAX_TIME -Is -o /dev/null https://iana.org 2>/dev/null
 r=$?
 [ $r != 4 -a $r != 35 ]
 }
@@ -1677,7 +1711,7 @@ pingtest()
 dnstest()
 {
 # $1 - dns server. empty for system resolver
- "$LOOKUP" w3.org $1 >/dev/null 2>/dev/null
+ "$LOOKUP" iana.org $1 >/dev/null 2>/dev/null
 }
 find_working_public_dns()
 {
@@ -1726,6 +1760,10 @@ check_dns()
 {
 local C1 C2 dom
+ DNS_IS_SPOOFED=0
+
+ [ "$SKIP_DNSCHECK" = 1 ] && return 0
+
 echo \* checking DNS
 [ -f "$DNSCHECK_DIGS" ] && rm -f "$DNSCHECK_DIGS"
@@ -1748,6 +1786,8 @@ check_dns()
 check_dns_cleanup
 echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
 echo -- DNS CHANGE OR DNSCRYPT MAY BE REQUIRED
+ DNS_IS_SPOOFED=1
+ USE_SECURE_DNS=${USE_SECURE_DNS:-1}
 return 1
 else
 echo $dom : OK
@@ -1777,6 +1817,8 @@ check_dns()
 echo -- POSSIBLE DNS HIJACK DETECTED. ZAPRET WILL NOT HELP YOU IN CASE DNS IS SPOOFED !!!
 echo -- DNSCRYPT MAY BE REQUIRED
 check_dns_cleanup
+ DNS_IS_SPOOFED=1
+ USE_SECURE_DNS=${USE_SECURE_DNS:-1}
 return 1
 }
 echo all resolved IPs are unique
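Review bot: The DoH branch of mdig_cache keeps the `echo $2 |` prefix in front of `doh_resolve $1 $2`, but doh_resolve receives the hostname as `--dns-make-query=$2`, so the piped copy appears to be a leftover from the plain-mdig line below it; `ips="$(doh_resolve $1 $2 | tr -d '\r' | xargs)"` reads as intended. This branch, like the `doh_find_working` call in the main-flow hunk, is gated on `SECURE_DNS`, whereas both check_dns hunks that react to a detected spoof assign `USE_SECURE_DNS=${USE_SECURE_DNS:-1}`; unless SECURE_DNS is derived from USE_SECURE_DNS somewhere outside these hunks, a detected spoof never actually switches resolution to DoH, so the relation between the two names deserves a comment at the assignment. mdig_cache begins before this hunk.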
@@ -1825,7 +1867,8 @@ check_already
 [ "$UNAME" = CYGWIN ] || require_root
 check_prerequisites
 trap sigint_cleanup INT
-[ "$SKIP_DNSCHECK" = 1 ] || check_dns
+check_dns
+[ "$SECURE_DNS" = 1 ] && doh_find_working
 check_virt
 ask_params
 trap - INT
diff --git a/docs/changes.txt b/docs/changes.txt
index 17815f2..39949eb 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -345,3 +345,4 @@ init.d: openwrt-minimal : tpws launch for low storage openwrt devices
 v67:
 mdig: --dns-make-query, --dns-parse-query for side-channel resolving (DoH)
+blockcheck: use DoH resolvers if DNS spoof is detected
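Review bot: `[ "$SECURE_DNS" = 1 ] && doh_find_working` drops the function's return status, so when every entry of DOH_SERVERS fails the script prints `all DoH servers failed` and carries on with SECURE_DNS=1 and DOH_SERVER still empty, after which each mdig_cache lookup posts to an empty URL and fails at its `[ -n "$ips" ]` check. The fallback should be decided here, for example `[ "$SECURE_DNS" = 1 ] && { doh_find_working || { echo -- no DoH server reachable, using system resolver; SECURE_DNS=0; }; }` if continuing on the flagged resolver is acceptable, or an abort if the spoof warning is meant to be binding. doh_find_working is also invoked before ask_params, so SECURE_DNS has to come from the environment or from check_dns by this point — worth confirming, since check_dns in this patch only assigns USE_SECURE_DNS.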