Commit 2a7d198a authored by Robert Edmonds's avatar Robert Edmonds

New upstream version 0.5.4

parents
Copyright 2012-2014 Sandia Corporation. Under the terms of Contract
DE-AC04-94AL85000 with Sandia Corporation, the U.S. Government retains certain
rights in this software.
Copyright 2014-2016 VeriSign, Inc.
DNSViz is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
DNSViz is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with DNSViz. If not, see <http://www.gnu.org/licenses/>.
This diff is collapsed.
This diff is collapsed.
# ![DNSViz](doc/images/logo-220x100.png)
## Description
DNSViz is a tool suite for analysis and visualization of Domain Name System
(DNS) behavior, including its security extensions (DNSSEC). This tool suite
powers the Web-based analysis available at http://dnsviz.net/
## Installation
### Dependencies
* python (2.7.x) - http://www.python.org/
python 2.7.x is required.
* dnspython (1.11.0 or later) - http://www.dnspython.org/
dnspython is required. Version 1.10.0 is sufficient if you're not issuing
TLSA queries, but more generally version 1.11.0 or greater is required.
* pygraphviz (1.1 or later) - http://pygraphviz.github.io/
pygraphviz is required for most functionality. `dnsviz probe` and `dnsviz grok`
(without the -t option) can be used without pygraphviz installed. Version 1.1
or greater is required because of the support for unicode names and HTML-like
labels, both of which are utilized in the visual output.
* M2Crypto (0.24.0 or later) - https://gitlab.com/m2crypto/m2crypto
M2Crypto is required if cryptographic validation of signatures and digests is
desired (and thus is highly recommended). The current code will display
warnings if the cryptographic elements cannot be verified.
Note that M2Crypto version 0.21.1 or later can be used to validate some
DNSSEC algorithms, but support for the following DNSSEC algorithms is not
available in releases of M2Crypto prior to 0.24.0 without a patch:
3 (DSA-SHA1), 6 (DSA-NSEC3-SHA1), 12 (GOST R 34.10-2001),
13 (ECDSA Curve P-256 with SHA-256), 14 (ECDSA Curve P-384 with SHA-384).
There are two patches included in the `contrib` directory that can be
applied to pre-0.24.0 versions to get this functionality:
`contrib/m2crypto-pre0.23.patch` or `contrib/m2crypto-0.23.patch`. For
example:
```
$ patch -p1 < /path/to/dnsviz-source/contrib/m2crypto-pre0.23.patch
```
### Build and Install
A typical build and install is performed with the following commands:
```
$ python setup.py build
$ sudo python setup.py install
```
To see all installation options, run the following:
```
$ python setup.py --help
```
## Usage
DNSViz is invoked using the `dnsviz` command-line utility. `dnsviz` itself
uses several subcommands: `probe`, `grok`, `graph`, `print`, and `query`. See
the man pages associated with each subcommand, in the form of
"dnsviz-<subcommand> (1)" (e.g., "man dnsviz-probe") for more detailed
documentation and usage.
### dnsviz probe
`dnsviz probe` takes one or more domain names as input and performs a series of
queries to either recursive (default) or authoritative DNS servers, the results
of which are serialized into JSON format.
#### Examples
Analyze the domain name example.com using your configured DNS resolvers (i.e.,
in /etc/resolv.conf) and store the queries and responses in the file named
"example.com.json":
```
$ dnsviz probe example.com > example.com.json
```
Same thing:
```
$ dnsviz probe -o example.com.json example.com
```
Analyze the domain name example.com by querying its authoritative servers
directly:
```
$ dnsviz probe -A -o example.com.json example.com
```
Analyze the domain name example.com by querying explicitly-defined
authoritative servers, rather than learning the servers through referrals from
the IANA root servers:
```
$ dnsviz probe -A \
-x example.com:a.iana-servers.org=199.43.132.53,a.iana-servers.org=2001:500:8c::53 \
-x example.com:b.iana-servers.org=199.43.133.53,b.iana-servers.org=2001:500:8d::53 \
-o example.com.json example.com
```
Same, but have `dnsviz probe` resolve the names:
```
$ dnsviz probe -A \
-x example.com:a.iana-servers.org,b.iana-servers.org \
-o example.com.json example.com
```
Analyze the domain name example.com and its entire ancestry by querying
authoritative servers and following delegations, starting at the root:
```
$ dnsviz probe -A -a . -o example.com.json example.com
```
Analyze multiple names in parallel (four threads) using explicit recursive
resolvers (replace *192.0.1.2* and *2001:db8::1* with legitimate resolver
addresses):
```
$ dnsviz probe -s 192.0.2.1,2001:db8::1 -t 4 -o multiple.json \
example.com sandia.gov verisignlabs.com dnsviz.net
```
### dnsviz grok
`dnsviz grok` takes serialized query results in JSON format (i.e., output from
`dnsviz probe`) as input and assesses specified domain names based on their
corresponding content in the input. The output is also serialized into JSON
format.
#### Examples
Process the query/response output produced by `dnsviz probe`, and store the
serialized results in a file named "example.com-chk.json":
```
$ dnsviz grok < example.com.json > example.com-chk.json
```
Same thing:
```
$ dnsviz grok -r example.com.json -o example.com-chk.json example.com
```
Same thing, but with "pretty", formatted JSON:
```
$ dnsviz grok -p -r example.com.json -o example.com-chk.json
```
Show only info-level information: descriptions, statuses, warnings, and errors:
```
$ dnsviz grok -p -l info -r example.com.json -o example.com-chk.json
```
Show descriptions only if there are related warnings or errors:
```
$ dnsviz grok -p -l warning -r example.com.json -o example.com-chk.json
```
Show descriptions only if there are related errors:
```
$ dnsviz grok -p -l error -r example.com.json -o example.com-chk.json
```
Use root key as DNSSEC trust anchor, to additionally indicate
authentication status of responses:
```
$ dig +noall +answer . dnskey | awk '$5 % 2 { print $0 }' > tk.txt
$ dnsviz grok -p -l info -t tk.txt -r example.com.json -o example.com-chk.json
```
Pipe `dnsviz probe` output directly to `dnsviz grok`:
```
$ dnsviz probe example.com | \
dnsviz grok -p -l info -o example.com-chk.json
```
Same thing, but save the raw output (for re-use) along the way:
```
$ dnsviz probe example.com | tee example.com.json | \
dnsviz grok -p -l info -o example.com-chk.json
```
Assess multiple names at once with error level:
```
$ dnsviz grok -p -l error -r multiple.json -o example.com-chk.json
```
### dnsviz graph
`dnsviz graph` takes serialized query results in JSON format (i.e., output from
`dnsviz probe`) as input and assesses specified domain names based on their
corresponding content in the input. The output is an image file, a `dot`
(directed graph) file, or an HTML file, depending on the options passed.
#### Examples
Process the query/response output produced by `dnsviz probe`, and produce a
graph visually representing the results in a png file named "example.com.png".
```
$ dnsviz graph -Tpng < example.com.json > example.com.png
```
Same thing:
```
$ dnsviz graph -Tpng -o example.com.png example.com < example.com.json
```
Same thing, but produce interactive HTML format:
interactive HTML output in a file named "example.com.html":
```
$ dnsviz graph -Thtml < example.com.json > example.com.html
```
Same thing (filename is derived from domain name and output format):
```
$ dnsviz graph -Thtml -O -r example.com.json
```
Use alternate DNSSEC trust anchor:
```
$ dig +noall +answer example.com dnskey | awk '$5 % 2 { print $0 }' > tk.txt
$ dnsviz graph -Thtml -O -r example.com.json -t tk.txt
```
Pipe `dnsviz probe` output directly to `dnsviz graph`:
```
$ dnsviz probe example.com | \
dnsviz graph -Thtml -O
```
Same thing, but save the raw output (for re-use) along the way:
```
$ dnsviz probe example.com | tee example.com.json | \
dnsviz graph -Thtml -O
```
Process analysis of multiple domain names, creating an image for each name
processed:
```
$ dnsviz graph -Thtml -O -r multiple.json
```
Process analysis of multiple domain names, creating a single image for all
names.
```
$ dnsviz graph -Thtml -r multiple.json > multiple.html
```
### dnsviz print
`dnsviz print` takes serialized query results in JSON format (i.e., output from
`dnsviz probe`) as input and assesses specified domain names based on their
corresponding content in the input. The output is textual output suitable for
file or terminal display.
#### Examples
Process the query/response output produced by `dnsviz probe`, and output the
results to the terminal:
```
$ dnsviz print < example.com.json
```
Use alternate DNSSEC trust anchor:
```
$ dig +noall +answer example.com dnskey | awk '$5 % 2 { print $0 }' > tk.txt
$ dnsviz print -r example.com.json -t tk.txt
```
Pipe `dnsviz probe` output directly to `dnsviz print`:
```
$ dnsviz probe example.com | \
dnsviz print
```
Same thing, but save the raw output (for re-use) along the way:
```
$ dnsviz probe example.com | tee example.com.json | \
dnsviz print
```
### dnsviz query
`dnsviz query` is a wrapper that couples the functionality of `dnsviz probe`
and `dnsviz print` into a tool with minimal dig-like usage, used to make
analysis queries and return the textual output to terminal or file output in
one go.
#### Examples
Analyze the domain name example.com using the first of your configured DNS
resolvers (i.e., in /etc/resolv.conf):
```
$ dnsviz query example.com
```
Same, but specify an alternate trust anchor:
```
$ dnsviz query +trusted-key=tk.txt example.com
```
Analyze example.com through the recurisve resolver at 192.0.2.1:
```
$ dnsviz query @192.0.2.1 +trusted-key=tk.txt example.com
```
#!/usr/bin/env python
#
# This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring,
# analysis, and visualization.
# Created by Casey Deccio (casey@deccio.net)
#
# Copyright 2015-2016 VeriSign, Inc.
#
# DNSViz is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# DNSViz is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with DNSViz. If not, see <http://www.gnu.org/licenses/>.
#
import importlib
import sys
def check_deps():
# check dnspython dependency
try:
import dns.name
except ImportError:
sys.stderr.write('Error: dnspython does not appear to be installed\n')
sys.exit(1)
def usage(err=None):
if err is not None:
err += '\n\n'
else:
err = ''
sys.stderr.write('''%sUsage: dnsviz <command> [args]
Commands:
probe - issue diagnostic DNS queries
grok - assess diagnostic DNS queries
graph - graph the assessment of diagnostic DNS queries
print - process diagnostic DNS queries to textual output
query - assess a DNS query
help [<command>]
- show usage for a command
''' % (err))
def main():
check_deps()
if len(sys.argv) < 2:
usage()
sys.exit(0)
if sys.argv[1] == 'help':
if len(sys.argv) < 3:
usage()
sys.exit(0)
command = sys.argv[2]
else:
command = sys.argv[1]
# first try importing just the commands module to make sure
# dnsviz is properly reachable with the current path
import dnsviz.commands
# now try importing the module for the actual command
try:
mod = importlib.import_module('dnsviz.commands.%s' % command)
except ImportError:
# if there are more than two frames in the stack trace,
# then the command was legit, but there was an ImportError
# raised while running that command.
exc_frame = sys.exc_info()[2]
if exc_frame.tb_next.tb_next is not None:
raise
usage('Invalid command: %s' % command)
sys.exit(1)
if sys.argv[1] == 'help':
mod.usage()
else:
mod.main(sys.argv[1:])
if __name__ == "__main__":
main()
This diff is collapsed.
/*
* This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring,
* analysis, and visualization.
* Created by Casey Deccio (casey@deccio.net)
*
* Copyright 2016 VeriSign, Inc.
*
* DNSViz is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* DNSViz is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with DNSViz. If not, see <http://www.gnu.org/licenses/>.
*/
var ORIGINS = new Array();
var WEBSOCKET_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11';
var WEBSOCKET_VERSION = 13;
var PROTOCOL = 'dns-looking-glass';
function setupSocket(webSocket, filename) {
var crypto = require('crypto');
var fs = require('fs');
var net = require('net');
var path = require('path');
var os = require('os');
// Create a (hopefully) unique filename for the UNIX domain socket
var sockname;
var sha1 = crypto.createHash('sha1');
sha1.update(filename, 'ascii');
sockname = path.join(os.tmpdir(), sha1.digest('hex'));
var srv = net.createServer();
srv.on('connection', function(socket) {
// if there are any errors with the new connection,
// then write them to the console before closing.
socket.on('error', function(e) {
console.error('Socket ' + e.toString());
});
// once connected, send UNIX domain socket data
// to webSocket, and vice-versa
socket.on('data', function(data) {
webSocket.write(data);
});
// (use function for this one, so it can be removed later)
var sendDataToSocket = function(data) {
socket.write(data);
};
webSocket.on('data', sendDataToSocket);
// when the socket is closed, don't send data from
// the webSocket to it anymore
socket.on('close', function() {
webSocket.removeListener('data', sendDataToSocket);
});
});
// if there is an error on either the webSocket or the listening socket
// then report it to the console
srv.on('error', function(e) {
console.error('Listen Socket ' + e.toString());
webSocket.end();
});
webSocket.on('error', function(e) {
console.error('WebSocket ' + e.toString());
srv.close();
});
// when the Web client closes its end of the webSocket, close the server
webSocket.on('end', function() {
srv.close();
});
srv.listen(sockname, function(e) {
fs.chmod(sockname, 0660);
});
}
function checkHeaders(key, origin, version, protocols) {
var msg = '';
if (key == null) {
return {
code: 400,
msg: 'Bad Request',
extraHeader: '',
content: 'Key not found'
};
}
if (origin == null) {
return {
code: 400,
msg: 'Bad Request',
extraHeader: '',
content: 'Origin not found'
};
}
var origin_match = false;
for (var i = 0; i < ORIGINS.length; i++) {
if (origin == ORIGINS[i]) {
origin_match = true;
break;
}
}
if (!origin_match) {
return {
code: 403,
msg: 'Forbidden',
extraHeader: '',
content: 'Invalid origin'
};
}
if (version == null) {
return {
code: 400,
msg: 'Bad Request',
extraHeader: '',
content: 'Version not found'
};
}
if (version != WEBSOCKET_VERSION) {
return {
code: 426,
msg: 'Upgrade Required',
extraHeader: 'Sec-WebSocket-Version: ' + WEBSOCKET_VERSION + '\r\n',
content: 'Unsupported version'
};
}
/*TODO protocols*/
return null;
}
function handleUpgrade(req, socket, head) {
var key = req.headers['sec-websocket-key'];
var origin = req.headers['origin'];
var version = req.headers['sec-websocket-version'];
var protocols = req.headers['sec-websocket-protocol'];
var error = checkHeaders(key, origin, version, protocols);
if (error != null) {
var errorResponse = 'HTTP/1.1 ' + error.code + ' ' + error.msg + '\r\n' +
error.extraHeader +
'Content-Length: ' + error.content.length + '\r\n\r\n' +
error.content;
socket.write(errorResponse, function() {
socket.end();
console.log(new Date() + ' ' + req.method + ' ' + req.url + ' ' + error.code + ' ' + error.msg + ' (' + error.content + ')');
});
return;
}
var crypto = require('crypto');
var sha1 = crypto.createHash('sha1');
sha1.update(key + WEBSOCKET_GUID, 'ascii');
var successResponse = 'HTTP/1.1 101 Switching Protocols\r\n' +
'Upgrade: websocket\r\n' +
'Connection: Upgrade\r\n' +
'Sec-WebSocket-Accept: ' + sha1.digest('base64') + '\r\n\r\n';
var qs = require('url').parse(req.url, true);
socket.write(successResponse, function() {
setupSocket(socket, qs.query.fn);
console.log(new Date() + ' ' + req.method + ' ' + req.url + ' 101 upgraded');
});
}
function usage() {
console.error('Usage: ' + process.argv[0] + ' ' + process.argv[1] + ' ip:port[,ip:port...] [ origin[,origin...] ]');
}
function main() {
if (process.argv.length < 3) {
usage();
process.exit(1);
}
var ips = process.argv[2].split(",");
if (process.argv.length > 3) {
var origins = process.argv[3].split(",");
for (var i = 0; i < origins.length; i++) {
ORIGINS.push(origins[i]);
}
}
// Create an HTTP server
var http = require('http');
var srv = http.createServer();
var repr = new Array();
srv.on('upgrade', handleUpgrade);
srv.on('error', function(e) {
console.error(e.toString());
srv.close();
});
srv.on('listening', function() {
var all_repr = repr.join(", ");
console.log(new Date() + ' Listening for connections on ' + all_repr);
});
for (var i = 0; i < ips.length; i++) {
var ip_port = ips[i].split(':');
if (ip_port.length < 2) {
usage();
process.exit(1);
}
var host = ip_port.slice(0, ip_port.length - 1).join(':');
var port = ip_port[ip_port.length - 1];
if (host[0] == "[" && host[host.length - 1] == "]") {
host = host.slice(1, host.length - 1);
}
if (host.indexOf(":") >= 0) {
repr.push("[" + host + "]:" + port);
} else {
repr.push(host + ":" + port);
}
ORIGINS.push('http://' + repr[i]);
ORIGINS.push('https://' + repr[i]);
srv.listen(port, host);
}
}
main();
#!/usr/bin/env python
#
# This file is a part of DNSViz, a tool suite for DNS/DNSSEC monitoring,
# analysis, and visualization.
# Created by Casey Deccio (casey@deccio.net)
#
# Copyright 2015-2016 VeriSign, Inc.
#
# DNSViz is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# DNSViz is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with DNSViz. If not, see <http://www.gnu.org/licenses/>.
#
import cgi
import json
import os
import Queue
import re
import struct
import sys
from dnsviz.ipaddr import *
from dnsviz import transport
FALSE_RE = re.compile(r'^(0|f(alse)?)?$', re.IGNORECASE)
try:
MAX_QUERIES = int(os.environ.get('MAX_QUERIES', 200))
except ValueError:
MAX_QUERIES = 200
ALLOW_PRIVATE_QUERY = not bool(FALSE_RE.search(os.environ.get('ALLOW_PRIVATE_QUERY', 'f')))
ALLOW_LOOPBACK_QUERY = not bool(FALSE_RE.search(os.environ.get('ALLOW_LOOPBACK_QUERY', 'f')))
BLACKLIST_FILE = os.environ.get('BLACKLIST_FILE', None)
WHITELIST_FILE = os.environ.get('WHITELIST_FILE', None)
blacklist = None
whitelist = None