edit README.md to reflect config.ini exists, include small howto for github #7

Merged
merged 3 commits into from
Apr 26, 2017
13 changes: 13 additions & 0 deletions README.md
@@ -2,3 +2,16 @@
Provides a simple Python based proxy for running DNS over HTTPS to Google's DNS over HTTPS service.

Recently I wrote a blog post which probably gives you just enough information to get this up and running on a Mac / Linux box... https://www.robertputt.co.uk/2017/01/06/securing-dns-traffic-with-dns-over-https/, please note this script only seems to play nice with Python2.7 not Python 3.x

Configuration can be easily done with virtualenv:

```
virtualenv dns_proxy
cd dns_proxy/
source bin/activate
pip install dnslib requests
git clone https://github.com/robputt796/Py-DNS-over-HTTPS-Proxy.git
cat Py-DNS-over-HTTPS-Proxy/https_dns_proxy/config.ini
python Py-DNS-over-HTTPS-Proxy/https_dns_proxy/__init__.py &
dig @localhost -p8053 A robertputt.co.uk
```
33 changes: 25 additions & 8 deletions https_dns_proxy/__init__.py
@@ -5,17 +5,29 @@
import base64
import os
import datetime
import ConfigParser
import sys
from dnslib.server import DNSServer
from dnslib.server import BaseResolver
from dnslib.server import DNSLogger
from dnslib.server import RR
from dnslib import QTYPE

# read from config.ini
myconfig = ConfigParser.ConfigParser()
config_name = 'config.ini'
config_path = os.path.join(sys.path[0], config_name)
myconfig.readfp(open(config_path))

GOOGLE_DNS_URL = 'https://216.58.212.110/resolve?'

PINNED_CERT = ("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")
if len(sys.argv) == 2:
ENVIRONMENT=str(sys.argv[1])
else:
ENVIRONMENT='DNS1'

GOOGLE_DNS_URL = myconfig.get(ENVIRONMENT, 'GOOGLE_DNS_URL')
PINNED_CERT = myconfig.get(ENVIRONMENT, 'PINNED_CERT')
DNS_PORT = int(myconfig.get(ENVIRONMENT, 'DNS_PORT'))
EXIT_ON_MITM = myconfig.get(ENVIRONMENT, 'EXIT_ON_MITM')

HTTPResponse = requests.packages.urllib3.response.HTTPResponse
orig_HTTPResponse__init__ = HTTPResponse.__init__
@@ -67,10 +79,15 @@ def resolve(self, request, handler):

if PINNED_CERT != lookup_resp.peercert:
print lookup_resp.peercert
print ("WARNING: REMOTE SSL CERT DID NOT MATCH EXPECTED (PINNED) "
"SSL CERT, EXITING IN CASE OF MAN IN THE MIDDLE ATTACK")
my_pid = os.getpid()
os.kill(my_pid, signal.SIGINT)
if EXIT_ON_MITM:
print ("ERROR: REMOTE SSL CERT DID NOT MATCH EXPECTED (PINNED) "
"SSL CERT, EXITING IN CASE OF MAN IN THE MIDDLE ATTACK")
my_pid = os.getpid()
os.kill(my_pid, signal.SIGINT)
else:
print ("WARNING: REMOTE SSL CERT DID NOT MATCH EXPECTED (PINNED) "
"SSL CERT. NOT EXITING, BECAUSE YOU SAID SO IN YOUR CONFIG")


if lookup_resp.status_code == 200:
try:
@@ -104,7 +121,7 @@ def run_dns_proxy(self):
logger = DNSLogger()

server = DNSServer(resolver,
port=8053,
port=DNS_PORT,
address='localhost',
logger=logger)

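Review bot: `EXIT_ON_MITM = myconfig.get(ENVIRONMENT, 'EXIT_ON_MITM')` returns a string, so `if EXIT_ON_MITM:` in resolve() is true for any non-empty value, including `False` or `0`. Only the empty value shipped in the `[DNS2]` section of config.ini switches the exit off. `EXIT_ON_MITM = myconfig.getboolean(ENVIRONMENT, 'EXIT_ON_MITM')` would parse the setting as a real boolean, and `[DNS2]` would then need an explicit `False`, because getboolean rejects an empty value. In the new `else` branch the pin mismatch is only printed and control falls through to `if lookup_resp.status_code == 200:`, so an answer from a peer whose certificate did not match the pin appears to be passed on to the client; that branch should discard the response and answer with a failure instead. resolve() starts before and continues after this hunk, so how the reply is finally built is not visible here.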
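--- /dev/null
+++ b/https_dns_proxy/config.ini
@@ -0,0 +1,13 @@
+# Works for robert
+[DNS1]
+GOOGLE_DNS_URL = https://216.58.212.110/resolve?
+PINNED_CERT = 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
+DNS_PORT = 8053
+EXIT_ON_MITM = True
+
+# Works for craig
+[DNS2]
+GOOGLE_DNS_URL = https://216.58.214.78/resolve?
+PINNED_CERT = 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
+DNS_PORT = 8054
+EXIT_ON_MITM =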
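Review bot: The section comments `# Works for robert` and `# Works for craig` do not say what distinguishes the two profiles or which one an operator should pass on the command line. Each section would read better with a comment naming its purpose, for example `# DNS2: alternate upstream address, local port 8054, pin mismatch is reported but does not stop the proxy`. PINNED_CERT is tied to the literal address in GOOGLE_DNS_URL, so a line such as `# PINNED_CERT must be re-captured whenever the upstream certificate changes` would presumably save users from an unexplained exit after a certificate rotation.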