Merge pull request #1 from ninoseki/v0.1.0

v0.1.0

.gitignore

@@ -11,7 +11,7 @@
 /tmp/
 
 # Used by dotenv library to load environment variables.
-# .env
+.env
 
 ## Specific to RubyMotion:
 .dat*
@@ -42,9 +42,11 @@ build-iPhoneSimulator/
 
 # for a library or gem, you might want to ignore these files since the code is
 # intended to run in multiple environments; otherwise, check them in:
-# Gemfile.lock
-# .ruby-version
-# .ruby-gemset
+Gemfile.lock
+.ruby-version
+.ruby-gemset
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+
+.rspec_status

.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6
+before_install: gem install bundler -v 2.0.1

Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in rogue_one.gemspec
+gemspec

README.md

@@ -1,2 +1,41 @@
-# rogue_one
-Rogue One: a rogue DNS detector
+# Rogue one: a rogue DNS detector
+
+[![Build Status](https://travis-ci.org/ninoseki/rogue_one.svg?branch=master)](https://travis-ci.org/ninoseki/rogue_one)
+[![Coverage Status](https://coveralls.io/repos/github/ninoseki/rogue_one/badge.svg?branch=master)](https://coveralls.io/github/ninoseki/rogue_one?branch=master)
+
+## Installation
+
+```bash
+gem install rogue_one
+```
+
+## Usage
+
+```bash
+$ rogue_one
+Commands:
+  rogue_one help [COMMAND]       # Describe available commands or one specific command
+  rogue_one report [DNS_SERVER]  # Show a report of a given DNS server
+
+$ rogue_one report 1.1.1.1
+{
+  "verdict": "rogue one",
+  "landing_pages": [
+
+  ]
+}
+
+$ rogue_one reprot 1.53.252.215
+{
+  "verdict": "rogue one",
+  "landing_pages": [
+    "1.171.170.228",
+    "1.171.168.19",
+    "61.230.102.66"
+  ]
+}
+```
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "rogue_one"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

exe/rogue_one

@@ -0,0 +1,8 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift("#{__dir__}/../lib")
+
+require "rogue_one"
+
+RogueOne::CLI.start

lib/rogue_one.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "rogue_one/version"
+
+require "rogue_one/resolver"
+require "rogue_one/detector"
+require "rogue_one/cli"
+
+module RogueOne
+  class Error < StandardError; end
+end

lib/rogue_one/cli.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "thor"
+require "json"
+
+module RogueOne
+  class CLI < Thor
+    desc "report [DNS_SERVER]", "Show a report of a given DNS server"
+    def report(dns_server)
+      with_error_handling do
+        detector = Detector.new(target: dns_server)
+        puts JSON.pretty_generate(detector.report)
+      end
+    end
+
+    no_commands do
+      def with_error_handling
+        yield
+      rescue StandardError => e
+        puts "Warning: #{e}"
+      end
+    end
+  end
+end

lib/rogue_one/data/top_100.yml

@@ -0,0 +1,101 @@
+---
+- google.com
+- facebook.com
+- youtube.com
+- yahoo.com
+- baidu.com
+- wikipedia.org
+- qq.com
+- taobao.com
+- twitter.com
+- amazon.com
+- linkedin.com
+- live.com
+- google.co.in
+- sina.com.cn
+- hao123.com
+- blogspot.com
+- weibo.com
+- tmall.com
+- vk.com
+- wordpress.com
+- yahoo.co.jp
+- sohu.com
+- yandex.ru
+- ebay.com
+- google.de
+- bing.com
+- pinterest.com
+- google.co.uk
+- 163.com
+- 360.cn
+- google.fr
+- ask.com
+- instagram.com
+- google.co.jp
+- tumblr.com
+- msn.com
+- google.com.br
+- mail.ru
+- microsoft.com
+- xvideos.com
+- paypal.com
+- google.ru
+- soso.com
+- adcash.com
+- google.es
+- google.it
+- imdb.com
+- apple.com
+- imgur.com
+- neobux.com
+- craigslist.org
+- amazon.co.jp
+- t.co
+- xhamster.com
+- stackoverflow.com
+- reddit.com
+- google.com.mx
+- google.com.hk
+- cnn.com
+- google.ca
+- fc2.com
+- go.com
+- ifeng.com
+- bbc.co.uk
+- vube.com
+- people.com.cn
+- blogger.com
+- aliexpress.com
+- odnoklassniki.ru
+- wordpress.org
+- alibaba.com
+- gmw.cn
+- adobe.com
+- huffingtonpost.com
+- google.com.tr
+- xinhuanet.com
+- googleusercontent.com
+- youku.com
+- godaddy.com
+- pornhub.com
+- akamaihd.net
+- thepiratebay.se
+- kickass.to
+- google.com.au
+- amazon.de
+- clkmon.com
+- ebay.de
+- alipay.com
+- google.pl
+- espn.go.com
+- dailymotion.com
+- about.com
+- bp.blogspot.com
+- blogspot.in
+- netflix.com
+- vimeo.com
+- dailymail.co.uk
+- redtube.com
+- rakuten.co.jp
+- conduit.com

lib/rogue_one/detector.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "yaml"
+
+module RogueOne
+  class Detector
+    attr_reader :target
+
+    GOOGLE_PUBLIC_DNS = "8.8.8.8"
+
+    def initialize(target:)
+      @target = target
+      @memo = Hash.new(0)
+      @mismatched_domains = []
+    end
+
+    def report
+      inspect
+
+      {
+        verdict: verdict,
+        landing_pages: landing_pages
+      }
+    end
+
+    private
+
+    def verdict
+      rogue_one? ? "rogue one" : "benign one"
+    end
+
+    def rogue_one?
+      @mismatched_domains.length > 50
+    end
+
+    def landing_pages
+      return [] unless rogue_one?
+
+      @memo.map do |ip, count|
+        count > 10 ? ip : nil
+      end.compact
+    end
+
+    def inspect
+      top_100_domains.each do |domain|
+        normal_result = normal_resolver.dig(domain, "A")
+        target_result = target_resolver.dig(domain, "A")
+
+        if normal_result != target_result
+          @mismatched_domains << domain
+          @memo[target_result] += 1 if target_result
+        end
+      end
+    end
+
+    def top_100_domains
+      @top_100_domains ||= YAML.safe_load(File.read(File.expand_path("./data/top_100.yml", __dir__)))
+    end
+
+    def normal_resolver
+      @normal_resolver ||= Resolver.new(nameserver: GOOGLE_PUBLIC_DNS)
+    end
+
+    def target_resolver
+      @target_resolver ||= Resolver.new(nameserver: target)
+    end
+  end
+end

lib/rogue_one/resolver.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "resolv"
+
+module RogueOne
+  class Resolver
+    attr_reader :nameserver
+
+    def initialize(nameserver:)
+      @nameserver = nameserver
+    end
+
+    def dig(domain, type)
+      _resolver.getresource(domain, resource_by_type(type)).address.to_s
+    rescue Resolv::ResolvError => e
+      nil
+    end
+
+    private
+
+    def _resolver
+      @_resolver ||= Resolv::DNS.new(nameserver: [nameserver])
+    end
+
+    def resource_by_type(type)
+      resources.dig(type.upcase.to_sym)
+    end
+
+    def resources
+      {
+        ANY: Resolv::DNS::Resource::IN::ANY,
+        NS: Resolv::DNS::Resource::IN::NS,
+        CNAME: Resolv::DNS::Resource::IN::CNAME,
+        SOA: Resolv::DNS::Resource::IN::SOA,
+        HINFO: Resolv::DNS::Resource::IN::HINFO,
+        MINFO: Resolv::DNS::Resource::IN::MINFO,
+        MX: Resolv::DNS::Resource::IN::MX,
+        TXT: Resolv::DNS::Resource::IN::TXT,
+        A: Resolv::DNS::Resource::IN::A,
+        WKS: Resolv::DNS::Resource::IN::WKS,
+        PTR: Resolv::DNS::Resource::IN::PTR,
+        AAAA: Resolv::DNS::Resource::IN::AAAA,
+        SRV: Resolv::DNS::Resource::IN::SRV,
+      }
+    end
+  end
+end

lib/rogue_one/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RogueOne
+  VERSION = "0.1.0"
+end