Experiments with middle-box DANE
Repository contents (file, latest commit message, date):

  • tools: Fixed bug with ip6tables addition of short ACLs. Only affects IPv6. A… (Jun 21, 2017)
  • .gitignore: updated .gitignore (Apr 10, 2017)
  • LICENSE: Looks like it works on Turris now (Mar 20, 2017)
  • README.md: Danish is now in the OpenWRT/LEDE packages as net/danish (Dec 11, 2017)
  • __init__.py
  • cipt.sh: Did more work on IPv6 (Mar 24, 2017)
  • danish.conf: Change default log level to error (May 11, 2017)
  • danish.init
  • danish.py
  • setup.py: setup hacking (Apr 10, 2017)

README.md

Overview

Danish is an experiment in middle-box DANE (RFC 6698) for HTTPS.

Danish is a daemon that listens for HTTPS TLS handshake traffic and captures the SNI from the ClientHello together with the X.509 certificates the server sends back in its Certificate message. It then looks up the DNS TLSA records for that name and checks whether the certificate the server presented during the handshake is the one the TLSA records authorise.

If the certificate and the DNS TLSA records do NOT match, iptables/ip6tables ACLs are installed to block user traffic to the offending website. The ACLs both blackhole the TCP connection that is already in flight and stop any further attempts to connect to that site. The block stays in place for the TTL of the relevant DNS TLSA RR, after which it is removed.

Supported Protocols and Versions

Danish currently supports TLS 1.0 - 1.2, IPv4/IPv6, and a subset of TLSA RRs: only certificate usage 1 (PKIX-EE) and 3 (DANE-EE) with selector 0 (full certificate). TLSA records that Danish does not support are ignored, so a name that publishes only usage 0 or 2 (trust-anchor) records, or only selector 1 (SubjectPublicKeyInfo) records, gets no check from Danish at all.

Full support for RFC 6698 depends on the OpenWRT/LEDE OpenSSL package also supporting DANE, since the trust-anchor usages require validating the certificate chain against the TLSA data rather than a simple comparison with the end-entity certificate.
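The comparison described above, as an added example that is not Danish's own code: a TLSA check restricted to the record types the README says Danish supports (certificate usage 1 or 3, selector 0) but covering all three RFC 6698 matching types (0 exact, 1 SHA-256, 2 SHA-512). The certificate bytes are a constructed placeholder, and the names `tlsa_owner`, `check_certificate` and `should_block` are this example's own.

```python
# Added example, not Danish's own code: the TLSA check a middle-box DANE
# validator performs, restricted to the record types the README says Danish
# supports (certificate usage 1 or 3, selector 0) but covering all three
# RFC 6698 matching types. The certificate bytes are a constructed placeholder.
import hashlib
import hmac
from typing import Iterable, NamedTuple, Optional


class TLSA(NamedTuple):
    """One TLSA RR: usage, selector, matching type and association data."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 7218 names)
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


SUPPORTED_USAGES = {1, 3}      # end-entity usages only, as in the README
SUPPORTED_SELECTORS = {0}      # full DER certificate only
SUPPORTED_MTYPES = {0, 1, 2}


def tlsa_owner(hostname: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name to query, e.g. _443._tcp.www.example.com (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{hostname.rstrip('.').lower()}"


def association_data(cert_der: bytes, mtype: int) -> Optional[bytes]:
    """Apply the matching type to selector-0 data (the whole DER certificate)."""
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if mtype == 2:
        return hashlib.sha512(cert_der).digest()
    return None


def is_usable(rr: TLSA) -> bool:
    """True if this validator knows how to evaluate the record."""
    return (rr.usage in SUPPORTED_USAGES
            and rr.selector in SUPPORTED_SELECTORS
            and rr.mtype in SUPPORTED_MTYPES)


def record_matches(leaf_der: bytes, rr: TLSA) -> bool:
    expected = association_data(leaf_der, rr.mtype)
    # constant-time compare; data of a different length simply compares unequal
    return expected is not None and hmac.compare_digest(expected, rr.data)


def check_certificate(leaf_der: bytes, rrset: Iterable[TLSA]) -> str:
    """Return "match", "mismatch" or "ignored".

    Only usable records count. If the RRset has none, the name is ignored
    (no block is installed). Otherwise any single matching usable record
    passes, as RFC 6698 requires for a multi-record RRset.
    """
    usable = [rr for rr in rrset if is_usable(rr)]
    if not usable:
        return "ignored"
    if any(record_matches(leaf_der, rr) for rr in usable):
        return "match"
    return "mismatch"


def should_block(leaf_der: bytes, rrset: Iterable[TLSA]) -> bool:
    """Block only on a definite mismatch, never on unsupported records."""
    return check_certificate(leaf_der, rrset) == "mismatch"


# Constructed placeholder standing in for the server's leaf certificate
# (the first certificate in the TLS Certificate message); not real DER.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x00" + b"constructed-placeholder-leaf-certificate"

if __name__ == "__main__":
    good = [TLSA(3, 0, 1, hashlib.sha256(SAMPLE_LEAF_DER).digest())]
    bad = [TLSA(3, 0, 1, hashlib.sha256(b"some other certificate").digest())]
    print(tlsa_owner("www.example.com."))
    print(check_certificate(SAMPLE_LEAF_DER, good), check_certificate(SAMPLE_LEAF_DER, bad))
```

Two caveats a deployment needs beyond this example: the RRset must come from a DNSSEC-validated answer (AD bit set by the local resolver) or be treated as absent, and for usage 1 RFC 6698 additionally requires the certificate to pass normal PKIX validation, which this comparison does not attempt.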

Installation

Danish is written to work on both OpenWRT and LEDE. It should work equally well on both.

Danish is tested with dnsmasq running on localhost, but it should work with any DNSSEC-validating recursive server running on localhost. OpenWRT/LEDE also ships Unbound; it has not been tested with Danish but should work without any issues.

For installation Danish requires the following packages:

  • kmod-ipt-filter
  • iptables-mod-filter
  • dnsmasq-full
  • python
  • python-dns
  • python-pcapy
  • python-dpkt

Building an Image with Danish

All shell commands below are to be executed from your OpenWRT or LEDE base directory.

  1. Follow the instructions for building an OpenWRT or LEDE image.
  2. make menuconfig
  3. Select danish package under Network/IP Addresses and Names/danish
  4. make
  5. Take a nap. 💤
  6. Awaken to a freshly compiled image. 😎

You may need to de-select the dnsmasq package, as it can conflict with dnsmasq-full. dnsmasq-full includes DNSSEC support, which Danish requires: without a validating resolver a TLSA answer could be forged or stripped on its way to the middlebox, and the certificate comparison would prove nothing.

Configuration

Danish uses the Universal Configuration Interface (UCI). The Danish configuration file is stored in /etc/config/danish.

Configuration directives are defined below.

Section  Element    Default              Explanation
network  interface  br-lan               The 'inside' (LAN-facing) interface of the middlebox
network  iptables   /usr/sbin/iptables   Location of the iptables binary
network  ip6tables  /usr/sbin/ip6tables  Location of the ip6tables binary
network  ipchain    danish               Name prefix Danish uses for its iptables rules
danish   loglevel   error                Log level
danish   logsize    1024                 Maximum size of the log file in KB
danish   logfile    /tmp/danish.log      Log file location

Possible values for loglevel, in increasing verbosity, are error, warn, info and debug. Note that /tmp on OpenWRT/LEDE is a RAM-backed filesystem, so the default log file does not survive a reboot; logsize caps it so a chatty log level cannot exhaust the router's memory.
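How the configuration values above feed the blocking described in the Overview, as an added example that is not Danish's own code: the config defaults are taken from the table, but the UCI section type names, the chain name suffix `_fwd`, the FORWARD hook and the exact rule shape (a tcp-reset for new SYNs, a DROP for everything else) are assumptions made for this illustration, as are the names `render_uci`, `block_rules` and `BlockList`.

```python
# Added example, not Danish's own code: turning a TLSA mismatch into
# iptables/ip6tables ACLs that expire with the TLSA TTL, driven by the
# /etc/config/danish values in the table above. The UCI section type names,
# the chain name suffix, the FORWARD hook and the exact rule shape are
# assumptions made for this illustration.
import ipaddress
import shlex
from typing import Dict, List, Tuple

Cmd = List[str]

DEFAULT_CONFIG: Dict[str, str] = {   # defaults from the configuration table
    "interface": "br-lan",
    "iptables": "/usr/sbin/iptables",
    "ip6tables": "/usr/sbin/ip6tables",
    "ipchain": "danish",
    "loglevel": "error",
    "logsize": "1024",
    "logfile": "/tmp/danish.log",
}


def render_uci(cfg: Dict[str, str] = DEFAULT_CONFIG) -> str:
    """Render the table as /etc/config/danish (section type names assumed)."""
    net = ["interface", "iptables", "ip6tables", "ipchain"]
    dan = ["loglevel", "logsize", "logfile"]
    lines = ["config network"] + [f"\toption {k} '{cfg[k]}'" for k in net]
    lines += ["", "config danish"] + [f"\toption {k} '{cfg[k]}'" for k in dan]
    return "\n".join(lines) + "\n"


def select_binary(cfg: Dict[str, str], server_ip: str) -> str:
    """Pick iptables or ip6tables from the address family of the server."""
    return cfg["ip6tables"] if ipaddress.ip_address(server_ip).version == 6 else cfg["iptables"]


def chain_setup(cfg: Dict[str, str], server_ip: str) -> List[Cmd]:
    """One-time setup: a chain named after ipchain, hooked from FORWARD for the inside interface."""
    ipt = select_binary(cfg, server_ip)
    chain = f"{cfg['ipchain']}_fwd"
    return [[ipt, "-N", chain],
            [ipt, "-I", "FORWARD", "-i", cfg["interface"], "-j", chain]]


def block_rules(cfg: Dict[str, str], server_ip: str, dport: int = 443) -> Tuple[List[Cmd], List[Cmd]]:
    """Return (install, remove) command lists for one offending server endpoint."""
    ipt = select_binary(cfg, server_ip)
    chain = f"{cfg['ipchain']}_fwd"
    match = ["-i", cfg["interface"], "-p", "tcp", "-d", server_ip, "--dport", str(dport)]
    rules = [
        # new handshakes are reset so clients fail fast instead of hanging
        match + ["--syn", "-j", "REJECT", "--reject-with", "tcp-reset"],
        # everything else to that endpoint, including the flow just inspected, is blackholed
        match + ["-j", "DROP"],
    ]
    install = [[ipt, "-A", chain] + r for r in rules]
    remove = [[ipt, "-D", chain] + r for r in rules]
    return install, remove


class BlockList:
    """Tracks active blocks and their expiry so rules are removed after the TLSA TTL."""

    def __init__(self, cfg: Dict[str, str]):
        self.cfg = cfg
        self.active = {}   # (ip, port) -> (expires_at, remove_cmds)

    def add(self, server_ip: str, dport: int, ttl: int, now: int) -> List[Cmd]:
        key = (server_ip, dport)
        if key in self.active:
            # already blocked: extend the expiry only, never duplicate the rules
            expires, remove = self.active[key]
            self.active[key] = (max(expires, now + ttl), remove)
            return []
        install, remove = block_rules(self.cfg, server_ip, dport)
        self.active[key] = (now + ttl, remove)
        return install

    def expire(self, now: int) -> List[Cmd]:
        """Return the removal commands for every block whose TTL has elapsed."""
        due = [k for k, (expires, _) in self.active.items() if expires <= now]
        cmds: List[Cmd] = []
        for k in due:
            cmds.extend(self.active.pop(k)[1])
        return cmds


if __name__ == "__main__":
    print(render_uci())
    bl = BlockList(DEFAULT_CONFIG)
    for cmd in chain_setup(DEFAULT_CONFIG, "192.0.2.10") + bl.add("192.0.2.10", 443, ttl=3600, now=0):
        print(shlex.join(cmd))
    for cmd in bl.expire(now=3600):
        print(shlex.join(cmd))
```

The commands are returned as argv lists rather than executed so that the daemon can run them with subprocess without shell quoting, and so that the expiry logic can be checked without touching the kernel; the TTL passed to `add` is the TTL of the TLSA RRset that failed the comparison.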