ddwrt-ultimate-dns-leak-test.sh

  1. #!/bin/sh
  2. #DEBUG=; set -x # comment/uncomment to disable/enable debug mode
  3.  
  4. #          name: ddwrt-ultimate-dns-leak-test.sh
  5. #       version: 1.0.3, 25-aug-2020, by eibgrad
  6. #       purpose: detect and report dns leaks when using VPNs
  7. #   script type: startup (autostart)
  8. # documentation: https://bit.ly/ddwrt-ultimate-dns-leak-test-doc
  9. #  installation:
  10. #    1. enable jffs2 (administration->jffs2)
  11. #    2. enable syslogd (services->services->system log)
  12. #    3. use shell (telnet/ssh) to execute one of the following commands:
  13. #         curl -kLs bit.ly/ddwrt-installer|tr -d '\r'|sh -s NkKUUjsn startup
  14. #       or
  15. #         wget -qO - bit.ly/ddwrt-installer|tr -d '\r'|sh -s NkKUUjsn startup
  16. #    4. modify options using vi editor (optional):
  17. #         vi /jffs/etc/config/ddwrt-ultimate-dns-leak-test.startup
  18. #    5. reboot
  19. {
  20. # ------------------------------ BEGIN OPTIONS ------------------------------- #
  21.  
  22. VPN_ENABLED_ONLY='1' # (0 = check 24/7, 1 = check only if VPN enabled)
  23. NOTIFY_BY_EMAIL='0' # (0 = do NOT notify by email, 1 = notify by email)
  24.  
  25. MAX_PASS=0 # max number of passes through connection tracking (0=infinite)
  26. MIN_EMAIL_TIME=10 # minimum time (in mins) between email notifications
  27. SLEEP_PASS=60 # time (in secs) between passes (60 recommended)
  28.  
  29. # outgoing email configuration (optional)
  30. SMTP_SERVER=''
  31. SMTP_PORT=''
  32. SMTP_USERNAME=''
  33. SMTP_PASSWORD=''
  34.  
  35. # ------------------------------- END OPTIONS -------------------------------- #
  36.  
  37. # ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #
  38.  
  39. THIS="$(basename $0)"
  40. LOGGER_THIS="$(echo $THIS | grep -Eo '^.{0,23}')"
  41.  
  42. # modern builds support nf_conntrack, older builds only ip_conntrack
  43. CTRACK_TBL="$([ -e /proc/net/nf_conntrack ] && \
  44.    echo /proc/net/nf_conntrack || echo /proc/net/ip_conntrack)"
  45.  
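# function _echo( message [priority] )
# prints the message prefixed with the current date on stdout and also sends it
# to syslog via logger, tagged with the (truncated) script name and this PID.
# Arguments: $1 - message text
#            $2 - optional syslog priority (e.g. warn); appended to "user."
_echo() {
    local msg="$1"
    local priority="$2"

    echo "$(date): $msg"

    # build the logger command line explicitly instead of relying on
    # word-splitting of an unquoted command substitution
    if [ "$priority" ]; then
        logger -p "user.$priority" -t "$LOGGER_THIS[$$]" "$msg"
    else
        logger -t "$LOGGER_THIS[$$]" "$msg"
    fi
}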
  51.  
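# function notify_by_email( subject message )
# sends a single mail (to = from = SMTP_USERNAME) through sendmail using the
# SMTP_* options; does nothing and returns 0 unless both SMTP_SERVER and
# SMTP_PORT are configured.
# Arguments: $1 - subject line
#            $2 - message body
# NOTE: the SMTP password is passed on sendmail's command line, so it is visible
# to other local users via ps for the duration of the send.
notify_by_email() {
    local server="$SMTP_SERVER"
    local port="$SMTP_PORT"
    local user="$SMTP_USERNAME"
    local password="$SMTP_PASSWORD"
    local from="$user"
    local to="$user"
    local subject="$1"
    local body="$2"

    # email is optional: nothing to do unless a server and port were configured
    if [ -z "$server" ] || [ -z "$port" ]; then
        return 0
    fi

    # printf instead of 'echo -e': backslashes in subject/body are sent verbatim
    # rather than being interpreted as escape sequences
    printf 'Subject:%s\n%s\n\n' "$subject" "$body" | \
        sendmail -S"$server:$port" -au"$user" -ap"$password" -f"$from" "$to"
}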
  68.  
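# function report_dns_leak()
# logs a dns leak at priority warn and, when NOTIFY_BY_EMAIL is enabled, emails
# the same notice, rate-limited to one mail per MIN_EMAIL_TIME minutes.
# Globals: last_notify_time (read and updated), MIN_EMAIL_TIME,
#          NOTIFY_BY_EMAIL, THIS
report_dns_leak() {
    local curr_time

    _echo 'dns leak detected' warn

    # declaration and assignment kept separate so a failing date(1) is not masked
    curr_time="$(date +%s)" || return 1

    # limit time between email notifications to avoid flooding inbox
    # (last_notify_time defaults to 0, so the first leak is always reported)
    if [ $((curr_time - ${last_notify_time:-0})) -lt $((MIN_EMAIL_TIME * 60)) ]; then
        return 0
    fi

    if [ "$NOTIFY_BY_EMAIL" != '0' ]; then
        notify_by_email "$THIS[$$]" "$(date): dns leak detected"
    fi

    # updated even when email is disabled, so the rate limit is always tracked
    last_notify_time=$curr_time
}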
  83.  
# function exit_0()
# logs "done" and terminates the script with status 0; also used as the trap
# handler for premature termination.
exit_0() {
    _echo done
    exit 0
}
  86.  
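# function vpn_check_required()
# returns 0 when this pass should inspect connection tracking: either the
# script is configured to check 24/7 (VPN_ENABLED_ONLY=0) or at least one
# vpn client (openvpn or pptp) is currently enabled in nvram; 1 otherwise
vpn_check_required() {
    [ "$VPN_ENABLED_ONLY" = '0' ] && return 0
    [ "$(nvram get openvpncl_enable)" != '0' ] && return 0
    [ "$(nvram get pptpd_client_enable)" != '0' ] && return 0
    return 1
}

# function wan_dns_leak_detected()
# returns 0 when connection tracking shows dns traffic bypassing the vpn:
# a dns reply addressed to the WAN/ISP address, or a dns query sent to one
# of the ISP's nameservers listed in /tmp/resolv.dnsmasq; returns 1 otherwise
wan_dns_leak_detected() {
    local wan_ip ip ip_re line

    # report dns queries over the WAN/ISP (fixed-string match, so the dots in
    # the address are literal rather than regex wildcards)
    wan_ip="$(nvram get wan_ipaddr)"
    if [ "$wan_ip" ] && grep -Fqm1 " dst=$wan_ip sport=53 " "$CTRACK_TBL"; then
        return 0
    fi

    # report use of ISP's dns server(s); no resolv file means nothing to check
    [ -r /tmp/resolv.dnsmasq ] || return 1

    # '|| [ -n "$line" ]' also processes a final line lacking a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        ip="$(printf '%s\n' "$line" | awk '/nameserver/{print $2}')"
        [ "$ip" ] || continue

        # escape dots so the address is matched literally inside the -E pattern
        ip_re="$(printf '%s\n' "$ip" | sed 's/\./\\./g')"
        if grep -Eqm1 " dst=$ip_re .* dport=53 " "$CTRACK_TBL"; then
            return 0
        fi
    done < /tmp/resolv.dnsmasq

    return 1
}

_echo running

# catch premature exit
trap exit_0 SIGHUP SIGINT SIGTERM

# wait until internet is up and running
while ! ping -qc1 -w3 8.8.8.8 >/dev/null 2>&1; do
    _echo 'waiting for internet access'
    sleep 10
done

# initialize this run
pass_count=0
last_notify_time=0

# monitor connection tracking for dns queries
while :; do
    # dns leak test works for both openvpn and pptp clients
    if ! vpn_check_required; then
        _echo 'nothing to do'
    else
        while :; do
            # vpn went down (or was disabled): back to the outer loop
            vpn_check_required || continue 2

            if [ "$MAX_PASS" -gt 0 ]; then
                # quit if we've reached any execution limits
                [ "$pass_count" -ge "$MAX_PASS" ] && break 2

                pass_count=$((pass_count + 1))
            fi

            # a detection result is used directly instead of inspecting the
            # leftover value of the read loop variable, which was empty only
            # when the loop ran to completion
            if wan_dns_leak_detected; then
                report_dns_leak
            else
                _echo 'no dns leaks detected'
            fi

            sleep "$SLEEP_PASS"
        done
    fi

    sleep "$SLEEP_PASS"
done

exit_0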
  148.  
  149. } 2>&1 | logger $([ ${DEBUG+x} ] && echo '-p user.debug') \
  150.     -t $(echo $(basename $0) | grep -Eo '^.{0,23}')[$$] &