# Utility script that syncs a remote domain blocklist into Windows DNS Server
# query resolution policies (one DENY policy per domain and per "*.domain").
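function Read-UrlText {
    # Fetch $Url and return the response body decoded as UTF-8.
    #
    # The original read $URL from the caller's scope by accident (it had no
    # param block); the parameter makes the dependency explicit.
    # The body is taken from RawContentStream instead of .Content so the
    # decoding is ours and does not depend on the server's charset header.
    # Invoke-WebRequest validates the TLS certificate and throws on HTTP
    # errors by default - both are wanted here, since this URL is the only
    # trust anchor for what gets blocked. -UseBasicParsing avoids the
    # Internet Explorer DOM parser on Windows PowerShell 5.1 (it is a no-op
    # on newer versions).
    param ($Url)
    $rawdata = (Invoke-WebRequest -URI $Url -UseBasicParsing).RawContentStream.ToArray()
    [Text.Encoding]::UTF8.GetString($rawdata)
}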
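function Read-TxtList {
    # Read a newline-separated list of domains from $Url and return each
    # domain twice: as-is and prefixed with "*." so subdomains are covered.
    #
    # Lines are trimmed because a bare "\n" split keeps the "\r" of a CRLF
    # feed, and empty lines are dropped - the file's trailing newline would
    # otherwise yield an empty domain plus a bare "*." entry. Only lines that
    # look like a hostname are kept: the value is later interpolated into an
    # "-FQDN 'EQ,<name>'" criteria string, where commas and whitespace are
    # significant, so anything else from the (untrusted) feed is rejected here.
    param ($Url)
    $domains = (Read-UrlText $Url) -split "\n" |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z0-9._-]+$' }
    @($domains | ForEach-Object { $_; "*.$_" })
}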
function Read-Rpz {
    # Read an RPZ-style zone file from $Url and return the owner name of every
    # CNAME record (the names to block). Not called anywhere in this script;
    # kept for people whose feed comes in RPZ format.
    param ($Url)
    $text = Read-UrlText $Url
    foreach ($line in ($text -split "\n")) {
        if ($line -match "CNAME") {
            # First whitespace-separated field is the record's owner name.
            ($line -split " ")[0]
        }
    }
}
function Convert-Hex {
    # Encode $Data as a lowercase hex string, two digits per character.
    # Used to derive a DNS policy name from a domain; presumably so the name
    # contains only [0-9a-f] (the original does not state the reason).
    # Format-Hex is avoided on purpose: it produces a dump table, not a string.
    # NOTE(review): characters above U+00FF yield more than two digits, so the
    # encoding is only unambiguous for 8-bit input - fine for punycode domain
    # names, not for arbitrary text.
    param ($Data)
    # Per the original author, string concatenation in a loop is much faster
    # here than collecting an array and -join-ing it.
    $hex = ""
    foreach ($ch in $Data.ToCharArray()) {
        $hex += '{0:x2}' -f [int]$ch
    }
    $hex
}
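function Block-Domains {
    # Make the server's DNS query resolution policies whose name starts with
    # $Prefix match $DomHash exactly. $DomHash maps policy name -> domain.
    # Names in $DomHash missing on the server are added as DENY rules; policies
    # on the server with that prefix but absent from $DomHash are removed.
    # Any unrelated policy that happens to share $Prefix is removed too, so
    # the prefix must be reserved for this script.
    param ($Prefix, $DomHash)
    Write-Output "[.] Getting current DNS policies"
    # -ErrorAction Stop: a failed enumeration must abort the sync instead of
    # looking like "no policies yet". @() keeps $existing an array even when
    # nothing matches, which Compare-Object accepts.
    $existing = @(Get-DnsServerQueryResolutionPolicy -ErrorAction Stop |
        Where-Object { $_.Name.StartsWith($Prefix) } |
        ForEach-Object { $_.Name })
    Write-Output "[.] Computing differences"
    $wanted = @($DomHash.Keys | ForEach-Object { $_ })
    $diff = Compare-Object $wanted $existing
    Write-Output "[.] Adding new rules"
    $diff | Where-Object { $_.SideIndicator -eq "<=" } | ForEach-Object {
        $policyName = $_.InputObject
        $domName = $DomHash[$policyName]
        # $domName comes from the remote feed; "EQ,<name>" is the cmdlet's
        # criteria syntax, so the caller must have filtered out commas.
        Add-DnsServerQueryResolutionPolicy -Name $policyName -Action DENY -FQDN "EQ,$domName"
    }
    # Removing policies is slow per item, see
    # https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-is-it-so-ridiculously-slow-to-remove-my-query-resolution/ba-p/1851087
    # The original deletes in descending ProcessingOrder, one at a time;
    # presumably so each delete does not reshuffle the remaining ones - confirm
    # against the linked article before changing.
    $toRemove = @($diff | Where-Object { $_.SideIndicator -eq "=>" } | ForEach-Object {
        Get-DnsServerQueryResolutionPolicy -Name $_.InputObject -ErrorAction Stop
    })
    Write-Output "[.] Dropping $($toRemove.Count) obsolete rules"
    $toRemove |
        Sort-Object ProcessingOrder -Descending |
        Remove-DnsServerQueryResolutionPolicy -Force -ThrottleLimit 1
    Write-Output "[.] Finished successfully"
}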
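function Main {
    # Fetch the blocklist at $Url and sync it into DENY policies named
    # "<Prefix>_<hex(domain)>" via Block-Domains.
    param ($Prefix, $Url)
    Write-Output "[.] Fetching a domain blacklist"
    $domains = @(Read-TxtList $Url)
    # Sanity check against a truncated, empty or otherwise broken download:
    # syncing a tiny list would delete nearly every existing rule.
    if ($domains.Count -lt 1000) {
        Write-Output "Only $($domains.Count) domains parsed from $Url, refusing to continue"
        return
    }
    Write-Output "[.] Parsing new domain blacklist"
    $wantedHash = @{}
    foreach ($domain in $domains) {
        # Index assignment instead of .Add(): a duplicate line in the feed
        # would otherwise throw and abort the whole run.
        $wantedHash["$($Prefix)_$(Convert-Hex $domain)"] = $domain
    }
    Block-Domains $Prefix $wantedHash
}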
# Entry point: all policies created by this script carry the CERTPL_ prefix.
Main -Prefix "CERTPL" -Url "https://hole.cert.pl/domains/v2/domains.txt"