Releases: cunnie/sslip.io
Rotate order of NS Records
We rotate the order that the NS records (ns-aws, ns-azure, ns-gce, ns-ovh) are returned in the hope that this will take the load off ns-aws, whose costs have jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 10 TB.
Pre-release snapshot of NS usage:

```text
ns-aws.sslip.io
"Queries: 237744377 (1800.6/s)"
"Answered Queries: 63040894 (477.5/s)"
ns-azure.sslip.io
"Queries: 42610823 (323.4/s)"
"Answered Queries: 14660603 (111.3/s)"
ns-gce.sslip.io
"Queries: 59734371 (454.1/s)"
"Answered Queries: 17636444 (134.1/s)"
ns-ovh.sslip.io
"Queries: 135897332 (1034.4/s)"
"Answered Queries: 36010164 (274.1/s)"
```
Full Changelog: 3.2.0...3.2.1
Introduce new nameserver, ns-ovh.sslip.io
Presenting ns-ovh.sslip.io:
- located in Warsaw, Poland
- IPv4: 51.75.53.19
- IPv6: 2001:41d0:602:2313::1
The raison d'être of this is to take the load off ns-aws, which jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 10 TB.
Dismantling DNS-backed key-value store, k-v.io
- I'm no longer engaged on setting up k-v.io; I thought it'd be cool to have a DNS-backed etcd implementation, but now I don't care anymore.
- There were technical challenges, too: Specifically, updating values did not play well with DNS caching — you'd get the old value after updating.
- If the service became popular, I'd quickly run out of disk space on my tiny cloud VMs.
- The service would most likely be used by people doing data exfiltration via DNS. I already have enough problems with sslip.io scammers — the last thing I want is to sign up for dealing with k-v.io scammers.
What's Changed
- Blocking 6 major website mirrors by @Morty-Feldman in #38
- Blocking 2 websites that attempt to mirror N4G by @Morty-Feldman in #39
- Blocking 6 mirrored websites by @Morty-Feldman in #40
- Blocking 23 more mirror websites by @Morty-Feldman in #41
- Blocking 10 more mirrored domains by @Morty-Feldman in #42
- Blocking 29 mirror websites by @Morty-Feldman in #43
- Blocking 80 more website mirrors by @Morty-Feldman in #44
- Blocking 27 more mirrored domains by @Morty-Feldman in #45
- Blocking 42 mirror websites by @Morty-Feldman in #46
- Blocking 12 mirror websites by @Morty-Feldman in #47
- Blocking 28 mirror websites by @Morty-Feldman in #48
- Blocking 16 mirror sites by @Morty-Feldman in #49
- Blocking 13 mirror sites by @Morty-Feldman in #50
- Blocking 7 mirror sites by @Morty-Feldman in #51
- Blocking 9 mirror sites by @Morty-Feldman in #52
- Remove th-ab.de from blocklist by @thannaske in #53
- Warn developers to not index their sites by @cunnie in #54
- Blocking 3 mirror IP addresses by @Morty-Feldman in #55
- Blocking 24 mirror sites by @Morty-Feldman in #59
- Blocking 53 mirror sites by @Morty-Feldman in #60
- Blocking 45 mirror sites by @Morty-Feldman in #61
- Blocking 11 mirror sites by @Morty-Feldman in #62
- Blocking 12 mirror sites by @Morty-Feldman in #63
- Blocked 23 mirror sites by @Morty-Feldman in #64
- Blocked 12 mirror sites by @Morty-Feldman in #65
- Blocking 13 mirror sites by @Morty-Feldman in #66
- Blocked 12 mirror websites by @Morty-Feldman in #67
- Blocking 9 mirror websites by @Morty-Feldman in #68
- Blocking 16 mirror sites by @Morty-Feldman in #69
- Blocking 17 mirror sites by @Morty-Feldman in #70
- Blocking 13 mirror sites by @Morty-Feldman in #71
- Blocking 17 mirrored websites by @Morty-Feldman in #72
- Blocking 11 mirror sites by @Morty-Feldman in #73
- Blocking 15 mirror sites by @Morty-Feldman in #74
- Blocking 11 website mirrors by @Morty-Feldman in #75
- Blocking 17 mirror sites by @Morty-Feldman in #76
- Blocking 14 mirror websites by @Morty-Feldman in #77
New Contributors
- @Morty-Feldman made their first contribution in #38
- @thannaske made their first contribution in #53
- @cunnie made their first contribution in #54
Full Changelog: 3.1.0...3.2.0
Shorten TTL for publicly-accessible A & AAAA records
If we have IPs that we need to block, I want them to time-out within the hour. TTL: 604800 → 3600 (1 week → 1 hour)
Enable TCP Binding
`sslip.io-dns-server` now binds to TCP as well as UDP. Although DNS queries typically pass over UDP, TCP offers better protection against cache-poisoning attacks.
If the server is unable to bind to UDP, it'll exit, but if it's unable to bind to TCP, it'll continue running.
Disable DNS-backed key-value store
- No one was using the DNS-backed key-value store
- The removal of the `etcd` library dropped the executable size by over half, from 17MB to 7MB
- I didn't want users who've deployed it internally to be "surprised" by unexpected key-value features
- Key-value-over-DNS has a seamy side to it: "data exfiltration". I know there are legitimate uses for it, but I've come to believe that a Key-value-over-HTTP solution is preferable because it's not only more legitimate but also because it eliminates the DNS caching problem.
`-quiet` flag suppresses logging for each DNS query
Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud Logging" which consumed 84.74 GiB.
At an average of 51.2 queries/second, each log line averaging 192 bytes, and 60*60*24*30 seconds/month, this works out to 25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of $4.95 if using the `-quiet` flag.
However, it seems that my saving would be even more because when I visually browse the logs, at least ⅔ are from sslip.io logging.
Breaking Change
The newest Docker image (v2.6.2+) should be invoked differently, without `/usr/sbin/sslip.io-dns-server` (the image is `cunnie/sslip.io-dns-server`):

```diff
 docker run \
   -it \
   --rm \
   -p 53:53/udp \
   cunnie/sslip.io-dns-server \
-  /usr/sbin/sslip.io-dns-server \
   -nameservers jammy.nono.io \
   -addresses jammy.nono.io=10.9.9.114,jammy.nono.io=2601:646:100:69f0:0:ff:fe00:72
```

Tech note: I switched the Dockerfile `CMD` to `ENTRYPOINT`.
Full Changelog: 2.6.1...2.6.2
`-nameservers` & `-addresses` flags allow customized records
- `-nameservers` flag allows overriding the hard-coded nameservers, ns-aws.sslip.io, ns-azure.sslip.io, and ns-gce.sslip.io. Typical use: `-nameservers=ns-0.pivotal.io,ns-1.pivotal.io`. Useful in internetless (air-gapped) environments
- `-addresses` flag allows customizing address records, often used in conjunction with `-nameservers`, e.g. `-addresses ns-0.pivotal.io=10.8.8.8,ns-1.pivotal.io=10.9.9.9,ns-1.pivotal.io=fcab::`
- 🐞 Reliably bind to individual IP addresses. Sometimes the server would panic when binding to IP addresses individually
- 🐞 Parallel integration tests would fail ~11% of the time due to a race condition. That condition has been fixed
- Integration tests work internetless by default (good for coding on a plane)
- Integration tests are parallelized
- Updated SOA to two days before Armistice Day (11/09)
- Dependency bumps, including bumping Ginkgo in Dockerfiles & `go.mod`
- The Docker image cunnie/sslip.io-dns-server supports both amd64 and arm64 architectures.
Full Changelog: 2.6.0...2.6.1
PTR Records for IPv4 & IPv6
- IPv4 reverse lookup, e.g. `1.0.0.127.in-addr.arpa.` → `127-0-0-1.sslip.io.`
- IPv6 reverse lookup, e.g. `2.a.b.b.4.0.2.9.a.e.e.6.e.c.4.1.0.f.9.6.0.0.1.0.6.4.6.0.1.0.6.2.ip6.arpa.` → `2601-646-100-69f0-14ce-6eea-9204-bba2.sslip.io.`
- Compressed TXT metrics.status.sslip.io (more info including PTR and k-v.io metrics, smaller packet)
- Updated SOA to Bastille Day (7/14)
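The reverse mapping the two PTR bullets describe, written out as an added example (not the project's own code) on top of the Go standard library: reverse the octets or nibbles, validate each one, and emit the dashed sslip.io hostname. `ReversePTR` and its error messages are my own names.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// ReversePTR maps a reverse-lookup name (in-addr.arpa or ip6.arpa) to the
// sslip.io-style hostname described above; malformed names yield an error.
func ReversePTR(name string) (string, error) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if rest, ok := strings.CutSuffix(name, ".in-addr.arpa"); ok {
		labels := strings.Split(rest, ".")
		if len(labels) != 4 {
			return "", fmt.Errorf("want 4 octets, got %d", len(labels))
		}
		var octets [4]byte
		for i, l := range labels {
			v, err := strconv.ParseUint(l, 10, 8) // rejects signs and values > 255
			if err != nil {
				return "", fmt.Errorf("bad octet %q", l)
			}
			octets[3-i] = byte(v) // PTR names list octets least-significant first
		}
		return strings.ReplaceAll(netip.AddrFrom4(octets).String(), ".", "-") + ".sslip.io.", nil
	}
	if rest, ok := strings.CutSuffix(name, ".ip6.arpa"); ok {
		nibbles := strings.Split(rest, ".")
		if len(nibbles) != 32 {
			return "", fmt.Errorf("want 32 nibbles, got %d", len(nibbles))
		}
		var b [16]byte
		for i, nb := range nibbles {
			v, err := strconv.ParseUint(nb, 16, 8)
			if err != nil || len(nb) != 1 {
				return "", fmt.Errorf("bad nibble %q", nb)
			}
			pos := 31 - i                              // most-significant nibble first
			b[pos/2] |= byte(v) << (4 * uint(1-pos%2)) // even pos is the high nibble
		}
		// netip prints the compressed form, so the hostname is canonical.
		return strings.ReplaceAll(netip.AddrFrom16(b).String(), ":", "-") + ".sslip.io.", nil
	}
	return "", fmt.Errorf("%q is not a reverse-lookup name", name)
}

func main() { fmt.Println(ReversePTR("1.0.0.127.in-addr.arpa.")) }
```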
Full Changelog: 2.5.4...2.6.0
Security Release: prohibit TXT records on k-v.io itself
This is a security release which prevents scammers from procuring a `*.k-v.io` wildcard certificate from commercial certificate authorities who use the DNS-01 challenge.
Much thanks to @Alan-Liang, who noted the following:
> ... one could easily add (and modify) a TXT record at _acme-challenge.k-v.io, which I believe is used for verifying domain ownership at various cert providers, so anyone could in theory obtain valid SSL certs for k-v.io and *.k-v.io. I think this might be a security issue
Full Changelog: 2.5.3...2.5.4
k-v.io is operational
- k-v.io has an A record
- Dockerfile builds image to run https://k-v.io on GKE
- Rigorous testing of key-value get/put/delete on each of the three servers
- Bug fixes to etcd TLS certificates (wrong SANs),
Full Changelog: 2.5.2...2.5.3