Releases: cunnie/sslip.io

Rotate order of NS Records

17 Sep 13:45

We rotate the order that the NS records (ns-aws, ns-azure, ns-gce, ns-ovh) are returned in the hope that this will take the load off ns-aws, whose costs have jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 10 TB.

Pre-release snapshot of NS usage:

    ns-aws.sslip.io
    "Queries: 237744377 (1800.6/s)"
    "Answered Queries: 63040894 (477.5/s)"

    ns-azure.sslip.io
    "Queries: 42610823 (323.4/s)"
    "Answered Queries: 14660603 (111.3/s)"

    ns-gce.sslip.io
    "Queries: 59734371 (454.1/s)"
    "Answered Queries: 17636444 (134.1/s)"

    ns-ovh.sslip.io
    "Queries: 135897332 (1034.4/s)"
    "Answered Queries: 36010164 (274.1/s)"

Full Changelog: 3.2.0...3.2.1

Introduce new nameserver, ns-ovh.sslip.io

16 Sep 03:48

Presenting ns-ovh.sslip.io:

  • located in Warsaw, Poland
  • IPv4: 51.75.53.19
  • IPv6: 2001:41d0:602:2313::1

The raison d'être of this is to take the load off ns-aws, which jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 10 TB.

Dismantling DNS-backed key-value store, k-v.io

  • I'm no longer engaged in setting up k-v.io; I thought it'd be cool to have a DNS-backed etcd implementation, but now I don't care anymore.
  • There were technical challenges, too: Specifically, updating values did not play well with DNS caching — you'd get the old value after updating.
  • If the service became popular, I'd quickly run out of disk space on my tiny cloud VMs.
  • The service would most likely be used by people doing data exfiltration via DNS. I already have enough problems with sslip.io scammers — the last thing I want is to sign up for dealing with k-v.io scammers.

Full Changelog: 3.1.0...3.2.0

Shorten TTL for publicly-accessible A & AAAA records

09 Mar 15:49

If we have IPs that we need to block, I want them to time out within the hour. TTL: 604800 → 3600 (1 week → 1 hour)

Enable TCP Binding

04 Oct 15:17

sslip.io-dns-server now binds to TCP as well as UDP. Although DNS queries typically pass over UDP, TCP offers better protection against cache-poisoning attacks.

If the server is unable to bind to UDP, it'll exit, but if it's unable to bind to TCP, it'll continue running.
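As an added example (not the sslip.io-dns-server code itself), here is the binding policy described above written out in Go, together with the length-prefixed framing a DNS server must do on TCP; `Bind` and `ReadTCPMessage` are assumed names, and the 12-byte minimum is the size of a DNS header.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"log"
	"net"
)

// Listeners holds the server's sockets. TCP may be nil: a failed UDP bind is
// fatal, a failed TCP bind is tolerated, since nearly all queries arrive over UDP.
type Listeners struct {
	UDP net.PacketConn
	TCP net.Listener // nil when the TCP bind failed
}

// Bind applies that policy to one address such as "0.0.0.0:53" or "[::]:53".
// It returns an error only when UDP cannot be bound.
func Bind(addr string) (Listeners, error) {
	udp, err := net.ListenPacket("udp", addr)
	if err != nil {
		return Listeners{}, err // fatal: without UDP the server cannot serve anyone
	}
	tcp, err := net.Listen("tcp", addr) // tcp is nil on error
	if err != nil {
		log.Printf("TCP bind on %s failed (%v); continuing UDP-only, without TCP's resistance to spoofed answers", addr, err)
	}
	return Listeners{UDP: udp, TCP: tcp}, nil
}

// ReadTCPMessage reads one DNS message from a TCP stream. Unlike UDP, DNS over
// TCP prefixes every message with a two-byte big-endian length (RFC 1035 §4.2.2),
// so the server must frame its reads rather than assume one Read per query.
func ReadTCPMessage(c net.Conn) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(c, hdr[:]); err != nil {
		return nil, err
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n < 12 { // shorter than a DNS header: malformed, reject before reading payload
		return nil, fmt.Errorf("dns/tcp: declared length %d is below the 12-byte header", n)
	}
	msg := make([]byte, n) // bounded by the 16-bit length field, so at most 64 KiB
	if _, err := io.ReadFull(c, msg); err != nil {
		return nil, err
	}
	return msg, nil
}
```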

Disable DNS-backed key-value store

13 Mar 23:12
  • No one was using the DNS-backed key-value store
  • The removal of the etcd library dropped the executable size by over half from 17MB to 7MB
  • I didn't want users who've deployed it internally to be "surprised" by unexpected key-value features
  • Key-value-over-DNS has a seamy side to it: "data exfiltration". I know there are legitimate uses for it, but I've come to believe that a Key-value-over-HTTP solution is preferable because it's not only more legitimate but also because it eliminates the DNS caching problem.

`-quiet` flag suppresses logging for each DNS query

27 Nov 01:30

Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud Logging", which consumed 84.74 GiB.

At an average of 51.2 queries/second, with each log line averaging 192 bytes, over 60*60*24*30 seconds/month, this works out to 25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of $4.95 if using the -quiet flag.

However, it seems that my savings would be even greater, because when I visually browse the logs, at least ⅔ are from sslip.io logging.

Breaking Change

The newest Docker image (v2.6.2+) should be invoked differently, without /usr/sbin/sslip.io-dns-server:

    # v2.6.2+: the image's ENTRYPOINT is now the server binary, so the former
    # "/usr/sbin/sslip.io-dns-server" argument after the image name is dropped.
    docker run \
      -it \
      --rm \
      -p 53:53/udp \
      cunnie/sslip.io-dns-server \
        -nameservers jammy.nono.io \
        -addresses jammy.nono.io=10.9.9.114,jammy.nono.io=2601:646:100:69f0:0:ff:fe00:72

Tech note: I switched the Dockerfile CMD to ENTRYPOINT.

Full Changelog: 2.6.1...2.6.2

`-nameservers` & `-addresses` flags allow customized records

11 Nov 20:50
  • -nameservers flag allows overriding the hard-coded nameservers, ns-aws.sslip.io, ns-azure.sslip.io, and ns-gce.sslip.io. Typical use: -nameservers=ns-0.pivotal.io,ns-1.pivotal.io. Useful in internetless (air-gapped) environments
  • -addresses flag allows customizing address records, often used in conjunction with -nameservers, e.g. -addresses ns-0.pivotal.io=10.8.8.8,ns-1.pivotal.io=10.9.9.9,ns-1.pivotal.io=fcab::
  • 🐞 Reliably bind to individual IP addresses. Sometimes the server would panic when binding to IP addresses individually
  • 🐞 Parallel integration tests would fail ~11% of the time due to a race condition. That condition has been fixed
  • Integration tests work internetless by default (good for coding on a plane)
  • Integration tests are parallelized
  • Updated SOA to two days before Armistice Day (11/09)
  • Dependency bumps, including bumping Ginkgo in Dockerfiles & go.mod
  • The Docker image cunnie/sslip.io-dns-server supports both amd64 and arm64 architectures.
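An added example (not the project's own flag parser) of how the `-addresses` value format shown above can be parsed in Go: `ParseAddresses` and `Records` are assumed names, and the output keeps each host's A and AAAA addresses separately, since a host such as ns-1.pivotal.io above carries both an IPv4 and an IPv6 address.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Records holds the customized address records parsed from -addresses:
// hostname (lower-cased, with trailing dot) -> A and AAAA addresses.
type Records struct {
	A    map[string][]net.IP
	AAAA map[string][]net.IP
}

// ParseAddresses parses the -addresses syntax "host=ip,host=ip,...". A host may
// appear more than once, so one name can carry several A and AAAA records
// (e.g. ns-1.pivotal.io with both 10.9.9.9 and fcab::). Any entry that is not
// "host=ip" with a parseable IP is rejected outright rather than skipped, so a
// typo cannot silently leave a nameserver without an address in an air-gapped deployment.
func ParseAddresses(flagValue string) (Records, error) {
	recs := Records{A: map[string][]net.IP{}, AAAA: map[string][]net.IP{}}
	if strings.TrimSpace(flagValue) == "" {
		return recs, nil
	}
	for _, entry := range strings.Split(flagValue, ",") {
		host, addr, found := strings.Cut(strings.TrimSpace(entry), "=")
		if !found || host == "" {
			return Records{}, fmt.Errorf("-addresses: expected host=ip, got %q", entry)
		}
		ip := net.ParseIP(addr)
		if ip == nil {
			return Records{}, fmt.Errorf("-addresses: %q is not an IP address", addr)
		}
		host = strings.ToLower(host)
		if !strings.HasSuffix(host, ".") {
			host += "." // store as a fully-qualified name, as DNS answers use
		}
		if v4 := ip.To4(); v4 != nil {
			recs.A[host] = append(recs.A[host], v4)
		} else {
			recs.AAAA[host] = append(recs.AAAA[host], ip)
		}
	}
	return recs, nil
}
```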

Full Changelog: 2.6.0...2.6.1

PTR Records for IPv4 & IPv6

15 Jul 02:10
757ff7a
  • IPv4 reverse lookup, e.g. 1.0.0.127.in-addr.arpa. → 127-0-0-1.sslip.io.
  • IPv6 reverse lookup, e.g. 2.a.b.b.4.0.2.9.a.e.e.6.e.c.4.1.0.f.9.6.0.0.1.0.6.4.6.0.1.0.6.2.ip6.arpa. → 2601-646-100-69f0-14ce-6eea-9204-bba2.sslip.io.
  • Compressed TXT metrics.status.sslip.io (more info including PTR and k-v.io metrics, smaller packet)
  • Updated SOA to Bastille Day (7/14)
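The reverse-lookup mapping above, as an added example in Go (not the server's own code): `ReversePTR` is an assumed name; it rebuilds the address from an in-addr.arpa or ip6.arpa query name and spells it the sslip.io way, with ":" written as "-" (that "::" becomes "--" is an assumption), refusing anything that is not a complete, well-formed reverse name.

```go
package main

import (
	"net"
	"strconv"
	"strings"
)

// ReversePTR turns a reverse-lookup query name (in-addr.arpa or ip6.arpa) into
// the sslip.io hostname encoding the same address, e.g. "1.0.0.127.in-addr.arpa."
// -> "127-0-0-1.sslip.io.". It returns ok=false for anything that is not a
// well-formed reverse name, so a malformed or partial query gets no answer.
func ReversePTR(qname string) (string, bool) {
	q := strings.ToLower(strings.TrimSuffix(qname, "."))
	switch {
	case strings.HasSuffix(q, ".in-addr.arpa"):
		labels := strings.Split(strings.TrimSuffix(q, ".in-addr.arpa"), ".")
		if len(labels) != 4 {
			return "", false
		}
		// The PTR name lists the octets least significant first; put them back.
		for i, j := 0, 3; i < j; i, j = i+1, j-1 {
			labels[i], labels[j] = labels[j], labels[i]
		}
		ip := net.ParseIP(strings.Join(labels, "."))
		if ip == nil || ip.To4() == nil {
			return "", false
		}
		return strings.ReplaceAll(ip.String(), ".", "-") + ".sslip.io.", true
	case strings.HasSuffix(q, ".ip6.arpa"):
		nibbles := strings.Split(strings.TrimSuffix(q, ".ip6.arpa"), ".")
		if len(nibbles) != 32 {
			return "", false
		}
		// Each label is one hex nibble, least significant first: label 0 is the
		// low nibble of byte 15, label 1 its high nibble, and so on up to byte 0.
		ip := make(net.IP, 16)
		for i, n := range nibbles {
			v, err := strconv.ParseUint(n, 16, 8)
			if err != nil || len(n) != 1 {
				return "", false
			}
			ip[15-i/2] |= byte(v) << (4 * uint(i%2))
		}
		// net.IP.String() drops leading zeros and compresses zero runs to "::";
		// sslip.io spells ":" as "-" (assumption: "::" therefore becomes "--").
		return strings.ReplaceAll(ip.String(), ":", "-") + ".sslip.io.", true
	}
	return "", false
}
```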

Full Changelog: 2.5.4...2.6.0

Security Release: prohibit TXT records on k-v.io itself

01 May 00:16
4a59752

This is a security release which prevents scammers from procuring a *.k-v.io wildcard certificate from commercial certificate authorities who use the DNS-01 challenge.

Much thanks to @Alan-Liang, who noted the following:

... one could easily add (and modify) a TXT record at _acme-challenge.k-v.io, which I believe is used for verifying domain ownership at various cert providers, so anyone could in theory obtain valid SSL certs for k-v.io and *.k-v.io. I think this might be a security issue

Full Changelog: 2.5.3...2.5.4

k-v.io is operational

22 Apr 23:25
a21d434
  • k-v.io has an A record
  • Dockerfile builds image to run https://k-v.io on GKE
  • Rigorous testing of key-value get/put/delete on each of the three servers
  • Bug fixes to etcd TLS certificates (wrong SANs)

Full Changelog: 2.5.2...2.5.3