Releases: cunnie/sslip.io
`ns-hetzner.sslip.io` replaces NS `ns-azure.sslip.io`
The torrent of traffic I'm receiving has caused my AWS bill to spike from $9 to $148, all of the increase due to bandwidth charges.
To remediate, I'm replacing ns-azure with ns-hetzner. The previous release replaced ns-aws with ns-ovh.
ns-hetzner has both IPv4 and IPv6 addresses. It appears that Google's 8.8.8.8 DNS service favors IPv6-based nameservers.
`ns-aws.sslip.io` is no longer an NS for `sslip.io`
The torrent of traffic I'm receiving has caused my AWS bill to spike from $9 to $148, all of the increase due to bandwidth charges.
I'm still maintaining ns-aws; the VM continues to run, continues to serve web traffic, and keeps its hostname and IP addresses; however, it will no longer be in the list of NS records for sslip.io.
There are much less expensive hosting providers. OVH is my current favorite.
Join the Public Suffix List
The `TXT _psl.sslip.io` record attests ownership for the Public Suffix List
We want to place sslip.io on the Public Suffix List so we don't need to pester Let's Encrypt for rate limit increases.
According to https://publicsuffix.org/submit/:

> owners of privately-registered domains who themselves issue subdomains to mutually-untrusting parties may wish to be added to the PRIVATE section of the list.
Rotate order of NS Records
We rotate the order that the NS records (ns-aws, ns-azure, ns-gce, ns-ovh) are returned in the hope that this will take the load off ns-aws, whose costs have jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 10 TB.
Pre-release snapshot of NS usage:

| Nameserver | Queries | Answered Queries |
|---|---|---|
| ns-aws.sslip.io | 237744377 (1800.6/s) | 63040894 (477.5/s) |
| ns-azure.sslip.io | 42610823 (323.4/s) | 14660603 (111.3/s) |
| ns-gce.sslip.io | 59734371 (454.1/s) | 17636444 (134.1/s) |
| ns-ovh.sslip.io | 135897332 (1034.4/s) | 36010164 (274.1/s) |
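The rotation described in this release, as an added example in Go; this is not the sslip.io server's own code, and the nameserver list, counter and function names are assumptions. Each response gets the NS RRset rotated left by one position relative to the previous response, so every nameserver leads equally often. One caveat worth knowing before relying on this: most recursive resolvers choose among an RRset's nameservers by their own RTT measurements rather than by the order the authoritative server lists them, so rotation mainly shifts load away from clients that simply take the first record as listed.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// The NS RRset in the order the zone lists it (the four nameservers named above).
var nameservers = []string{
	"ns-aws.sslip.io.",
	"ns-azure.sslip.io.",
	"ns-gce.sslip.io.",
	"ns-ovh.sslip.io.",
}

// nsCounter advances once per response. A single shared counter is enough:
// the rotation only has to be fair on average, not exact.
var nsCounter uint64

// rotatedNS returns ns rotated left by start, so the record at index
// start%len(ns) comes first and the rest follow in their original order.
// It returns a fresh slice: the zone's canonical RRset is never reordered in place.
func rotatedNS(ns []string, start uint64) []string {
	if len(ns) == 0 {
		return nil
	}
	k := int(start % uint64(len(ns)))
	out := make([]string, 0, len(ns))
	out = append(out, ns[k:]...)
	return append(out, ns[:k]...)
}

// nextNS is what a response builder would call when filling the answer or
// authority section: one atomic increment per query, no lock.
func nextNS() []string {
	n := atomic.AddUint64(&nsCounter, 1) - 1
	return rotatedNS(nameservers, n)
}

// leadCounts simulates n responses and counts how often each nameserver is
// listed first; with a correct rotation every entry leads n/len(ns) times.
func leadCounts(ns []string, n int) map[string]int {
	counts := make(map[string]int, len(ns))
	for i := 0; i < n; i++ {
		counts[rotatedNS(ns, uint64(i))[0]]++
	}
	return counts
}

func main() {
	for i := 0; i < 5; i++ {
		fmt.Println(nextNS())
	}
	fmt.Println(leadCounts(nameservers, 400))
}
```

The counter is process-local; if several server processes answer for the same zone each rotates independently, which is still fair on average across them.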
Full Changelog: 3.2.0...3.2.1
Introduce new nameserver, ns-ovh.sslip.io
Introducing ns-ovh.sslip.io:
- located in Warsaw, Poland
- IPv4: 51.75.53.19
- IPv6: 2001:41d0:602:2313::1
The raison d'être of this is to take the load off ns-aws, which jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 100 GB.
Dismantling DNS-backed key-value store, k-v.io
- I'm no longer engaged in setting up k-v.io; I thought it'd be cool to have a DNS-backed etcd implementation, but now I don't care anymore.
- There were technical challenges, too: Specifically, updating values did not play well with DNS caching — you'd get the old value after updating.
- If the service became popular, I'd quickly run out of disk space on my tiny cloud VMs.
- The service would most likely be used by people doing data exfiltration via DNS. I already have enough problems with sslip.io scammers — the last thing I want is to sign up for dealing with k-v.io scammers.
What's Changed
- Blocking 6 major website mirrors by @Morty-Feldman in #38
- Blocking 2 websites that attempt to mirror N4G by @Morty-Feldman in #39
- Blocking 6 mirrored websites by @Morty-Feldman in #40
- Blocking 23 more mirror websites by @Morty-Feldman in #41
- Blocking 10 more mirrored domains by @Morty-Feldman in #42
- Blocking 29 mirror websites by @Morty-Feldman in #43
- Blocking 80 more website mirrors by @Morty-Feldman in #44
- Blocking 27 more mirrored domains by @Morty-Feldman in #45
- Blocking 42 mirror websites by @Morty-Feldman in #46
- Blocking 12 mirror websites by @Morty-Feldman in #47
- Blocking 28 mirror websites by @Morty-Feldman in #48
- Blocking 16 mirror sites by @Morty-Feldman in #49
- Blocking 13 mirror sites by @Morty-Feldman in #50
- Blocking 7 mirror sites by @Morty-Feldman in #51
- Blocking 9 mirror sites by @Morty-Feldman in #52
- Remove th-ab.de from blocklist by @thannaske in #53
- Warn developers to not index their sites by @cunnie in #54
- Blocking 3 mirror IP addresses by @Morty-Feldman in #55
- Blocking 24 mirror sites by @Morty-Feldman in #59
- Blocking 53 mirror sites by @Morty-Feldman in #60
- Blocking 45 mirror sites by @Morty-Feldman in #61
- Blocking 11 mirror sites by @Morty-Feldman in #62
- Blocking 12 mirror sites by @Morty-Feldman in #63
- Blocked 23 mirror sites by @Morty-Feldman in #64
- Blocked 12 mirror sites by @Morty-Feldman in #65
- Blocking 13 mirror sites by @Morty-Feldman in #66
- Blocked 12 mirror websites by @Morty-Feldman in #67
- Blocking 9 mirror websites by @Morty-Feldman in #68
- Blocking 16 mirror sites by @Morty-Feldman in #69
- Blocking 17 mirror sites by @Morty-Feldman in #70
- Blocking 13 mirror sites by @Morty-Feldman in #71
- Blocking 17 mirrored websites by @Morty-Feldman in #72
- Blocking 11 mirror sites by @Morty-Feldman in #73
- Blocking 15 mirror sites by @Morty-Feldman in #74
- Blocking 11 website mirrors by @Morty-Feldman in #75
- Blocking 17 mirror sites by @Morty-Feldman in #76
- Blocking 14 mirror websites by @Morty-Feldman in #77
New Contributors
- @Morty-Feldman made their first contribution in #38
- @thannaske made their first contribution in #53
- @cunnie made their first contribution in #54
Full Changelog: 3.1.0...3.2.0
Shorten TTL for publicly-accessible A & AAAA records
If we have IPs that we need to block, I want them to time-out within the hour. TTL: 604800 → 3600 (1 week → 1 hour)
Enable TCP Binding
`sslip.io-dns-server` now binds to TCP as well as UDP. Although DNS queries typically pass over UDP, TCP offers better protection against cache-poisoning attacks: a forged answer has to arrive on an established connection, so an off-path attacker cannot inject one merely by guessing the transaction ID and source port.

If the server is unable to bind to UDP, it'll exit, but if it's unable to bind to TCP, it'll continue running.
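The bind policy just described (UDP mandatory, TCP optional), as an added example in Go; this is not the sslip.io server's own code, and the type and function names, the 5-second idle deadline and the echo handler are assumptions. It also shows the part of TCP that a UDP-only server never has to deal with: per RFC 1035 §4.2.2 every DNS message on a TCP connection is prefixed with a two-byte big-endian length, and one connection may carry several queries.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"log"
	"net"
	"time"
)

// dnsListeners holds the two sockets. TCP may be nil: the server keeps running without it.
type dnsListeners struct {
	UDP net.PacketConn // required: every resolver can speak DNS over UDP
	TCP net.Listener   // optional: large answers, and far harder to spoof off-path
}

// bindDNS applies the policy from the release note: failing to bind UDP is
// fatal for the caller, failing to bind TCP on the same address is logged and tolerated.
func bindDNS(addr string) (*dnsListeners, error) {
	udp, err := net.ListenPacket("udp", addr)
	if err != nil {
		return nil, fmt.Errorf("udp bind %s: %w", addr, err)
	}
	// Bind TCP to the port UDP actually got (addr may end in ":0"), so both agree.
	bound := udp.LocalAddr().String()
	tcp, err := net.Listen("tcp", bound)
	if err != nil {
		log.Printf("tcp bind %s failed, continuing UDP-only: %v", bound, err)
		tcp = nil
	}
	return &dnsListeners{UDP: udp, TCP: tcp}, nil
}

// Serve answers queries on both transports until the listeners are closed.
// handler receives one raw DNS message and returns the raw reply (nil = drop).
func (l *dnsListeners) Serve(handler func([]byte) []byte) {
	if l.TCP != nil {
		go l.serveTCP(handler)
	}
	l.serveUDP(handler)
}

func (l *dnsListeners) serveUDP(handler func([]byte) []byte) {
	buf := make([]byte, 4096) // above the classic 512-byte limit and common EDNS sizes
	for {
		n, peer, err := l.UDP.ReadFrom(buf)
		if err != nil {
			return // listener closed
		}
		if reply := handler(buf[:n]); reply != nil {
			l.UDP.WriteTo(reply, peer)
		}
	}
}

func (l *dnsListeners) serveTCP(handler func([]byte) []byte) {
	for {
		conn, err := l.TCP.Accept()
		if err != nil {
			return // listener closed
		}
		go func(c net.Conn) {
			defer c.Close()
			c.SetDeadline(time.Now().Add(5 * time.Second)) // idle clients must not pin a goroutine
			for { // several queries may share one connection
				msg, err := readTCPMessage(c)
				if err != nil {
					return
				}
				if reply := handler(msg); reply != nil {
					if err := writeTCPMessage(c, reply); err != nil {
						return
					}
				}
			}
		}(conn)
	}
}

// readTCPMessage reads one length-prefixed DNS message (RFC 1035 §4.2.2).
func readTCPMessage(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	msg := make([]byte, binary.BigEndian.Uint16(hdr[:]))
	_, err := io.ReadFull(r, msg)
	return msg, err
}

// writeTCPMessage writes the two-byte length, then the message, in one Write.
func writeTCPMessage(w io.Writer, msg []byte) error {
	if len(msg) > 0xFFFF {
		return fmt.Errorf("message too large for a TCP frame: %d bytes", len(msg))
	}
	var hdr [2]byte
	binary.BigEndian.PutUint16(hdr[:], uint16(len(msg)))
	_, err := w.Write(append(hdr[:], msg...))
	return err
}

// markResponse is a deliberately minimal stand-in for a real resolver: it drops
// anything shorter than a DNS header and echoes the rest with the QR bit set.
func markResponse(query []byte) []byte {
	if len(query) < 12 {
		return nil
	}
	reply := append([]byte(nil), query...)
	reply[2] |= 0x80 // QR: this is a response
	return reply
}

func (l *dnsListeners) Close() {
	l.UDP.Close()
	if l.TCP != nil {
		l.TCP.Close()
	}
}

func main() {
	l, err := bindDNS(":5353")
	if err != nil {
		log.Fatal(err) // UDP is mandatory
	}
	defer l.Close()
	log.Printf("serving on udp/%s, tcp enabled: %v", l.UDP.LocalAddr(), l.TCP != nil)
	l.Serve(markResponse)
}
```

Port 5353 in `main` is only so the example runs unprivileged; a production server binds 53 on both transports.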
Disable DNS-backed key-value store
- No one was using the DNS-backed key-value store
- The removal of the etcd library dropped the executable size by over half, from 17MB to 7MB
- I didn't want users who've deployed it internally to be "surprised" by unexpected key-value features
- Key-value-over-DNS has a seamy side to it: "data exfiltration". I know there are legitimate uses for it, but I've come to believe that a Key-value-over-HTTP solution is preferable because it's not only more legitimate but also because it eliminates the DNS caching problem.
`-quiet` flag suppresses logging for each DNS query
Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud Logging" which consumed 84.74 GiB.
At an average of 51.2 queries/second, and each log line averaging 192 bytes, and 60×60×24×30 seconds/month, this works out to 25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of $4.95 if using the `-quiet` flag.
However, it seems that my saving would be even more because when I visually browse the logs, at least ⅔ are from sslip.io logging.
Breaking Change
The newest Docker image (v2.6.2+) should be invoked differently, without `/usr/sbin/sslip.io-dns-server`:

```diff
docker run \
  -it \
  --rm \
  -p 53:53/udp \
  cunnie/sslip.io-dns-server \
-   /usr/sbin/sslip.io-dns-server \
    -nameservers jammy.nono.io \
    -addresses jammy.nono.io=10.9.9.114,jammy.nono.io=2601:646:100:69f0:0:ff:fe00:72
```

Tech note: I switched the Dockerfile `CMD` to `ENTRYPOINT`.
Full Changelog: 2.6.1...2.6.2
`-nameservers` & `-addresses` flags allow customized records
- `-nameservers` flag allows overriding the hard-coded nameservers, ns-aws.sslip.io, ns-azure.sslip.io, and ns-gce.sslip.io. Typical use: `-nameservers=ns-0.pivotal.io,ns-1.pivotal.io`. Useful in internetless (air-gapped) environments
- `-addresses` flag allows customizing address records, often used in conjunction with `-nameservers`, e.g. `-addresses ns-0.pivotal.io=10.8.8.8,ns-1.pivotal.io=10.9.9.9,ns-1.pivotal.io=fcab::`
- 🐞 Reliably bind to individual IP addresses. Sometimes the server would panic when binding to IP addresses individually
- 🐞 Parallel integration tests would fail ~11% of the time due to a race condition. That condition has been fixed
- Integration tests work internetless by default (good for coding on a plane)
- Integration tests are parallelized
- Updated SOA to two days before Armistice Day (11/09)
- Dependency bumps, including bumping Ginkgo in Dockerfiles & go.mod
- The Docker image cunnie/sslip.io-dns-server supports both amd64 and arm64 architectures.
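Parsing the `-nameservers` and `-addresses` syntax shown above, as an added example in Go; this is not the sslip.io server's own flag handling, and the type and function names are assumptions. It covers the detail the `-addresses` example relies on (the same host listed twice to get both an A and an AAAA record), normalises hostnames to lower-case FQDNs so `NS-1.pivotal.io` and `ns-1.pivotal.io.` are the same key, treats IPv4-mapped IPv6 input as an A record, and reports nameservers that were named but given no address, which is the usual mistake in an air-gapped deployment.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// AddressMap maps a lower-case FQDN (trailing dot) to its A and AAAA records.
type AddressMap map[string][]netip.Addr

// canonicalHost lower-cases, trims and appends the trailing dot of a DNS name.
func canonicalHost(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	if !strings.HasSuffix(h, ".") {
		h += "."
	}
	return h
}

// parseNameservers parses the -nameservers syntax: a comma-separated list of
// hostnames, canonicalised and de-duplicated, order preserved.
func parseNameservers(flag string) []string {
	var out []string
	seen := map[string]bool{}
	for _, h := range strings.Split(flag, ",") {
		h = canonicalHost(h)
		if h == "." || seen[h] {
			continue
		}
		seen[h] = true
		out = append(out, h)
	}
	return out
}

// parseAddresses parses the -addresses syntax host=ip[,host=ip...]. A host
// may appear more than once; that is how it gets both an IPv4 and an IPv6 record.
func parseAddresses(flag string) (AddressMap, error) {
	m := AddressMap{}
	if strings.TrimSpace(flag) == "" {
		return m, nil
	}
	for _, pair := range strings.Split(flag, ",") {
		host, ipStr, ok := strings.Cut(pair, "=")
		if !ok {
			return nil, fmt.Errorf("%q: expected host=ip", pair)
		}
		host = canonicalHost(host)
		if host == "." {
			return nil, fmt.Errorf("%q: empty hostname", pair)
		}
		ip, err := netip.ParseAddr(strings.TrimSpace(ipStr))
		if err != nil {
			return nil, fmt.Errorf("%q: %w", pair, err)
		}
		if ip.Zone() != "" {
			return nil, fmt.Errorf("%q: zone identifiers cannot appear in DNS records", pair)
		}
		ip = ip.Unmap() // "::ffff:10.8.8.8" is an A record, not an AAAA record
		m[host] = appendUnique(m[host], ip)
	}
	return m, nil
}

func appendUnique(addrs []netip.Addr, ip netip.Addr) []netip.Addr {
	for _, a := range addrs {
		if a == ip {
			return addrs
		}
	}
	return append(addrs, ip)
}

// aRecords and aaaaRecords split a host's addresses by record type,
// which is what an answer section needs.
func aRecords(m AddressMap, host string) []netip.Addr {
	var out []netip.Addr
	for _, a := range m[canonicalHost(host)] {
		if a.Is4() {
			out = append(out, a)
		}
	}
	return out
}

func aaaaRecords(m AddressMap, host string) []netip.Addr {
	var out []netip.Addr
	for _, a := range m[canonicalHost(host)] {
		if a.Is6() {
			out = append(out, a)
		}
	}
	return out
}

// missingGlue lists nameservers from -nameservers that -addresses gave no
// address: in an air-gapped setup nobody else will resolve them.
func missingGlue(ns []string, m AddressMap) []string {
	var out []string
	for _, h := range ns {
		if len(m[h]) == 0 {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	ns := parseNameservers("ns-0.pivotal.io,ns-1.pivotal.io")
	m, err := parseAddresses("ns-0.pivotal.io=10.8.8.8,ns-1.pivotal.io=10.9.9.9,ns-1.pivotal.io=fcab::")
	if err != nil {
		fmt.Println("bad -addresses:", err)
		return
	}
	for _, h := range ns {
		fmt.Printf("%s A=%v AAAA=%v\n", h, aRecords(m, h), aaaaRecords(m, h))
	}
	fmt.Println("nameservers without an address:", missingGlue(ns, m))
}
```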
Full Changelog: 2.6.0...2.6.1