sslip.io

Golang-based DNS server which maps DNS records with embedded IP addresses to those addresses.

APACHE-2.0 License

sslip.io - Shorten TTL for publicly-accessible A & AAAA records

Published by cunnie 8 months ago

If we have IPs that we need to block, I want them to time out within the hour. TTL: 604800 → 3600 (1 week → 1 hour)

sslip.io - Enable TCP Binding

Published by cunnie about 1 year ago

sslip.io-dns-server now binds to TCP as well as UDP. Although DNS queries typically pass over UDP, TCP offers better protection against cache-poisoning attacks.

If the server is unable to bind to UDP, it'll exit, but if it's unable to bind to TCP, it'll continue running.

sslip.io - Disable DNS-backed key-value store

Published by cunnie over 1 year ago

  • No one was using the DNS-backed key-value store
  • The removal of the etcd library dropped the executable size by over half from 17MB to 7MB
  • I didn't want users who've deployed it internally to be "surprised" by unexpected key-value features
  • Key-value-over-DNS has a seamy side to it: "data exfiltration". I know there are legitimate uses for it, but I've come to believe that a Key-value-over-HTTP solution is preferable because it's not only more legitimate but also because it eliminates the DNS caching problem.

sslip.io - `-quiet` flag suppresses logging for each DNS query

Published by cunnie almost 2 years ago

Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud Logging" which consumed 84.74 GiB.

At an average of 51.2 queries/second, each log line averaging 192 bytes, and 60*60*24*30 seconds/month, this works out to 25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of $4.95 if using the -quiet flag.

However, it seems that my savings would be even more because when I visually browse the logs, at least ⅔ are from sslip.io logging.

Breaking Change

The newest Docker image (v2.6.2+) should be invoked differently, without /usr/sbin/sslip.io-dns-server:

 docker run \
   -it \
   --rm \
   -p 53:53/udp \
-    /usr/sbin/sslip.io-dns-server \
       -nameservers jammy.nono.io \
       -addresses jammy.nono.io=10.9.9.114,jammy.nono.io=2601:646:100:69f0:0:ff:fe00:72

Tech note: I switched the Dockerfile CMD to ENTRYPOINT.

Full Changelog: https://github.com/cunnie/sslip.io/compare/2.6.1...2.6.2

sslip.io - `-nameservers` & `-addresses` flags allow customized records

Published by cunnie almost 2 years ago

  • -nameservers flag allows overriding the hard-coded nameservers, ns-aws.sslip.io, ns-azure.sslip.io, and ns-gce.sslip.io. Typical use: -nameservers=ns-0.pivotal.io,ns-1.pivotal.io. Useful in internetless (air-gapped) environments
  • -addresses flag allows customizing address records, often used in conjunction with -nameservers, e.g. -addresses ns-0.pivotal.io=10.8.8.8,ns-1.pivotal.io=10.9.9.9,ns-1.pivotal.io=fcab::
  • 🐞 Reliably bind to individual IP addresses. Sometimes the server would panic when binding to IP addresses individually
  • 🐞 Parallel integration tests would fail ~11% of the time due to a race condition. That condition has been fixed
  • Integration tests work internetless by default (good for coding on a plane)
  • Integration tests are parallelized
  • Updated SOA to two days before Armistice Day (11/09)
  • Dependency bumps, including bumping Ginkgo in Dockerfiles & go.mod
  • The Docker image cunnie/sslip.io-dns-server supports both amd64 and arm64 architectures.

Full Changelog: https://github.com/cunnie/sslip.io/compare/2.6.0...2.6.1

sslip.io - PTR Records for IPv4 & IPv6

Published by cunnie over 2 years ago

  • IPv4 reverse lookup, e.g. 1.0.0.127.in-addr.arpa. → 127-0-0-1.sslip.io.
  • IPv6 reverse lookup, e.g. 2.a.b.b.4.0.2.9.a.e.e.6.e.c.4.1.0.f.9.6.0.0.1.0.6.4.6.0.1.0.6.2.ip6.arpa. →
    2601-646-100-69f0-14ce-6eea-9204-bba2.sslip.io.
  • Compressed TXT metrics.status.sslip.io (more info including PTR and k-v.io metrics, smaller packet)
  • Updated SOA to Bastille Day (7/14)
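
An added example, not the project's own code: a Go function that performs the reverse mapping described above, turning an in-addr.arpa or ip6.arpa query name into the dash-separated sslip.io hostname, and refusing partial zone names, out-of-range octets and malformed nibbles instead of answering.

```go
package main

import (
	"net/netip"
	"strings"
)

// reverseToSslip maps a reverse-lookup name (in-addr.arpa or ip6.arpa) to the
// dash-separated sslip.io hostname; ok is false for partial or invalid names.
func reverseToSslip(qname string) (string, bool) {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	switch {
	case strings.HasSuffix(name, ".in-addr.arpa"):
		octets := strings.Split(strings.TrimSuffix(name, ".in-addr.arpa"), ".")
		if len(octets) != 4 {
			return "", false // e.g. 0.0.127.in-addr.arpa names a zone, not one address
		}
		for i, j := 0, 3; i < j; i, j = i+1, j-1 { // octets are listed least significant first
			octets[i], octets[j] = octets[j], octets[i]
		}
		addr, err := netip.ParseAddr(strings.Join(octets, "."))
		if err != nil || !addr.Is4() {
			return "", false // an octet above 255, or not numeric at all
		}
		return strings.ReplaceAll(addr.String(), ".", "-") + ".sslip.io.", true
	case strings.HasSuffix(name, ".ip6.arpa"):
		nibbles := strings.Split(strings.TrimSuffix(name, ".ip6.arpa"), ".")
		if len(nibbles) != 32 {
			return "", false
		}
		var hex strings.Builder // rebuild 8 colon-separated groups, most significant first
		for i := 31; i >= 0; i-- {
			if len(nibbles[i]) != 1 {
				return "", false
			}
			hex.WriteString(nibbles[i])
			if i%4 == 0 && i > 0 {
				hex.WriteByte(':')
			}
		}
		addr, err := netip.ParseAddr(hex.String()) // canonicalises: drops leading zeros, uses "::"
		if err != nil {
			return "", false
		}
		return strings.ReplaceAll(addr.String(), ":", "-") + ".sslip.io.", true
	}
	return "", false
}
```

Because netip canonicalises the address, a run of zero groups comes out as "--" in the hostname (the "::" form), which is the sslip.io spelling for such addresses.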

Full Changelog: https://github.com/cunnie/sslip.io/compare/2.5.4...2.6.0

sslip.io - Security Release: prohibit TXT records on k-v.io itself

Published by cunnie over 2 years ago

This is a security release which prevents scammers from procuring a *.k-v.io wildcard certificate from commercial certificate authorities who use the DNS-01 challenge.

Much thanks to @Alan-Liang, who noted the following:

... one could easily add (and modify) a TXT record at _acme-challenge.k-v.io, which I believe is used for verifying domain ownership at various cert providers, so anyone could in theory obtain valid SSL certs for k-v.io and *.k-v.io. I think this might be a security issue

Full Changelog: https://github.com/cunnie/sslip.io/compare/2.5.3...2.5.4

sslip.io - k-v.io is operational

Published by cunnie over 2 years ago

  • k-v.io has an A record
  • Dockerfile builds image to run https://k-v.io on GKE
  • Rigorous testing of key-value get/put/delete on each of the three servers
  • Bug fixes to etcd TLS certificates (wrong SANs)

Full Changelog: https://github.com/cunnie/sslip.io/compare/2.5.2...2.5.3

sslip.io - k-v.io: on DELETE, don't return the deleted value

Published by cunnie over 2 years ago

We don't return the deleted value because doing that would have the unintended consequence of postponing the deletion: downstream caching servers would cache the deleted value for up to three more minutes. We'd rather have the key deleted sooner rather than later.

Some APIs, e.g. etcd's, return a list of deleted values on return: those APIs can afford to do so because they don't need to worry about DNS propagation.

We also lengthen the timeout of an etcd API call from 500 msec to 1928 msecs; 500 msec was too close; some calls routinely took 480 msec to complete, and we wanted more headroom.

We also no longer do two etcd operations when we delete a value. Previously we would do a GET followed by a DELETE, but since we're not returning the value deleted, there's no point to the GET. Furthermore, the GET was never necessary, for the etcd DELETE API call returned the values deleted.

  • We no longer produce BOSH releases; if you need a BOSH release, use version 2.5.1.
  • You can now select the port to bind to, e.g. sslip.io-dns-server -port 5353. This is useful, for example, when you're not running as a privileged user, and you can't bind to a privileged port (e.g. 53).
  • Blocklists are downloaded once per hour, not once per hour per IP address bound to.

sslip.io - Include a CIDR-based blocklist to foil phishers

Published by cunnie over 2 years ago

Typical examples: 43.134.66.67/24, 2601:646:100:69f7:cafe:bebe:cafe:bebe/112

We decided we needed to block by CIDRs as well as strings because phishers can use hostnames that don't lend themselves to being blocked with strings, e.g. nf-43-134-66-67.sslip.io.

  • Blocklist downloads every hour
  • Private IP addresses aren't blocked

[fixes #13]

sslip.io - Include a blocklist to foil phishers

Published by cunnie over 2 years ago

Typical example: https://raiffeisen.94.228.116.140.sslip.io.

Raiffeisen is a bank.

I was hoping Let's Encrypt would share their blocklist, but they wouldn't. See #13 for more information.
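
An added example, not sslip.io's own code, covering both this release's string blocklist and the CIDR blocklist of the release above. The blocklist contents are constructed; the check refuses names that contain a blocked string or embed a public address inside a blocked CIDR, leaves private addresses alone, and lets netip.ParseAddr rather than the regexp decide whether a candidate is a real address, which is the discipline the later "specially-crafted hostnames" fix describes.

```go
package main

import (
	"net/netip"
	"regexp"
	"strings"
)

// Constructed blocklist for this example; the real server downloads its list hourly.
var (
	blockedStrings = []string{"raiffeisen"}
	blockedCIDRs   = []netip.Prefix{netip.MustParsePrefix("43.134.66.67/24"), netip.MustParsePrefix("2601:646:100:69f7:cafe:bebe:cafe:bebe/112")}
	// Loose on purpose (300-1-1-1 matches too): netip.ParseAddr, not the regexp, decides validity.
	ipv4Pattern = regexp.MustCompile(`(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})`)
)

// embeddedAddr extracts a dashed IPv6 held in one label (2601-646-100-69f7-cafe-bebe-cafe-bebe,
// "--" for "::") or a dotted/dashed IPv4 (raiffeisen.94.228.116.140, nf-43-134-66-67).
func embeddedAddr(host string) (netip.Addr, bool) {
	for _, label := range strings.Split(host, ".") {
		if a, err := netip.ParseAddr(strings.ReplaceAll(label, "-", ":")); err == nil && a.Is6() {
			return a, true
		}
	}
	if m := ipv4Pattern.FindStringSubmatch(host); m != nil {
		if a, err := netip.ParseAddr(strings.Join(m[1:], ".")); err == nil {
			return a, true
		}
	}
	return netip.Addr{}, false
}

// blocked reports whether a query name gets no answer: it contains a blocked string,
// or embeds a public address inside a blocked CIDR. Private addresses are never blocked.
func blocked(qname string) bool {
	host := strings.ToLower(strings.TrimSuffix(qname, "."))
	for _, s := range blockedStrings {
		if strings.Contains(host, s) {
			return true
		}
	}
	addr, ok := embeddedAddr(host)
	if !ok || addr.IsPrivate() {
		return false
	}
	for _, p := range blockedCIDRs {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}
```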

sslip.io - 🐞 Fix crashes caused by specially-crafted hostnames

Published by cunnie almost 3 years ago

Bug fix: certain hostnames with embedded IPv4 addresses would cause the server to crash (this was caused by my regular expression thinking they were valid IPs, but net.ParseIP() disagreeing). Now the server doesn't crash; instead it returns no answers (correct behavior).

sslip.io - Now with metrics! `metrics.status.sslip.io`

Published by cunnie almost 3 years ago

  • Feature: you can view the metrics of a given server by querying the TXT record of metrics.status.sslip.io, e.g. dig @ns-aws.sslip.io metrics.status.sslip.io txt +short
  • Bug fix: the server would panic() when querying the TXT record of a customized domain which didn't have a customized TXT record, e.g. dig @ns-aws.sslip.io ns.sslip.io txt +short. Now it doesn't panic()
  • Change: experimental TXT records to find the server version have been moved from version.sslip.io to version.status.sslip.io, e.g. dig @ns-aws.sslip.io version.status.sslip.io txt +short
  • Change: TTL dropped from 300 to 180 seconds (5 minutes to 3 minutes). This lays the groundwork for the upcoming key-value store.

sslip.io - `kv.sslip.io`: (key-value) read/write/delete TXTs

Published by cunnie almost 3 years ago

We enable special behavior under the kv.sslip.io subdomain: it can be treated as a key-value store, the sub-subdomain being the key, and the TXT record being the value.

For example, to write ("put") the value "12.0.1" to the key "macos-version" on the ns-gce.sslip.io. nameserver, you'd use the following dig command:

dig @ns-gce.sslip.io. txt put.12.0.1.macos-version.kv.sslip.io.

To read ("get") the value back, you'd write the following dig command:

dig @ns-gce.sslip.io. txt get.macos-version.kv.sslip.io.

Since "get" is the default behavior, you don't need to include it in the
domain name:

dig @ns-gce.sslip.io. txt macos-version.kv.sslip.io.

Finally, when you're done with the key-value, you can "delete" it:

dig @ns-gce.sslip.io. txt delete.macos-version.kv.sslip.io.

Notes:

  • Keys are case-insensitive (to accommodate DNS convention). In other words, KEY.kv.sslip.io and key.kv.sslip.io return the same TXT record.
  • Values are case-sensitive. put.CamelCase.style.kv.sslip.io sets the TXT record to "CamelCase".
  • put requests will return the TXT record being put; i.e. put.hello.world.kv.sslip.io returns one TXT record of one string, hello.
  • delete requests will return the TXT record being deleted; i.e. delete.world.kv.sslip.io returns one TXT record of one string, hello. If the TXT record does not exist, no TXT records will be returned.
  • Values are limited to 63 bytes to mitigate using the sslip.io servers in a DNS amplification attack.
  • Values are not persistent: if the server is restarted, all values disappear. Poof.
  • Values are not consistent. If a value is set in ns-aws.sslip.io, it does not propagate to ns-gce.sslip.io nor ns-azure.sslip.io.
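
An added example, not sslip.io's own code: a Go parser for the kv.sslip.io naming scheme described above, with a minimal in-memory store that behaves as the notes list (case-insensitive keys, case-preserving values that may contain dots, the 63-byte cap, and delete echoing the value, which is this release's behaviour and was changed later).

```go
package main

import (
	"errors"
	"strings"
)
type kvRequest struct{ Op, Key, Value string } // Op is get, put or delete

// parseKV decodes e.g. put.12.0.1.macos-version.kv.sslip.io: the key is the label
// before "kv"; a put value is everything between op and key, dots included.
func parseKV(qname string) (kvRequest, error) {
	labels := strings.Split(strings.TrimSuffix(qname, "."), ".")
	n := len(labels)
	if n < 4 || !strings.EqualFold(strings.Join(labels[n-3:], "."), "kv.sslip.io") {
		return kvRequest{}, errors.New("not a kv.sslip.io name")
	}
	body := labels[:n-3]
	key := strings.ToLower(body[len(body)-1]) // keys are case-insensitive (DNS convention)
	op := "get"                               // bare key.kv.sslip.io means get
	if len(body) > 1 {
		op, body = strings.ToLower(body[0]), body[1:]
	}
	switch op {
	case "get", "delete":
		if len(body) == 1 {
			return kvRequest{op, key, ""}, nil
		}
	case "put":
		value := strings.Join(body[:len(body)-1], ".") // values keep their case
		if value != "" && len(value) <= 63 {           // 63-byte cap limits amplification
			return kvRequest{op, key, value}, nil
		}
	}
	return kvRequest{}, errors.New("malformed kv.sslip.io name")
}
// kvStore is one server's in-memory map: not persistent and not replicated.
type kvStore map[string]string
func (s kvStore) handle(r kvRequest) []string {
	if r.Op == "put" {
		s[r.Key] = r.Value
	}
	v, ok := s[r.Key]
	if r.Op == "delete" {
		delete(s, r.Key) // this release echoes the deleted value; a later one stops doing so
	}
	if !ok {
		return nil // unknown key: no TXT records
	}
	return []string{v}
}
```
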

sslip.io - 2.2.4

Published by cunnie almost 3 years ago

When querying for NS records, the nono.io records are no longer returned; only the sslip.io records.

sslip.io - 2.2.3

Published by cunnie almost 3 years ago

Add NS servers in sslip.io domain

We currently use three nameservers in the nono.io domain, but that's confusing; why not have the nameservers in the sslip.io domain?

This commit starts the ball rolling to convert to the sslip.io domain. We'll have a brief period where we have both nono.io and sslip.io nameservers.

At which point we'll add the sslip.io nameservers to our registrar, Namecheap.com.

Once they've been added to our registrar, we'll wait a day or two to propagate, and then we'll delete references to the nono.io nameservers.

sslip.io - 2.2.2

Published by cunnie almost 3 years ago

ip.sslip.io TXT returns origin IP

Our documentation was wrong; our homepage said to get the origin IP address by querying the TXT record of the root, i.e. dig @ns-aws.nono.io txt . +short; however, our code worked differently: it returned the origin IP when the .ip TLD was queried.

The new behavior is that it returns the origin IP when ip.sslip.io. is queried, and the documentation now reflects that behavior.

Also, that behavior is marked "experimental" to give us leeway to change.

sslip.io - 2.2.1

Published by cunnie about 3 years ago

TXT record for version.sslip.io returns version information

dig txt version.sslip.io returns version information of the sslip.io DNS server. This can be helpful when troubleshooting.

The TXT record consists of three distinct strings: version, compile date, and git hash.

dig @ns-aws.nono.io txt version.sslip.io +short
  "2.2.1"
  "2021/10/06-05:17:18-0700"
  "7bef649"

The three servers should always have the same semantic version (e.g. "2.2.1"), but their compile date & git hash may differ for technical reasons.

Full Changelog: https://github.com/cunnie/sslip.io/compare/2.2.0...2.2.1

sslip.io - 2.2.0

Published by cunnie over 3 years ago

  • ns-aws.nono.io now has an IPv6 address, 2600:1f18:aaf:6900::a
  • You can use sslip.io's DNS servers (ns-aws.nono.io, ns-azure.nono.io, ns-gce.nono.io) to determine your public IP address by querying the TXT record of the root domain. If you're curious about your public IPv6 address, use the DNS server ns-aws.nono.io, for it has both IPv4 and IPv6 addresses:
dig @ns-aws.nono.io txt . +short    # sample reply "2607:fb90:464:ae1e:ed60:29c:884c:4b52"

sslip.io - 🐞 Case-insensitive custom records

Published by cunnie over 3 years ago

Binding to port 53: better messaging

This release addresses problems under Linux:

  • The user needs to be root to bind to port 53 (or have the CAP_NET_BIND_SERVICE capability), so if we have a permissions-problem, we say, "try sudo".

  • If we can't bind to INADDR_ANY, and we probably can't because "systemd-resolved provides a local DNS stub listener on IP address 127.0.0.53" on port 53, which prevents us from binding, we fallback to attempting to bind to every available address individually.

🐞 Ignore case when comparing customized records

This fixes an error when procuring Let's Encrypt certs using the HTTP-01 challenge: the server didn't recognize, when queried with SsLiP.iO, that it's the same as sslip.io, and so it didn't reply with the correct A/AAAA records.

fixes:

sudo /usr/local/bin/certbot renew
  No valid IP addresses found for sslip.io

log messages from /var/vcap/sys/log/sslip.io-dns-server/sslip.io-dns-server.stderr.log:

2021/01/30 21:45:49 3.122.55.230.22713 TypeA SsliP.IO. ? nil, SOA SsliP.IO. briancunnie.gmail.com. 2021011400 900 900 1800 300
2021/01/30 21:45:49 54.187.227.254.16621 TypeAAAA SslIP.io. ? nil, SOA SslIP.io. briancunnie.gmail.com. 2021011400 900 900 1800 300