Golang-based DNS server which maps DNS records with embedded IP addresses to those addresses.
APACHE-2.0 License
Published by cunnie 8 months ago
If we have IPs that we need to block, I want them to time-out within the hour. TTL: 604800 → 3600 (1 week → 1 hour)
Published by cunnie about 1 year ago
sslip.io-dns-server now binds to TCP as well as UDP. Although DNS queries typically pass over UDP, TCP offers better protection against cache-poisoning attacks.
If the server is unable to bind to UDP, it'll exit, but if it's unable to bind to TCP, it'll continue running.
Published by cunnie over 1 year ago
Removing the etcd library dropped the executable size by over half, from 17MB to 7MB.
Published by cunnie almost 2 years ago
Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud Logging" which consumed 84.74 GiB.
At an average of 51.2 queries/second, each log line averaging 192 bytes, and 60*60*24*30 seconds/month, this works out to 25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of $4.95 if using the -quiet flag.
However, it seems that my saving would be even more because when I visually browse the logs, at least β are from sslip.io logging.
The newest Docker image (v2.6.2+) should be invoked differently, without /usr/sbin/sslip.io-dns-server:
  docker run \
    -it \
    --rm \
    -p 53:53/udp \
-   /usr/sbin/sslip.io-dns-server \
    -nameservers jammy.nono.io \
    -addresses jammy.nono.io=10.9.9.114,jammy.nono.io=2601:646:100:69f0:0:ff:fe00:72
Tech note: I switched the Dockerfile CMD to ENTRYPOINT.
Full Changelog: https://github.com/cunnie/sslip.io/compare/2.6.1...2.6.2
Published by cunnie almost 2 years ago
The -nameservers flag allows overriding the hard-coded nameservers, ns-aws.sslip.io, ns-azure.sslip.io, and ns-gce.sslip.io. Typical use: -nameservers=ns-0.pivotal.io,ns-1.pivotal.io. Useful in internetless (air-gapped) environments.
The -addresses flag allows customizing address records, often used in conjunction with -nameservers, e.g. -addresses ns-0.pivotal.io=10.8.8.8,ns-1.pivotal.io=10.9.9.9,ns-1.pivotal.io=fcab::
go.mod
Full Changelog: https://github.com/cunnie/sslip.io/compare/2.6.0...2.6.1
Published by cunnie over 2 years ago
1.0.0.127.in-addr.arpa. → 127-0-0-1.sslip.io.
2.a.b.b.4.0.2.9.a.e.e.6.e.c.4.1.0.f.9.6.0.0.1.0.6.4.6.0.1.0.6.2.ip6.arpa. → 2601-646-100-69f0-14ce-6eea-9204-bba2.sslip.io.
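As an added example (not the project's code; ReverseToSslip is my name for it), a Go function performing the reverse-name mapping shown above: in-addr.arpa octets are reversed, and ip6.arpa nibbles are read backwards and regrouped into the dash-separated sslip.io hostname.

```go
package main

import (
	"fmt"
	"strings"
)

// ReverseToSslip turns a PTR query name (in-addr.arpa or ip6.arpa) into the
// sslip.io hostname embedding the same address, as in the two mappings above.
// It returns false for names that are not well-formed reverse lookups.
func ReverseToSslip(name string) (string, bool) {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	switch {
	case strings.HasSuffix(name, ".in-addr.arpa"):
		octets := strings.Split(strings.TrimSuffix(name, ".in-addr.arpa"), ".")
		if len(octets) != 4 {
			return "", false
		}
		// in-addr.arpa lists octets least significant first: 1.0.0.127 -> 127-0-0-1
		for i, j := 0, 3; i < j; i, j = i+1, j-1 {
			octets[i], octets[j] = octets[j], octets[i]
		}
		return strings.Join(octets, "-") + ".sslip.io.", true
	case strings.HasSuffix(name, ".ip6.arpa"):
		nibbles := strings.Split(strings.TrimSuffix(name, ".ip6.arpa"), ".")
		if len(nibbles) != 32 {
			return "", false
		}
		// ip6.arpa has one hex nibble per label, least significant first: read backwards, regroup by four
		var groups []string
		for g := 0; g < 8; g++ {
			word := ""
			for n := 0; n < 4; n++ {
				word += nibbles[31-(g*4+n)]
			}
			word = strings.TrimLeft(word, "0") // sslip.io drops leading zeros: 0646 -> 646
			if word == "" {
				word = "0"
			}
			groups = append(groups, word)
		}
		return strings.Join(groups, "-") + ".sslip.io.", true
	}
	return "", false
}

func main() {
	h, _ := ReverseToSslip("1.0.0.127.in-addr.arpa.")
	fmt.Println(h) // 127-0-0-1.sslip.io.
}
```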
Full Changelog: https://github.com/cunnie/sslip.io/compare/2.5.4...2.6.0
Published by cunnie over 2 years ago
This is a security release which prevents scammers from procuring a *.k-v.io wildcard certificate from commercial certificate authorities who use the DNS-01 challenge.
Much thanks to @Alan-Liang, who noted the following:
... one could easily add (and modify) a TXT record at _acme-challenge.k-v.io, which I believe is used for verifying domain ownership at various cert providers, so anyone could in theory obtain valid SSL certs for k-v.io and *.k-v.io. I think this might be a security issue
Full Changelog: https://github.com/cunnie/sslip.io/compare/2.5.3...2.5.4
Published by cunnie over 2 years ago
Full Changelog: https://github.com/cunnie/sslip.io/compare/2.5.2...2.5.3
Published by cunnie over 2 years ago
We don't return the deleted value because doing that would have the unintended consequence of postponing the deletion: downstream caching servers would cache the deleted value for up to three more minutes. We'd rather have the key deleted sooner rather than later.
Some APIs, e.g. etcd's, return a list of deleted values on return: those APIs can afford to do so because they don't need to worry about DNS propagation.
We also lengthen the timeout of an etcd API call from 500 msec to 1928 msec; 500 msec was too close: some calls routinely took 480 msec to complete, and we wanted more headroom.
We also no longer do two etcd operations when we delete a value. Previously we would do a GET followed by a DELETE, but since we're not returning the deleted value, there's no point to the GET. Furthermore, the GET was never necessary, for the etcd DELETE API call returned the values deleted.
The new -port flag lets you choose the port the server listens on, e.g. sslip.io-dns-server -port 5353. This is useful, for example, when you're not running as a privileged user and can't bind to a privileged port (e.g. 53).
Published by cunnie over 2 years ago
Typical examples: 43.134.66.67/24, 2601:646:100:69f7:cafe:bebe:cafe:bebe/112
We decided we needed to block by CIDRs as well as strings because phishers can use hostnames that don't lend themselves to being blocked with strings, e.g. nf-43-134-66-67.sslip.io.
[fixes #13]
Published by cunnie over 2 years ago
Typical example: https://raiffeisen.94.228.116.140.sslip.io.
Raiffeisen is a bank.
I was hoping Let's Encrypt would share their blocklist, but they wouldn't. See #13 for more information.
Published by cunnie almost 3 years ago
Bug fix: certain hostnames with embedded IPv4 addresses would cause the server to crash (this was caused by my regular expression thinking they were valid IPs, but net.ParseIP() disagreeing). Now the server doesn't crash; instead it returns no answers (correct behavior).
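To tie the CIDR and string block lists from the releases above to this bug fix, here is an added Go example (not the project's code; the function names, the regex and the block-list values are mine): the regex finds an IPv4-looking run in a hostname, net.ParseIP validates it so an impossible octet yields no answer instead of a crash, and Blocked checks the address against blocked CIDRs and the name against blocked strings.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// ipv4Label matches a dotted or dashed IPv4-looking run inside a hostname. Like the regex
// in the bug fix above, it accepts octets such as 256 that net.ParseIP rejects: validate every match.
var ipv4Label = regexp.MustCompile(`(?:^|[.-])(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})(?:[.-]|$)`)

// Constructed sample block lists (my values, in the spirit of the release notes).
var blockedCIDRs = []string{"43.134.66.67/24"}
var blockedStrings = []string{"raiffeisen"}

// EmbeddedIPv4 returns the IPv4 address embedded in a hostname, or nil when there
// is none or the regex match is not a real address (e.g. 256-1-1-1.sslip.io):
// such names get no answer records instead of crashing the server.
func EmbeddedIPv4(host string) net.IP {
	m := ipv4Label.FindStringSubmatch(strings.ToLower(strings.TrimSuffix(host, ".")))
	if m == nil {
		return nil
	}
	return net.ParseIP(strings.ReplaceAll(m[1], "-", "."))
}

// Blocked reports whether a query name should be refused: its embedded address
// lies inside a blocked CIDR, or the name contains a blocked string.
func Blocked(host string) bool {
	lower := strings.ToLower(host)
	for _, s := range blockedStrings {
		if strings.Contains(lower, s) {
			return true
		}
	}
	ip := EmbeddedIPv4(host)
	for _, c := range blockedCIDRs {
		if _, n, err := net.ParseCIDR(c); ip != nil && err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	h := "nf-43-134-66-67.sslip.io."
	fmt.Println(EmbeddedIPv4(h), Blocked(h)) // 43.134.66.67 true
}
```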
Published by cunnie almost 3 years ago
Added metrics.status.sslip.io, e.g. dig @ns-aws.sslip.io metrics.status.sslip.io txt +short
Fixed a panic() when querying the TXT record of a customized domain which didn't have a customized TXT record, e.g. dig @ns-aws.sslip.io ns.sslip.io txt +short. Now it doesn't panic().
Moved version.sslip.io to version.status.sslip.io, e.g. dig @ns-aws.sslip.io version.status.sslip.io txt +short
Published by cunnie almost 3 years ago
We enable special behavior under the kv.sslip.io subdomain: it can be treated as a key-value store, the sub-subdomain being the key, and the TXT record being the value.
For example, to write ("put") the value "12.0.1" to the key "macos-version" on the ns-gce.sslip.io. nameserver, you'd use the following dig command:
  dig @ns-gce.sslip.io. txt put.12.0.1.macos-version.kv.sslip.io.
To read ("get") the value back, you'd write the following dig command:
  dig @ns-gce.sslip.io. txt get.macos-version.kv.sslip.io.
Since "get" is the default behavior, you don't need to include it in the domain name:
  dig @ns-gce.sslip.io. txt macos-version.kv.sslip.io.
Finally, when you're done with the key-value, you can "delete" it:
  dig @ns-gce.sslip.io. txt delete.macos-version.kv.sslip.io.
Notes:
KEY.kv.sslip.io and key.kv.sslip.io return the same TXT record.
put.CamelCase.style.kv.sslip.io sets the TXT record to "CamelCase".
put requests will return the TXT record being put; i.e. put.hello.world.kv.sslip.io returns one TXT record of one string, hello.
delete requests will return the TXT record being deleted; i.e. delete.world.kv.sslip.io returns one TXT record of one string, hello. If the TXT record does not exist, no TXT records will be returned.
If you put a key-value on ns-aws.sslip.io, it does not propagate to ns-gce.sslip.io nor ns-azure.sslip.io.
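An added Go example (not the project's etcd-backed code; KVStore and its layout are my assumptions) that parses kv.sslip.io query names into put/get/delete operations using the key and value rules from the notes above. It returns no records on delete, as the later 2.5.3 notes describe, and refuses to store _acme-challenge keys as a guard against the DNS-01 abuse the 2.5.4 security release addresses (the project's actual mechanism is not stated on this page).

```go
package main

import "strings"

// KVStore is an in-memory stand-in for the etcd-backed kv.sslip.io store (my
// assumption, not the project's code). Keys are case-insensitive, values keep case.
type KVStore struct{ data map[string]string }

func NewKVStore() *KVStore { return &KVStore{data: map[string]string{}} }

// Query handles a TXT query name such as "put.12.0.1.macos-version.kv.sslip.io."
// and returns the TXT strings to answer with, plus whether the name was a kv query
// at all. The last label before kv.sslip.io is the key; for put, the labels between
// "put" and the key (joined with ".") are the value, so put.hello.world.kv.sslip.io
// stores "hello" under "world". Delete returns no records (the later 2.5.3 change),
// so downstream caches stop serving the deleted value sooner.
func (s *KVStore) Query(qname string) ([]string, bool) {
	name := strings.TrimSuffix(qname, ".")
	const suffix = ".kv.sslip.io"
	if !strings.HasSuffix(strings.ToLower(name), suffix) {
		return nil, false
	}
	labels := strings.Split(name[:len(name)-len(suffix)], ".")
	key := strings.ToLower(labels[len(labels)-1])
	op := "get" // get is the default when no operation label is present
	if len(labels) > 1 {
		switch strings.ToLower(labels[0]) {
		case "put", "get", "delete":
			op, labels = strings.ToLower(labels[0]), labels[1:]
		}
	}
	switch op {
	case "put":
		// Assumption: refuse to store ACME DNS-01 challenge tokens, the abuse the
		// 2.5.4 security release describes (its real mechanism is not on the page).
		if len(labels) < 2 || strings.HasPrefix(key, "_acme-challenge") {
			return nil, true
		}
		s.data[key] = strings.Join(labels[:len(labels)-1], ".")
		return []string{s.data[key]}, true
	case "delete":
		delete(s.data, key)
		return nil, true
	}
	if v, ok := s.data[key]; ok {
		return []string{v}, true
	}
	return nil, true
}
```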
Published by cunnie almost 3 years ago
When querying for NS records, the nono.io records are no longer returned; only the sslip.io records.
Published by cunnie almost 3 years ago
Add NS servers in sslip.io domain
We currently use three nameservers in the nono.io domain, but that's confusing: why not have the nameservers in the sslip.io domain?
This commit starts the ball rolling to convert to the sslip.io domain. We'll have a brief period where we have both nono.io and sslip.io nameservers, at which point we'll add the sslip.io nameservers to our registrar, Namecheap.com.
Once they've been added to our registrar, we'll wait a day or two to propagate, and then we'll delete references to the nono.io nameservers.
Published by cunnie almost 3 years ago
ip.sslip.io TXT returns origin IP
Our documentation was wrong; our homepage said to get the origin IP address by querying the TXT record of the root, i.e. dig @ns-aws.nono.io txt . +short; however, our code worked differently: it returned the origin IP when the .ip TLD was queried.
The new behavior is that it returns the origin IP when ip.sslip.io. is queried, and the documentation now reflects that behavior.
Also, that behavior is marked "experimental" to give us leeway to change.
Published by cunnie about 3 years ago
dig txt version.sslip.io returns version information of the sslip.io DNS server. This can be helpful when troubleshooting.
The TXT record consists of three distinct strings: version, compile date, and git hash.
dig @ns-aws.nono.io txt version.sslip.io +short
"2.2.1"
"2021/10/06-05:17:18-0700"
"7bef649"
The three servers should always have the same semantic version (e.g. "2.2.1"), but their compile date & git hash may differ for technical reasons.
Full Changelog: https://github.com/cunnie/sslip.io/compare/2.2.0...2.2.1
Published by cunnie over 3 years ago
ns-aws.nono.io now has an IPv6 address, 2600:1f18:aaf:6900::a
Use any of the three nameservers (ns-aws.nono.io, ns-azure.nono.io, ns-gce.nono.io) to determine your public IP address by querying the TXT record of the root domain. If you're curious about your public IPv6 address, use the DNS server ns-aws.nono.io, for it has both IPv4 and IPv6 addresses:
  dig @ns-aws.nono.io txt . +short # sample reply "2607:fb90:464:ae1e:ed60:29c:884c:4b52"
Published by cunnie over 3 years ago
This release addresses problems under Linux:
The user needs to be root to bind to port 53 (or have the CAP_NET_BIND_SERVICE capability), so if we have a permissions problem, we say, "try sudo".
If we can't bind to INADDR_ANY, and we probably can't because "systemd-resolved provides a local DNS stub listener on IP address 127.0.0.53" on port 53, which prevents us from binding, we fall back to attempting to bind to every available address individually.
This fixes an error when procuring Let's Encrypt certs using the HTTP-01 challenge: the server didn't recognize, when queried with SsLiP.iO, that it's the same as sslip.io, and so it didn't reply with the correct A/AAAA records.
fixes:
  sudo /usr/local/bin/certbot renew
  No valid IP addresses found for sslip.io
log messages from /var/vcap/sys/log/sslip.io-dns-server/sslip.io-dns-server.stderr.log:
2021/01/30 21:45:49 3.122.55.230.22713 TypeA SsliP.IO. ? nil, SOA SsliP.IO. briancunnie.gmail.com. 2021011400 900 900 1800 300
2021/01/30 21:45:49 54.187.227.254.16621 TypeAAAA SslIP.io. ? nil, SOA SslIP.io. briancunnie.gmail.com. 2021011400 900 900 1800 300