The documentation on how to procure a wildcard certificate had gotten
overly-complicated and stale, the Docker image, old, and the code, even
older.
Perhaps more importantly I couldn't bring myself to care whether people
could procure a wildcard certificate.
Signed-off-by: Brian Cunnie <brian.cunnie@gmail.com>
Now that our GitHub Actions workflow is functional, let's brag about how
many queries / second we're handling by displaying the badge at the top
of the README and of the web page.
- some of the examples to use "nip.io" instead of "sslip.io". I like
"nip.io" better; it's shorter
- The examples that previously used "jammy" now use "noble"; "jammy" is
no longer the latest Ubuntu "Long Term Support" (LTS) release
We test our four production nameservers using `rspec`, and although that
worked fine when we used GitHub actions with a curated Ruby, it didn't
always work as well when running locally.
With this commit we introduce a Gemfile which has the necessary Ruby
dependencies, which make it easier to run the tests locally.
Instead of checking only sslip.io, we expand our [4-times-per-day]
nameserver checks to include nip.io. This is a component of the
long-running campaign to promote the nip.io domain to full citizenship.
- We don't use JetBrains anymore; we use VS Code
- We don't have a CI directory
- Jenessa is no longer at Let's Encrypt
- Roopinder is now the "late Roopinder" 😢
We replace `ns-ovh-sg` with `ns-do-sg`; this is a purely financial
decision: `ns-ovh-sg` costs $60/month, $720/year.
`ns-do-sg` (Digital Ocean), is also a Singapore-based DNS server. It's a
basic-regular-2vcpu-4GiB RAM-80GB SSD-4TiB bandwidth for $24/month,
$288/year.
That's a yearly savings of $432.
I had originally overspec'ed the Singapore server because I suspected
that there was a ton of traffic in Asia; I was wrong. It's not even 20%
the traffic of Europe or North America. I am confident the Digital Ocean
server will be able to handle it.
I also reintroduce `ns-gce` as the second server in North America, backing
up `ns-hetzner`. My hope is that `ns-hetzner` carries most of the load,
and `ns-gce` carries the rest, but not so much as to trigger Google
Cloud Platform's (GCP's) expensive bandwidth billing.
| DNS server | Queries / second |
|:-----------|-----------------:|
| ns-hetzner | 10706.4 |
| ns-ovh | 10802.0 |
| ns-ovh-sg | 1677.7 |
I'm worried the traffic to my GCP server will cost me a hundred dollars
in bandwidth fees. It has a volume similar to my late AWS server which,
in its last month, racked up ~$130 in bandwidth fees!
I'm also trying to balance the servers more geographically: instead of
having two servers in the US and none in Asia, I'll have one server in
the US and one in Asia (Singapore).
The OVH server in Asia is expensive — $60/month instead of $20/month for
the OVH server in Warsaw. Also there's a monthly bandwidth cap in
Singapore in addition to the 300 Mbps cap.
I went with a dedicated server, similar to the one in Warsaw, but I took
the opportunity to upgrade it (same price):
- ns-ovh: KS-4: Intel Xeon-E3 1230 v6
- ns-ovh-sg: KS-5: Intel Xeon-E3 1270 v6
I'm hoping that by adding this server to Singapore, the traffic to the
ns-ovh, the Warsaw server, will lessen, and I won't get those "Anti-DDoS
protection enabled for IP address 51.75.53.19" emails every few days.
Current Queries per second:
- 4,087 ns-gce
- 1,131 ns-hetzner
- 7,183 ns-ovh
- ns-aws & ns-azure have been replaced by ns-hetzner & ns-ovh
- ns-azure has been completely destroyed (`terraform apply -destroy`);
the elastic IP has been released, so there's no hope of bringing it
back.
- ns-aws has been renamed to "blocked.sslip.io". It no longer answers
DNS queries, but lives on as the website we point "blocked" queries to
that warns about phishing.
- Some of the Markdown files' changes were mere reformatting changes
The torrent of traffic I'm receiving has caused my AWS bill to spike
from $9 to $148, all of the increase due to bandwidth charges.
I'm still maintaining ns-aws; the VM still continues to run, continues
to serve web traffic, and maintains its hostname and IP addresses;
however, it will no longer be in the list of NS records for sslip.io.
There are much less expensive hosting providers. OVH is my current
favorite.
- located in Warsaw, Poland
- IPv4: 51.75.53.19
- IPv6: 2001:41d0:602:2313::1
The crux of this is to take the load off ns-aws, which jumped from
$12.66 → $20.63 → $38.51 → $62.30 in the last four months due to
bandwidth charges exceeding 10 TB.
The real fix is to randomize the order in which the nameservers are
returned.
When we promoted the Golang code to the root of the repo, we neglected
to update the paths in the documentation, helper scripts, and pipelines.
This commit addresses that oversight by updating the paths.
`ENTRYPOINT` [is more appropriate](https://codewithyury.com/docker-run-vs-cmd-vs-entrypoint/):
> ENTRYPOINT configures a container that will run as an executable
Which is exactly how I think the container should work for new people.
Yes, I'm screwing over the existing users. Sorry.
Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud
Logging" which consumed 84.74 GiB.
At an average of 51.2 queries/second, and each log line
averaging 192 bytes, and 60*60*24*30 seconds/month, this works out to
25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of
$4.95 if I use the `-quiet` flag.
However, it seems that my saving would be even more because when I
visually browse the logs, at least ⅔ are from sslip.io logging.
I have *no* idea where all the other logs are coming from.
- Move "Directory Structure" lower down--it's not terribly useful,
certainly less useful than the "DNS Server" section.
- Remove the "tidy" turd at the bottom of the page. It adds no value,
and I'm not sure how it got there in the first place.
- Specific sections for flags such as `-nameservers`
- Add a section about running official Docker containers.
- get rid of the old, deprecated "faq" and "about" pages
[#21]
People may not want my name servers (`ns-gce.sslip.io` et al.), esp. in
an internetless environment where my name servers are unreachable.
This commit addresses this shortcoming by allowing the nameservers to be
set via a new commandline flag (`-nameservers`). We no longer hardcode
our name servers; instead, we make them the default value for the new
flag.
Drive-by: removed an errant `fmt.Println()` in the IPv6 `ip6.arpa` PTR
records.
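Added example, not the sslip.io project's code: one way to replace hard-coded nameservers with a `-nameservers` flag whose default is the old list, parsing the comma-separated value into fully-qualified names and rejecting malformed entries at startup. The default hostnames and the flag-set name are assumed for illustration.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"regexp"
	"strings"
)

// Added example, not the sslip.io code. The default list is assumed for
// illustration; the page only says the old hard-coded names became the default.
const defaultNameservers = "ns-gce.sslip.io,ns-hetzner.sslip.io,ns-ovh.sslip.io"

// labelRE applies the letters-digits-hyphen rule: 1..63 chars, no edge hyphen.
var labelRE = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// parseNameservers turns the comma-separated flag value into fully-qualified,
// lower-case names (trailing dot added), rejecting empty or malformed entries
// so a typo fails at startup instead of being served in NS records.
func parseNameservers(raw string) ([]string, error) {
	var out []string
	for _, ns := range strings.Split(raw, ",") {
		ns = strings.TrimSuffix(strings.ToLower(strings.TrimSpace(ns)), ".")
		if ns == "" {
			return nil, errors.New("-nameservers: empty entry")
		}
		for _, label := range strings.Split(ns, ".") {
			if !labelRE.MatchString(label) {
				return nil, fmt.Errorf("-nameservers: bad label %q in %q", label, ns)
			}
		}
		out = append(out, ns+".")
	}
	return out, nil
}

// nameserversFromArgs parses argv (e.g. os.Args[1:]); with no -nameservers
// flag the defaults above apply, replacing the old hard-coded list.
func nameserversFromArgs(args []string) ([]string, error) {
	fs := flag.NewFlagSet("dns-server", flag.ContinueOnError)
	raw := fs.String("nameservers", defaultNameservers, "comma-separated NS hostnames")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	return parseNameservers(*raw)
}
```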
We'd like to parallelize the tests to lay the foundation for the
upcoming expansion of flags passed to the executable (e.g.
`-nameservers`), which will spawn a series of executables, each of which
takes 3 seconds to spin up, and running that sequentially would make
testing tiresome.
- We've migrated away from `serverSession.Err).Should(Say())`
to `serverSession.Err.Contents())).Should(MatchRegexp())`. `Say()`
depends on ordering, `MatchRegexp()` doesn't.
- We introduce a short, 50-millisecond `Sleep()` in `isPortFree()` to
eliminate a race condition introduced by parallelization where the
same port is returned twice.
- Some of our `DescribeTable` tests were order-dependent; we moved them
outside the table.
- We parallelize our pipeline's unit tests.
- For the `k-v.io` tests, we used different keys for each `It()` block
to avoid pollution. We are also more careful about waiting for the
setup to complete before running the actual test.
As a side-effect of parallelizing the tests, we no longer require `sudo`
on Linux to run the tests, for we no longer attempt to bind to port 53;
instead, we bind to a series of available unprivileged ports.
We don't return the deleted value because doing that would have the
unintended consequence of postponing the deletion: downstream caching
servers would cache the deleted value for up to three more minutes. We'd
rather have the key deleted sooner rather than later.
Some APIs, e.g. etcd's, return a list of deleted values on return: those
APIs can afford to do so because they don't need to worry about DNS
propagation.
We also lengthen the timeout of an `etcd` API call from 500 msec to 1928
msecs; 500 msec was too close; some calls routinely took 480 msec to
complete, and we wanted more headroom.
We also no longer do two `etcd` operations when we delete a value.
Previously we would do a GET followed by a DELETE, but since we're not
returning the value deleted, there's no point to the GET. Furthermore,
the GET was never necessary, for the `etcd` DELETE API call returned the
values deleted.
Drive-by:
- README: install ginkgo the proper way, with `go install`
[fixes#17]
Now that we no longer create BOSH releases, we don't need to bury the
`src/` directory under `bosh-release`; we can now place it under the
repo root, and we no longer need to fiddle with symbolic links.
We're not creating BOSH releases because when we decided to implement a
key-value store, we'd have to create an `etcd` BOSH release, and we
didn't want to invest the time.
- You can select the port to bind to
- The NS record returned for `_acme-challenge` domains is special
Also, I removed the periods at the ends of bullets to be consistent.
This repo has been forked 36 times, and yet I've done a great disservice
to my would-be developers by not describing how to run/test my code.
This commit addresses that shortcoming by having a _Quick Start_ section
very near the top.
- includes new Ginkgo v2
- includes required `sudo` for Linux
- removed the now-wrong comment about TXT records (there's now a
plethora of TXT records such as `ip.sslip.io`)
- minor formatting tweaks
...that we can customize for each of our three DNS servers.
Drive-bys:
- Bumped SOA serial 2021080200 → 2021123100. There's something poetic
about it being the last day of the year
- Deleted the old PowerDNS configuration. It's so stale there's no point
in having it. Or mentioning it in the README.
...and not the deprecated PowerDNS pipe backend shell script, which we
no longer use.
README now has the badge for the unit tests, and the placeholder is
gone.
fixes:
```
resources.6h: '6h' is not a valid identifier: must start with a lowercase letter^
```
The Golang DNS server is no longer experimental; the sslip.io
nameservers run the Golang DNS server.
- Include a placeholder for the `ginkgo` tests to run in CI.
- Include `src/` and `bosh-release/` in the list of directories.
- Mark the PowerDNS-related assets as deprecated; we no longer use
PowerDNS.
ns-vultr.nono.io is a bad nameserver because it's shut down for ~8 days
each month (when the unbelievable Singapore hunger for NTP uses up my
monthly allowance of 3TB)
Besides, three nameservers is enough.