From 6855598f0ff306e1bcc3eeb9caa1e93962e23642 Mon Sep 17 00:00:00 2001 From: Brian Cunnie Date: Sun, 15 Sep 2024 17:21:16 -0700 Subject: [PATCH] Introduce new name server, ns-ovh.sslip.io MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - located in Warsaw, Poland - IPv4: 51.75.53.19 - IPv6: 2001:41d0:602:2313::1 The crux of this is to take the load off ns-aws, which jumped from $12.66 → $20.63 → $38.51 → $62.30 in the last four months due to bandwidth charges exceeding 10 TB. The real fix is to randomize the order in which the nameservers are returned. --- README.md | 26 +++++++++++++------------- docs/DEVELOPER.md | 9 +++++++-- integration_test.go | 11 +++++++---- k8s/document_root_sslip.io/index.html | 14 ++++++++++---- main.go | 6 ++++-- xip/xip_test.go | 11 ++++++----- 6 files changed, 47 insertions(+), 30 deletions(-) diff --git a/README.md b/README.md index 760d432..efcb3f6 100644 --- a/README.md +++ b/README.md 
@@ -119,21 +119,21 @@ as ARM64 (AWS Graviton, Apple M1/M2). - `-port` overrides the default port, 53, which the server binds to. This can be especially useful when running as a non-privileged user, unable to bind to privileged ports (<1024) ("`listen udp :53: bind: permission denied`"). For - example, to run the server on port 9553: `go run main.go -port 9553`. To - query, `dig @localhost 127.0.0.1.sslip.io -p 9553` + example, to run the server on port 9553: `go run main.go -port 9553`. To query, + `dig @localhost 127.0.0.1.sslip.io -p 9553` - `-nameservers` overrides the default NS records `ns-aws.sslip.io`, - `ns-azure.sslip.io`, and `ns-gce.sslip.io`; flag, e.g. `go run main.go - -nameservers ns1.example.com,ns2.example.com`). If you're running your own - nameservers, you probably want to set this. Don't forget to set address - records for the new name servers with the `-addresses` flag (see below). - Exception: `_acme-challenge` records are handled differently to accommodate - the procurement of Let's Encrypt wildcard certificates; you can read more - about that procedure [here](docs/wildcard.md) + `ns-azure.sslip.io`, `ns-gce.sslip.io`, and `ns-ovh.sslip.io`; flag, e.g. `go +run main.go -nameservers ns1.example.com,ns2.example.com`). If you're running + your own nameservers, you probably want to set this. Don't forget to set + address records for the new name servers with the `-addresses` flag (see + below). Exception: `_acme-challenge` records are handled differently to + accommodate the procurement of Let's Encrypt wildcard certificates; you can + read more about that procedure [here](docs/wildcard.md) - `-addresses` overrides the default A/AAAA (IPv4/IPv6) address records. For - example, here's how we set the IPv4 record & IPv6 record for our nameserver - (in the `-nameservers` example above), ns1.example.com: `-addresses - ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set - many addresses for a single host, e.g. 
+ example, here's how we set the IPv4 record & IPv6 record for our nameserver (in + the `-nameservers` example above), ns1.example.com: `-addresses +ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set many + addresses for a single host, e.g. `ns1.example.com=1.1.1.1,ns1.example.com=8.8.8.8,ns1.example.com=9.9.9.9` - `-blocklistURL` overrides the default block list, (). diff --git a/docs/DEVELOPER.md b/docs/DEVELOPER.md index 2cd2514..b9a94e2 100644 --- a/docs/DEVELOPER.md +++ b/docs/DEVELOPER.md @@ -23,7 +23,7 @@ Optional: Update the version for the ns-aws, ns-azure install scripts ```bash pushd ~/bin sed -i '' "s~/$OLD_VERSION/~/$VERSION/~g" \ - ~/bin/install_ns-{aws,azure,gce}.sh + ~/bin/install_ns-{aws,azure,gce,ovh}.sh git add -p git ci -m"Update sslip.io DNS server $OLD_VERSION → $VERSION" git push @@ -47,7 +47,7 @@ export VERSION=3.1.0 dig +short 127.0.0.1.example.com @$DNS_SERVER_IP echo 127.0.0.1 dig +short ns example.com @$DNS_SERVER_IP -printf "ns-aws.sslip.io.\nns-azure.sslip.io.\nns-gce.sslip.io.\n" +printf "ns-aws.sslip.io.\nns-azure.sslip.io.\nns-gce.sslip.io.\nns-ovh.sslip.io.\n" dig +short mx example.com @$DNS_SERVER_IP echo "0 example.com." dig +short mx sslip.io @$DNS_SERVER_IP @@ -85,6 +85,7 @@ git push --tags scp bin/sslip.io-dns-server-linux-arm64 ns-aws: scp bin/sslip.io-dns-server-linux-amd64 ns-azure: scp bin/sslip.io-dns-server-linux-amd64 ns-gce: +scp bin/sslip.io-dns-server-linux-amd64 ns-ovh: ssh ns-aws sudo install sslip.io-dns-server-linux-arm64 /usr/bin/sslip.io-dns-server ssh ns-aws sudo shutdown -r now # check version number: 
@@ -97,6 +98,10 @@ ssh ns-gce sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-se ssh ns-gce sudo shutdown -r now # check version number: sleep 10; while ! dig txt @ns-gce.sslip.io version.status.sslip.io +short; do sleep 5; done # wait until it's back up before rebooting ns-gce +ssh ns-ovh sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server +ssh ns-ovh sudo shutdown -r now + # check version number: +sleep 10; while ! dig txt @ns-ovh.sslip.io version.status.sslip.io +short; do sleep 5; done # wait until it's back up before rebooting ns-ovh ``` - Browse to to draft a new release diff --git a/integration_test.go b/integration_test.go index 6df964a..3ae9840 100644 --- a/integration_test.go +++ b/integration_test.go 
@@ -266,19 +266,22 @@ var _ = Describe("sslip.io-dns-server", func() {
 digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 Expect(err).ToNot(HaveOccurred())
- Eventually(digSession).Should(Say(`flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 5`))
+ Eventually(digSession).Should(Say(`flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7`))
 Eventually(digSession).Should(Say(`;; ANSWER SECTION:`))
 Eventually(digSession).Should(Say(`ns-aws.sslip.io.\n`))
 Eventually(digSession).Should(Say(`ns-azure.sslip.io.\n`))
 Eventually(digSession).Should(Say(`ns-gce.sslip.io.\n`))
+ Eventually(digSession).Should(Say(`ns-ovh.sslip.io.\n`))
 Eventually(digSession).Should(Say(`;; ADDITIONAL SECTION:`))
 Eventually(digSession).Should(Say(`ns-aws.sslip.io..*52.0.56.137\n`))
 Eventually(digSession).Should(Say(`ns-aws.sslip.io..*2600:1f18:aaf:6900::a\n`))
 Eventually(digSession).Should(Say(`ns-azure.sslip.io..*52.187.42.158\n`))
 Eventually(digSession).Should(Say(`ns-gce.sslip.io..*104.155.144.4\n`))
 Eventually(digSession).Should(Say(`ns-gce.sslip.io..*2600:1900:4000:4d12::\n`))
+ Eventually(digSession).Should(Say(`ns-ovh.sslip.io..*51.75.53.19\n`))
+ Eventually(digSession).Should(Say(`ns-ovh.sslip.io..*2001:41d0:602:2313::1\n`))
 Eventually(digSession, 1).Should(Exit(0))
- Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeNS example.com. \? ns-aws.sslip.io., ns-azure.sslip.io., ns-gce.sslip.io.\n`))
+ Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeNS example.com. \? ns-aws.sslip.io., ns-azure.sslip.io., ns-gce.sslip.io., ns-ovh.sslip.io.\n`))
 })
 })
 When(`there are multiple TXT records returned (e.g. SPF for sslip.io)`, func() {
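Review bot: The added `Say` matchers for ns-ovh.sslip.io (one in the ANSWER section, two in the ADDITIONAL section) only pass when ns-ovh is printed after ns-gce, because gbytes `Say` moves the buffer's read cursor past each match; the commit message names randomizing nameserver order as the real fix, and that would make these assertions fail intermittently. The same fixed order is baked into the `MatchRegexp` log pattern at the end of this hunk, the `\A…\z` pattern in the second hunk of this file, and the `ns[0]`…`ns[3]` checks in xip/xip_test.go. Capturing the dig output once and asserting membership (`ContainSubstring` per server, or `ConsistOf` on the collected names) would survive that change. Separately, the dots in the new glue patterns are unescaped regex metacharacters, so the check would accept a different address; `51\.75\.53\.19` pins it.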
@@ -399,8 +402,8 @@ var _ = Describe("sslip.io-dns-server", func() {
 `TypeAAAA international-raiffeisen-bank.fc00--.sslip.io. \? fc00::\n$`),
 Entry("an NS record with acme_challenge with a forbidden string is not delegated",
 "@localhost _acme-challenge.raiffeisen.fe80--.sslip.io ns +short",
- `\Ans-aws.sslip.io.\nns-azure.sslip.io.\nns-gce.sslip.io.\n\z`,
- `TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-aws.sslip.io., ns-azure.sslip.io., ns-gce.sslip.io.\n$`),
+ `\Ans-aws.sslip.io.\nns-azure.sslip.io.\nns-gce.sslip.io.\nns-ovh.sslip.io.\n\z`,
+ `TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-aws.sslip.io., ns-azure.sslip.io., ns-gce.sslip.io., ns-ovh.sslip.io.\n$`),
 Entry("an A record with a forbidden CIDR is redirected",
 "@localhost nf.43.134.66.67.sslip.io +short",
 `\A52.0.56.137\n\z`,
diff --git a/k8s/document_root_sslip.io/index.html b/k8s/document_root_sslip.io/index.html
index b036e26..b8af8e0 100644
--- a/k8s/document_root_sslip.io/index.html
+++ b/k8s/document_root_sslip.io/index.html
@@ -143,14 +143,20 @@ src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"> USA + ns-azure.sslip.io. + 52.187.42.158 + Singapore + + ns-gce.sslip.io. 104.155.144.4 USA - - ns-azure.sslip.io. - 52.187.42.158 - Singapore + + ns-ovh.sslip.io. + 51.75.53.19
+ 2001:41d0:602:2313::1 + Poland
diff --git a/main.go b/main.go
index e060b60..6f67249 100644
--- a/main.go
+++ b/main.go
@@ -17,7 +17,7 @@ func main() {
 var blocklistURL = flag.String("blocklistURL",
 "https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt",
 `URL containing a list of non-resolvable IPs/names/CIDRs, usually phishing or scamming sites. Example "file://etc/blocklist.txt"`)
- var nameservers = flag.String("nameservers", "ns-aws.sslip.io.,ns-azure.sslip.io.,ns-gce.sslip.io.",
+ var nameservers = flag.String("nameservers", "ns-aws.sslip.io.,ns-azure.sslip.io.,ns-gce.sslip.io.,ns-ovh.sslip.io.",
 "comma-separated list of FQDNs of nameservers. If you're running your own sslip.io nameservers, set them here")
 var addresses = flag.String("addresses",
 "sslip.io=78.46.204.247,"+
@@ -31,7 +31,9 @@ func main() {
 "ns-aws.sslip.io=2600:1f18:aaf:6900::a,"+
 "ns-azure.sslip.io=52.187.42.158,"+
 "ns-gce.sslip.io=104.155.144.4,"+
- "ns-gce.sslip.io=2600:1900:4000:4d12::",
+ "ns-gce.sslip.io=2600:1900:4000:4d12::,"+
+ "ns-ovh.sslip.io=51.75.53.19,"+
+ "ns-ovh.sslip.io=2001:41d0:602:2313::1",
 "comma-separated list of hosts and corresponding IPv4 and/or IPv6 address(es). If you're running your own sslip.io nameservers, add their hostnames and addresses here. If unsure, add to the list rather than replace")
 var delegates = flag.String("delegates", "", "comma-separated list of domains you own "+
 "and nameservers you control to which to delegate, often used to acquire wildcard certificates from "+
diff --git a/xip/xip_test.go b/xip/xip_test.go
index 3e72f89..b4280aa 100644
--- a/xip/xip_test.go
+++ b/xip/xip_test.go
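Review bot: In main.go the new `-nameservers` default (first hunk) and the two `ns-ovh.sslip.io=` entries added to the `-addresses` default (second hunk) have to be kept in step by hand; nothing in either hunk ties a default NS name to its glue addresses. Because these literals are compiled in and served as NS and A/AAAA answers, a binary built from this commit keeps directing resolvers to 51.75.53.19 and 2001:41d0:602:2313::1 even if that host is later given up, so the order of retirement matters. I would add a comment above the `addresses` flag such as `// Every name in the -nameservers default needs its A/AAAA here; remove both before releasing a server's IP.` The body of main() continues outside both hunks, so a startup consistency check may already exist that is not visible here.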
@@ -79,14 +79,15 @@ var _ = Describe("Xip", func() {
 Describe("NSResources()", func() {
 When("we use the default nameservers", func() {
- var x, _ = xip.NewXip("file:///", []string{"ns-aws.sslip.io.", "ns-azure.sslip.io.", "ns-gce.sslip.io."}, []string{}, []string{})
+ var x, _ = xip.NewXip("file:///", []string{"ns-aws.sslip.io.", "ns-azure.sslip.io.", "ns-gce.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{})
 It("returns the name servers", func() {
 randomDomain := testhelper.Random8ByteString() + ".com."
 ns := x.NSResources(randomDomain)
- Expect(len(ns)).To(Equal(3))
+ Expect(len(ns)).To(Equal(4))
 Expect(ns[0].NS.String()).To(Equal("ns-aws.sslip.io."))
 Expect(ns[1].NS.String()).To(Equal("ns-azure.sslip.io."))
 Expect(ns[2].NS.String()).To(Equal("ns-gce.sslip.io."))
+ Expect(ns[3].NS.String()).To(Equal("ns-ovh.sslip.io."))
 })
 When(`the domain name contains "_acme-challenge."`, func() {
 When("the domain name has an embedded IP", func() {
@@ -105,20 +106,20 @@ var _ = Describe("Xip", func() {
 It("returns the default trinity of nameservers", func() {
 randomDomain := "_acme-challenge." + testhelper.Random8ByteString() + ".com."
 ns := x.NSResources(randomDomain)
- Expect(len(ns)).To(Equal(3))
+ Expect(len(ns)).To(Equal(4))
 })
 })
 })
 When("we delegate domains to other nameservers", func() {
 When(`we don't use the "=" in the arguments`, func() {
 It("returns an informative log message", func() {
- var _, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-aws.sslip.io.", "ns-azure.sslip.io.", "ns-gce.sslip.io."}, []string{}, []string{"noEquals"})
+ var _, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-aws.sslip.io.", "ns-azure.sslip.io.", "ns-gce.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{"noEquals"})
 Expect(strings.Join(logs, "")).To(MatchRegexp(`"-delegates: arguments should be in the format "delegatedDomain=nameserver", not "noEquals"`))
 })
 })
 When(`there's no "." at the end of the delegated domain or nameserver`, func() {
 It(`helpfully adds the "."`, func() {
- var x, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-aws.sslip.io.", "ns-azure.sslip.io.", "ns-gce.sslip.io."}, []string{}, []string{"a=b"})
+ var x, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-aws.sslip.io.", "ns-azure.sslip.io.", "ns-gce.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{"a=b"})
 Expect(strings.Join(logs, "")).To(MatchRegexp(`Adding delegated NS record "a\.=b\."`))
 ns := x.NSResources("a.")
 Expect(len(ns)).To(Equal(1))
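Review bot: The context line `It("returns the default trinity of nameservers", func() {` now wraps `Expect(len(ns)).To(Equal(4))`, so the spec description no longer matches what it asserts; rename it, e.g. `It("returns the default nameservers", func() {`. The two `xip.NewXip(...)` calls in this hunk and the one in the previous hunk repeat the same four-element literal, so a shared `defaultNameservers` variable in the test file would keep the next addition to a one-line edit. The enclosing Describe block starts outside the hunk.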