zishuo/nip
1
0
Fork 0
mirror of https://github.com/cunnie/sslip.io.git synced 2025-10-04 23:32:49 +08:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Remove traces of nameservers ns-aws, ns-azure

Browse Source 
- ns-aws & ns-azure have been replaced by ns-hetzner & ns-ovh
- ns-azure has been completely destroyed (`terraform apply -destroy`);
  the elastic IP has been released, so there's no hope of bringing it
  back.
- ns-aws has been renamed to "blocked.sslip.io". It no longer answers
  DNS queries, but lives on as the website we point "blocked" queries to
  that warns about phishing.
- Some of the Markdown files' changes were mere reformatting changes
This commit is contained in:
Brian Cunnie
2025-01-04 11:28:40 -08:00
parent 70c0b3ca74
commit 7d6b724cbe
8 changed files with 44 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
README.md
View File

@@ -1,11 +1,11 @@
# sslip.io
| Test Type | Status |
|------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| Production Nameservers | [![ci.nono.io](https://ci.nono.io/api/v1/pipelines/sslip.io/jobs/dns-servers/badge)](https://ci.nono.io/teams/main/pipelines/sslip.io) |
| DNS Server Unit Tests | [![ci.nono.io](https://ci.nono.io/api/v1/pipelines/sslip.io/jobs/unit/badge)](https://ci.nono.io/teams/main/pipelines/sslip.io) |
*sslip.io* is a DNS server that maps specially-crafted DNS A records to IP
_sslip.io_ is a DNS server that maps specially-crafted DNS A records to IP
addresses (e.g. "127-0-0-1.sslip.io" maps to 127.0.0.1). It is similar to, and
inspired by, [xip.io](http://xip.io/).
@@ -118,29 +118,29 @@ as ARM64 (AWS Graviton, Apple M1/M2).
## Command-line Flags
- `-port` overrides the default port, 53, which the server binds to. This can
be especially useful when running as a non-privileged user, unable to bind to
privileged ports (<1024) ("`listen udp :53: bind: permission denied`"). For
example, to run the server on port 9553: `go run main.go -port 9553`. To query,
`dig @localhost 127.0.0.1.sslip.io -p 9553`
- `-nameservers` overrides the default NS records `ns-azure.sslip.io`,
`ns-gce.sslip.io`, and `ns-ovh.sslip.io`; flag, e.g. `go run main.go
-nameservers ns1.example.com,ns2.example.com`). If you're running your own
nameservers, you probably want to set this. Don't forget to set address records
for the new name servers with the `-addresses` flag (see below). Exception:
`_acme-challenge` records are handled differently to accommodate the
procurement of Let's Encrypt wildcard certificates; you can read more about
that procedure [here](docs/wildcard.md)
be especially useful when running as a non-privileged user, unable to bind to
privileged ports (<1024) ("`listen udp :53: bind: permission denied`"). For
example, to run the server on port 9553: `go run main.go -port 9553`. To query,
`dig @localhost 127.0.0.1.sslip.io -p 9553`
- `-nameservers` overrides the default NS records
`ns-gce.sslip.io`, `ns-hetzner.sslip.io`, and `ns-ovh.sslip.io`; flag, e.g. `go run main.go
-nameservers ns1.example.com,ns2.example.com`). If you're running your own
nameservers, you probably want to set this. Don't forget to set address records
for the new name servers with the `-addresses` flag (see below). Exception:
`_acme-challenge` records are handled differently to accommodate the
procurement of Let's Encrypt wildcard certificates; you can read more about
that procedure [here](docs/wildcard.md)
- `-addresses` overrides the default A/AAAA (IPv4/IPv6) address records. For
example, here's how we set the IPv4 record & IPv6 record for our nameserver (in
the `-nameservers` example above), ns1.example.com: `-addresses
ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set many
addresses for a single host, e.g.
`ns1.example.com=1.1.1.1,ns1.example.com=8.8.8.8,ns1.example.com=9.9.9.9`
example, here's how we set the IPv4 record & IPv6 record for our nameserver (in
the `-nameservers` example above), ns1.example.com: `-addresses
ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set many
addresses for a single host, e.g.
`ns1.example.com=1.1.1.1,ns1.example.com=8.8.8.8,ns1.example.com=9.9.9.9`
- `-blocklistURL` overrides the default block list,
(<https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt>).
It's not necessary to override this if you're in an internetless environment:
if the DNS server can't download the blocklist, it prints out a message and
continues to serve DNS queries
(<https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt>).
It's not necessary to override this if you're in an internetless environment:
if the DNS server can't download the blocklist, it prints out a message and
continues to serve DNS queries
## DNS Server Miscellany

16
docs/DEVELOPER.md
View File

@@ -18,12 +18,12 @@ sed -i '' "s~/$OLD_VERSION/~/$VERSION/~g" \
k8s/Dockerfile-sslip.io-dns-server
```
Optional: Update the version for the ns-aws, ns-azure, ns-gce, ns-ovh install scripts
Optional: Update the version for the ns-gce, ns-hetzner, and ns-ovh install scripts
```bash
pushd ~/bin
sed -i '' "s~/$OLD_VERSION/~/$VERSION/~g" \
~/bin/install_ns-{aws,azure,gce,hetzner,ovh}.sh
~/bin/install_ns-{gce,hetzner,ovh}.sh
git add -p
git ci -m"Update sslip.io DNS server $OLD_VERSION$VERSION"
git push
@@ -85,19 +85,9 @@ git ci -vm"$VERSION: Minor bugfixes, tweaks"
git tag $VERSION
git push
git push --tags
scp bin/sslip.io-dns-server-linux-arm64 ns-aws:
scp bin/sslip.io-dns-server-linux-amd64 ns-azure:
scp bin/sslip.io-dns-server-linux-amd64 ns-gce:
scp bin/sslip.io-dns-server-linux-amd64 ns-hetzner:
scp bin/sslip.io-dns-server-linux-amd64 ns-ovh:
ssh ns-aws sudo install sslip.io-dns-server-linux-arm64 /usr/bin/sslip.io-dns-server
ssh ns-aws sudo shutdown -r now
# check version number:
sleep 10; while ! dig txt @ns-aws.sslip.io version.status.sslip.io +short; do sleep 5; done # wait until it's back up before rebooting ns-azure
ssh ns-azure sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
ssh ns-azure sudo shutdown -r now
# check version number:
sleep 10; while ! dig txt @ns-azure.sslip.io version.status.sslip.io +short; do sleep 5; done # wait until it's back up before rebooting ns-gce
ssh ns-gce sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
ssh ns-gce sudo shutdown -r now
# check version number:
@@ -124,7 +114,7 @@ Update the webservers with the HTML with new versions:
```bash
ssh nono.io curl -L -o /www/sslip.io/document_root/index.html https://raw.githubusercontent.com/cunnie/sslip.io/main/k8s/document_root_sslip.io/index.html
for HOST in ns-{aws,azure,gce,hetzner,ovh}.sslip.io; do
for HOST in {blocked,ns-gce,ns-hetzner,ns-ovh}.sslip.io; do
ssh $HOST curl -L -o /var/nginx/sslip.io/index.html https://raw.githubusercontent.com/cunnie/sslip.io/main/k8s/document_root_sslip.io/index.html
done
```

2
docs/wildcard.md
View File

@@ -14,7 +14,7 @@ Let's Encrypt DNS-01 challenge process.
Let's Encrypt will query your name servers for the TXT record
`_acme-challenge.xip.example.com`, then your DNS server will respond with the
TXT record _that should have been created on Route53 as part of the challenge_,
otherwise it'll return the delegated nameservers (ns-azure.sslip.io and so on).
otherwise it'll return the delegated nameservers (ns-gce.sslip.io and so on).
### Using the sslip.io domain

2
integration_speed_test.go
View File

@@ -63,7 +63,7 @@ var _ = Describe("speed", func() {
// The queries/second is conservative, realistically should be higher
// - queries are done sequentially, not in parallel
// - each query includes an overhead of 4 Expect()
// current max queries is 132/second (ns-aws.sslip.io.)
// current max queries is 2047/second (ns-ovh.sslip.io.)
// ~19k Apple M2
// ~8k vSphere Xeon D-1736 2.7GHz
// ~6k AWS Graviton T2

6
k8s/document_root_sslip.io/index.html
View File

@@ -241,7 +241,7 @@ dig @ns.sslip.io txt ip.sslip.io +short -6 # forces IPv6 lookup; sample reply "2
</li>
</ul>
<p>A big advantage of using DNS queries instead of HTTP queries is bandwidth: querying
<code>ns-azure.sslip.io</code> requires a mere 594 bytes spread over 2 packets; Querying <a
<code>ns-ovh.sslip.io</code> requires a mere 594 bytes spread over 2 packets; Querying <a
href="https://icanhazip.com/">https://icanhazip.com/</a> requires 8692 bytes spread out over 34 packets—over
14 times
as much! Admittedly bandwidth usage is a bigger concern for the one hosting the service than the one using the
@@ -262,7 +262,7 @@ dig @ns-gce.nono.io version.status.sslip.io txt +short
<h4 id="metrics">Server Metrics</h4>You can retrieve metrics from a given server by querying the TXT records of
<code>metrics.status.sslip.io</code>
<pre>
dig @ns-azure.sslip.io metrics.status.sslip.io txt +short
dig @ns-ovh.sslip.io metrics.status.sslip.io txt +short
"Uptime: 165655"
"Blocklist: 2023-10-04 07:37:50-07 3,6"
"Queries: 14295231 (86.3/s)"
@@ -316,7 +316,7 @@ dig @ns-azure.sslip.io metrics.status.sslip.io txt +short
(e.g. "dig @ns.sslip.io ip.sslip.io txt")</dd>
<dt>TXT Version</dt>
<dd>The number of responses which included a TXT record of the DNS's servers version since starting operation
(e.g. "dig @ns-azure.sslip.io version.status.sslip.io txt")</dd>
(e.g. "dig @ns-hetzner.sslip.io version.status.sslip.io txt")</dd>
<dt>PTR IPv4/IPv6</dt>
<dd>This consists of two numbers; the first is the number of responses to IPv4 PTR queries
(<code>1.0.0.127.in-addr.arpa.</code><code>127-0-0-1.sslip.io.</code>), the second, IPv6 PTR queries</dd>

5
main.go
View File

@@ -28,9 +28,8 @@ func main() {
"ns.sslip.io=2a01:4ff:1f0:c920::,"+
"ns.sslip.io=51.75.53.19,"+
"ns.sslip.io=2001:41d0:602:2313::1,"+
"ns-aws.sslip.io=52.0.56.137,"+
"ns-aws.sslip.io=2600:1f18:aaf:6900::a,"+
"ns-azure.sslip.io=52.187.42.158,"+
"blocked.sslip.io=52.0.56.137,"+
"blocked.sslip.io=2600:1f18:aaf:6900::a,"+
"ns-gce.sslip.io=104.155.144.4,"+
"ns-gce.sslip.io=2600:1900:4000:4d12::,"+
"ns-hetzner.sslip.io=5.78.115.44,"+

8
xip/xip.go
View File

@@ -1155,13 +1155,13 @@ func (x *Xip) nameToAwithBlocklist(q dnsmessage.Question, response Response, log
Class: dnsmessage.ClassINET,
TTL: 604800, // 60 * 60 * 24 * 7 == 1 week; long TTL, these IP addrs don't change
Length: 0,
}, Customizations["ns-aws.sslip.io."].A[0])
}, Customizations["blocked.sslip.io."].A[0])
if err != nil {
return err
}
return nil
})
return response, logMessage + net.IP(Customizations["ns-aws.sslip.io."].A[0].A[:]).String(), nil
return response, logMessage + net.IP(Customizations["blocked.sslip.io."].A[0].A[:]).String(), nil
}
x.Metrics.AnsweredQueries++
x.Metrics.AnsweredAQueries++
@@ -1267,13 +1267,13 @@ func (x *Xip) nameToAAAAwithBlocklist(q dnsmessage.Question, response Response,
Class: dnsmessage.ClassINET,
TTL: 604800, // 60 * 60 * 24 * 7 == 1 week; long TTL, these IP addrs don't change
Length: 0,
}, Customizations["ns-aws.sslip.io."].AAAA[0])
}, Customizations["blocked.sslip.io."].AAAA[0])
if err != nil {
return err
}
return nil
})
return response, logMessage + net.IP(Customizations["ns-aws.sslip.io."].AAAA[0].AAAA[:]).String(), nil
return response, logMessage + net.IP(Customizations["blocked.sslip.io."].AAAA[0].AAAA[:]).String(), nil
}
x.Metrics.AnsweredQueries++
x.Metrics.AnsweredAAAAQueries++

14
xip/xip_test.go
View File

@@ -79,13 +79,13 @@ var _ = Describe("Xip", func() {
Describe("NSResources()", func() {
When("we use the default nameservers", func() {
var x, _ = xip.NewXip("file:///", []string{"ns-azure.sslip.io.", "ns-gce.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{})
var x, _ = xip.NewXip("file:///", []string{"ns-gce.sslip.io.", "ns-hetzner.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{})
It("returns the name servers", func() {
randomDomain := testhelper.Random8ByteString() + ".com."
ns := x.NSResources(randomDomain)
Expect(len(ns)).To(Equal(3))
Expect(ns[0].NS.String()).To(Equal("ns-azure.sslip.io."))
Expect(ns[1].NS.String()).To(Equal("ns-gce.sslip.io."))
Expect(ns[0].NS.String()).To(Equal("ns-gce.sslip.io."))
Expect(ns[1].NS.String()).To(Equal("ns-hetzner.sslip.io."))
Expect(ns[2].NS.String()).To(Equal("ns-ovh.sslip.io."))
})
When(`the domain name contains "_acme-challenge."`, func() {
@@ -112,13 +112,13 @@ var _ = Describe("Xip", func() {
When("we delegate domains to other nameservers", func() {
When(`we don't use the "=" in the arguments`, func() {
It("returns an informative log message", func() {
var _, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-azure.sslip.io.", "ns-gce.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{"noEquals"})
var _, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-gce.sslip.io.", "ns-hetzner.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{"noEquals"})
Expect(strings.Join(logs, "")).To(MatchRegexp(`"-delegates: arguments should be in the format "delegatedDomain=nameserver", not "noEquals"`))
})
})
When(`there's no "." at the end of the delegated domain or nameserver`, func() {
It(`helpfully adds the "."`, func() {
var x, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-azure.sslip.io.", "ns-gce.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{"a=b"})
var x, logs = xip.NewXip("file://etc/blocklist-test.txt", []string{"ns-gce.sslip.io.", "ns-hetzner.sslip.io.", "ns-ovh.sslip.io."}, []string{}, []string{"a=b"})
Expect(strings.Join(logs, "")).To(MatchRegexp(`Adding delegated NS record "a\.=b\."`))
ns := x.NSResources("a.")
Expect(len(ns)).To(Equal(1))
@@ -228,8 +228,8 @@ var _ = Describe("Xip", func() {
Entry("www", "www.sslip.io"),
Entry("a lone number", "538.sslip.io"),
Entry("too big", "256.254.253.252"),
Entry("NS but no dot", "ns-azure.sslip.io"),
Entry("NS + cruft at beginning", "p-ns-azure.sslip.io"),
Entry("NS but no dot", "ns-hetzner.sslip.io"),
Entry("NS + cruft at beginning", "p-ns-hetzner.sslip.io"),
Entry("test-net address with dots-and-dashes mixed", "www-192.0-2.3.example-me.com"),
)
When("There is more than one A record", func() {