diff --git a/Docker/sslip.io-dns-server/Dockerfile b/Docker/sslip.io-dns-server/Dockerfile
index 66395d8..8a2f699 100644
--- a/Docker/sslip.io-dns-server/Dockerfile
+++ b/Docker/sslip.io-dns-server/Dockerfile
@@ -26,7 +26,7 @@ LABEL org.opencontainers.image.authors="Brian Cunnie "
 RUN dnf install -y bind-utils
 ARG TARGETARCH # amd64, arm64 (so I can run on AWS graviton2)
-RUN curl -f -L https://github.com/cunnie/sslip.io/releases/download/3.2.7/sslip.io-dns-server-linux-$TARGETARCH \
+RUN curl -f -L https://github.com/cunnie/sslip.io/releases/download/3.2.8/sslip.io-dns-server-linux-$TARGETARCH \
 -o /usr/sbin/sslip.io-dns-server; \
 chmod 755 /usr/sbin/sslip.io-dns-server
diff --git a/README.md b/README.md
index ed77913..5489392 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,5 @@
 # sslip.io - [![Production Nameservers](https://github.com/cunnie/sslip.io/actions/workflows/nameservers.yml/badge.svg)](https://github.com/cunnie/sslip.io/actions/workflows/nameservers.yml) [![CI Tests](https://github.com/cunnie/sslip.io/actions/workflows/ci-tests.yml/badge.svg)](https://github.com/cunnie/sslip.io/actions/workflows/ci-tests.yml)
@@ -119,21 +118,21 @@ as ARM64 (AWS Graviton, Apple M1/M2). - `-port` overrides the default port, 53, which the server binds to. This can be especially useful when running as a non-privileged user, unable to bind to privileged ports (<1024) ("`listen udp :53: bind: permission denied`"). For - example, to run the server on port 9553: `go run main.go -port 9553`. To query, - `dig @localhost 127.0.0.1.sslip.io -p 9553` -- `-nameservers` overrides the default NS records `ns-hetzner.sslip.io`, - `ns-ovh.sslip.io`, and `ns-ovh-sg.sslip.io`; flag, e.g. `go run main.go - -nameservers ns1.example.com,ns2.example.com`). If you're running your own - nameservers, you probably want to set this. Don't forget to set address records - for the new name servers with the `-addresses` flag (see below). Exception: - `_acme-challenge` records are handled differently to accommodate the - procurement of Let's Encrypt wildcard certificates; you can read more about - that procedure [here](docs/wildcard.md) + example, to run the server on port 9553: `go run main.go -port 9553`. To + query, `dig @localhost 127.0.0.1.sslip.io -p 9553` +- `-nameservers` overrides the default NS records `ns-do-sg.sslip.io`, + `ns-gce.sslip.io`, `ns-hetzner.sslip.io`, and `ns-ovh.sslip.io`; flag, e.g. + `go run main.go -nameservers ns1.example.com,ns2.example.com`). If you're + running your own nameservers, you probably want to set this. Don't forget to + set address records for the new name servers with the `-addresses` flag (see + below). Exception: `_acme-challenge` records are handled differently to + accommodate the procurement of Let's Encrypt wildcard certificates; you can + read more about that procedure [here](docs/wildcard.md) - `-addresses` overrides the default A/AAAA (IPv4/IPv6) address records. For - example, here's how we set the IPv4 record & IPv6 record for our nameserver (in - the `-nameservers` example above), ns1.example.com: `-addresses - ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. 
Note that you can set many - addresses for a single host, e.g. + example, here's how we set the IPv4 record & IPv6 record for our nameserver + (in the `-nameservers` example above), ns1.example.com: `-addresses + ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set + many addresses for a single host, e.g. `ns1.example.com=1.1.1.1,ns1.example.com=8.8.8.8,ns1.example.com=9.9.9.9` - `-blocklistURL` overrides the default block list, ().
@@ -146,7 +145,7 @@ as ARM64 (AWS Graviton, Apple M1/M2).
 - it binds to both UDP and TCP. - The SOA record is hard-coded except the _MNAME_ (primary master name server) record, which is set to the queried hostname (e.g. `dig big.apple.com - @ns-ovh.nono.io` would return an SOA with an _MNAME_ record of + @ns.sslip.io` would return an SOA with an _MNAME_ record of `big.apple.com.` - The MX records are hard-coded to the queried hostname with a preference of 0, except `sslip.io` itself, which has custom MX records to enable email
diff --git a/bin/make_all b/bin/make_all
index b233023..60edd59 100755
--- a/bin/make_all
+++ b/bin/make_all
@@ -4,7 +4,7 @@ #
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd $DIR/..
-ldflags="-X xip/xip.VersionSemantic=3.2.7 \
+ldflags="-X xip/xip.VersionSemantic=3.2.8 \
 -X xip/xip.VersionDate=$(date +%Y/%m/%d-%H:%M:%S%z) \
 -X xip/xip.VersionGitHash=$(git rev-parse --short HEAD)"
 export GOOS GOARCH
diff --git a/docs/DEVELOPER.md b/docs/DEVELOPER.md
index e5562b6..0976cca 100644
--- a/docs/DEVELOPER.md
+++ b/docs/DEVELOPER.md
@@ -4,8 +4,8 @@ These instructions are meant primarily for me when deploying a new release; they might not make sense unless you're on my workstation.
 ```bash
-export OLD_VERSION=3.2.6
-export VERSION=3.2.7
+export OLD_VERSION=3.2.7
+export VERSION=3.2.8
 cd ~/workspace/sslip.io
 git pull -r --autostash # update the version number for the TXT record for version.status.sslip.io
@@ -41,13 +41,13 @@ Test from another window:
 ```bash
 export DNS_SERVER_IP=127.0.0.1
-export VERSION=3.2.7
+export VERSION=3.2.8
 # quick sanity test
 dig +short 127.0.0.1.example.com @$DNS_SERVER_IP
 echo 127.0.0.1 # NS ordering might be rotated
 dig +short ns example.com @$DNS_SERVER_IP
-printf "ns-hetzner.sslip.io.\nns-ovh.sslip.io.\nns-ovh-sg.sslip.io.\n"
+printf "ns-do-sg.sslip.io.\nns-gce.sslip.io.\nns-hetzner.sslip.io.\nns-ovh.sslip.io.\n"
 dig +short mx example.com @$DNS_SERVER_IP
 echo "0 example.com."
 dig +short mx sslip.io @$DNS_SERVER_IP
@@ -84,10 +84,14 @@ git ci -vm"$VERSION: -ns-azure, ns-aws → \"blocked\""
 git tag $VERSION
 git push
 git push --tags
+scp bin/sslip.io-dns-server-linux-amd64 ns-do-sg:
 scp bin/sslip.io-dns-server-linux-amd64 ns-gce:
 scp bin/sslip.io-dns-server-linux-amd64 ns-hetzner:
 scp bin/sslip.io-dns-server-linux-amd64 ns-ovh:
-scp bin/sslip.io-dns-server-linux-amd64 ns-ovh-sg:
+ssh ns-do-sg sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
+ssh ns-do-sg sudo shutdown -r now
+ # check version number:
+sleep 10; while ! dig txt @ns-do-sg.sslip.io version.status.sslip.io +short; do sleep 5; done
 ssh ns-gce sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
 ssh ns-gce sudo shutdown -r now
 # check version number:
@@ -100,10 +104,6 @@ ssh ns-ovh sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-se
 ssh ns-ovh sudo shutdown -r now
 # check version number:
 sleep 10; while ! dig txt @ns-ovh.sslip.io version.status.sslip.io +short; do sleep 5; done
-ssh ns-ovh-sg sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
-ssh ns-ovh-sg sudo shutdown -r now
- # check version number:
-sleep 10; while ! dig txt @ns-ovh-sg.sslip.io version.status.sslip.io +short; do sleep 5; done
 ```
 - Browse to to draft a new release
diff --git a/integration_test.go b/integration_test.go
index 738fefa..4dd60af 100644
--- a/integration_test.go
+++ b/integration_test.go
@@ -238,22 +238,24 @@ var _ = Describe("sslip.io-dns-server", func() {
 digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 Expect(err).ToNot(HaveOccurred())
+ Eventually(digSession).Should(Say(`146.190.110.69`))
+ Eventually(digSession).Should(Say(`104.155.144.4`))
 Eventually(digSession).Should(Say(`5.78.115.44`))
 Eventually(digSession).Should(Say(`51.75.53.19`))
- Eventually(digSession).Should(Say(`51.79.178.89`))
 Eventually(digSession, 1).Should(Exit(0))
- Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeA ns.sslip.io. \? 5.78.115.44, 51.75.53.19, 51.79.178.89\n`))
+ Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeA ns.sslip.io. \? 146.190.110.69, 104.155.144.4, 5.78.115.44, 51.75.53.19\n`))
 })
 It("returns all the AAAA records", func() {
 digArgs = "@localhost aaaa ns.sslip.io +short -p " + strconv.Itoa(port)
 digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 Expect(err).ToNot(HaveOccurred())
+ Eventually(digSession).Should(Say(`2400:6180:0:d2:0:1:da21:d000`))
+ Eventually(digSession).Should(Say(`2600:1900:4000:4d12::`))
 Eventually(digSession).Should(Say(`2a01:4ff:1f0:c920::`))
 Eventually(digSession).Should(Say(`2001:41d0:602:2313::1`))
- Eventually(digSession).Should(Say(`2402:1f00:8001:d59::1`))
 Eventually(digSession, 1).Should(Exit(0))
- Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeAAAA ns.sslip.io. \? 2a01:4ff:1f0:c920::, 2001:41d0:602:2313::1, 2402:1f00:8001:d59::1\n`))
+ Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeAAAA ns.sslip.io. \? 2400:6180:0:d2:0:1:da21:d000, 2600:1900:4000:4d12::, 2a01:4ff:1f0:c920::, 2001:41d0:602:2313::1\n`))
 })
 })
 When("there are multiple MX records returned (e.g. sslip.io)", func() {
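Review bot: The two new `Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(...))` lines (TypeA and TypeAAAA) take a snapshot of the server's stderr once, before `Eventually` starts polling, so the matcher retries the same fixed string and the timeout buys nothing — if the server has not written its log line by the time dig exits, the assertion fails on the stale snapshot instead of waiting. Pass a function so each poll re-reads the buffer: `Eventually(func() string { return string(serverSession.Err.Contents()) }).Should(MatchRegexp(...))`. The same pattern is repeated on the new `NS\t...` and `TypeNS` lines in the next hunk (`@@ -274,21 +276,24 @@`), and a tiny helper such as `serverLog := func() string { return string(serverSession.Err.Contents()) }` at the Describe level would keep all of them short. Both It blocks touched here begin outside the hunk.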
@@ -274,21 +276,24 @@ var _ = Describe("sslip.io-dns-server", func() {
 digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 Expect(err).ToNot(HaveOccurred())
- Eventually(digSession).Should(Say(`flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 6`))
+ Eventually(digSession).Should(Say(`flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8`))
 Eventually(digSession).Should(Say(`;; ANSWER SECTION:`))
 Eventually(digSession).Should(Say(`;; ADDITIONAL SECTION:`))
+ Eventually(digSession).Should(Say(`ns-do-sg.sslip.io..*146.190.110.69\n`))
+ Eventually(digSession).Should(Say(`ns-do-sg.sslip.io..*2400:6180:0:d2:0:1:da21:d000\n`))
+ Eventually(digSession).Should(Say(`ns-gce.sslip.io..*104.155.144.4\n`))
+ Eventually(digSession).Should(Say(`ns-gce.sslip.io..*2600:1900:4000:4d12::\n`))
 Eventually(digSession).Should(Say(`ns-hetzner.sslip.io..*5.78.115.44\n`))
 Eventually(digSession).Should(Say(`ns-hetzner.sslip.io..*2a01:4ff:1f0:c920::\n`))
 Eventually(digSession).Should(Say(`ns-ovh.sslip.io..*51.75.53.19\n`))
 Eventually(digSession).Should(Say(`ns-ovh.sslip.io..*2001:41d0:602:2313::1\n`))
- Eventually(digSession).Should(Say(`ns-ovh-sg.sslip.io..*51.79.178.89\n`))
- Eventually(digSession).Should(Say(`ns-ovh-sg.sslip.io..*2402:1f00:8001:d59::1\n`))
 Eventually(digSession, 1).Should(Exit(0))
 // the server names may appear out-of-order
+ Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-do-sg.sslip.io.\n`))
+ Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-gce.sslip.io.\n`))
 Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-hetzner.sslip.io.\n`))
 Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-ovh.sslip.io.\n`))
- Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-ovh-sg.sslip.io.\n`))
- Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeNS example.com. \? ns-hetzner.sslip.io., ns-ovh.sslip.io., ns-ovh-sg.sslip.io.\n`))
+ Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeNS example.com. \? ns-do-sg.sslip.io., ns-gce.sslip.io., ns-hetzner.sslip.io., ns-ovh.sslip.io.\n`))
 })
 })
 When(`there are multiple TXT records returned (e.g. SPF for sslip.io)`, func() {
@@ -410,8 +415,8 @@ var _ = Describe("sslip.io-dns-server", func() {
 // use regex to account for rotated nameserver order
 Entry("an NS record with acme_challenge with a forbidden string is not delegated",
 "@localhost _acme-challenge.raiffeisen.fe80--.sslip.io ns +short",
- `\Ans-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\n\z`,
- `TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-hetzner.sslip.io., ns-ovh.sslip.io., ns-ovh-sg.sslip.io.\n$`),
+ `\Ans-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\n\z`,
+ `TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-do-sg.sslip.io., ns-gce.sslip.io., ns-hetzner.sslip.io., ns-ovh.sslip.io.\n$`),
 Entry("an A record with a forbidden CIDR is redirected",
 "@localhost nf.43.134.66.67.sslip.io +short",
 `\A52.0.56.137\n\z`,
diff --git a/main.go b/main.go
index eaab9d0..0a27f38 100644
--- a/main.go
+++ b/main.go
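Review bot: The eight `Say(`ns-…sslip.io..*…\n`)` checks on the ADDITIONAL section (four of them new) are order-sensitive, because gbytes `Say` consumes the buffer up to each match, yet a few lines later the NS section is deliberately checked with `MatchRegexp` over the full output because "the server names may appear out-of-order". If the additional records follow the same rotation as the NS records — the hunk does not show how the server orders them — this test turns flaky as soon as the rotation starts on a different server; checking those eight lines with `MatchRegexp` against `string(digSession.Out.Contents())` after the `Exit(0)` wait would make them order-independent. The unescaped `.` in `ns-do-sg.sslip.io..*146.190.110.69\n` also matches any character, so `ns-do-sg\.sslip\.io\..*146\.190\.110\.69\n` is the exact match the test appears to intend. The enclosing It block begins outside the hunk.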
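Review bot: The new `\Ans-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\n\z` repeats the per-nameserver group by hand, so the next server change means editing this literal again and the unescaped `.` accepts any character where a dot is meant; `\A(?:ns-[a-z-]+\.sslip\.io\.\n){4}\z` states the same expectation with the count in one place. The expected-log regexp on the following line has the same unescaped dots. The DescribeTable that holds these Entry calls begins before the hunk.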
@@ -17,19 +17,25 @@ func main() {
 var blocklistURL = flag.String("blocklistURL", "https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt", `URL containing a list of non-resolvable IPs/names/CIDRs, usually phishing or scamming sites. Example "file://etc/blocklist.txt"`)
- var nameservers = flag.String("nameservers", "ns-hetzner.sslip.io.,ns-ovh.sslip.io.,ns-ovh-sg.sslip.io.",
+ var nameservers = flag.String("nameservers", "ns-do-sg.sslip.io.,ns-gce.sslip.io.,ns-hetzner.sslip.io.,ns-ovh.sslip.io.",
 "comma-separated list of FQDNs of nameservers. If you're running your own sslip.io nameservers, set them here")
 var addresses = flag.String("addresses", "sslip.io=78.46.204.247,"+
 "sslip.io=2a01:4f8:c17:b8f::2,"+
+ "ns.sslip.io=146.190.110.69,"+
+ "ns.sslip.io=2400:6180:0:d2:0:1:da21:d000,"+
+ "ns.sslip.io=104.155.144.4,"+
+ "ns.sslip.io=2600:1900:4000:4d12::,"+
 "ns.sslip.io=5.78.115.44,"+
 "ns.sslip.io=2a01:4ff:1f0:c920::,"+
 "ns.sslip.io=51.75.53.19,"+
 "ns.sslip.io=2001:41d0:602:2313::1,"+
- "ns.sslip.io=51.79.178.89,"+
- "ns.sslip.io=2402:1f00:8001:d59::1,"+
 "blocked.sslip.io=52.0.56.137,"+
 "blocked.sslip.io=2600:1f18:aaf:6900::a,"+
+ "ns-do-sg.sslip.io=146.190.110.69,"+
+ "ns-do-sg.sslip.io=2400:6180:0:d2:0:1:da21:d000,"+
+ "ns-gce.sslip.io=104.155.144.4,"+
+ "ns-gce.sslip.io=2600:1900:4000:4d12::,"+
 "ns-hetzner.sslip.io=5.78.115.44,"+
 "ns-hetzner.sslip.io=2a01:4ff:1f0:c920::,"+
 "ns-ovh.sslip.io=51.75.53.19,"+
diff --git a/spec/check-dns_spec.rb b/spec/check-dns_spec.rb
index fb1a3db..285a797 100644
--- a/spec/check-dns_spec.rb
+++ b/spec/check-dns_spec.rb
@@ -18,7 +18,7 @@ def get_whois_nameservers(domain)
 end
 domain = ENV['DOMAIN'] || 'example.com'
-sslip_version = '3.2.7'
+sslip_version = '3.2.8'
 whois_nameservers = get_whois_nameservers(domain)
 describe domain do
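Review bot: Every nameserver's A and AAAA literal now appears twice in the `-addresses` default — once under `ns.sslip.io` and once under its own `ns-<provider>.sslip.io` name — and the same four hostnames are repeated in the `-nameservers` default, so the next server swap has to be made in three places here (plus the integration tests) with nothing checking that they still agree; this commit's own diff shows how easy it is to drop one copy and keep another. Deriving the default from a single list of {name, v4, v6} entries and appending both the `ns.sslip.io=` and the `ns-<provider>.sslip.io=` pairs in a loop before calling `flag.String` would leave one authoritative table; at minimum a comment above `var addresses` should state the invariant, e.g. `// every ns-<provider>.sslip.io address below must also be listed under ns.sslip.io above`. Note also that the `-nameservers` default carries trailing dots (`ns-do-sg.sslip.io.`) while the `-addresses` keys do not; if lookup normalises the dot elsewhere that is fine, but it is worth a one-line comment here. `main` begins before and continues past this hunk.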