ns-ovh-sg → ns-do-sg; +ns-gce

We replace `ns-ovh-sg` with `ns-do-sg`; this is a purely financial decision: `ns-ovh-sg` costs $60/month, $720/year. `ns-do-sg` (Digital Ocean), is also a Singapore-based DNS server. It's a basic-regular-2vcpu-4GiB RAM-80GB SSD-4TiB bandwidth for $24/month, $288/year. That's a yearly savings of $432. I had originally overspec'ed the Singapore server because I suspected that there was a ton of traffic in Asia; I was wrong. It's not even 20% the traffic of Europe or North America. I am confident the Digital Ocean server will be able to handle it. I also reintroduce `ns-gce` as the second server in North America, backing up `ns-hetzner`. My hope is that `ns-hetzner` carries most of the load, and `ns-gce` carries the rest, but not so much as to trigger Google Cloud Platform's (GCP's) expensive bandwidth billing. | DNS server | Queries / second | |:-----------|-----------------:| | ns-hetzner | 10706.4 | | ns-ovh | 10802.0 | | ns-ovh-sg | 1677.7 |
2025-10-05 15:46:50 +08:00 · 2025-05-20 11:23:18 -07:00
parent 75fc68005d
commit e5450f579a
7 changed files with 52 additions and 42 deletions
--- a/Docker/sslip.io-dns-server/Dockerfile
+++ b/Docker/sslip.io-dns-server/Dockerfile
@@ -26,7 +26,7 @@ LABEL org.opencontainers.image.authors="Brian Cunnie <brian.cunnie@gmail.com>"
 RUN dnf install -y bind-utils
 ARG TARGETARCH # amd64, arm64 (so I can run on AWS graviton2)
-RUN curl -f -L https://github.com/cunnie/sslip.io/releases/download/3.2.7/sslip.io-dns-server-linux-$TARGETARCH \
+RUN curl -f -L https://github.com/cunnie/sslip.io/releases/download/3.2.8/sslip.io-dns-server-linux-$TARGETARCH \
    -o /usr/sbin/sslip.io-dns-server; \
  chmod 755 /usr/sbin/sslip.io-dns-server
--- a/README.md
+++ b/README.md
@@ -1,6 +1,5 @@
 # sslip.io
 [![Production Nameservers](https://github.com/cunnie/sslip.io/actions/workflows/nameservers.yml/badge.svg)](https://github.com/cunnie/sslip.io/actions/workflows/nameservers.yml)
 [![CI Tests](https://github.com/cunnie/sslip.io/actions/workflows/ci-tests.yml/badge.svg)](https://github.com/cunnie/sslip.io/actions/workflows/ci-tests.yml)
@@ -119,21 +118,21 @@ as ARM64 (AWS Graviton, Apple M1/M2).
 - `-port` overrides the default port, 53, which the server binds to. This can
  be especially useful when running as a non-privileged user, unable to bind to
  privileged ports (<1024) ("`listen udp :53: bind: permission denied`"). For
-  example, to run the server on port 9553: `go run main.go -port 9553`. To query,
+  example, to run the server on port 9553: `go run main.go -port 9553`. To
-  `dig @localhost 127.0.0.1.sslip.io -p 9553`
+  query, `dig @localhost 127.0.0.1.sslip.io -p 9553`
- `-nameservers` overrides the default NS records `ns-hetzner.sslip.io`,
+- `-nameservers` overrides the default NS records `ns-do-sg.sslip.io`,
-  `ns-ovh.sslip.io`, and `ns-ovh-sg.sslip.io`; flag, e.g. `go run main.go
+  `ns-gce.sslip.io`, `ns-hetzner.sslip.io`, and `ns-ovh.sslip.io`; flag, e.g.
-  -nameservers ns1.example.com,ns2.example.com`). If you're running your own
+  `go run main.go -nameservers ns1.example.com,ns2.example.com`). If you're
-  nameservers, you probably want to set this. Don't forget to set address records
+  running your own nameservers, you probably want to set this. Don't forget to
-  for the new name servers with the `-addresses` flag (see below). Exception:
+  set address records for the new name servers with the `-addresses` flag (see
-  `_acme-challenge` records are handled differently to accommodate the
+  below). Exception: `_acme-challenge` records are handled differently to
-  procurement of Let's Encrypt wildcard certificates; you can read more about
+  accommodate the procurement of Let's Encrypt wildcard certificates; you can
-  that procedure [here](docs/wildcard.md)
+  read more about that procedure [here](docs/wildcard.md)
 - `-addresses` overrides the default A/AAAA (IPv4/IPv6) address records. For
-  example, here's how we set the IPv4 record & IPv6 record for our nameserver (in
+  example, here's how we set the IPv4 record & IPv6 record for our nameserver
-  the `-nameservers` example above), ns1.example.com: `-addresses
+  (in the `-nameservers` example above), ns1.example.com: `-addresses
-  ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set many
+  ns1.example.com=10.8.8.8,ns1.example.com=fc::8888`. Note that you can set
-  addresses for a single host, e.g.
+  many addresses for a single host, e.g.
  `ns1.example.com=1.1.1.1,ns1.example.com=8.8.8.8,ns1.example.com=9.9.9.9`
 - `-blocklistURL` overrides the default block list,
  (<https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt>).
@@ -146,7 +145,7 @@ as ARM64 (AWS Graviton, Apple M1/M2).
 - it binds to both UDP and TCP.
 - The SOA record is hard-coded except the _MNAME_ (primary master name server)
  record, which is set to the queried hostname (e.g. `dig big.apple.com
-  @ns-ovh.nono.io` would return an SOA with an _MNAME_ record of
+  @ns.sslip.io` would return an SOA with an _MNAME_ record of
  `big.apple.com.`
 - The MX records are hard-coded to the queried hostname with a preference of 0,
  except `sslip.io` itself, which has custom MX records to enable email
--- a/bin/make_all
+++ b/bin/make_all
@@ -4,7 +4,7 @@
 #
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 cd $DIR/..
-ldflags="-X xip/xip.VersionSemantic=3.2.7 \
+ldflags="-X xip/xip.VersionSemantic=3.2.8 \
         -X xip/xip.VersionDate=$(date +%Y/%m/%d-%H:%M:%S%z) \
         -X xip/xip.VersionGitHash=$(git rev-parse --short HEAD)"
 export GOOS GOARCH
--- a/docs/DEVELOPER.md
+++ b/docs/DEVELOPER.md
@@ -4,8 +4,8 @@ These instructions are meant primarily for me when deploying a new release;
 they might not make sense unless you're on my workstation.
 ```bash
-export OLD_VERSION=3.2.6
+export OLD_VERSION=3.2.7
-export VERSION=3.2.7
+export VERSION=3.2.8
 cd ~/workspace/sslip.io
 git pull -r --autostash
 # update the version number for the TXT record for version.status.sslip.io
@@ -41,13 +41,13 @@ Test from another window:
 ```bash
 export DNS_SERVER_IP=127.0.0.1
-export VERSION=3.2.7
+export VERSION=3.2.8
 # quick sanity test
 dig +short 127.0.0.1.example.com @$DNS_SERVER_IP
 echo 127.0.0.1
 # NS ordering might be rotated
 dig +short ns example.com @$DNS_SERVER_IP
-printf "ns-hetzner.sslip.io.\nns-ovh.sslip.io.\nns-ovh-sg.sslip.io.\n"
+printf "ns-do-sg.sslip.io.\nns-gce.sslip.io.\nns-hetzner.sslip.io.\nns-ovh.sslip.io.\n"
 dig +short mx example.com @$DNS_SERVER_IP
 echo "0 example.com."
 dig +short mx sslip.io @$DNS_SERVER_IP
@@ -84,10 +84,14 @@ git ci -vm"$VERSION: -ns-azure, ns-aws → \"blocked\""
 git tag $VERSION
 git push
 git push --tags
 scp bin/sslip.io-dns-server-linux-amd64 ns-do-sg:
 scp bin/sslip.io-dns-server-linux-amd64 ns-gce:
 scp bin/sslip.io-dns-server-linux-amd64 ns-hetzner:
 scp bin/sslip.io-dns-server-linux-amd64 ns-ovh:
-scp bin/sslip.io-dns-server-linux-amd64 ns-ovh-sg:
+ssh ns-do-sg sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
 ssh ns-do-sg sudo shutdown -r now
 # check version number:
 sleep 10; while ! dig txt @ns-do-sg.sslip.io version.status.sslip.io +short; do sleep 5; done
 ssh ns-gce sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
 ssh ns-gce sudo shutdown -r now
 # check version number:
@@ -100,10 +104,6 @@ ssh ns-ovh sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-se
 ssh ns-ovh sudo shutdown -r now
 # check version number:
 sleep 10; while ! dig txt @ns-ovh.sslip.io version.status.sslip.io +short; do sleep 5; done
 ssh ns-ovh-sg sudo install sslip.io-dns-server-linux-amd64 /usr/bin/sslip.io-dns-server
 ssh ns-ovh-sg sudo shutdown -r now
 # check version number:
 sleep 10; while ! dig txt @ns-ovh-sg.sslip.io version.status.sslip.io +short; do sleep 5; done
 ```
 - Browse to <https://github.com/cunnie/sslip.io/releases/new> to draft a new release
--- a/integration_test.go
+++ b/integration_test.go
@@ -238,22 +238,24 @@ var _ = Describe("sslip.io-dns-server", func() {
 				digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 				digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 				Expect(err).ToNot(HaveOccurred())
 				Eventually(digSession).Should(Say(`146.190.110.69`))
 				Eventually(digSession).Should(Say(`104.155.144.4`))
 				Eventually(digSession).Should(Say(`5.78.115.44`))
 				Eventually(digSession).Should(Say(`51.75.53.19`))
 				Eventually(digSession).Should(Say(`51.79.178.89`))
 				Eventually(digSession, 1).Should(Exit(0))
-				Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeA ns.sslip.io. \? 5.78.115.44, 51.75.53.19, 51.79.178.89\n`))
+				Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeA ns.sslip.io. \? 146.190.110.69, 104.155.144.4, 5.78.115.44, 51.75.53.19\n`))
 			})
 			It("returns all the AAAA records", func() {
 				digArgs = "@localhost aaaa ns.sslip.io +short -p " + strconv.Itoa(port)
 				digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 				digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 				Expect(err).ToNot(HaveOccurred())
 				Eventually(digSession).Should(Say(`2400:6180:0:d2:0:1:da21:d000`))
 				Eventually(digSession).Should(Say(`2600:1900:4000:4d12::`))
 				Eventually(digSession).Should(Say(`2a01:4ff:1f0:c920::`))
 				Eventually(digSession).Should(Say(`2001:41d0:602:2313::1`))
 				Eventually(digSession).Should(Say(`2402:1f00:8001:d59::1`))
 				Eventually(digSession, 1).Should(Exit(0))
-				Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeAAAA ns.sslip.io. \? 2a01:4ff:1f0:c920::, 2001:41d0:602:2313::1, 2402:1f00:8001:d59::1\n`))
+				Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeAAAA ns.sslip.io. \? 2400:6180:0:d2:0:1:da21:d000, 2600:1900:4000:4d12::, 2a01:4ff:1f0:c920::, 2001:41d0:602:2313::1\n`))
 			})
 		})
 		When("there are multiple MX records returned (e.g. sslip.io)", func() {
@@ -274,21 +276,24 @@ var _ = Describe("sslip.io-dns-server", func() {
 				digCmd = exec.Command("dig", strings.Split(digArgs, " ")...)
 				digSession, err = Start(digCmd, GinkgoWriter, GinkgoWriter)
 				Expect(err).ToNot(HaveOccurred())
-				Eventually(digSession).Should(Say(`flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 6`))
+				Eventually(digSession).Should(Say(`flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 8`))
 				Eventually(digSession).Should(Say(`;; ANSWER SECTION:`))
 				Eventually(digSession).Should(Say(`;; ADDITIONAL SECTION:`))
 				Eventually(digSession).Should(Say(`ns-do-sg.sslip.io..*146.190.110.69\n`))
 				Eventually(digSession).Should(Say(`ns-do-sg.sslip.io..*2400:6180:0:d2:0:1:da21:d000\n`))
 				Eventually(digSession).Should(Say(`ns-gce.sslip.io..*104.155.144.4\n`))
 				Eventually(digSession).Should(Say(`ns-gce.sslip.io..*2600:1900:4000:4d12::\n`))
 				Eventually(digSession).Should(Say(`ns-hetzner.sslip.io..*5.78.115.44\n`))
 				Eventually(digSession).Should(Say(`ns-hetzner.sslip.io..*2a01:4ff:1f0:c920::\n`))
 				Eventually(digSession).Should(Say(`ns-ovh.sslip.io..*51.75.53.19\n`))
 				Eventually(digSession).Should(Say(`ns-ovh.sslip.io..*2001:41d0:602:2313::1\n`))
 				Eventually(digSession).Should(Say(`ns-ovh-sg.sslip.io..*51.79.178.89\n`))
 				Eventually(digSession).Should(Say(`ns-ovh-sg.sslip.io..*2402:1f00:8001:d59::1\n`))
 				Eventually(digSession, 1).Should(Exit(0))
 				// the server names may appear out-of-order
 				Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-do-sg.sslip.io.\n`))
 				Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-gce.sslip.io.\n`))
 				Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-hetzner.sslip.io.\n`))
 				Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-ovh.sslip.io.\n`))
-				Eventually(string(digSession.Out.Contents())).Should(MatchRegexp(`NS\tns-ovh-sg.sslip.io.\n`))
+				Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeNS example.com. \? ns-do-sg.sslip.io., ns-gce.sslip.io., ns-hetzner.sslip.io., ns-ovh.sslip.io.\n`))
 				Eventually(string(serverSession.Err.Contents())).Should(MatchRegexp(`TypeNS example.com. \? ns-hetzner.sslip.io., ns-ovh.sslip.io., ns-ovh-sg.sslip.io.\n`))
 			})
 		})
 		When(`there are multiple TXT records returned (e.g. SPF for sslip.io)`, func() {
@@ -410,8 +415,8 @@ var _ = Describe("sslip.io-dns-server", func() {
 			// use regex to account for rotated nameserver order
 			Entry("an NS record with acme_challenge with a forbidden string is not delegated",
 				"@localhost _acme-challenge.raiffeisen.fe80--.sslip.io ns +short",
-				`\Ans-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\n\z`,
+				`\Ans-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\nns-[a-z-]+.sslip.io.\n\z`,
-				`TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-hetzner.sslip.io., ns-ovh.sslip.io., ns-ovh-sg.sslip.io.\n$`),
+				`TypeNS _acme-challenge.raiffeisen.fe80--.sslip.io. \? ns-do-sg.sslip.io., ns-gce.sslip.io., ns-hetzner.sslip.io., ns-ovh.sslip.io.\n$`),
 			Entry("an A record with a forbidden CIDR is redirected",
 				"@localhost nf.43.134.66.67.sslip.io +short",
 				`\A52.0.56.137\n\z`,
--- a/main.go
+++ b/main.go
@@ -17,19 +17,25 @@ func main() {
 	var blocklistURL = flag.String("blocklistURL",
 		"https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt",
 		`URL containing a list of non-resolvable IPs/names/CIDRs, usually phishing or scamming sites. Example "file://etc/blocklist.txt"`)
-	var nameservers = flag.String("nameservers", "ns-hetzner.sslip.io.,ns-ovh.sslip.io.,ns-ovh-sg.sslip.io.",
+	var nameservers = flag.String("nameservers", "ns-do-sg.sslip.io.,ns-gce.sslip.io.,ns-hetzner.sslip.io.,ns-ovh.sslip.io.",
 		"comma-separated list of FQDNs of nameservers. If you're running your own sslip.io nameservers, set them here")
 	var addresses = flag.String("addresses",
 		"sslip.io=78.46.204.247,"+
 			"sslip.io=2a01:4f8:c17:b8f::2,"+
 			"ns.sslip.io=146.190.110.69,"+
 			"ns.sslip.io=2400:6180:0:d2:0:1:da21:d000,"+
 			"ns.sslip.io=104.155.144.4,"+
 			"ns.sslip.io=2600:1900:4000:4d12::,"+
 			"ns.sslip.io=5.78.115.44,"+
 			"ns.sslip.io=2a01:4ff:1f0:c920::,"+
 			"ns.sslip.io=51.75.53.19,"+
 			"ns.sslip.io=2001:41d0:602:2313::1,"+
 			"ns.sslip.io=51.79.178.89,"+
 			"ns.sslip.io=2402:1f00:8001:d59::1,"+
 			"blocked.sslip.io=52.0.56.137,"+
 			"blocked.sslip.io=2600:1f18:aaf:6900::a,"+
 			"ns-do-sg.sslip.io=146.190.110.69,"+
 			"ns-do-sg.sslip.io=2400:6180:0:d2:0:1:da21:d000,"+
 			"ns-gce.sslip.io=104.155.144.4,"+
 			"ns-gce.sslip.io=2600:1900:4000:4d12::,"+
 			"ns-hetzner.sslip.io=5.78.115.44,"+
 			"ns-hetzner.sslip.io=2a01:4ff:1f0:c920::,"+
 			"ns-ovh.sslip.io=51.75.53.19,"+
--- a/spec/check-dns_spec.rb
+++ b/spec/check-dns_spec.rb
@@ -18,7 +18,7 @@ def get_whois_nameservers(domain)
 end
 domain = ENV['DOMAIN'] || 'example.com'
-sslip_version = '3.2.7'
+sslip_version = '3.2.8'
 whois_nameservers = get_whois_nameservers(domain)
 describe domain do