- I don't need the "badges" pipeline anymore. It was once something that
made me terribly proud, and I'm sad to let it go.
- Similarly with the PWS pipeline. PWS is long-gone, and I don't know
why I kept it around so long because I didn't have any emotional
attachment to it
- I certainly don't need the task file for checking the nameservers;
that's a Concourse CI-thing.
Previously this action was called "Check DNS", but that was confusing
because this repo is all about DNS, so to be more clear we are calling
it "Check Nameservers" because that's what we're doing — checking that
the sslip.io nameservers are running properly.
This variable, `DOMAIN`, is carried over from Concourse CI, but I
probably should've hard-coded it.
Fixes, when running GitHub actions:
```
Usage: whois [OPTION]... OBJECT...
```
Concourse uses the directory above the repo; GitHub actions uses the
repo. This commit adjusts the director to accommodate GitHub Actions.
Fixes:
```
LoadError:
cannot load such file -- /__w/sslip.io/sslip.io/sslip.io/spec
```
I'm not ready to convert the release process, which is fairly
complicated, to GitHub actions. And the simple job is inadequate and
does the wrong thing (e.g. doesn't embed version numbers).
- on a self-hosted runner
- pull requests don't trigger actions (security)
- forks don't trigger actions (security)
- run in a container (fedora-golang-bosh) (security)
Concourse has stood me in good stead these past years, but development
has stalled with the Pivotal → VMware → Broadcom acquisitions, and now,
with the expiration of one of my Google Cloud Platform committed use
discounts, is a good time to transition to GitHub actions.
- ns-aws & ns-azure have been replaced by ns-hetzner & ns-ovh
- ns-azure has been completely destroyed (`terraform apply -destroy`);
the elastic IP has been released, so there's no hope of bringing it
back.
- ns-aws has been renamed to "blocked.sslip.io". It no longer answers
DNS queries, but lives on as the website we point "blocked" queries to
that warns about phishing.
- Some of the Markdown files' changes were mere reformatting changes
When using dig to determine the metrics of my servers, e.g. "dig txt
metrics.status.sslip.io @ns-ovh.sslip.io +short", one record looks
particularly heinous:
```
"Answer \226\137\165 1: 67974722 (651.9/s)"
```
It's supposed to look like this:
```
"Answer ≥ 1: 67974722 (651.9/s)"
```
`dig` doesn't handle Unicode well. So I'm replacing "Answer ≥ 1" with
"Answer > 0". No Unicode.
It was a worthy effort, but ultimately failed.
We don't need a custom `listLocalIPCIDRs()`; Golang now has a builtin:
`net.InterfaceAddrs()`. [0]
This is one of those wonderful commits that removes more lines than it
adds.
[0] https://pkg.go.dev/net#InterfaceAddrs
I've always been uncomfortable with the metric "Answered Queries" — it
implies that we don't answer all the queries. But we do answer all the
queries!
What the metric meant is "the number of DNS responses that we send that
have one or more records in the ANSWER section".
The new metric is "Answer ≥ 1". Not great, but better than before.
When I had introduced ns-hetzner, I forgot to update the records for
ns.sslip.io, which continued to point to the old, deprecated ns-azure.
This commit updates the ns.sslip.io records.
- remove the alert about not using the sslip.io nameservers as
general-purpose nameservers — I feel if they're looking at the page,
they already know enough not to use the nameservers as recursive
nameservers.
- deprecate ns-azure.
- extend the shutdown to 12/25 for ns-aws & ns-azure
- add a shoutout to Let's Encrypt
`tidy`, a UNIX-based HTML-formatter, has had its day in the sun, but
with the advent of VS Code, which I'll be using often to modify the
HTML, it makes more sense to format within the editor rather than in a
separate terminal window.
The nameserver on Azure is probably my least-favorite: much slower, much
higher latency. Even though it would've made more geographic sense to
dismantle my GCP nameserver in favor of the Hetzner, I'm using this
opportunity to get rid of the Azure.
And, of course, introduce the Hetzner nameserver with its 20TB of
bandwidth allowance, which I've come to need.
The torrent of traffic I'm receiving has caused my AWS bill to spike
from $9 to $148, all of the increase due to bandwidth charges.
I'm still maintaining ns-aws; the VM still continue to run, and continue
to serve web traffic, and maintain its hostname and IP addresses;
however, it will no longer be in the list of NS records for sslip.io.
There are much less expensive hosting providers. OVH is my current
favorite.
Rather than bloating the code with yet another flag, one that only I
would use, and in only one specific case (ns-aws.sslip.io), it would be
better to simply take ns-aws.sslip.io out of the NS list.
I'm being gouged by bandwidth costs by AWS. Last month's bill was $148,
and all but $9 was about bandwidth.
My bandwidth has been inexplicably climbing since February:
Billing
Month Total GB % increase
2024/2 37.119
2024/3 52.953 42.66%
2024/4 58.745 10.94%
2024/5 69.307 17.98%
2024/6 173.371 150.15%
2024/7 334.064 92.69%
2024/8 539.343 61.45%
2024/9 568.745 5.45%
2024/10 1365.305 140.06%
The new flag will allow me to throttle the AWS bandwidth to ~287 queries
/ second, which, according to my calculations, will max out the free
100 GB bandwidth without dipping into the for-pay bandwidth.
We want to place sslip.io on the Public Suffix List so we don't need to
pester Let's Encrypt for rate limit increases.
According to https://publicsuffix.org/submit/:
> owners of privately-registered domains who themselves issue subdomains
to mutually-untrusting parties may wish to be added to the PRIVATE
section of the list.
References:
- https://publicsuffix.org/
- https://github.com/publicsuffix/list/pull/2206
[Fixes#57]
Previously when the NS records were returned, ns-aws was always returned
first. Coincidentally, 64% of the queries were directed to ns-aws. And
once I exceeded AWS's 10 TB bandwidth limit, AWS began gouging me for
bandwidth charges, and $12.66/month rapidly climbed to $62.30
I'm hoping that by randomly rotating the order of nameservers, the
traffic will balance across the nameservers.
Current snapshot (already ns-ovh is helping):
ns-aws.sslip.io
"Queries: 237744377 (1800.6/s)"
"Answered Queries: 63040894 (477.5/s)"
ns-azure.sslip.io
"Queries: 42610823 (323.4/s)"
"Answered Queries: 14660603 (111.3/s)"
ns-gce.sslip.io
"Queries: 59734371 (454.1/s)"
"Answered Queries: 17636444 (134.1/s)"
ns-ovh.sslip.io
"Queries: 135897332 (1034.4/s)"
"Answered Queries: 36010164 (274.1/s)"
- located in Warsaw, Poland
- IPv4: 51.75.53.19
- IPv6: 2001:41d0:602:2313::1
The crux of this is to take the load off ns-aws, which jumped from
$12.66 → $20.63 → $38.51 → $62.30 in the last four months due to
bandwidth charges exceeding 10 TB.
The real fix is to randomize the order in which the nameservers are
returned.
I'm no longer engaged on setting up k-v.io; I thought it'd be cool to
have a DNS-backed etcd implementation, but now I don't care anymore.
There were technical challenges, too: Specifically, updating values did
not play well with DNS caching — you'd get the old value after updating.
If the service became popular, I'd quickly run out of disk space on my
tiny cloud VMs.
The service would most likely be used by people doing data exfiltration
via DNS. I already have enough problems with sslip.io scammers — the
last thing I want is to sign up for dealing with k-v.io scammers.
This commit removes the etcd configuration, certificates, and pipelines.
I had big plans for feeding in the configuration of the DNS server with
a JSON file, but since then I've come to consider command-line flags
good enough, so there's no reason to leave this useless file lingering —
it'll only server to confuse.
