mirror of
https://github.com/cunnie/sslip.io.git
synced 2025-10-05 15:46:50 +08:00
9c8712578d
I'm being gouged by bandwidth costs by AWS. Last month's bill was $148, and all but $9 was about bandwidth. My bandwidth has been inexplicably climbing since February: Billing Month Total GB % increase 2024/2 37.119 2024/3 52.953 42.66% 2024/4 58.745 10.94% 2024/5 69.307 17.98% 2024/6 173.371 150.15% 2024/7 334.064 92.69% 2024/8 539.343 61.45% 2024/9 568.745 5.45% 2024/10 1365.305 140.06% The new flag will allow me to throttle the AWS bandwidth to ~287 queries / second, which, according to my calculations, will max out the free 100 GB bandwidth without dipping into the for-pay bandwidth.
284 lines
10 KiB
Go
284 lines
10 KiB
Go
package main
|
|
|
|
import (
|
|
"encoding/binary"
|
|
"errors"
|
|
"flag"
|
|
"log"
|
|
"math"
|
|
"net"
|
|
"os"
|
|
"runtime"
|
|
"strings"
|
|
"syscall"
|
|
"xip/xip"
|
|
)
|
|
|
|
func main() {
|
|
var blocklistURL = flag.String("blocklistURL",
|
|
"https://raw.githubusercontent.com/cunnie/sslip.io/main/etc/blocklist.txt",
|
|
`URL containing a list of non-resolvable IPs/names/CIDRs, usually phishing or scamming sites. Example "file://etc/blocklist.txt"`)
|
|
var nameservers = flag.String("nameservers", "ns-aws.sslip.io.,ns-azure.sslip.io.,ns-gce.sslip.io.,ns-ovh.sslip.io.",
|
|
"comma-separated list of FQDNs of nameservers. If you're running your own sslip.io nameservers, set them here")
|
|
var addresses = flag.String("addresses",
|
|
"sslip.io=78.46.204.247,"+
|
|
"sslip.io=2a01:4f8:c17:b8f::2,"+
|
|
"ns.sslip.io=52.0.56.137,"+
|
|
"ns.sslip.io=52.187.42.158,"+
|
|
"ns.sslip.io=104.155.144.4,"+
|
|
"ns.sslip.io=2600:1f18:aaf:6900::a,"+
|
|
"ns.sslip.io=2600:1900:4000:4d12::,"+
|
|
"ns-aws.sslip.io=52.0.56.137,"+
|
|
"ns-aws.sslip.io=2600:1f18:aaf:6900::a,"+
|
|
"ns-azure.sslip.io=52.187.42.158,"+
|
|
"ns-gce.sslip.io=104.155.144.4,"+
|
|
"ns-gce.sslip.io=2600:1900:4000:4d12::,"+
|
|
"ns-ovh.sslip.io=51.75.53.19,"+
|
|
"ns-ovh.sslip.io=2001:41d0:602:2313::1",
|
|
"comma-separated list of hosts and corresponding IPv4 and/or IPv6 address(es). If you're running your own sslip.io nameservers, add their hostnames and addresses here. If unsure, add to the list rather than replace")
|
|
var delegates = flag.String("delegates", "", "comma-separated list of domains you own "+
|
|
"and nameservers you control to which to delegate, often used to acquire wildcard certificates from "+
|
|
"Let's Encrypt via DNS challenge. Example: "+
|
|
`-delegates=_acme-challenge.73-189-219-4.xip.nono.io=ns-437.awsdns-54.com.,_acme-challenge.73-189-219-4.xip.nono.io=ns-1097.awsdns-09.org."`)
|
|
var bindPort = flag.Int("port", 53, "port the DNS server should bind to")
|
|
var quiet = flag.Bool("quiet", false, "suppresses logging of each DNS response. Use this to avoid Google Cloud charging you $30/month to retain the logs of your GKE-based sslip.io server")
|
|
var public = flag.Bool("public", true, "allows resolution of public IP addresses. If false, only resolves private IPs including localhost (127/8, ::1), link-local (169.254/16, fe80::/10), CG-NAT (100.64/12), private (10/8, 172.16/12, 192.168/16, fc/7). Set to false if you don't want miscreants impersonating you via public IPs. If unsure, set to false")
|
|
var maxQueriesPerSec = flag.Int("max_queries_per_sec", math.MaxInt32, "maximum queries per second. This limit, in queries/second, is measured since the server was started. When the limit is reached, the server stops replying until throughput drops below the limit. Use this if AWS is gouging you for bandwidth. 300 qps is close to 100 GB / month")
|
|
flag.Parse()
|
|
log.Printf("%s version %s starting", os.Args[0], xip.VersionSemantic)
|
|
log.Printf("blocklist URL: %s, name servers: %s, bind port: %d, quiet: %t",
|
|
*blocklistURL, *nameservers, *bindPort, *quiet)
|
|
|
|
x, logmessages := xip.NewXip(*blocklistURL, strings.Split(*nameservers, ","), strings.Split(*addresses, ","), strings.Split(*delegates, ","), *maxQueriesPerSec)
|
|
x.Public = *public
|
|
for _, logmessage := range logmessages {
|
|
log.Println(logmessage)
|
|
}
|
|
|
|
var udpConns []*net.UDPConn
|
|
var tcpListeners []*net.TCPListener
|
|
var unboundUDPIPs []string
|
|
var unboundTCPIPs []string
|
|
udpConn, err := net.ListenUDP("udp", &net.UDPAddr{Port: *bindPort})
|
|
switch {
|
|
case err == nil: // success! We've bound to all interfaces
|
|
udpConns = append(udpConns, udpConn)
|
|
case isErrorPermissionsError(err):
|
|
log.Printf("Try invoking me with `sudo` because I don't have permission to bind to UDP port %d.\n", *bindPort)
|
|
log.Fatal(err.Error())
|
|
case isErrorAddressAlreadyInUse(err):
|
|
log.Printf("I couldn't bind via UDP to \"[::]:%d\" (INADDR_ANY, all interfaces), so I'll try to bind to each address individually.\n", *bindPort)
|
|
udpConns, unboundUDPIPs = bindUDPAddressesIndividually(*bindPort)
|
|
if len(unboundUDPIPs) > 0 {
|
|
log.Printf(`I couldn't bind via UDP to the following IPs: "%s"`, strings.Join(unboundUDPIPs, `", "`))
|
|
}
|
|
default:
|
|
log.Fatal(err.Error())
|
|
}
|
|
tcpListener, err := net.ListenTCP("tcp", &net.TCPAddr{Port: *bindPort})
|
|
switch {
|
|
case err == nil: // success! We've bound to all interfaces
|
|
tcpListeners = append(tcpListeners, tcpListener)
|
|
case isErrorPermissionsError(err): // unnecessary because it should've bombed out earlier when attempting to bind UDP
|
|
log.Printf("Try invoking me with `sudo` because I don't have permission to bind to TCP port %d.\n", *bindPort)
|
|
log.Println(err.Error())
|
|
case isErrorAddressAlreadyInUse(err):
|
|
log.Printf("I couldn't bind via TCP to \"[::]:%d\" (INADDR_ANY, all interfaces), so I'll try to bind to each address individually.\n", *bindPort)
|
|
tcpListeners, unboundTCPIPs = bindTCPAddressesIndividually(*bindPort)
|
|
if len(unboundTCPIPs) > 0 {
|
|
log.Printf(`I couldn't bind via TCP to the following IPs: "%s"`, strings.Join(unboundTCPIPs, `", "`))
|
|
}
|
|
default:
|
|
log.Println(err.Error()) // Unlike UDP, we don't exit on TCP errors, we merely log
|
|
}
|
|
if len(tcpListeners) == 0 {
|
|
// unlike UDP failure to bind, we don't exit because TCP is optional, UDP, mandatory
|
|
log.Printf("I couldn't bind via TCP to any IPs on port %d", *bindPort)
|
|
}
|
|
|
|
// Log the list of IPs that we've bound to because it helps troubleshooting
|
|
var boundUDPIPs []string
|
|
for _, udpConn := range udpConns {
|
|
boundUDPIPs = append(boundUDPIPs, udpConn.LocalAddr().String())
|
|
}
|
|
log.Printf(`I bound via UDP to the following IPs: "%s"`, strings.Join(boundUDPIPs, `", "`))
|
|
var boundTCPIPs []string
|
|
for _, tcpListener := range tcpListeners {
|
|
boundTCPIPs = append(boundTCPIPs, tcpListener.Addr().String())
|
|
}
|
|
log.Printf(`I bound via TCP to the following IPs: "%s"`, strings.Join(boundTCPIPs, `", "`))
|
|
|
|
if len(udpConns) == 0 { // couldn't bind to UDP anywhere? exit
|
|
log.Fatalf("I couldn't bind via UDP to any IPs on port %d, so I'm exiting", *bindPort)
|
|
}
|
|
if len(tcpListeners) == 0 { // couldn't bind to TCP anywhere? don't exit; TCP is optional
|
|
log.Printf("I couldn't bind via TCP to any IPs on port %d", *bindPort)
|
|
}
|
|
|
|
// Read from the UDP connections & TCP Listeners
|
|
// use goroutines to read from all the UDP connections EXCEPT the first; we don't use a goroutine for that
|
|
// one because we use the first one to keep this program from exiting
|
|
for _, udpConn := range udpConns[1:] {
|
|
go readFromUDP(udpConn, x, *quiet)
|
|
}
|
|
for _, tcpListener := range tcpListeners {
|
|
go readFromTCP(tcpListener, x, *quiet)
|
|
}
|
|
log.Printf("Ready to answer queries")
|
|
readFromUDP(udpConns[0], x, *quiet) // refrain from exiting; There should always be a udpConns[0], and readFromUDP() _never_ returns
|
|
}
|
|
|
|
func readFromUDP(conn *net.UDPConn, x *xip.Xip, quiet bool) {
|
|
for {
|
|
query := make([]byte, 512)
|
|
_, addr, err := conn.ReadFromUDP(query)
|
|
if err != nil {
|
|
log.Println(err.Error())
|
|
continue
|
|
}
|
|
go func() {
|
|
response, logMessage, err := x.QueryResponse(query, addr.IP)
|
|
if err != nil {
|
|
log.Println(err.Error())
|
|
return
|
|
}
|
|
_, err = conn.WriteToUDP(response, addr)
|
|
if !quiet {
|
|
log.Printf("%v.%d %s", addr.IP, addr.Port, logMessage)
|
|
}
|
|
x.Metrics.UDPQueries += 1
|
|
}()
|
|
}
|
|
}
|
|
|
|
func readFromTCP(tcpListener *net.TCPListener, x *xip.Xip, quiet bool) {
|
|
for {
|
|
query := make([]byte, 65535) // 2-byte length field means largest size is 65535
|
|
tcpConn, err := tcpListener.AcceptTCP()
|
|
if err != nil {
|
|
log.Println(err.Error())
|
|
continue
|
|
}
|
|
_, err = tcpConn.Read(query)
|
|
query = query[2:] // remove the 2-byte length at the beginning of the query
|
|
if err != nil {
|
|
log.Println(err.Error())
|
|
continue
|
|
}
|
|
remoteAddrPort := tcpConn.RemoteAddr().String()
|
|
addr, port, err := net.SplitHostPort(remoteAddrPort)
|
|
|
|
go func() {
|
|
defer func(tcpConn *net.TCPConn) {
|
|
_ = tcpConn.Close()
|
|
}(tcpConn)
|
|
response, logMessage, err := x.QueryResponse(query, net.ParseIP(addr))
|
|
if err != nil {
|
|
log.Println(err.Error())
|
|
return
|
|
}
|
|
// insert the 2-byte length to the beginning of the response
|
|
responseSize := uint16(len(response))
|
|
responseSizeBigEndianBytes := make([]byte, 2)
|
|
binary.BigEndian.PutUint16(responseSizeBigEndianBytes, responseSize)
|
|
response = append(responseSizeBigEndianBytes, response...)
|
|
_, err = tcpConn.Write(response)
|
|
if !quiet {
|
|
log.Printf("%s.%s %s", addr, port, logMessage)
|
|
}
|
|
x.Metrics.TCPQueries += 1
|
|
}()
|
|
}
|
|
}
|
|
|
|
func bindUDPAddressesIndividually(bindPort int) (udpConns []*net.UDPConn, unboundIPs []string) {
|
|
ipCIDRs := listLocalIPCIDRs()
|
|
for _, ipCIDR := range ipCIDRs {
|
|
ip, _, err := net.ParseCIDR(ipCIDR)
|
|
if err != nil {
|
|
log.Printf(`I couldn't parse the local interface "%s".`, ipCIDR)
|
|
continue
|
|
}
|
|
udpConn, err := net.ListenUDP("udp", &net.UDPAddr{
|
|
IP: ip,
|
|
Port: bindPort,
|
|
Zone: "",
|
|
})
|
|
if err != nil {
|
|
unboundIPs = append(unboundIPs, ip.String())
|
|
} else {
|
|
udpConns = append(udpConns, udpConn)
|
|
}
|
|
}
|
|
return udpConns, unboundIPs
|
|
}
|
|
|
|
func bindTCPAddressesIndividually(bindPort int) (tcpListeners []*net.TCPListener, unboundIPs []string) {
|
|
ipCIDRs := listLocalIPCIDRs()
|
|
for _, ipCIDR := range ipCIDRs {
|
|
ip, _, err := net.ParseCIDR(ipCIDR)
|
|
if err != nil {
|
|
log.Printf(`I couldn't parse the local interface "%s".`, ipCIDR)
|
|
continue
|
|
}
|
|
listener, err := net.ListenTCP("tcp", &net.TCPAddr{IP: ip, Port: bindPort})
|
|
if err != nil {
|
|
unboundIPs = append(unboundIPs, ip.String())
|
|
} else {
|
|
tcpListeners = append(tcpListeners, listener)
|
|
}
|
|
}
|
|
return tcpListeners, unboundIPs
|
|
}
|
|
|
|
// TODO: replace this function with net.InterfaceAddrs() ([]Addr, error)
|
|
// typical addr "10.9.9.161/24"
|
|
func listLocalIPCIDRs() []string {
|
|
var ifaces []net.Interface
|
|
var cidrStrings []string
|
|
var err error
|
|
if ifaces, err = net.Interfaces(); err != nil {
|
|
panic(err)
|
|
}
|
|
for _, iface := range ifaces {
|
|
var cidrs []net.Addr
|
|
if cidrs, err = iface.Addrs(); err != nil {
|
|
panic(err)
|
|
}
|
|
for _, cidr := range cidrs {
|
|
cidrStrings = append(cidrStrings, cidr.String())
|
|
}
|
|
}
|
|
return cidrStrings
|
|
}
|
|
|
|
// Thanks https://stackoverflow.com/a/52152912/2510873
|
|
func isErrorAddressAlreadyInUse(err error) bool {
|
|
var eOsSyscall *os.SyscallError
|
|
if !errors.As(err, &eOsSyscall) {
|
|
return false
|
|
}
|
|
var errErrno syscall.Errno // doesn't need a "*" (ptr) because it's already a ptr (uintptr)
|
|
if !errors.As(eOsSyscall, &errErrno) {
|
|
return false
|
|
}
|
|
if errors.Is(errErrno, syscall.EADDRINUSE) {
|
|
return true
|
|
}
|
|
const WSAEADDRINUSE = 10048
|
|
if runtime.GOOS == "windows" && errErrno == WSAEADDRINUSE {
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
func isErrorPermissionsError(err error) bool {
|
|
var eOsSyscall *os.SyscallError
|
|
if errors.As(err, &eOsSyscall) {
|
|
if os.IsPermission(eOsSyscall) {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|