Releases: cunnie/sslip.io

ns-gce.sslip.io nameserver is retired

27 Dec 20:24

Previously ns-gce.sslip.io was a "half" nameserver: it didn't have a glue record like the three other nameservers, but the sslip.io nameservers included it in the list of nameservers when queried. ns-gce didn't do logging, also unlike its brethren. In many ways, ns-gce was the runt of the litter, and today we cull the herd (don't ask me for more metaphors; I'm stopping here).

Backstory

The ns-gce nameserver has always been problematic: I couldn't turn on logging because Google gouged me >$20/month for the logs alone (which was the impetus for the -quiet flag), so I made it "half" a nameserver: the registrar didn't have it as one of the three nameservers, but the nameservers themselves, when queried for the NS records, included it as a fourth.

But I want complete logs, so I'm fully retiring this nameserver.

Unfortunately, I signed up for a three-year GCP "committed use discount" which doesn't expire until 2026-11-02, which goes to show that a lot can happen in two years. Who knew that VMware would deprecate k8s in favor of Cloud Foundry? Who knew that I'd leave Broadcom for Majestic Labs in July 2024? Lesson learned: don't do 3-year committed use discounts.

Enhanced hexadecimal notation delimiters

31 Aug 03:21

Enhanced Hexadecimal Delimiters

Hexadecimal notation now includes - (dashes) as well as . (dots). Previously only dots were allowed.

Previously www-7f000001-usa.nip.io wouldn't resolve; now it resolves to 127.0.0.1

🐞 Fixed IPv4 Regex

There was a corner case where certain IP addresses wouldn't resolve correctly if they were preceded by a 0n (zero followed by a decimal digit). That bug is now fixed. Examples of the hostnames that now resolve but previously didn't:

  • funprdmongo30-03.10.1.4.133.nip.io. → 10.1.4.133
  • olvm-engine-01.132.145.157.105.nip.io. → 132.145.157.105
  • wt32-ETh01-03.172.26.131.29.NIp.IO. → 172.26.131.29

Faster blocklist

29 Aug 01:11

Fivefold increase in blocklist lookup speed, dropping from consuming 4.8% of the CPU to 0.96%

We tighten the screws on the spammers abusing nip.io/sslip.io with DMARC TXT records, same as Google's DMARC but without the reporting. Thanks @brakhane.

Fighting Spammers: tighten SPF soft fail → hard fail

19 Aug 13:55

Dirtbag spammers are using the sslip.io domain to send spam email, which has triggered the addition of our domain to the Spamhaus Domain Blocklist (DBL) (so far nip.io has remained unscathed).

We fight this the best way we can: we make the SPF (sender policy framework) more restrictive; instead of our previous "soft fail" policy if the email doesn't come from one of our approved mailservers (i.e. Protonmail), we now have a "hard fail".
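A check for the soft-fail versus hard-fail distinction described above, added here as an example (not code from the sslip.io project). The TXT values and the `_spf.mail.example` include are constructed placeholders, not the project's real records; `auditSPF` and `catchAll` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// SPF qualifiers and the result each one yields.
var spfResult = map[byte]string{'+': "pass", '-': "fail", '~': "softfail", '?': "neutral"}

// catchAll returns the result of the first "all" mechanism among the terms,
// or "none" if there is no "all". A bare "all" has the default "+" qualifier.
func catchAll(terms []string) string {
	for _, term := range terms {
		q, mech := byte('+'), strings.ToLower(term)
		if _, ok := spfResult[mech[0]]; ok {
			q, mech = mech[0], mech[1:]
		}
		if mech == "all" {
			return spfResult[q]
		}
	}
	return "none"
}

// auditSPF picks the SPF record out of a domain's TXT answers and reports its
// catch-all result. Several SPF records is a permerror under RFC 7208, and
// zero means no policy is published, so both are returned as errors.
func auditSPF(txts []string) (string, error) {
	var found [][]string
	for _, t := range txts {
		if f := strings.Fields(t); len(f) > 0 && strings.EqualFold(f[0], "v=spf1") {
			found = append(found, f[1:])
		}
	}
	if len(found) != 1 {
		return "", fmt.Errorf("want exactly one SPF record, found %d", len(found))
	}
	return catchAll(found[0]), nil
}

func main() {
	// Constructed TXT answers: the policy before and after the change.
	before := []string{"constructed-verification=abc", "v=spf1 include:_spf.mail.example ~all"}
	after := []string{"constructed-verification=abc", "v=spf1 include:_spf.mail.example -all"}
	fmt.Println(auditSPF(before))
	fmt.Println(auditSPF(after))
}
```

A receiver treats `softfail` as a hint and usually still accepts the message, while `fail` lets it reject mail from servers outside the approved list.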

From a personal standpoint, it's discouraging to have to spend an hour dealing with this.

TODO: I might also remove the dynamic MX feature, e.g. dig mx 127-0-0-1.nip.io → 0 127-0-0-1.nip.io.

From: Namecheap Legal & Abuse Team legalandabuse@namecheap.com

We have recently received some reports indicating that there might be unsolicited email activity associated with your domain. The following domain registered under your Namecheap account has been flagged by anti-spam organizations:

The Spamhaus Project Ltd. DBL:
sslip.io

Unclutter git history by removing blocked sites

17 Aug 14:37

This version introduces no new features, fixes no bugs. This version merely updates the location of the blocklist (IPs that we block due to takedown notices). The blocklist is now in its own repo, with its own commit history.

Our commit history is cluttered with blocking sites due to takedown notices. It's unseemly, so we've created a new repo, https://github.com/cunnie/sslip.io-blocklist, to be used exclusively for blocking phishers, scammers, and grifters.

PTR domain is configurable

08 Aug 04:19

Default PTR record domain has changed from "sslip.io" to "nip.io".
For example, dig -x 127.0.0.1 @ns.nip.io previously returned
127-0-0-1.sslip.io., now returns 127-0-0-1.nip.io.

Previously, the PTR domain was hard-coded to sslip.io., but this
commit introduces two changes:

  • the default PTR domain is now nip.io.. Hey, it's shorter.
  • the PTR domain can now be set with the -ptr-domain flag, e.g. go run main.go -ptr-domain=xip.example.com and then querying dig -x 169.254.169.254 would return 169-254-169-254.xip.example.com.

Notes:

  • I don't feel bad about changing the default behavior because hardly
    anyone uses PTR lookups. Out of 12,773,617,290 queries, only 1564 were
    PTR records (0.000012%)!
  • In that vein, I acknowledge that this is a feature that no one's
    clamoring for, no one will use, but it's important to me for reasons
    that I don't fully understand.

Promote nip.io

22 Jul 15:23

  • nip.io has special-purpose TXT records (ip.nip.io, version.status.nip.io, metrics.status.nip.io)
  • nip.io has a full suite of NS records (e.g. ns-ovh.nip.io, ns-gce.nip.io)
  • nip.io has a wildcard NS record (ns.nip.io)
  • nip.io is described more prominently in the docs

Web pages:

  • bumped bootstrap version
  • fixed favicon
  • fixed broken stylesheets
  • freshened the README (e.g. remove stale warnings about ns-aws going away)

Hexadecimal Notation

23 Jun 12:23

Resolve hexadecimal notation for IPv4 & IPv6 addresses

Examples:

  • 7f000001.sslip.io → 127.0.0.1
  • 00000000000000000000000000000001.nip.io → ::1

This came about as a result of the nip.io migration to sslip.io servers: nip.io supported hexadecimal notation; sslip.io didn't. Several nip.io users were blindsided by the feature's lack, and raised an issue.

  • The hexadecimal-notated IPv4 must be exactly 8 hexadecimal characters, no separators.
  • The hexadecimal-notated IPv6 must be exactly 32 hexadecimal characters, no separators.
  • Any hexadecimal notation must be bookended by dots or by the beginning or end of the string (www.0a09091e.sslip.io or 0a09091e.sslip.io). No dashes.
  • If a normal IP notation and a hex notation are in the same hostname, then the normal IP notation takes precedence. This preserves existing behavior for sslip.io users, e.g. (0a09091e.127-0-0-1.sslip.io resolves to 127.0.0.1, not 10.9.9.30)
  • IPv6's hexadecimal notation is so clunky that I doubt it'll ever be used.

[#92]
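The matching rules above, together with the later dash-delimiter change and the hostnames from the IPv4 regex fix, as an added Go example (not the sslip.io source). The function name `embeddedIP`, its `dashHex` switch and the regular expressions are assumptions of this example; in particular, rejecting leading-zero octets is one way to make the three listed hostnames resolve as shown, not necessarily how the project fixed its regex.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// One decimal octet, 0-255, with no leading zeros: "03" is not an octet.
const octet = `(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)`

var (
	// Decimal IPv4, dot or dash separated, bounded by a separator or the string edge.
	decRe = regexp.MustCompile(`(?:^|[.-])(` + octet + `(?:[.-]` + octet + `){3})(?:$|[.-])`)
	// Exactly 8 (IPv4) or 32 (IPv6) hex characters; original rule: dots only.
	hexDotRe = regexp.MustCompile(`(?:^|\.)([0-9a-fA-F]{32}|[0-9a-fA-F]{8})(?:$|\.)`)
	// Later rule: dashes also delimit hexadecimal notation.
	hexDashRe = regexp.MustCompile(`(?:^|[.-])([0-9a-fA-F]{32}|[0-9a-fA-F]{8})(?:$|[.-])`)
)

// embeddedIP returns the address embedded in host, or nil if there is none.
// Decimal notation takes precedence over hexadecimal notation.
func embeddedIP(host string, dashHex bool) net.IP {
	if m := decRe.FindStringSubmatch(host); m != nil {
		return net.ParseIP(strings.ReplaceAll(m[1], "-", "."))
	}
	re := hexDotRe
	if dashHex {
		re = hexDashRe
	}
	if m := re.FindStringSubmatch(host); m != nil {
		if b, err := hex.DecodeString(m[1]); err == nil {
			return net.IP(b) // 4 bytes print as IPv4, 16 bytes as IPv6
		}
	}
	return nil
}

func main() {
	// Hostnames taken from the release notes on this page.
	for _, h := range []string{"funprdmongo30-03.10.1.4.133.nip.io.",
		"www-7f000001-usa.nip.io", "0a09091e.127-0-0-1.sslip.io"} {
		fmt.Printf("%s dots-only=%v dashes=%v\n", h, embeddedIP(h, false), embeddedIP(h, true))
	}
}
```

Because any hostname under these domains resolves to whatever address it encodes, the same parser is useful on the defensive side for spotting names that point at loopback or internal ranges in logs and allowlists.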

Introducing nip.io

15 Jun 23:56

Roopinder Singh, the creator of nip.io, has passed, but his estate has granted sslip.io the privilege of hosting nip.io, and this release includes changes to allow the website (https://nip.io) and email to live on.

ns-ovh-sg → ns-do-sg; +ns-gce

21 May 01:27

We replace ns-ovh-sg with ns-do-sg; this is a purely financial decision: ns-ovh-sg costs $60/month, $720/year.

ns-do-sg (Digital Ocean) is also a Singapore-based DNS server. It's a basic-regular-2vcpu-4GiB RAM-80GB SSD-4TiB bandwidth for $24/month, $288/year.

That's a yearly savings of $432.

I had originally overspec'ed the Singapore server because I suspected that there was a ton of traffic in Asia; I was wrong. It's not even 20% the traffic of Europe or North America. I am confident the Digital Ocean server will be able to handle it.

I also reintroduce ns-gce as the second server in North America, backing up ns-hetzner. My hope is that ns-hetzner carries most of the load, and ns-gce carries the rest, but not so much as to trigger Google Cloud Platform's (GCP's) expensive bandwidth billing.

DNS server    Queries / second
----------    ----------------
ns-hetzner    10706.4
ns-ovh        10802.0
ns-ovh-sg     1677.7