
Releases: cunnie/

`-quiet` flag suppresses logging for each DNS query

27 Nov 01:30

Google Cloud Platform (GCP) charged me $17.69 last month for "Cloud Logging" which consumed 84.74 GiB.

At an average of 51.2 queries/second, each log line averaging 192 bytes, and 60*60*24*30 seconds/month, this works out to 25,480,396,800 bytes (23.73 GiB), which works out to a monthly savings of $4.95 if using the `-quiet` flag.

However, it seems that my savings would be even greater because, when I visually browse the logs, at least ⅔ are from logging.

Breaking Change

The newest Docker image (v2.6.2+) should be invoked differently, without the `/usr/sbin/` path to the binary: arguments given to `docker run` are now appended to the image's entrypoint instead of replacing its command, so only the flags are passed.

```diff
 docker run \
   -it \
   --rm \
   -p 53:53/udp \
-    /usr/sbin/ \
     -nameservers \
```

Tech note: I switched the Dockerfile CMD to ENTRYPOINT.

Full Changelog: 2.6.1...2.6.2

`-nameservers` & `-addresses` flags allow customized records

11 Nov 20:50
  • `-nameservers` flag allows overriding the hard-coded nameservers,,, and Typical use:, Useful in internetless (air-gapped) environments
  • `-addresses` flag allows customizing address records, often used in conjunction with `-nameservers`, e.g. -addresses,,
  • 🐞 Reliably bind to individual IP addresses. Sometimes the server would panic when binding to IP addresses individually
  • 🐞 Parallel integration tests would fail ~11% of the time due to a race condition. That condition has been fixed
  • Integration tests work internetless by default (good for coding on a plane)
  • Integration tests are parallelized
  • Updated SOA to two days before Armistice Day (11/09)
  • Dependency bumps, including bumping Ginkgo in Dockerfiles & go.mod
  • The Docker image cunnie/ supports both amd64 and arm64 architectures.

Full Changelog: 2.6.0...2.6.1

PTR Records for IPv4 & IPv6

15 Jul 02:10
  • IPv4 reverse lookup, e.g.
  • IPv6 reverse lookup, e.g.
  • Compressed TXT (more info including PTR and metrics, smaller packet)
  • Updated SOA to Bastille Day (7/14)
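How the reverse-lookup names in this release are formed, as an added example that is not sslip.io's own code: an IPv4 PTR owner name reverses the four octets under `in-addr.arpa` (RFC 1035 section 3.5), an IPv6 one reverses all 32 hex nibbles under `ip6.arpa` (RFC 3596 section 2.5). The two functions below convert in both directions and reject malformed names rather than guessing; the sample addresses, including the IPv6 address quoted later on this page, are constructed inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// addrToPTRName builds the owner name a resolver queries for a reverse lookup
// of addr: octets reversed for IPv4, nibbles reversed for IPv6.
func addrToPTRName(addr netip.Addr) string {
	if addr.Is4() {
		o := addr.As4()
		return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.", o[3], o[2], o[1], o[0])
	}
	b := addr.As16()
	labels := make([]string, 0, 32)
	for i := 15; i >= 0; i-- { // least-significant nibble first
		labels = append(labels, fmt.Sprintf("%x", b[i]&0x0f), fmt.Sprintf("%x", b[i]>>4))
	}
	return strings.Join(labels, ".") + ".ip6.arpa."
}

// ptrNameToAddr recovers the address a PTR query refers to. A name with the
// wrong label count or a non-address payload yields an error, which a server
// should turn into an empty answer rather than a fabricated record.
func ptrNameToAddr(name string) (netip.Addr, error) {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	switch {
	case strings.HasSuffix(name, ".in-addr.arpa"):
		labels := strings.Split(strings.TrimSuffix(name, ".in-addr.arpa"), ".")
		if len(labels) != 4 {
			return netip.Addr{}, errors.New("in-addr.arpa name needs exactly 4 octets")
		}
		// labels are stored least-significant octet first; ParseAddr rejects
		// out-of-range octets such as 999 and leading zeros
		addr, err := netip.ParseAddr(labels[3] + "." + labels[2] + "." + labels[1] + "." + labels[0])
		if err != nil {
			return netip.Addr{}, fmt.Errorf("%q does not encode an IPv4 address", name)
		}
		return addr, nil
	case strings.HasSuffix(name, ".ip6.arpa"):
		nibbles := strings.Split(strings.TrimSuffix(name, ".ip6.arpa"), ".")
		if len(nibbles) != 32 {
			return netip.Addr{}, errors.New("ip6.arpa name needs exactly 32 nibbles")
		}
		var b strings.Builder
		for i := 31; i >= 0; i-- { // walk from most- to least-significant nibble
			n := nibbles[i]
			if len(n) != 1 || !strings.Contains("0123456789abcdef", n) {
				return netip.Addr{}, fmt.Errorf("bad nibble %q in %q", n, name)
			}
			b.WriteString(n)
			if i%4 == 0 && i != 0 { // colon after every group of four
				b.WriteByte(':')
			}
		}
		return netip.ParseAddr(b.String())
	}
	return netip.Addr{}, errors.New("not a reverse-lookup name")
}

func main() {
	// constructed sample addresses
	for _, s := range []string{"1.2.3.4", "2601:646:100:69f7:cafe:bebe:cafe:bebe"} {
		addr := netip.MustParseAddr(s)
		name := addrToPTRName(addr)
		back, err := ptrNameToAddr(name)
		fmt.Printf("%s -> %s -> %s (err=%v)\n", addr, name, back, err)
	}
}
```

The round trip is the useful check when writing PTR support: build the name from an address, parse it back, and confirm the two addresses compare equal; an off-by-one in nibble order or a missing octet-range check shows up immediately.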

Full Changelog: 2.5.4...2.6.0

Security Release: prohibit TXT records on itself

01 May 00:16

This is a security release which prevents scammers from procuring a * wildcard certificate from commercial certificate authorities that use the ACME DNS-01 challenge (the CA proves control of a name by looking for a TXT record at `_acme-challenge.<name>`; the same record is consulted for the name and for its wildcard).

Much thanks to @Alan-Liang, who noted the following:

... one could easily add (and modify) a TXT record at, which I believe is used for verifying domain ownership at various cert providers, so anyone could in theory obtain valid SSL certs for and * I think this might be a security issue
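The report above in runnable form, as an added example that is not sslip.io's own code: a toy TXT store that any client can write to, a mimic of the CA side of DNS-01 (RFC 8555 section 8.4: the TXT value is base64url(SHA-256(key authorization)), and a wildcard identifier is validated at `_acme-challenge.<apex>` with the `*.` stripped), and the guard that this release's fix amounts to, refusing TXT writes on the server's own apex and on `_acme-challenge.<apex>`. The apex `example.com`, the `txtStore` type and the key authorization string are assumptions; the real server's zone name and API are not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// normalize compares names case-insensitively and without the trailing dot.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// txtStore stands in for a key-value DNS store whose TXT records any client
// may write. apex is the zone the server itself answers for (assumed here).
type txtStore struct {
	apex    string
	guarded bool // true: refuse writes that would let a stranger pass DNS-01 for apex
	records map[string][]string
}

var errSelfTXT = errors.New("refusing TXT write on the server's own domain")

// forbidden reports whether a TXT write to name would affect certificate
// issuance for the apex: the apex itself, and _acme-challenge.<apex>, the
// name a CA queries when validating both apex and *.apex.
func forbidden(name, apex string) bool {
	name, apex = normalize(name), normalize(apex)
	return name == apex || name == "_acme-challenge."+apex
}

func (s *txtStore) Put(name string, values ...string) error {
	if s.guarded && forbidden(name, s.apex) {
		return errSelfTXT
	}
	s.records[normalize(name)] = values
	return nil
}

func (s *txtStore) LookupTXT(name string) []string {
	return s.records[normalize(name)]
}

// dns01Value is the TXT value the CA expects: base64url(SHA-256(keyAuthorization)).
func dns01Value(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// dns01Passes mimics the CA: look up _acme-challenge.<identifier> (wildcard
// prefix removed) and accept if any TXT value matches.
func dns01Passes(s *txtStore, identifier, keyAuthorization string) bool {
	name := "_acme-challenge." + strings.TrimPrefix(normalize(identifier), "*.")
	want := dns01Value(keyAuthorization)
	for _, v := range s.LookupTXT(name) {
		if v == want {
			return true
		}
	}
	return false
}

// attackerObtainsWildcard plays the scenario from the report: a stranger who
// can write TXT records tries to satisfy DNS-01 for *.<apex>.
func attackerObtainsWildcard(guarded bool) bool {
	s := &txtStore{apex: "example.com", guarded: guarded, records: map[string][]string{}}
	keyAuth := "token.thumbprint" // constructed; a real one is issued by the CA
	if err := s.Put("_acme-challenge.example.com", dns01Value(keyAuth)); err != nil {
		return false
	}
	return dns01Passes(s, "*.example.com", keyAuth)
}

func main() {
	fmt.Println("unguarded store, attacker passes DNS-01 for *.example.com:", attackerObtainsWildcard(false))
	fmt.Println("guarded store,   attacker passes DNS-01 for *.example.com:", attackerObtainsWildcard(true))
}
```

The guard is deliberately narrow: ordinary keys under the apex stay writable, because that is the store's purpose. Anyone operating a public key-value DNS service should apply the same refusal to every name they intend to obtain certificates for, not just the apex.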

Full Changelog: 2.5.3...2.5.4

 is operational

22 Apr 23:25
  • has an A record
  • Dockerfile builds image to run on GKE
  • Rigorous testing of key-value get/put/delete on each of the three servers
  • Bug fixes to etcd TLS certificates (wrong SANs)

Full Changelog: 2.5.2...2.5.3

 on DELETE, don't return the deleted value

13 Apr 21:23

We don't return the deleted value because doing that would have the unintended consequence of postponing the deletion: downstream caching resolvers would hold the deleted value for up to three more minutes (the record's TTL). We'd rather have the key deleted sooner rather than later.

Some APIs, e.g. etcd's, return the deleted values in the response; those APIs can afford to do so because they have no downstream DNS caches to worry about.

We also lengthen the timeout of an etcd API call from 500 msec to 1928 msec; 500 msec was too tight, since some calls routinely took 480 msec to complete, and we wanted more headroom.

We also no longer do two etcd operations when we delete a value. Previously we would do a GET followed by a DELETE, but since we're not returning the deleted value, there's no point to the GET. Furthermore, the GET was never necessary: the etcd DELETE API call can itself return the deleted values.

  • We no longer produce BOSH releases; if you need a BOSH release, use version 2.5.1.
  • You can now select the port to bind to, e.g. -port 5353. This is useful, for example, when you're not running as a privileged user, and you can't bind to a privileged port (e.g. 53).
  • Blocklists are downloaded once per hour, not once per hour per IP address bound to.

Include a CIDR-based blocklist to foil phishers

27 Feb 01:24

Typical examples:, 2601:646:100:69f7:cafe:bebe:cafe:bebe/112

We decided we needed to block by CIDRs as well as strings because phishers can use hostnames that don't lend themselves to being blocked with strings, e.g.

  • Blocklist downloads every hour
  • Private IP addresses aren't blocked

[fixes #13]

Include a blocklist to foil phishers

07 Feb 04:11

Typical example:

Raiffeisen is a bank.

I was hoping Let's Encrypt would share their blocklist, but they wouldn't. See #13 for more information.

🐞 Fix crashes caused by specially-crafted hostnames

22 Jan 17:56

Bug fix: certain hostnames with embedded IPv4 addresses would cause the server to crash (this was caused by my regular expression thinking they were valid IPs, but net.ParseIP() disagreeing). Now the server doesn't crash; instead it returns no answers (correct behavior).
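The crash described here, and the string-plus-CIDR blocklist from the two releases above, in one added example that is not sslip.io's own code. `naiveEmbeddedIP` keeps the bug's shape: a regular expression accepts `999-1-1-1`, `net.ParseIP` returns nil for it, and slicing the nil result panics. `embeddedIP` re-validates every match and returns nil instead, which a server answers with no records. `blocklist` treats each line that parses as a CIDR as a network and everything else as a case-insensitive substring, and never blocks private or loopback addresses. Assumptions: hostnames embed an IPv4 address with dots turned into dashes or an IPv6 address with colons turned into dashes (the real format is not shown on this page), the domain `example.com`, and a constructed blocklist containing one bank name, two documentation ranges and the IPv6 range quoted in the CIDR release note.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"regexp"
	"strings"
)

// Assumed hostname shapes: 203-0-113-7.example.com (IPv4, dots -> dashes) and
// 2001-db8--1.example.com (IPv6, colons -> dashes).
var (
	dashedV4 = regexp.MustCompile(`(?:^|\.)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?:\.|$)`)
	dashedV6 = regexp.MustCompile(`(?:^|\.)([0-9a-f]*(?:-[0-9a-f]*){2,})(?:\.|$)`)
)

// naiveEmbeddedIP reproduces the pre-fix crash: the regex is happy with
// 999-1-1-1, net.ParseIP returns nil, and slicing nil panics.
func naiveEmbeddedIP(hostname string) net.IP {
	m := dashedV4.FindStringSubmatch(strings.ToLower(hostname))
	if m == nil {
		return nil
	}
	return net.ParseIP(strings.Join(m[1:], "."))[12:16] // panics when ParseIP returned nil
}

// embeddedIP is the fixed version: a regex match is only trusted once
// net.ParseIP accepts it; otherwise the hostname simply has no address.
func embeddedIP(hostname string) net.IP {
	h := strings.ToLower(hostname)
	if m := dashedV4.FindStringSubmatch(h); m != nil {
		if ip := net.ParseIP(strings.Join(m[1:], ".")); ip != nil {
			return ip
		}
	}
	if m := dashedV6.FindStringSubmatch(h); m != nil {
		if ip := net.ParseIP(strings.ReplaceAll(m[1], "-", ":")); ip != nil {
			return ip
		}
	}
	return nil
}

type blocklist struct {
	words []string       // hostname is blocked if it contains one of these
	cidrs []netip.Prefix // hostname is blocked if its embedded address lies in one of these
}

// parseBlocklist: a line that parses as a CIDR is a network, anything else
// is a case-insensitive substring; blank lines are skipped.
func parseBlocklist(lines []string) blocklist {
	var b blocklist
	for _, l := range lines {
		l = strings.TrimSpace(strings.ToLower(l))
		if l == "" {
			continue
		}
		if p, err := netip.ParsePrefix(l); err == nil {
			b.cidrs = append(b.cidrs, p.Masked())
			continue
		}
		b.words = append(b.words, l)
	}
	return b
}

// blocked decides whether a query for hostname gets the blocked answer.
// Private and loopback addresses are exempt, as the release note says.
func (b blocklist) blocked(hostname string) bool {
	h := strings.ToLower(hostname)
	for _, w := range b.words {
		if strings.Contains(h, w) {
			return true
		}
	}
	addr, ok := netip.AddrFromSlice(embeddedIP(h))
	if !ok {
		return false // no valid embedded address, so nothing to match a CIDR against
	}
	addr = addr.Unmap() // ParseIP yields 16-byte IPv4; compare as plain IPv4
	if addr.IsPrivate() || addr.IsLoopback() {
		return false
	}
	for _, p := range b.cidrs {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	bl := parseBlocklist([]string{"raiffeisen", "203.0.113.0/24", "2601:646:100:69f7:cafe:bebe:cafe:bebe/112", "10.0.0.0/8"})
	for _, h := range []string{
		"raiffeisen-login.198-51-100-9.example.com",
		"203-0-113-7.example.com",
		"2601-646-100-69f7-cafe-bebe-cafe-beef.example.com",
		"10-0-0-5.example.com",  // inside 10.0.0.0/8 but private, so still served
		"999-1-1-1.example.com", // crashed the old code; now simply has no address
	} {
		fmt.Printf("%-52s ip=%v blocked=%v\n", h, embeddedIP(h), bl.blocked(h))
	}
}
```

The ordering matters: the substring check runs before any address parsing, so a phishing hostname is caught even when its embedded address is private or malformed, and a hostname whose address fails validation gets an empty answer from `embeddedIP` rather than a panic from the regex match alone.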

Now with metrics!

20 Jan 16:33
  • Feature: you can view the metrics of a given server by querying the TXT record of, e.g. dig txt +short
  • Bug fix: the server would panic() when querying the TXT record of a customized domain which didn't have a customized TXT record, e.g. dig txt +short. Now it doesn't panic()
  • Change: experimental TXT records to find the server version have been moved from to, e.g. dig txt +short
  • Change: TTL dropped from 300 to 180 seconds (5 minutes to 3 minutes). This lays the groundwork for the upcoming key-value store.