Skip to content

Instantly share code, notes, and snippets.

@Al-Azif
Last active January 12, 2024 13:00
Show Gist options
  • Save Al-Azif/255479c07006e7614e6bae342c19c44d to your computer and use it in GitHub Desktop.
Save Al-Azif/255479c07006e7614e6bae342c19c44d to your computer and use it in GitHub Desktop.
Update on the situation/solution for the Live DNS service

Preamble

So I gotta have a minute of real talk where I'll explain the issues and why no automated solution will really solve the issue. Do not just read part of this, do not take someone else’s, often incorrect, TL;DR as what was actually said.

There's an extremely large amount of IPs trying to use the DNS for browsing on their PC (or w/e). Literally millions of requests a second. I cannot separate these out without it becoming a full time job just watching traffic and reacting. This will also cost an amount, monthly, that I'm not willing to pay for a free service. I have a way for it to work, but a fair amount of people aren't going to like it.

What have you tried?

These are the issues I'm running into:

  • It is not coming from a single IP block, so I cannot just block a certain network, ex 192.168.1.*
  • Setting a quota, per IP, doesn't work because there are so many unique IPs.
  • Rate limiting does not work because there are so many unique IPs.
  • The traffic does not appear malicious or unusual (For regular internet usage).
  • Whitelisting every domain that "needs" to be available is unfeasible because it would be a constant battle on what people want to use/visit.
  • No you cannot go off of MAC addresses, they are not transmitted.
  • No you cannot use Cloudflare or some other free proxy service, as it's not HTTP/HTTPS traffic that's the issue.
  • Jumping IP addresses may work for a time but doesn't actually solve the issues, and it's likely the issue will pop up again. The IPs have also been the same for years and user needing to continuously look up the new IPs every other month is silly. This also opens the possibility for trolling if the IPs go back into the pool of available IPs. Someone else will be assigned the IP, meaning they could run a DNS to allow updates, host bricking payload, etc. There's no free way to keep the old IPs reserved and keep getting new ones, the costs would snowball fast.

I've spent the last month logging data and talking with professionals with tech support at different hosting companies trying to figure out a solution... There isn't one that isn't prohibitively expensive. "Unlimited" is not actually unlimited, FYI, talking to their tech support versus their sales support the picture becomes clear. To run it as is, I'd need to spend thousands monthly and to have someone dedicated to monitoring it 24/7/365.

What's your solution?

The only solution I can figure out is whitelisting client IPs for recursive queries. This means IPs contained within a config file will be allowed to use the DNS the same way it's been used the last 5 year. Unfortunately, there's no open system to manage something like this and most of the easy ones we could come up with can easily be cheated/bypassed. I have a system setup that can't really be cheated... but it will cost users $1/month. GitHub sponsors allows me to export data and I have a script setup that after you submit me your IP it will keep the IP associated with your GitHub whitelisted on both servers. If this actually becomes popular enough, doubt.jpg, I'll throw together a little website frontend for it.

The DNS will work as usual with the exception the recursive queries, like it has been the last month. This means speed tests, update blocking, hijacking, and the exploit host located on the same server will function as usual without any user interaction. You can also access resources via raw IP addresses.

So you're charging for your work now?

No, all my code past, present, and future, and will remain, open source to the best of my abilities. You can host exactly what I'm hosting yourself on your home PC. The only thing that will have a cost associated with it is a singular live service I host, and only a portion of it.

My work will also continue as usual, however; if I actually hit any funding goals it will greatly speed up being able to get back to work on PS stuff in any real capacity, versus the last two years where I've just done some stuff behind the scenes for a few people and general maintenance to keep things running.

I'll put an emphasis on keeping the live service host up to date (Like adding PS5 exploits) as it'd be a paid service.

You can see more info on my GitHub sponsors page here.

@Smig0l
Copy link

Smig0l commented Jan 5, 2024

Hi! Can u paste a nload output? What are the specs or your vms?
I have some free vm in Oracle cloud and i can build one or two dns servers.
Glad to help you!

@Al-Azif
Copy link
Author

Al-Azif commented Jan 5, 2024

Hi! Can u paste a nload output? What are the specs or your vms? I have some free vm in Oracle cloud and i can build one or two dns servers. Glad to help you!

It's not a spec issue, it's a bandwidth issue. I can easily fully saturate a 10gb line 24/7 right now.

@CasperMcFadden95
Copy link

I think whitelisting the top 25 most used websites would be a good compromise (pkg-zone.com, es7in1.site, youtube.com, github.com, e.t.c.)
This will discourage someone from using this DNS on their laptop/router as most sites won't work.
Thanks for offering this service.

@hemiware
Copy link

hemiware commented Jan 7, 2024

just host the ps5 payloads on the sever like the ps4 and everybody is happy; wright? leave the rest like it is

@dweee
Copy link

dweee commented Jan 7, 2024

This will discourage someone from using this DNS on their laptop/router as most sites won't work.

this IS the issue.. people using it on devices that plainly don't need it. from personal experience setting the DNS on PS4/Switch is piss easy so setting it on your router is just straight up a waste of bandwidth for this DNS service's intentions.
Plus if you rely on your router, what's not to say that your router might hand out the ISP's DNS after an update or if you take your console to another house or new network? You're just unnecessarily causing the potential for an update to even just get downloaded which you (or someone else) may mistakenly apply.
There's no excuse to set this DNS on other devices/as your networks DHCP servers' DNS to hand out to clients.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment