2024 Update
Summary (2024)
As 2024 ends it’s worth posting an update (the only post for the year), mostly to remind myself what happened during the year.
Several times over the year I heard from users, which I always enjoy! Thank you to those folk who reached out with questions; keep the emails coming!
I ended 2024 with the same 3 servers (SYD/ADL/PER) online that I started the year with. Across the servers the stats are:
- 435M DNS queries being served (rolling 30 days)
- 900GB of outbound data (rolling 30 days)
- 90 percent of DNS queries served from AdGuard’s cache
- 11 percent of all DNS queries were blocked by ad/malware filters
- Average processing time 21ms, including queries that were not cached
On the busiest server (ADL) I saw a gradual decline in traffic over the latter part of 2024. I’m not sure if the server was removed from a list somewhere, or if users are finding servers closer to them, I mean Adelaide is a long way from most places to be fair :-)
June
I had an ISP from Turkmenistan start hitting the ADL server pretty hard, to the tune of 10x the usual total daily traffic. Unfortunately the little VM ran out of resources and was unable to process traffic. This was the second time this had happened from the same ISP; the previous occurrence was a year earlier. The queries were spread across a specific /21 on their network and came from varying source IP addresses, so no single address stood out.
I was unable to rate limit the traffic successfully and ended up blocking one /24 subnet at a time until the server stabilised. I reached out to them using the contacts on their RIPE DB listings, but never heard back. Months later I removed the firewall rules and the traffic had finally stopped.
The DNS queries themselves looked fairly normal. I’m not sure whether they had pointed their own customer-facing resolvers at my server for upstream resolution or something else; it seems unlikely it was end users hitting my service directly. I do wonder why it was being done and where that traffic is being served from now.
July
I was contacted by the hosting company who provides the VPS for the Adelaide location, as they suspected my VM was compromised. I had to explain that the server was used for providing a public DNS service, which they weren’t terribly thrilled about, but they agreed to look further.
On closer inspection of their traffic logs it turned out someone had been sending NTP requests to hosts around the Internet with my server’s IP forged as the source address, as part of a spoofed DDoS attack: the VM was receiving a flood of unexpected UDP port 123 (NTP) reply traffic from those hosts, the usual shape of NTP reflection traffic with my address as the spoofed one.
I add all my VMs to the NTP Pool project and have done so for 15+ years. In this case, even though there was nothing wrong with the server or its configuration, I took the VM out of the NTP pool to keep the hosting company happy.
November
I moved DNS for the domain to LuaDNS and then set up a script to do automatic certificate renewal (DNS-based validation via the LuaDNS API) followed by an application restart. I’m not sure why I waited so long to do that; I’ve been manually renewing certs every 90 days for years, like a chump…
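As an added example (not the author’s script), here is the shape of such a renewal-and-restart wrapper, using certbot with the certbot-dns-luadns plugin for the DNS-01 challenge and restarting AdGuard Home only when a new chain was actually written. The plugin flags and credentials-file keys are as documented for that plugin (verify against your installed version), and the certificate location under `/etc/letsencrypt/live/<domain>/` and the systemd unit name `adguardhome` are assumptions; the `--dry-run` path exercises the flow with a fake certbot in a temporary directory.

```python
"""Renew a TLS certificate with a DNS-based (ACME DNS-01) challenge through
the LuaDNS API and restart AdGuard Home only when the certificate changed.

Added example, not the post author's script. Assumptions: certbot with the
certbot-dns-luadns plugin is installed, the LuaDNS credentials file is
readable only by root, certbot writes to /etc/letsencrypt/live/<domain>/, and
AdGuard Home runs as the systemd unit "adguardhome".
"""
import hashlib
import pathlib
import subprocess
import sys
import tempfile

# Credentials file layout expected by certbot-dns-luadns (assumed; the token
# is a placeholder). Keep it mode 600: whoever holds the token can rewrite
# the whole zone, which is a domain-takeover-grade secret, not just a cert one.
EXAMPLE_CREDENTIALS = """\
dns_luadns_email = you@example.org
dns_luadns_token = 0000000000000000000000000000000000000000
"""


def certbot_args(domain, credentials, propagation_seconds=60):
    """Build the non-interactive certbot command for a DNS-01 issuance/renewal."""
    return [
        "certbot", "certonly", "--non-interactive", "--agree-tos",
        "--keep-until-expiring",          # no-op unless renewal is actually due
        "--dns-luadns",
        "--dns-luadns-credentials", str(credentials),
        "--dns-luadns-propagation-seconds", str(propagation_seconds),
        "-d", domain,
    ]


def fingerprint(path):
    """SHA-256 of a PEM file, used to detect that a new chain was written."""
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()


def renew_and_restart(domain, credentials, live_dir="/etc/letsencrypt/live",
                      unit="adguardhome", run=subprocess.run):
    """Run certbot; restart the resolver only if fullchain.pem changed.

    `run` is injected so the flow can be exercised without certbot or systemd.
    Returns True when a restart was issued.
    """
    cert = pathlib.Path(live_dir) / domain / "fullchain.pem"
    before = fingerprint(cert) if cert.exists() else None
    run(certbot_args(domain, credentials), check=True)
    after = fingerprint(cert)  # raises if certbot produced no chain at all
    if before == after:
        return False
    run(["systemctl", "restart", unit], check=True)
    return True


def dry_run():
    """Exercise the flow with a fake certbot/systemctl in a temp directory.

    Returns (restarted_on_first_pass, restarted_on_second_pass, commands_seen).
    """
    calls = []
    with tempfile.TemporaryDirectory() as tmp:
        cert = pathlib.Path(tmp) / "dns.example" / "fullchain.pem"
        cert.parent.mkdir()
        cert.write_bytes(b"-----OLD CHAIN-----\n")

        def fake_run(args, check=False):
            calls.append(list(args))
            if args[0] == "certbot" and len(calls) == 1:
                cert.write_bytes(b"-----NEW CHAIN-----\n")  # first pass renews

        first = renew_and_restart("dns.example", "/root/luadns.ini",
                                  live_dir=tmp, run=fake_run)
        second = renew_and_restart("dns.example", "/root/luadns.ini",
                                   live_dir=tmp, run=fake_run)
    return first, second, calls


if __name__ == "__main__":
    if "--dry-run" in sys.argv:
        print(dry_run())
    elif len(sys.argv) == 3:
        restarted = renew_and_restart(sys.argv[1], sys.argv[2])
        print("restarted" if restarted else "certificate unchanged")
    else:
        print(f"usage: {sys.argv[0]} <domain> <credentials.ini> | --dry-run")
```

Run it daily from cron or a systemd timer; `--keep-until-expiring` makes the certbot call a no-op until renewal is due, and the fingerprint check keeps the resolver from being bounced on the days nothing changed. certbot’s own `--deploy-hook "systemctl restart adguardhome"` achieves the same restart-on-issue behaviour if you would rather not wrap it.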
December
On suggestion of a friend, I added HaGeZi’s Light DNS Blocklist to the mix of blocking lists that I use across the servers, with a positive effect of catching a bit more junk.
A snapshot of 100,000 queries shows how much each list caught. Each blocked query is attributed to a single list, so the percentages add up to the overall block rate (11.16 percent, matching the 11 percent figure above) but say nothing about how much the lists overlap.

| Blocklist | Blocked |
|---|---|
| AdGuard DNS | 5.81% |
| 1Hosts Lite | 2.12% |
| HaGeZi Light | 1.89% |
| OISD Light | 1.34% |
Future (2025)
A couple of items that I still have on my “thinking about it” list are:
- Opening up plain port 53 in AU for folk who have devices that can’t do DoH/DoT (an open UDP/53 resolver is a ready-made reflection target, so it would need per-client rate limiting and response-size limits from day one)
- Expanding to add more servers, either inside or outside AU
Let’s see what 2025 brings!