diff options
| author |  Joe Banks <[email protected]> | 2024-06-06 00:33:50 +0100 |
|---|---|---|
| committer | Joe Banks <[email protected]> | 2024-06-06 00:49:32 +0100 |
| commit | 768c0aaf100709b765c147631197f8cba6f1349a (patch) | |
| tree | 0bcbaba80229e0dee5c776839bd6ebcdf397ad6c /dns | |
| parent | Set proxied to true for paste record (diff) | |
Switch to using designated placeholder IPv4 for originless records
We currently used something like 1.2.3.4 or 1.1.1.1 as placeholder IP
addresses for DNS records where we ran in "originless" mode (the request
is always answered by a Cloudflare Worker or a redirect).
This changes that so we use designated reserved IPv4
addresses (192.0.2.0) to capture that traffic instead, ensuring that in
no circumstance would we leak traffic to an address like 1.1.1.1 or
1.2.3.4 if there was a Cloudflare misconfiguration.
Despite the potential risk vectors here being very small, it's a minor
change and also helps us ensure configuration works correctly in the future.
Diffstat (limited to 'dns')
| -rw-r--r-- | dns/zones/pydis.wtf.yaml | 4 | ||||
| -rw-r--r-- | dns/zones/pythondiscord.com.yaml | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/dns/zones/pydis.wtf.yaml b/dns/zones/pydis.wtf.yaml index f9867d1..21143bb 100644 --- a/dns/zones/pydis.wtf.yaml +++ b/dns/zones/pydis.wtf.yaml @@ -5,7 +5,7 @@ proxied: true ttl: 300 type: A - value: 1.2.3.4 + value: 192.0.2.0 # Reserved placeholder IPv4 address - octodns: cloudflare: auto-ttl: true @@ -127,7 +127,7 @@ paste: proxied: true ttl: 300 type: A - value: 1.2.3.4 + value: 192.0.2.0 pddc.devops: octodns: diff --git a/dns/zones/pythondiscord.com.yaml b/dns/zones/pythondiscord.com.yaml index 5422c09..ab436ec 100644 --- a/dns/zones/pythondiscord.com.yaml +++ b/dns/zones/pythondiscord.com.yaml @@ -86,7 +86,7 @@ challenge: proxied: true ttl: 300 type: A - value: 1.1.1.1 + value: 192.0.2.0 # Placeholder IPv4 address csp: octodns: |