[net] Add seed.bitcoin.wiz.biz to DNS seeds #19284

pull wiz wants to merge 1 commits into bitcoin:master from wiz:add-wiz-seed changing 1 files +1 −0
  1. wiz commented at 12:27 PM on June 15, 2020: contributor

    I've created the seed.bitcoin.wiz.biz DNS seed for the benefit of the Bitcoin community, and will operate it in accordance with the Bitcoin DNS seed operator policy. Since this is my first PR to the Bitcoin Core project, I also ACK the contributing guidelines.

    The data for this DNS seed is generated using redundant instances of TheBlueMatt's dnsseed-rust implementation, which connects to all discoverable Bitcoin nodes to verify their capabilities and speed, and utilizes the full AS-MAP data from my network's BGP tables to select Bitcoin nodes which are fairly distributed across different networks.

    As for my qualifications, I currently operate Bitcoin nodes for the mempool.space open-source block explorer project (mempool) and the Bisq Network open-source P2P trading community (bisq-network). I have 20 years' experience as a network engineer, and all of my Bitcoin nodes are hosted on my own network across multiple datacenters. For personal references, the current Bitcoin DNS seed operators Emzy and TheBlueMatt can probably vouch for me.

    The DNS responses served from this instance are currently served with a TTL of 60 seconds, and the DNS resolvers do not log queries from users. Any inquiries related to the operation of this DNS seed can be sent to noc@wiz.biz.

    Here is a rough diagram of the seed.bitcoin.wiz.biz DNS seed architecture:

    [Diagram: seed.bitcoin.wiz.biz DNS seed architecture]

  2. [net] Add seed.bitcoin.wiz.biz to DNS seeds 313a081b90
  3. fanquake added the label P2P on Jun 15, 2020
  4. jonatack commented at 12:53 PM on June 15, 2020: member

    Concept ACK. I'm unsure how to review this, but it looks like no new seed operators have been added since December 2018 and the previous ones were in 2017. Started up a node after removing all the other seeds and re-building, and the debug log printed "2020-06-15T12:42:21Z 282 addresses found from DNS seeds". Running with it for now. AFAICT you seem like an excellent choice for this.

  5. practicalswift commented at 1:45 PM on June 15, 2020: contributor

    Concept ACK: seed diversity is good.

    With the increasing number of DNS seeds: would it at some point make sense to change the current "query all DNS seeds" code paths to "query p percent of all DNS seeds"?

    I imagine that would reduce the value of running a DNS seed node for passive data collection purposes, and it would also limit the exposure in case of active attacks.

  6. michaelfolkson commented at 2:14 PM on June 15, 2020: contributor

    Concept ACK. This follows the DNS seed operator policy and @wiz has the "minimum level of trust within the Bitcoin community" imo.

    I'm sure some maintainers/long term contributors are already doing this in practice but should it be documented what measures are being taken to monitor whether DNS seed operators turn malicious?

    At the moment it sounds like in the DNS seed policy the "small amount of risk for the network" is not and cannot be mitigated.

  7. Emzy commented at 4:08 PM on June 15, 2020: contributor

    Concept ACK: I also think seed diversity is good.

    I'm working online together with @wiz operating servers. I can confirm his experience as a network engineer.

  8. laanwj commented at 5:35 PM on June 15, 2020: member

    Concept ACK

  9. in src/chainparams.cpp:124 in 313a081b90
     120 | @@ -121,6 +121,7 @@ class CMainParams : public CChainParams {
     121 |          vSeeds.emplace_back("seed.btc.petertodd.org"); // Peter Todd, only supports x1, x5, x9, and xd
     122 |          vSeeds.emplace_back("seed.bitcoin.sprovoost.nl"); // Sjors Provoost
     123 |          vSeeds.emplace_back("dnsseed.emzy.de"); // Stephan Oeste
     124 | +        vSeeds.emplace_back("seed.bitcoin.wiz.biz"); // Jason Maurice
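
    Review bot: the comment on the added line 124 names only the operator, while the seed.btc.petertodd.org entry at line 121 records which x-prefixed filters that seed answers ("only supports x1, x5, x9, and xd"). If seed.bitcoin.wiz.biz supports only a subset of the filters, say so in the same form so a reader can tell from the list; if it answers all of them, the comment can stay as it is, matching lines 122 and 123.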
    


    TheBlueMatt commented at 7:17 PM on June 15, 2020:

    Should note which x's are supported. I don't recall but you should be able to see it from the zone file. Feel free to update mine while you're at it :)


    wiz commented at 9:14 AM on June 16, 2020:

    Doesn't dnsseed-rust support all the service bits? In any case, the service bits will change over time, so I'm not sure it makes sense to hard-code it in the comment, and clearly others feel the same way


    TheBlueMatt commented at 5:34 PM on June 16, 2020:

    Right, I just figured match the existing comments, but it doesn't matter.

  10. TheBlueMatt commented at 7:23 PM on June 15, 2020: member

    Concept ACK! I helped Wiz set this one up, and am happy that we have more seeds that filter using BGP data to avoid returning too many nodes on the same AS. Diversity here is good. Also, good to have more seeds that are DNSSec-signed, which I believe sipa's seeder doesn't support.

    Looks like the responses currently fit just fine in non-DNSSEC packets, which is good, but DNSViz is pretty sad. https://dnsviz.net/d/seed.bitcoin.wiz.biz/dnssec/

  11. pstratem commented at 7:30 PM on June 15, 2020: contributor

    @michaelfolkson Short of only returning attacker controlled DNS results, there historically hasn't been very much that a malicious seed could do. This has changed with the adoption of EDNS where DNS servers forward some of the client's address to the upstream resolver.

    I'm not sure how much if any that changes what the DNS seed policy should be.

  12. MarcoFalke commented at 9:54 PM on June 15, 2020: member

    Approach ACK

  13. naumenkogs commented at 7:35 AM on June 16, 2020: member

    Concept ACK

  14. wiz commented at 9:11 AM on June 16, 2020: contributor

    > DNSViz is pretty sad. https://dnsviz.net/d/seed.bitcoin.wiz.biz/dnssec/

    @TheBlueMatt Thanks, I've just resolved that issue, but it was literally only affecting DNSViz.

  15. jonasschnelli commented at 9:23 AM on June 16, 2020: contributor

    Tested ACK 313a081b907bf0a5b56af99ec2d42814ef0638b0.

    Seed works as expected for IPv4 and IPv6. Tested a bunch of IPs and they were connectable bitcoin peers. Filtering works, though it is unclear (hard to evaluate) what filters are supported. Server uses default SSHd port 22 (just a note) (edit: was wrong about that).

    I agree with @wiz that constantly updating the supported filters in the source code makes little sense.

  16. laanwj commented at 5:31 PM on June 16, 2020: member

    ACK 313a081b907bf0a5b56af99ec2d42814ef0638b0

  17. laanwj merged this on Jun 16, 2020
  18. laanwj closed this on Jun 16, 2020

  19. Sjors commented at 6:05 PM on June 16, 2020: member

    Post merge ACK. Tested it's reachable via IPv4 and IPv6 (and returns both types of addresses, and filters work):

    dig -t A +trace seed.bitcoin.wiz.biz
    dig -t AAAA +trace seed.bitcoin.wiz.biz
    dig -6 -t A +trace seed.bitcoin.wiz.biz
    dig -6 -t AAAA +trace x5.seed.bitcoin.wiz.biz
    
  20. Emzy commented at 1:51 PM on June 19, 2020: contributor

    > @michaelfolkson Short of only returning attacker controlled DNS results, there historically hasn't been very much that a malicious seed could do. This has changed with the adoption of EDNS where DNS servers forward some of the client's address to the upstream resolver.
    >
    > I'm not sure how much if any that changes what the DNS seed policy should be.

    Just to have some data points, I had a look at dnsseed.emzy.de. And got some stats for the last 24 hours of DNS traffic.

    Total number of queries (last 24h): 184860
    Number of queries with option CSUBNET: 10228
    Subnet size (IPv4)24: 9713
    Subnet size (IPv6)56: 382
    

    So about 5.5% of the DNS queries are sent with a client subnet.
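
One way a seed operator could produce counts like the ones above from raw query packets, as an added example (not Emzy's tooling and not code from this PR): it parses the EDNS Client Subnet option (OPT record type 41, option code 8) out of DNS queries and tallies the announced prefix sizes. The function names are hypothetical, and the sample queries are constructed in the block using documentation prefixes.

```python
import ipaddress
import struct
from collections import Counter
OPT, ECS = 41, 8  # OPT pseudo-RR type (RFC 6891); Client Subnet option code (RFC 7871)

def skip_name(msg, off):                   # offset just past a domain name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:        # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def client_subnet(msg):
    """Return (family, source prefix length, network) from a query's ECS option, or None."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE and QCLASS follow the name
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        p, end = off + 10, off + 10 + rdlen
        while rtype == OPT and p + 4 <= end:   # walk the options inside the OPT RDATA
            code, olen = struct.unpack_from("!HH", msg, p)
            if code == ECS and olen >= 4:
                fam, src, _scope = struct.unpack_from("!HBB", msg, p + 4)
                size, net = (4, ipaddress.IPv4Network) if fam == 1 else (16, ipaddress.IPv6Network)
                addr = msg[p + 8:p + 4 + olen].ljust(size, b"\0")[:size]
                return fam, src, net((addr, src), strict=False)
            p += 4 + olen
        off = end

def tally(queries):                        # (queries with ECS, counts per (family, prefix))
    sizes = Counter(hit[:2] for hit in map(client_subnet, queries) if hit)
    return sum(sizes.values()), sizes

def build_query(name, ecs=None):           # constructed sample input, not captured traffic
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\0"
    opt = b""
    if ecs:
        net = ipaddress.ip_network(ecs)
        n = (net.prefixlen + 7) // 8       # only the significant address bytes are sent
        opt = struct.pack("!HHHBB", ECS, 4 + n, 1 if net.version == 4 else 2,
                          net.prefixlen, 0) + net.network_address.packed[:n]
    return (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + qname + struct.pack("!HH", 1, 1)
            + b"\0" + struct.pack("!HHIH", OPT, 4096, 0, len(opt)) + opt)

SAMPLES = [build_query("seed.bitcoin.wiz.biz"), build_query("seed.bitcoin.wiz.biz", "192.0.2.0/24"),
           build_query("x5.seed.bitcoin.wiz.biz", "2001:db8:1200::/56")]
```

The first sample carries an OPT record with no options, so it counts as a query without a client subnet; a malformed packet raises `struct.error` or `IndexError` rather than being counted.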

  21. laanwj referenced this in commit ef144a3f1b on Jul 2, 2020
  22. wiz referenced this in commit 397fc6f8d0 on Oct 12, 2020
  23. wiz referenced this in commit 397a4fee51 on Oct 12, 2020
  24. wiz referenced this in commit 1019d964c1 on Oct 12, 2020
  25. schildbach referenced this in commit 20364cb7b2 on Feb 14, 2022
  26. DrahtBot locked this on Feb 15, 2022

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-02 12:14 UTC
