Part of the Furniture
I’ve done some more research into the Skynet code and I think the problems some of you are experiencing can be explained as:
- nslookup github.com only returns 1 IP address, but future calls of nslookup github.com might return a different IP at different times. Not sure if this DNS behavior changed recently or not for them.
- Skynet’s manual whitelisting of a domain name will only “remember” the IP or IPs returned from the most recent nslookup it runs when refreshing the manual whitelist (i.e. during firewall start, or daily banmalware update). If nslookup github.com later resolves to a different IP (temporarily or not), there is no update to the Skynet whitelist until the next firewall restart or daily banmalware update.
- Skynet purges any previous manual whitelisted IPs for a manual whitelist of a domain when it refreshes the whitelist, probably to avoid stale IPs from continuing to be whitelisted. Therefore, Skynet does not “remember” previous IPs that github.com resolved to. To me, it’s a design problem in assuming a domain name will not change its DNS response throughout the day. It doesn’t “forget”, it just chooses not to remember old IPs.
- Whitelisting the banned github.com IP instead of the domain name would avoid this DNS lookup dependency.
- More energy should be spent logging issues with the Firehol list maintainers to remove the github IP from their lists. See https://github.com/firehol/blocklist-ipsets/issues/188