diff --git a/api/desecapi/management/commands/stop-abuse.py b/api/desecapi/management/commands/stop-abuse.py
index 97c13e6f1..dc3f3655e 100644
--- a/api/desecapi/management/commands/stop-abuse.py
+++ b/api/desecapi/management/commands/stop-abuse.py
@@ -47,10 +47,11 @@ def handle(self, *args, **options):
 ).exists():
 try:
 blocked_subnet = BlockedSubnet.from_ip(rr.content)
- except dns.resolver.NXDOMAIN: # for unallocated IP addresses
+ except dns.resolver.NXDOMAIN: # IP address unallocated/private
 continue
- blocked_subnet.save()
- blocked_subnets.append(blocked_subnet)
+ if not blocked_subnet.subnet.is_private:
+ blocked_subnet.save()
+ blocked_subnets.append(blocked_subnet)
 # Print summary
 print(
diff --git a/api/desecapi/models/abuse.py b/api/desecapi/models/abuse.py
index ab36ae958..ed19777b7 100644
--- a/api/desecapi/models/abuse.py
+++ b/api/desecapi/models/abuse.py
@@ -29,11 +29,16 @@ def from_ip(cls, ip):
 qname = IPv4Address(ip).reverse_pointer.replace(
 "in-addr.arpa", "origin.asn.cymru.com"
 )
- answer = dns.resolver.resolve(qname, "TXT")[0]
- parts = str(answer).strip('"').split("|")
+ try:
+ answer = dns.resolver.resolve(qname, "TXT")[0]
+ parts = str(answer).strip('"').split("|")
+ except dns.resolver.LifetimeTimeout:
+ # In over a year of operation, there was never a smaller network than /24
+ print(f"Could not determine ASN and subnet for {ip}, using 0 and /24")
+ parts = ["0", f"{ip}/24", "", "", str(date.today())]
 return cls(
 asn=int(parts[0].strip()),
- subnet=IPv4Network(parts[1].strip()),
+ subnet=IPv4Network(parts[1].strip(), strict=False),
 country=parts[2].strip(),
 registry=parts[3].strip(),
 allocation_date=date.fromisoformat(parts[4].strip()),
diff --git a/api/requirements.txt b/api/requirements.txt
index 067671b8f..354172cce 100644
--- a/api/requirements.txt
+++ b/api/requirements.txt
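Review bot: The new guard `if not blocked_subnet.subnet.is_private:` skips private results without leaving any trace, and `is_private` does not cover every non-routable range: the shared address space 100.64.0.0/10 reports `is_private == False` in Python's `ipaddress`. `rr.content` appears to be stored record data, so if the intent is that only publicly routable networks are ever persisted as blocks, `if blocked_subnet.subnet.is_global:` states that more directly. A one-line comment above the guard, e.g. `# never persist blocks for non-routable ranges`, would also help, because the `except` comment now mentions "private" although that case is handled below it. `handle` starts and ends outside the hunk.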
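Review bot: `strict=False` is applied to every answer, not only to the timeout fallback, so a resolver reply whose network has host bits set is now silently masked instead of being rejected with `ValueError`. Keeping the strict parse for upstream data and normalising only the fallback preserves that check: `parts = ["0", str(IPv4Network(f"{ip}/24", strict=False)), "", "", str(date.today())]`, with `subnet=IPv4Network(parts[1].strip())` left as it was. The fallback also stores ASN 0 and a guessed /24 with nothing on the record to tell it apart from a verified lookup, and it reports through `print` from model code, where a `logging` warning would be easier to monitor. `from_ip` begins and ends outside the hunk.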
@@ -1,7 +1,7 @@
 captcha~=0.5.0
 celery~=5.4.0
-coverage~=7.5.1
-cryptography~=42.0.6
+coverage~=7.5.2
+cryptography~=42.0.7
 Django~=5.0.6
 django-cors-headers~=4.3.1
 djangorestframework~=3.14.0
@@ -16,5 +16,5 @@ psycopg~=3.1.19
 psl-dns~=1.1.0
 pylibmc~=1.6.3
 pyyaml~=6.0.1
-requests~=2.31.0
+requests~=2.32.2
 uwsgi~=2.0.25
diff --git a/www/conf/sites-available/90-desec.static.location b/www/conf/sites-available/90-desec.static.location
index cc4d570f3..e7f0fd4fb 100644
--- a/www/conf/sites-available/90-desec.static.location
+++ b/www/conf/sites-available/90-desec.static.location
@@ -8,7 +8,7 @@ location / {
 gzip on;
 gzip_types *;
- location /index.html { # Also includes / via internal redirect, see https://nginx.org/en/docs/http/ngx_http_index_module.html#index
+ location /index.html {
 expires epoch;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 # CSP hashes are for legacy browser support.
@@ -21,8 +21,8 @@ location / {
 }
 location / { # all other files
- index index.html;
- try_files $uri $uri/ /index.html =404;
+ index index.html; # causes internal redirect, i.e. above location applies
+ try_files $uri $uri/ /index.html; # only last parameter causes internal redirect
 expires 1M;
 }
 }
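Review bot: The fallback in `try_files $uri $uri/ /index.html;` now depends on the internal redirect landing in `location /index.html`, but that block is a prefix match, so a URI such as `/index.htmlx` is also handled there and, as far as the visible lines show, gets no `try_files` fallback. `location = /index.html {` would restrict the no-cache and security-header block to that one file. The body of that location is only partly visible in the diff, so it is worth confirming that the HSTS and CSP headers are present on a fallback route after the change.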