Your DNS server knows a lot about you. In fact, it sees every domain you resolve, which is effectively every website you visit. Between ISPs intercepting both valid and invalid lookups and potentially selling your browsing history to advertisers, it is both prudent and remarkably simple to encrypt all of your DNS traffic and take this traditionally plain-text data away from prying eyes.
A semi-authoritative zone lets a DNS server answer authoritatively for the records it knows about in a given zone, while forwarding every other query for that zone to an upstream server.
Available as a CoreDNS plugin, Partial is a drop-in replacement for the CoreDNS file plugin that allows for partially or semi-authoritative DNS zones, and is available on GitHub at https://github.com/charlesportwoodii/coredns-partial.
If you’ve ever lost an important document or file you know how essential timely and reliable backups are. Getting backups done efficiently can prove to be a challenge, however, especially on Linux where a dozen different tools exist, each a variation on the same theme.
Until recently I’ve been using Duplicati, which is an excellent tool, but struggles to start reliably on newer Linux kernel versions, resulting in inconsistent backup states and data loss when you need to recover something.
In this article I’ll cover how I automate backups of all my Linux desktops, servers, and laptops to a locally encrypted BTRFS store, and off-site to a cloud provider.
Unable to tolerate the significant performance losses I was seeing on my aging i5-2500 desktop, I recently elected to upgrade my desktop to something a bit more powerful that would enable me to work faster and get more done.
While planning out this process, I stumbled upon this article from mid 2017 detailing the process of getting GPU passthrough working on Fedora 26 with Ryzen.
Exhausted by the constant performance losses incurred by Spectre and Meltdown I was experiencing on my old i5-2500, and wanting to capitalize on the cost-per-core benefit Ryzen 2 offered, I decided to take the plunge into GPU passthrough and to see if it would be a viable long-term solution for me, and my, have I been pleased.
This write up details my experiences getting PCI passthrough working through Ubuntu 18.04 to Windows 10 using OVMF+VFIO and libvirt. While this document shouldn’t be considered a comprehensive guide, it will cover what I needed to do to get this working (mainly so I can set it back up again if I ever need to), while also covering a few tips and tricks I’ve learned along the way.
Wireguard is an extremely simple, fast, and modern VPN. With its introduction into the mainline Linux kernel, Wireguard promises a simpler, faster, and more secure way of setting up a VPN without having to deal with traditional solutions like OpenVPN and L2TP/IPsec, which can be cumbersome and slow.
In this article I’ll cover how to install Wireguard on a Ubiquiti router, and how to connect a remote client to it.
Similar to BitLocker on Windows, the Ubuntu installer can encrypt your primary hard drive during installation. Encrypting secondary or external devices, however, is a bit more complicated.
In this article I’ll cover how to encrypt a second hard drive after installing Ubuntu and set it up with LVM for easy expansion later. Additionally, I’ll cover the steps necessary to automatically unlock the additional drives at boot once your primary hard drive has been decrypted, and how to access this media once logged into the system.
Starting with PHP 7.3, Argon2id may be used with the password_* functions (password_hash, password_verify and friends) to provide better password security.
In this article I cover the benefits of Argon2id, how to compile Argon2id support into PHP, how to use Argon2id within your PHP 7.3 applications, and some useful pieces of information about Argon2id usage within applications in general.
For more information on Argon2id support within PHP 7.3, reference the Argon2 Password Hash Enhancements RFC on the PHP Wiki.
One of the common problems developers run into when creating their own Docker images is the sheer size of the final output image. Even after compressing and squashing, images based on Ubuntu or CentOS can still be hundreds of megabytes in size.
As part of my personal dockerization efforts I’ve spent the past several weeks working on repackaging my PHP and Nginx packages so that they work on Alpine Linux with the aspiration of significantly reducing the size of the Docker images I provide.
To reduce the complexity of my Docker images, I pre-build packages for a given operating system, then install them using the operating system’s built-in package manager. After creating packages for Alpine Linux (which was troublesome in its own right), I discovered there was little to no accurate documentation on how to create a web repository for Alpine Linux.
In this article I’ll cover the steps I needed to take to create a maintainable Alpine Linux web repository.
A lot has been said recently about ECDSA certificates and elliptic curve cryptography (ECC), and about how they are the future of the humble SSL/TLS certificate. Cloudflare has written several articles describing what exactly ECDSA certificates are and how they work with ECC.
If you’re not familiar with ECC yet, Cloudflare provided a pretty basic TL;DR of what exactly ECC is and why it is important:
[…] ECC is the next generation of public key cryptography and, based on currently understood mathematics, provides a significantly more secure foundation than first generation public key cryptography systems like RSA. If you’re worried about ensuring the highest level of security while maintaining performance, ECC makes sense to adopt. _https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/_
Based upon our current understanding of mathematics, ECC provides significantly better security and performance than a typical 2048-bit RSA certificate: a 256-bit ECDSA key (P-256) offers roughly 128 bits of security against the roughly 112 bits of a 2048-bit RSA key, with far smaller keys and signatures and faster signing (RSA still verifies faster). In this article, we’ll cover how to make an ECDSA Certificate Authority, an ECDSA-compatible CSR, and how to sign ECDSA certs.