DoT w/ Stubby & dnsmasq on macOS

OK, let’s start with the DoT definition: DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. https://en.wikipedia.org/wiki/DNS_over_TLS There are, of course, multiple ways to […]
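To make that definition concrete, here is an added minimal DoT client (example code, not from the original post and not part of Stubby or dnsmasq). It builds a DNS query in wire format, frames it with the 2-byte length prefix that DoT reuses from DNS-over-TCP (RFC 7858), sends it inside a TLS session on port 853 with certificate-chain and hostname verification, and parses the answer. The resolver address 1.1.1.1 and the name cloudflare-dns.com are assumptions chosen for illustration, as is the embedded sample response used to exercise the parser offline; the page mentions none of them.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: DNS wire format, 2-byte length
framing, TLS on port 853 with verification.  Added example, not the post's
or any project's own code.  Resolver address/name and the sample response
below are constructed for illustration."""
import socket
import ssl
import struct

DOT_PORT = 853
TXID = 0x1234  # fixed transaction id so the offline sample matches
ASSUMED_SERVER_IP = "1.1.1.1"            # assumption: Cloudflare public DoT
ASSUMED_SERVER_NAME = "cloudflare-dns.com"  # assumption: name on its cert


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Build an RFC 1035 query for `name` (type A, class IN by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def frame(message: bytes) -> bytes:
    """DoT carries each DNS message behind a 2-byte big-endian length."""
    return struct.pack(">H", len(message)) + message


def unframe(stream: bytes) -> tuple:
    """Split one length-prefixed message off the TLS byte stream."""
    if len(stream) < 2:
        raise ValueError("short frame")
    (length,) = struct.unpack(">H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated message")
    return stream[2:2 + length], stream[2 + length:]


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels, jumps, end = [], 0, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if jumps == 1:
                end = offset + 2  # resume after the first pointer only
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if jumps == 0:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes, expected_txid: int = TXID) -> list:
    """Validate the response header and return [(name, type, ttl, rdata)]."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return answers


def dot_resolve(name: str, server_ip: str = ASSUMED_SERVER_IP,
                server_name: str = ASSUMED_SERVER_NAME) -> list:
    """Send one query over TLS and parse the reply (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain AND hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                buf += chunk
                try:
                    msg, _rest = unframe(buf)
                    return parse_answers(msg)
                except ValueError:
                    continue  # need more bytes for a complete frame


# Constructed sample reply: example.com -> 192.0.2.1 (TEST-NET-1), TTL 300,
# with the answer name compressed as a pointer to offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE))
```

The security-relevant detail is the `server_hostname` argument together with the default context: without hostname verification a machine-in-the-middle can terminate the TLS session with any certificate, and the "prevents manipulation" half of the definition above silently stops holding. Stubby performs the equivalent check when you configure an upstream with `tls_auth_name`.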

Kernel 5.6 →

As mentioned last time, I’m still tracking and building the latest kernel releases. 5.6 had been on my radar for some time and I’m going to stick with it for a longer period. One of the most important features of this release is the addition of WireGuard. I was building it in for the older releases, but now […]

bpftrace v0.9.4 →

Not long ago I wrote about backporting BCC & bpftrace in Ubuntu with a focus on bionic (18.04 LTS). With this new release, there’s a lot going on: release notes. I “backported” this one into my PPA already. On that note, I dropped support for disco (19.04) and added support for the upcoming […]

NGINX Extended Security Update #2 →

NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer. That’s the essence of CVE-2019-20372. Yet again, as I mentioned in my NGINX Extended post, I was not going to work […]

Backporting BCC & bpftrace

I’ve been following Brendan Gregg’s performance-related content for years now. I started when he was still at Joyent; later on I bought his Systems Performance book and I get back to it whenever I’m doing any profiling. Now I follow closely all of the latest work he’s doing on the BPF front. There’s a small problem though. […]

Dynamic upstreams in NGINX w/ Consul

I already briefly wrote about the idea of having dynamically discoverable upstreams in NGINX when I covered the topic of NGINX Extended. With the boom of microservices and containers scattered all over the place, there was suddenly a need for something that would serve as a single source of truth. When solutions like Mesos/Marathon or […]

Restic 0.9.6 →

Backups are one of those things that are usually an afterthought. Maybe the reason for that was a bit too much necessary configuration, or not enough sensible default choices to fit the bill, in the older apps I’ve been trying. Either way, this small, single-binary Go application simply nails it. All backups are automagically encrypted […]