Running a Public DNS Resolver for fun

When I set up my Odroid server earlier this year, I wondered if it was a good idea to run a public-facing DNS resolver based on Pi-Hole. Against all the voices telling me no, I decided nonetheless to try it and see what happens. In the end, the traffic will be limited at some point by the CPU power available, and the Operations Team at CommunityRack.org will give me a hearty slap on the wrist saying, “you broke it, you’ll fix it”, and they will make me buy some pizza and/or doughnuts for the next time we meet in person. So the experiment began towards mid-February.

You can see the traffic I was making most of the time until around May. Primary clients connected to the VPN using the DNS Resolver following mostly standard day/night/weekend traffic patterns.

There’s a noticeable bump in July, a considerable spike towards August, and then in October, the floodgates opened entirely with a couple of million DNS queries per day. My theory is that at some point in July, the resolver got on some well-known DNS list and started to gain “trust” as it was always online.

A few observations:

  1. First, there was only my traffic, but soon after, someone or a small group of people discovered the resolver and started using it.
  2. Discovery — I was confused about why and how people found the resolver, but they seemed to use it steadily.
  3. Service-Thoughts — But you can’t get in touch with someone like that, so I’ve set up a small landing page on the IP and added an email address for anyone to reach out if they plan to use the service for an extended time, so I could give them at least a heads-up in case the service needs to shut down. If you have ever debugged a failing DNS server, you know why – nobody deserves this.
  4. Privacy — It was then that I noticed I’d need to shred the log files at some point and started lowering the amount of data logged to disk. The less I know, the better. At this point, I only cared for the raw numbers.
  5. Trust? — And last, and the most concerning one for me personally, is that people seem to blindly trust a random IP on the internet that gives them DNS responses. (I kind of pride myself that I was able to run a DNS resolver with seemingly good uptime and minimal maintenance).

So how long?

The answer is 7 months and 3 days (15th March till 18th October).

Sorry to the people that have a broken DNS resolver now. And sorry if my resolver has been part of some sort of a DNS Amplification Attack (based on the traffic it should not have, but that’s hard to say).

The experiment has ended; thanks for participating. I’ve just shredded all logs.

Bye Evernote, Hi Joplin

Well, Evernote’s past year or so was a bummer as a customer. Don’t take it from me; just have a look at the Evernote Reddit, and it echoes exactly what I saw for quite some time:

  • The new Android App was much slower than before – scans of documents suddenly were barely usable – it took around a minute to snap a picture of a document and scan it, and the app sometimes crashed in the process.
  • Mac App also got terribly slow and memory hungry; the old app was fast.
  • New Pricing model – I mean… why…

As my renewal would have come around soon, I’ve started looking into all sorts of alternatives, and the most promising one seems to be the open-source note-taking app Joplin.

As I rarely need the online sync for note-taking, exporting from Evernote and importing everything into Joplin was easy; just two or three notes had issues, but that was an easy fix — or better said, a cleanup, as those notes were ancient and not needed anymore. And OMG, the web clipper of Joplin is so fast and has a few features I like a lot.

My workflow for document scans currently runs through Dropbox, something I’ll look into when I have more time. But for now, that’s enough, and the Dropbox app gives me a nice PDF that I can import and file where it’s needed. Also, having documents in the note-taking app is something I stopped a while ago, so the PDFs live in a separate file structure that works for me.

The really cool thing about Joplin is that there are tons of Plugins available to tweak the app to your needs. And suppose I ever need Joplin to sync my data to secondary devices. In that case, there are several ways of getting this done, as it supports Dropbox, Nextcloud and Joplin Server – which is just another Container to run somewhere.

So far, I’m happy having liberated my notes into a System that works better and provides a lot of flexibility.

Dept. of Cognitive Dissonance

In one week, the SVP is inviting interested members to a “working conference”. The topic: “Luxury socialists in the cities dictate how the rural population lives”. The conference is chaired by Zurich National Councillor Thomas Matter. The fortune of the banker and entrepreneur is estimated at 200 million francs. He lives in Meilen on Zurich’s Gold Coast, a municipality that has less agricultural land than the luxury-socialist city of Zurich.

Source: Zuger Zeitung / Schweiz am Wochenende – 21 August 2021

At least we are no longer dividing the population by origin, but widening the urban-rural divide a bit instead. As a so-called luxury-socialist city dweller, I find it off-putting to have multimillionaires spit in my almond-milk coffee (it was expensive!).

Alternatively, have a look at the Twitter thread on the SVP’s new “enemies”.

Angelesen #80

Here’s another free CA as an alternative to Let’s Encrypt! (scotthelme.co.uk)

Now, if Let’s Encrypt are having a bad day and you can’t get a certificate from them for whatever reason, you have a problem. This is why a backup CA is so important, we must have other options.

New CAs with the ACME API – I like this a lot!

macOS 11’s hidden security improvements (blog.malwarebytes.com)

Who benefits from NO_SMT and TECS? Google.

I’ve looked everywhere and no one else seems to use these mitigation APIs. The only source code match (outside of the macOS 11 and 12 SDKs, and the XNU source code itself) is Chromium. The only binary matches on my macOS 11 machine (outside of system libraries) are the Chrome and Electron frameworks, i.e. Chromium. Not even Safari seems to use them!

macOS 11 has quite a few security improvements under the hood, and it seems that they are not widely adopted yet.

My Philosophy on Alerting (docs.google.com)

My Philosophy on Alerting based on my observations while I was a Site Reliability Engineer at Google

I stumbled over this within the Alerting Documentation of Prometheus.

30 km/h in Sweden – The youth drive in slow motion (tagesanzeiger.ch)

In Sweden, even 15-year-olds are allowed to drive cars, but no faster than 30 kilometres per hour. As a result, plenty of proud traffic obstacles are on the road all over the country.

Kind of awesome 🙂

How does Cloud SQL maintenance work? (cloud.google.com)

The good first part of how Cloud SQL Instances get maintained – Waiting for Part 2 as there might be much more to it than meets the eye in the first place.

What will the animal-product substitutes of the future look like? (urkraut.ch)

Are substitute products needed at all?

First, the elephant in the room: yes, plant-based substitute products are needed. Our diet is based on traditions. As we grow up, our preferences take shape as well. Because of that, we cannot simply demand that everyone give up the products they are used to, such as meat. That would be unhealthy.

Summary and recommendations, wave 47 (projekte.uni-erfurt.de)

Risk perception and protective behaviour — Willingness to vaccinate and mandatory vaccination — Willingness to vaccinate one’s own children — Trust, rejection of measures and willingness to demonstrate — Delta variant and fourth wave

While researching, I came across this great publication by the University of Erfurt, the RKI and many others, which examines and gives a good overview of knowledge, risk perception, protective behaviour and trust during the pandemic in Germany.

Slack Certified Admin (slackcertified.com)

For Slack admins at organizations of all sizes, you’re in the right place to learn and prove your skills.

I am not sure what to think of it…

H/T Toby

Before and after the 2021 flood: the Ahr-Rotweinstraße from Altenahr to Dernau (youtube.com)

Embrace ephemerality with default disappearing messages (signal.org)

Until now, disappearing messages had to be enabled on a per-conversation basis, but for those who want to take ephemerality to the fullest, Signal now supports the ability to preconfigure all conversations you initiate with a default timer.

We’ve also added the ability to set custom timer durations on your conversations, so that some content can be gone in 60 seconds and others can exist for 18 minutes or 4 weeks. Install Signal, and give it a shot today!

Default on 4 Weeks it is!

Open sourcing a more precise time appliance (engineering.fb.com)

we’ve built a new dedicated piece of hardware called Time Appliance, which consists of a GNSS receiver and a miniaturized atomic clock (MAC). Users of time appliances can keep accurate time, even in the event of GNSS connectivity loss. While building our Time Appliance, we also invented a Time Card, a PCIe card that can turn any commodity server into a time appliance.

Alternatively: Build a Stratum-1 NTP Server for normal people.

Effective Alerting in Practice (newrelic.com)

No one ever said that alerting was easy. How do we ensure that alerts are delivered in a timely manner while preventing as many false positives and negatives as possible? Additionally, how do we make sure we’re detecting issues on time and not waking up our users in the middle of the night with false alarms? Alert fatigue is a real thing.

Very good documentation on effective Alerting strategies from New Relic.

Angelesen #79

One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization (arxiv.org)

This paper introduces a new approach to attack SEV-protected virtual machines (VMs) by targeting the AMD-SP. We present a voltage glitching attack that allows an attacker to execute custom payloads on the AMD-SPs of all microarchitectures that support SEV currently on the market (Zen 1, Zen 2, and Zen 3). The presented methods allow us to deploy a custom SEV firmware on the AMD-SP, which enables an adversary to decrypt a VM’s memory. Furthermore, using our approach, we can extract endorsement keys of SEV-enabled CPUs, which allows us to fake attestation reports or to pose as a valid target for VM migration without requiring physical access to the target host

Power glitch attacks against AMD’s Secure Encrypted Virtualization

Universal income for open source maintainers (futureu.europa.eu)

First reaction: Yes
Second reaction: No, UBI should be there for everyone

GPSD time will jump back 1024 weeks at after week=2180 (23-October-2021) (gitlab.com)

This code is going to trigger a 1024 week backward time jump from Saturday October 16, 2021 to Sunday March 3, 2002.

Whoopsie, time and date are still very complex problems – yes, looking at you, year 2038 problem.

usb-c cable colour codes (sa.lj.am)

USB-C was supposed to be the answer to the chaos that is charge and data cable compatibility. And to an extent it was. It unified ports and reduced the amount of cables and chargers I need to travel with. The cables themselves, however, turned out to be a mess. They come in many varieties with obtuse names, confusing markers, and unclear compatibility rules. Yet they all look exactly the same.

This is a very neat colour scheme to patch my cables with – the main issue is… how do I identify those cables?

Amazon’s older Kindles will start to lose their internet access in December (theverge.com)

My Kindle has come of age; sad to see the internet go – I think that was one of the first devices I got that just came with Cell-Based internet right from the start.

Having the very rustic browser and internet wherever you go was a great thing to have several years ago. Now with easier roaming, it’s a thing of the past.

SSD belonging to Euro-cloud Scaleway was stolen from back of a truck, then turned up on YouTube (theregister.com)

Lechelle said Scaleway worked with the YouTuber to recover the disk. The French-language video creator has written to Scaleway with assurances they have not copied the information contained on the disk. It is said some customer data was on the drive, unencrypted, including the source code and SSH keys of an Italian VPS provider.

Wow, what a nightmare when a disk of a cloud provider just shows up on a marketplace.

Federal Court of Justice (Bundesgerichtshof): cum-ex deals are punishable tax evasion (correctiv.org)

Put differently: the deals with which hundreds of participants earned many millions of euros, if not billions of euros, over the years are punishable in the view of the Karlsruhe court. This decision affects many trials currently under way in German courts. In the coming months and years, there are likely to be further convictions in which the main suspects must expect severe prison sentences.

This is going to be interesting; if the cum-ex deals entail criminal offences, there will presumably be some repayments (hopefully).

Special Swiss Hosting: «One may speak of digital colonisation» (itmagazine.ch)

"Grand geopolitics is now taking place online too, that is how it is. Switzerland is its plaything and has only one option: to stand up for a world order that is based on rules, not on the law of the strongest." @anderageru

That Europe has missed quite a few technological steps is visible not only in IT but in practically every industry where China is more or less the only point of contact (solar panels, wind turbines, lithium-ion batteries etc.)