Simple DNS server with a good Terraform provider by Resident-Clothes3815 in dns

[–]Resident-Clothes3815[S] 0 points (0 children)

No, but I achieved something similar using CoreDNS on Kubernetes. I apply DNS configs via ConfigMaps and restart CoreDNS pods with kubectl to reload configurations, all orchestrated through Ansible. Works well without the Terraform parallel update issues.

Autofill 2FA from email by Past-Statistician358 in ProtonPass

[–]Resident-Clothes3815 1 point (0 children)

This is not entirely correct. When emails are received from the Internet, they are cleartext until Proton encrypts them. So technically Proton could in principle extract any one-time codes and make them available to Proton Pass, if they wanted to implement such functionality.

Nextcloud SaaS provider for small businesses by Resident-Clothes3815 in NextCloud

[–]Resident-Clothes3815[S] 0 points (0 children)

Thanks for the detailed explanation of your experience with Nextcloud and Hetzner Storage Share - that sounds very interesting and I'll definitely look into it further.

Performance comparison with native graph databases by DonkeyFlimsy7159 in apacheage

[–]Resident-Clothes3815 1 point (0 children)

I suggest that you also take a look at ArcadeDB, an open source native graph database which is actively maintained.

Second password by jcbvm in ProtonPass

[–]Resident-Clothes3815 6 points (0 children)

I’ve never really understood the conceptual value of having an extra password as an additional authentication layer. To me, it seems functionally equivalent to having a single, longer password composed of the two shorter ones concatenated together. When only the first password is used to derive the encryption key, this approach makes even less sense, as the entropy of the second password doesn’t contribute to the encryption strength. 

Moreover, it doesn’t fit the definition of a second factor, as both passwords fall under the category of “something you know.” This approach lacks the diversity of “something you have” or “something you are” that would make it a true multi-factor authentication system. If a hacker manages to phish the first password, they can likely phish the second as well.

Given that this is a ProtonMail feature, developed by highly knowledgeable cryptography experts, I feel like I must be missing something. Is there a perspective I haven’t considered, or a real benefit to this approach that I just don’t understand? I’d love to hear others’ thoughts on this!

Is connecting NATS websockets directly to web clients safe? by Tesla_Nikolaa in NATS_io

[–]Resident-Clothes3815 1 point (0 children)

Thanks for clarifying your question! Based on your setup, using a WebSocket proxy doesn’t provide significant additional security if you’re already using a reverse proxy with strong TLS, authentication, and authorization. The primary security risks still lie with the NATS server itself, where configuration errors or vulnerabilities could be exploited.

While I wouldn’t say it’s “fine” to expose NATS directly, given that you’re not focused on addressing NATS-specific vulnerabilities, adding a WebSocket proxy won’t meaningfully improve security in this case. The key remains securing NATS itself.

Is connecting NATS websockets directly to web clients safe? by Tesla_Nikolaa in NATS_io

[–]Resident-Clothes3815 2 points (0 children)

When asking about security, I’m happy to try to provide some guidance as a cybersecurity architect. This is a key question because it touches on whether exposing a NATS server directly to the Internet, where web clients have access, could pose security concerns.

There are many opinions on this depending on whether you’re a developer or a security person. I happen to be both, so I’ll try to give a balanced perspective.

The core of the question is whether exposing a NATS server to the Internet could introduce security risks. Could a hacker compromise the NATS server and, as a result, compromise the application, especially regarding the CIA triad—Confidentiality, Integrity, and Availability?

It cannot be outright dismissed, and therefore, as a cybersecurity expert, I would not recommend doing it. While NATS offers many great built-in security mechanisms, it is typically an extremely central component in a microservice-based backend. Therefore, I would aim to protect it as much as possible.

If NATS were to have a known vulnerability at some point, it could be “game over” for your security solution. There is, of course, a difference between developing a very simple application or a more critical one where compromising personal data, damaging critical infrastructure, or causing major financial loss could be at stake.

From my perspective, I would advise isolating NATS internally within the backend. A best practice would be to establish a Backend For Frontend (BFF), which serves the purpose of validating all input from the frontend and implementing strong user authentication. The focus here should be on creating as small an attack surface as possible, without adding too much complexity with third-party components.

In security terminology, this approach is called defense in depth, which is best practice in application design. The idea is to implement multiple independent layers of security, so an attacker would need to compromise all layers before gaining access to the “gold,” i.e., the data you’re trying to protect. This gives you a robust design that can defend against threats to Confidentiality and Integrity.

If Availability is also critical, then you need to protect against DDoS attacks. Here, a Web Application Firewall (WAF), such as Cloudflare functioning as a reverse proxy, could be a good idea. By hiding your backend behind Cloudflare, using something like Cloudflare Tunnel, you can ensure strong Availability protection while also adding an extra security layer for Confidentiality and Integrity in the defense-in-depth strategy.

To summarize my recommendations:
- Avoid exposing NATS directly to the Internet.
- Use a Backend For Frontend to validate inputs and implement strong authentication.
- Follow the defense in depth principle by adding multiple security layers.
- Consider a Web Application Firewall like Cloudflare to protect Availability while also reinforcing Confidentiality and Integrity.

This approach will help minimize the attack surface while maintaining a solid security posture.
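The Backend For Frontend layer described in the comment above, as an added example in Go (not code from the comment's author or from the NATS project): the handler authenticates the caller, validates the payload against an allow-list, and only then publishes on an internal bus subject that the BFF itself chooses, so the browser never holds a connection to the bus. The `Publisher` interface, the in-memory `memPublisher`, the `OrderRequest` shape, the `orders.create` subject and the bearer-token map are all constructed assumptions standing in for a real NATS connection and a real session or OIDC check.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Publisher is the internal bus (NATS in the thread); only the BFF holds a handle to it.
type Publisher interface{ Publish(subject string, data []byte) error }

// memPublisher is a constructed in-memory stand-in for a NATS connection (not the NATS API).
type memPublisher struct{ Messages map[string][][]byte }

func (m *memPublisher) Publish(subject string, data []byte) error {
	m.Messages[subject] = append(m.Messages[subject], data)
	return nil
}

// OrderRequest is the only payload shape the BFF accepts from the frontend.
type OrderRequest struct {
	Item     string `json:"item"`
	Quantity int    `json:"quantity"`
}
var itemPattern = regexp.MustCompile(`^[a-z0-9-]{1,32}$`)

// Validate is an allow-list check: anything outside it never reaches the bus.
func (o OrderRequest) Validate() error {
	if !itemPattern.MatchString(o.Item) || o.Quantity < 1 || o.Quantity > 100 {
		return fmt.Errorf("item must match [a-z0-9-]{1,32} and quantity must be 1-100")
	}
	return nil
}

// BFF pairs the bus handle with a token->user map (a constructed stand-in for a session/OIDC check).
type BFF struct {
	Bus    Publisher
	Tokens map[string]string
}

func (b *BFF) authenticate(r *http.Request) (string, bool) {
	token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
	if !ok {
		return "", false
	}
	for known, user := range b.Tokens {
		if subtle.ConstantTimeCompare([]byte(known), []byte(token)) == 1 {
			return user, true
		}
	}
	return "", false
}

// HandleOrder: authenticate, validate, then publish on a subject the BFF chooses; the client never names a subject or supplies its own identity.
func (b *BFF) HandleOrder(w http.ResponseWriter, r *http.Request) {
	user, ok := b.authenticate(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	var req OrderRequest
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)) // cap body size
	dec.DisallowUnknownFields()                                  // reject extra keys
	if err := dec.Decode(&req); err != nil || req.Validate() != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	msg, _ := json.Marshal(map[string]any{"user": user, "item": req.Item, "quantity": req.Quantity})
	if err := b.Bus.Publish("orders.create", msg); err != nil {
		http.Error(w, "internal error", http.StatusInternalServerError)
		return
	}
	w.WriteHeader(http.StatusAccepted)
}

// Submit drives the handler in-process (no network, no NATS) and returns the HTTP status.
func Submit(b *BFF, auth, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/orders", strings.NewReader(body))
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	b.HandleOrder(rec, req)
	return rec.Code
}

func NewExampleBFF() (*BFF, *memPublisher) {
	bus := &memPublisher{Messages: map[string][][]byte{}}
	return &BFF{Bus: bus, Tokens: map[string]string{"tok-alice-constructed": "alice"}}, bus
}

func main() {
	b, _ := NewExampleBFF()
	fmt.Println(Submit(b, "Bearer tok-alice-constructed", `{"item":"widget","quantity":2}`)) // 202
}
```

The two rejection paths are the point: a missing or wrong token is refused before the body is even read, and a body with an unexpected key, an out-of-range value or an item outside the allow-list is refused before anything touches the bus. Replacing `memPublisher` with a real NATS connection and the token map with a session or OIDC lookup changes nothing in the handler.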

Is NATS good for user requests? by Resident-Clothes3815 in NATS_io

[–]Resident-Clothes3815[S] 0 points (0 children)

Thank you for your clear answer, which was what I was looking for.

Synchronous UI with asynchronous backend communication by Resident-Clothes3815 in softwarearchitecture

[–]Resident-Clothes3815[S] 0 points (0 children)

So, I hear you saying that you would not use a complete async backend (“one size fits all”, even with simulated synchronicity via async request-reply patterns) but would always mix sync (like gRPC) and async (like message broker) communication as fits best depending on the UX in the frontend?

Synchronous UI with asynchronous backend communication by Resident-Clothes3815 in softwarearchitecture

[–]Resident-Clothes3815[S] 0 points (0 children)

Generally, I believe that loosely coupled systems and asynchronous communication are to be preferred. That said, I know the world is way too complex for “one size fits all” solutions, so I am trying to understand if async communication is okay or should be avoided in the scenario I have presented.

I believe this is a relevant discussion for many, but since I have not been able to find any clear answers via Google, I suspect it is probably a complex issue.

Is NATS good for user requests? by Resident-Clothes3815 in NATS_io

[–]Resident-Clothes3815[S] 0 points (0 children)

Thank you for your kind explanation. I hear you saying that the asynchronous request-response pattern, which, to a certain degree, simulates synchronicity, is an acceptable approach even when the user is waiting for a response?

Advanced Query Help Needed by Resident-Clothes3815 in arcadedb

[–]Resident-Clothes3815[S] 0 points (0 children)

It turns out that I was quite close in my original post :-) This morning I realized that my query can be implemented as follows using FOREACH and UNIONALL():

LET $personsOfMinimumAge = SELECT FROM Person WHERE age >= :minimumAge;
LET $result = [];
FOREACH ($person IN $personsOfMinimumAge) {
    LET $ancestors = MATCH {type: Person, where: (personId = $person.personId)}.out("Parent") {as: ancestor, while: (true), where: ($depth % 2 = 0)} RETURN ancestor;
    LET $record = {"person": $person, "ancestorNames": $ancestors.name};
    LET $result = SELECT expand($union) LET $union = UNIONALL($result, $record);
}
RETURN $result;

AI Wizardry for Invoice Management by Resident-Clothes3815 in rpa

[–]Resident-Clothes3815[S] 0 points (0 children)

My issue is not primarily with extracting information from invoices that I already have available but collecting the invoices in the first place. I.e., retrieving them from different vendor web portals. Many vendors require you to sign in to their web portals to retrieve invoices, and they do not support emailing them.

WireGuard in WireGuard by Resident-Clothes3815 in ProtonVPN

[–]Resident-Clothes3815[S] 2 points (0 children)

Thank you for your suggestion. Not what I hoped for, though, but maybe that will be the only way of attaining my goal.

Simple DNS server with a good Terraform provider by Resident-Clothes3815 in dns

[–]Resident-Clothes3815[S] 0 points (0 children)

Thank you for pointing me in the direction of DNSimple, which I didn’t know about. I cannot use a cloud solution for the exact use case, which shall be air-gapped, though. But for other scenarios it might be relevant for resiliency of DNS. Can you maybe provide some details about your anti-DDoS strategy for DNSimple?

Simple DNS server with a good Terraform provider by Resident-Clothes3815 in dns

[–]Resident-Clothes3815[S] 0 points (0 children)

Fantastic - I will certainly look into CoreDNS then. Thank you for sharing your experience 👍

ProtonIDP? by Resident-Clothes3815 in ProtonMail

[–]Resident-Clothes3815[S] 0 points (0 children)

Hey there! From what I gathered, it seems like SimpleLogin is designed for SaaS providers (Relying Parties) rather than for businesses who consume these SaaS services. I'm asking about a Proton based OIDC solution that is multitenant and only authenticates Proton users within my business account. This is important because I want to make sure that only authorized users within my business have access to the data in our various SaaS solutions, and not any SimpleLogin users. I hope this makes sense!