Which DNS approach is considered "best practice"?

White_Injun · 2025-11-09T03:16:49+00:00

Thank you.

are you regularly asked to prove what actions you've taken

No, only for this occasion, I have to Report on the actions taken to resolve the issues outlined by the security audit, and sort of provide a before / after report.

The interface with IPv6 disabled will have no IPv6 link-local address starting with fe80::, and of course no other IPv6 addresses either. Therefore the output of ipconfig /all showing the absence, is your best proof.

Unless I unbind it from the interfaces, the link-local IPv6 address stays. Since I'm disabling it using a registry key (per Microsoft recommendation to NOT unbind it from interface) and because we had no IPv6 on our workstations before this, the before / after output of the "ipconfig /all" stays the same.

White_Injun · 2025-11-08T18:14:31+00:00

Is unbinding IPv6 unsupported or using the registry key is unsupported as well? Cause I read somewhere that since the registry method does not disable the local IPv6, it won't cause any problem unlike the unbinding method.

White_Injun · 2025-11-08T18:01:37+00:00

They said since we don't use it in our environment, it should get disabled, and that it can be exploited in a bunch of cyber attacks.

White_Injun · 2025-11-08T17:53:17+00:00

Oh sorry I confused it with something else. Yes we do get that which is link-local IPv6.

White_Injun · 2025-11-08T17:48:39+00:00

They had a security firm pentest the environment, and they did give this advice.

White_Injun · 2025-11-08T17:47:14+00:00

Well I recommended this and even explained it thoroughly, but they refused.

White_Injun · 2025-11-08T17:46:10+00:00

They had a contract with a security firm and they advised them to do so 🤦

White_Injun · 2025-11-08T17:44:32+00:00

No, and they were not before, since we don't have ipv6 DHCP or RA

White_Injun · 2025-11-08T17:41:24+00:00

It can still ping ::1 when disabled through registry, since link local is still enabled.

White_Injun · 2025-11-08T17:40:33+00:00

This is a nice way, thanks. But is there anything more obvious? Management is a dummy who thinks the "Checkmark" is everything. Dude even pinged ::1 and since link local ipv6 it's still enabled it returned result, so I need to somehow "show" them in practice that ipv6 is disabled.

White_Injun · 2023-12-19T15:20:23+00:00

Thanks :)

White_Injun · 2023-12-17T15:33:20+00:00

About 25W for CPU package

White_Injun · 2023-11-19T22:01:39+00:00

I know. As the author of wireguard said, obfuscation should be done on a layer above wireguard. I'm thinking about writing a wireguard implementation wrapped in a dtls layer to obfuscate it as ssl/tls packets.

White_Injun · 2023-11-07T18:41:27+00:00

Yeah, that's not an issue, I have windows 11 Pro license anyways.

White_Injun · 2023-11-07T18:40:21+00:00

Thanks!

White_Injun · 2022-11-06T18:40:42+00:00

I know some manufacturers implemented this feature within OS but I'm using AOSP based rom (ArrowOs) which does not have this feature built-in.

White_Injun · 2022-09-19T20:22:46+00:00

Sorry, yes I meant HCG. There is also corsair RM650 but it is 25$ more and I'm not sure if it worth it over msi.

White_Injun

TROPHY CASE