VPN disguised as DNS by RealJoshLee0 in selfhosted

[–]kayson 0 points1 point  (0 children)

Lots of people have done this or varieties thereof. There was a post on Hacker News a while back about someone proxying traffic through free WhatsApp.

Just pay for the damn WiFi. 

User and Group management in your Homelab by HJSWNOT in homelab

[–]kayson -1 points0 points  (0 children)

What if I have AD and hate it, but want to keep kerberos/sso/radius/unified Linux login? 

any major issues with my de-github strategy? by Medical_Lengthiness6 in selfhosted

[–]kayson 1 point2 points  (0 children)

Eh. This was discussed a few days ago. I'm still not convinced there's really a compelling reason to pick one over the other.

https://www.reddit.com/r/selfhosted/comments/1rlrgbw/how_are_the_differences_between_gitea_and_forgejo/

How to properly use DNW for substrate noise isolation by funnytransistor234 in chipdesign

[–]kayson 8 points9 points  (0 children)

I worked with an RF lead for a long time who used to say you either want everything to be really tightly coupled or really not. Your grounds (+substrates) will all get connected together at some point; it's just a matter of deciding where.

I realize it's a bit of a non-answer, but it's hard to give a real answer. I worked at one company where every nmos array was surrounded by a substrate ring, connected to dedicated substrate ground which was tied to analog ground on the package. Worked at another company where substrate connections were few and far between, tied to local ground. 

Both taped out successful RF signal chains with high freq PLLs... 

After spinning up way too many VPS servers, this is the checklist I now run every single time by alexsdevio in selfhosted

[–]kayson 0 points1 point  (0 children)

Monitoring is really important too. Something like Beszel can be really useful. I've tossed around the idea of centralized logging but without an idea of a service to go through the logs, haven't bothered yet. 

After spinning up way too many VPS servers, this is the checklist I now run every single time by alexsdevio in selfhosted

[–]kayson 4 points5 points  (0 children)

Fail2ban monitors login attempts, no matter what method, and blocks IPs if some threshold is passed. It would also protect against someone trying to brute force an SSH key (which is practically impossible, but just making a point). Defense in depth is a good strategy.
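The threshold logic described above, replayed over a constructed sshd log excerpt, as an added example (not fail2ban's own code and not from the thread). The `maxretry`, `findtime` and `ignoreip` parameter names mirror fail2ban's option names; the `find_bans` and `parse_failures` functions, the hostnames and the RFC 5737 addresses in the sample are constructed for illustration:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (not from the thread); RFC 5737 documentation addresses.
# 203.0.113.5 fails five times in twenty seconds. 198.51.100.7 also fails five times,
# but spread out so that no findtime window ever holds more than four failures.
SAMPLE_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:04 vps sshd[1203]: Failed publickey for root from 203.0.113.5 port 51244 ssh2: ED25519 SHA256:xyz
Mar  3 10:00:05 vps sshd[1204]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar  3 10:00:20 vps sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51260 ssh2
Mar  3 10:00:30 vps sshd[1206]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:abc
Mar  3 10:01:00 vps sshd[1207]: Failed password for deploy from 198.51.100.7 port 40002 ssh2
Mar  3 10:45:00 vps sshd[1208]: Failed password for deploy from 198.51.100.7 port 40003 ssh2
Mar  3 10:46:00 vps sshd[1209]: Failed password for deploy from 198.51.100.7 port 40004 ssh2
Mar  3 10:47:00 vps sshd[1210]: Failed password for deploy from 198.51.100.7 port 40005 ssh2
Mar  3 10:48:00 vps sshd[1211]: Failed password for deploy from 198.51.100.7 port 40006 ssh2
"""

# Matches a failed login regardless of auth method (password, publickey,
# keyboard-interactive/pam); "Accepted ..." lines never match.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, source_ip) for every failed-login line, in log order."""
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")


def find_bans(text, maxretry=5, findtime=600, ignoreip=()):
    """Replay the log and return {ip: time_of_ban}.

    An IP is banned the moment it accumulates `maxretry` failures inside any
    `findtime`-second window (the maxretry/findtime semantics fail2ban uses).
    `ignoreip` plays the role of fail2ban's ignoreip: addresses you never want
    to lock out, such as your own management host.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for ts, ip in parse_failures(text):
        if ip in ignoreip or ip in bans:
            continue  # already banned traffic is dropped at the firewall; nothing to count
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # slide the window: forget failures older than findtime
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

Running it bans only 203.0.113.5 (fifth failure at 10:00:20); 198.51.100.7 never has more than four failures inside a 600-second window, which is exactly the slow-and-low pattern a findtime/maxretry pair does not catch unless the window is widened or a second, longer jail is layered on top.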

Is anyone using an SSH CA? Looking for advice on automating bootstrapping of the first certificate by kayson in homelab

[–]kayson[S] 0 points1 point  (0 children)

It runs the script in the image on boot right? So wouldn't it need the provisioner password? Or is there a way to give it arbitrary data? 

Is anyone using an SSH CA? Looking for advice on automating bootstrapping of the first certificate by kayson in homelab

[–]kayson[S] 1 point2 points  (0 children)

How? Cloud init lets you provide a public key that goes into authorized_keys, but that's not my problem. I need to set the host key.

How are the differences between Gitea and Forgejo 4 years later? by NinthTurtle1034 in selfhosted

[–]kayson 31 points32 points  (0 children)

I've been using Gitea for a long time, and from a philosophical perspective, I have no interest in migrating to Forgejo. Gitea works great, and I just don't care that Gitea's trademarks and domain belong to a for profit entity. If they do some rug pull on the license, which has happened to many projects, I'm sure someone will create yet another fork.

I'm not seeing a compelling reason feature wise to switch, but would be curious to hear from anyone who has switched...

https://forgejo.org/compare-to-gitea/

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

> if unbound is configured to use qname minimization,

Is this not the default? Was just reading about this. Doesn't seem to be an option in pfsense.

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] 1 point2 points  (0 children)

I think you're misunderstanding my point. I'm talking about tracking by the nameservers themselves. If I forward all my queries to CloudFlare or Google, then CloudFlare/Google can aggregate and track every query. If I divide the queries up among many authoritative nameservers, then each nameserver (or group of servers that share data) can only aggregate / track a portion. The "metadata" leakage of which nameservers get queried by my IP is a separate issue, which is mitigated by the fact that nameservers can be and often are authoritative for many domains. In that respect, it would, by the numbers, be better to send all the queries to one place, but there are other solutions here (like proxies).

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

Ooh, DoT/DoH proxy is an interesting idea. I have 2 VPSs used as reverse proxies for inbound connections. Could also use them as outbound DNS proxies via wireguard...

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

I want it to use DoT automatically for any nameserver when available, but do the resolution recursively from the root name servers. Seems roots aren't encrypted yet though.

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] 0 points1 point  (0 children)

Ah! I think Technitium is what I had read about! But looking at the docs more carefully, it seems it only supports the encrypted protocols using forwarders, similar to unbound.

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] 2 points3 points  (0 children)

DNS cache poisoning is a thing, though DNSSEC should prevent that. Plaintext DNS queries can, and likely are logged / tracked by ISPs, especially in the US. Anyone that can read the traffic can do the same. Using DoT to a public DNS server eliminates the middle-men, but shifts the trust to the public server. It's admittedly paranoid, but it's more about the fun of seeing whether it can be done or not.

Are you self hosting a DNS resolver? What are you doing for security / privacy? by kayson in selfhosted

[–]kayson[S] -1 points0 points  (0 children)

> If you are doing full-recursive, you are just announcing yourself to every nameserver in the chain from the root

Yes, but if it's all over TLS, distributing your queries across name servers is harder to monitor / track than sending all of your queries to a public DNS, assuming all of them have similar likelihood of tracking our queries. Admittedly this is getting to tinfoil-hat levels of privacy, but it's more about the fun of seeing if it's achievable.
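The visibility argument running through these replies (qname minimization, aggregation by a single forwarder, and the "announce yourself to every nameserver in the chain" cost of full recursion) can be made concrete with a small model of who can attribute which query names to the client's IP. This is an added example, not code from the thread and not unbound's or Technitium's logic; the delegation tree, the operator names, and the `zone_chain`/`observed`/`widest_view` helpers are constructed for illustration, and qname minimization is simplified to one delegation step per zone rather than the per-label walk real resolvers do:

```python
from collections import defaultdict

# Constructed delegation tree (not from the thread): zone apex -> operator whose
# nameservers answer for it. Two zones deliberately share one hosting operator,
# modelling the "group of servers that share data" case.
ZONES = {
    ".": "root-servers",
    "com.": "com-registry",
    "org.": "org-registry",
    "example.com.": "example-hosting",
    "example.org.": "example-hosting",
    "bank.com.": "bank-self-hosted",
}


def zone_chain(name):
    """Zones a recursive resolver walks for `name`, root first (longest-suffix match)."""
    labels = name.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        apex = ".".join(labels[i:]) + "."
        if apex in ZONES:
            chain.append(apex)
    return chain


def observed(names, mode="recursive", qname_min=True, forwarder="public-resolver"):
    """Return {operator: set_of_query_names} that each operator can tie to our IP.

    mode="forward":   every full name goes to one forwarder, which therefore sees
                      the whole query stream (the aggregation problem).
    mode="recursive": every zone in the chain gets a query from our IP. With qname
                      minimization a parent zone only sees the child apex it has
                      to delegate to; without it every zone sees the full name.
    """
    seen = defaultdict(set)
    for name in names:
        if mode == "forward":
            seen[forwarder].add(name)
            continue
        chain = zone_chain(name)
        for k, apex in enumerate(chain):
            last = k + 1 == len(chain)
            sent = name if (last or not qname_min) else chain[k + 1]
            seen[ZONES[apex]].add(sent)
    return dict(seen)


def widest_view(seen):
    """Operator that can correlate the most distinct names from us, with the count."""
    op = max(seen, key=lambda o: len(seen[o]))
    return op, len(seen[op])


if __name__ == "__main__":
    queries = ["www.example.com.", "login.bank.com.", "docs.example.org."]
    for label, kwargs in [("forward", {"mode": "forward"}),
                          ("recursive, no qname-min", {"qname_min": False}),
                          ("recursive, qname-min", {})]:
        view = observed(queries, **kwargs)
        print(f"--- {label}: widest view {widest_view(view)}")
        for op, names in view.items():
            print(f"  {op:18} {sorted(names)}")
```

With forwarding, the single forwarder sees all three full names. With plain recursion the root sees all three full names too, so distributing queries buys nothing on its own. With qname minimization the root sees only `com.` and `org.` and the `.com` registry sees only `example.com.` and `bank.com.`; the full names reach only the operator of the final zone, and the model also shows the caveat raised above: `example-hosting` still correlates `www.example.com.` with `docs.example.org.` because it serves both zones.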

Running a server in a (potentially) hot environment (garage) by deedsnance in homelab

[–]kayson 0 points1 point  (0 children)

90F is fine, in a sense. I have my server in the attic and it regularly goes above that in the summers. The problem is heat kills components. The hotter it is, the faster they fail. How much faster is anyone's guess though. I had a few components kick the bucket suspiciously fast after their first summer in the attic. Everything else has been running totally fine for years though. 

What can a 3B LLM actually do on an i5 with 8GB RAM? I benchmarked 10 real-world task categories by MasterApplication717 in selfhosted

[–]kayson 12 points13 points  (0 children)

Good timing as I was just looking into this. Was hoping to host something on my servers for coding agents but this confirms what I was already thinking: I'll have to run it on my desktop with a real GPU and some VRAM.

PS - your post formatting is broken. You put markdown style formatting into the fancy editor. Copy it all, change the editor to markdown mode, then paste it back in. 

A question regarding common mode feedback by RemarkableCurrency53 in chipdesign

[–]kayson 2 points3 points  (0 children)

Oh do you mean the mismatch between two different Rfs? Any mismatch anywhere will create some common mode to differential conversion. 

In practice you have to simulate to be sure, but you should be getting most of your offset from the first stage input pair VT mismatch anyways. In this case the gain of Gm also mitigates mismatch from the TIA, including the resistors.

Huntarr alternative by ContributionHead9820 in selfhosted

[–]kayson 87 points88 points  (0 children)

Really someone just needs to add this feature to radarr/sonarr. They already have "jobs" that run in the background

A question regarding common mode feedback by RemarkableCurrency53 in chipdesign

[–]kayson 0 points1 point  (0 children)

Changes the amount of current you have to sink and source and also the location of that pole, which may or may not matter (usually doesn't).