Cyber security, infotech
Finding errors in a postfix log file is tedious work. The job gets even more complicated if you have to dig through old postfix log files which might no longer be relevant. logrotate comes to the rescue, but only if you configure it correctly. Here is how you can do it on Fedora.
[Updated 2022-11-30] This post explains how to set up robust security headers in NGINX to protect your web application from malicious payloads and other forms of attacks. Choose your HTTP(S) headers wisely.
In the stormy race of the digital transformation, the hybrid landscape of corporate IT is increasingly evading manageability. Could the control plane of a hyperscaler provide a lasting remedy? Would you need special hardware?
Here is one nifty service that can dig up useful information about a website, a domain or an IP address and it doesn’t cost a dime.
Many government agencies and multinationals alike have repeatedly fallen victim to hacking, but little to nothing has been done to fix the problem once and for all.
There is no silver bullet. In matters of cyber security, a so-called solution can only offer a time-limited value. Cyber security threats are always evolving. Cyber criminals never stand still. You have to keep shooting your silver bullets if you even happen to have them.
DNS-over-HTTPS protocol (IETF RFC8484) (DoH for short) is such a solution to the pressing cyber security problem of unencrypted communications. It was designed by the Internet Engineering Task Force, Google, Mozilla and others.
Actually, DoH sounds like something of an overkill. After all, HTTPs connections are encrypted already, so why bother implementing DNS over HTTPS?
DoH works by sending DNS requests via an encrypted HTTPS tunnel instead of using a classic plaintext UDP request.
Wait, there is more to it. DoH is not just encrypted, it works on the app level instead of the OS level. The idea behind DoH is to use DNS-over-HTTPS connections between an app (e.g. a browser or a mobile app) and an encrypted DoH-compatible DNS server, called a resolver.
The complete DoH-traffic relies exclusively on HTTPS without any exceptions. That’s the beauty of the DoH concept.
All DoH domain name queries are encrypted and then camouflaged in regular web traffic, which is in turn sent to the DoH-compliant DNS-resolver. The latter one replies with a domain name’s IP address over HTTPS.
While open source operating systems like Linux, BSD or Solaris are designed to be highly secure, commercial off-the-shelf operating systems like Windows and macOS usually don’t hold a candle to the standards of enterprise-grade security. As a house owner you wouldn’t secure just the front and the garage doors while keeping the side doors wide open. But that’s how commercial operating systems nowadays work.
Cyber security in commercial operating systems is only skin-deep. Where no one is looking, security is usually non-existent.
As a result of the DoH-design, apps can re-gain control of DNS queries from intentionally half-baked operating systems by hard-wiring a list of trusted DNS-over-HTTPS servers (resolvers). This way, you can set up a list of your own trusted IPs with trustworthy resolvers.
The list of cyber security mishaps reads like the Who is Who of the IT industry and government. No one seems immune. DoH is one way you can regain a bit of security.