Friday, July 13, 2018

Enabling DNSSEC on Cloudflare and Godaddy

In my previous post, I talked about how you can set up a local DNS resolver using a Raspberry Pi and how that device can utilize DNSSEC to validate the integrity of domain records as they pass through the intenets.  In this post, I would like to share with you my experience in configuring's DNS provider and registrar to support the feature.

As you can see from the short video, the process is relatively straightforward. does a pretty good job of making the setup easy.  If I have time over the weekend I'll run through the same process on my Google Cloud DNS to compare.

Thursday, July 5, 2018

Secure your DNS with DNS over HTTPS and CloudFlare

So I recently set up a spare Raspberry Pi at my house in order to act as a local DNS server which blocks requests based on ad-lists and rules.  The software that does this is called, appropriately, Pi-Hole and is fully open source.  This has been great because it works across all devices on the network without having to install ad-blockers on each device.

After running this setup for a while and having it use the standard Google Public DNS servers at, I found an article about a new public DNS service hosted by CloudFlare on, which is a much faster server.  Instead of responses in and around the 30-50ms range, the CloudFlare DNS server typically resolves hosts around 11-20ms, or almost twice as fast!

In addition to changing the Pi-Hole software to use this DNS resolver, I read that the CloudFlare DNS server is also offering DNS over HTTPS.  (Google Also offers this service)  This is great because normal DNS queries are sent unencrypted, meaning anyone on the network between you and the resolver can eavesdrop on your requests and log which sites and services you are visiting with minimal effort.  In addition, some Internet Service Providers have even gone so far as to modify the DNS responses to some sites in order to inject ads into your browsing experience!! (pure evil, IMHO)

In order to protect against this type of hijacking and eavesdropping, you can encrypt and send your DNS requests using the HTTPS protocol.  The same protocol which protects secure web sites like your bank from being intercepted and read while they travel over the internet.

The guide that I used for configuring the DNS over HTTPS proxy can be found here:

Another benefit of using Pi-Hole is that it supports DNSSEC, which everyone should be using.  DNSSEC adds signature verification to detect and prevent tampering with the records in transit.  It's an extra layer of protection to the HTTPS protocol and it's supported by the Pi-Hole.  (just make sure to turn it on, as it's off by default!)

Thursday, May 24, 2018

OpenStack Summit 2018 - Encrypt your Volumes with Barbican

Sorry for the lack of updates!

I had the privilege today to present at the 2018 OpenStack summit in Vancouver.  Thanks everyone who was able to make it out to see the session, and thanks for all the folks that made it possible. 

Here is the slide deck on SlideShare, and the recording of the talk can be found here:

Also, the videos I created for setting up your own OpenStack Queens PoC with Barbican can be found here:

Part 1:   (Deploying PackStack All-In-One OpenStack Controller)
Part 2:  (Deploying the Barbican API)