a random walk through technology

Eliminating cloud IPv4 costs with IPv6 and 464XLAT


The big 3 cloud providers charge for public IPv4 addresses. Going IPv6-only avoids that cost, but sometimes it’s still necessary to access services that are IPv4-only. In this post we’ll look at how to bridge the gap with 464XLAT, a technology originally developed for internet service providers.

We’ll focus on the case of an IPv6 client in the cloud making connections to remote IPv4 services. If you instead want to make a server in the cloud accessible by IPv4 clients, there are other solutions for that. Of course, both can be combined, even in the same VM.


A simple way to hide an SSH server behind TLS


If you host an SSH server on a public IPv4 address, then you’ll be greeted within minutes by an onslaught of password-guessing attempts from bots. On a quiet system the resulting failed logins can easily dominate the logs, and with some configurations they can even interfere with authorized logins. One solution is to hide the SSH server alongside an HTTPS server on the same port, and in this post I’ll describe how I’m doing that.


What I wish was covered in DNSSEC tutorials


Over the Christmas break I enabled DNSSEC on several of my domains. For a technology that’s been around for over two decades and viable to actually deploy for at least one, it was surprisingly hard to find a comprehensive guide on how to do it. In this post I’ll share what I learned from numerous tutorials, blogs, and RFCs.

Who is this for?

This post is focused on authoritative DNS. If you own a domain name then you have an authoritative DNS server. This is different from a recursive DNS server, which looks up names for you in other people’s domains. If you want to use DNSSEC for the latter, simply configure any validating resolver over a secure transport and you’re done.
