Unsupervised Design


A little bit of Homework

This past week I did a few homework projects applying some of the “best practices” from work to my home technology setup. My goal was to improve the security of my home network and the reliability of my hobby project infrastructure. Like any good homework it felt like I should “show my work”.

DNS Setup

Working for technology security companies has definitely made me a bit paranoid about device and home network security. I have run content blockers on my mobile devices, Little Snitch with block lists on my Mac, and even experimented with running a Pi-hole setup on my Mac Mini last year.

All of these options have resulted in different pain points:

  • The Pi-hole needed to be rebooted regularly and broke my guest Wi-Fi network
  • Content blockers
    • only work in Safari
    • only on my devices on the network (not my partner’s or things like a smart TV)
  • Little snitch was WAY overkill for my use.

For the last year I had mostly settled on a combination of Quad9 DNS and Cloudflare DNS (first 1.1.1.1 and more recently their malware-blocking 1.1.1.2), configured on my router, as the solution that got me the most benefit with the fewest headaches. It didn’t do much for me around per-device ad or malware blocking, but it was something.

Last weekend I found out about a startup, NextDNS, that might just be exactly what I wanted. First, this is my favourite kind of startup, one whose monetization plan is “charge people money”. It brings all the benefits of the Pi-hole DNS server without me having to run a DNS server in my house, plus the block lists I was using with Little Snitch were available in NextDNS. Early this week I configured my home network to use NextDNS and the graph below shows the early results.

Graph of DNS requests over the past week

Overall I am very pleased with the service as it has meant that I have to do less per device configuration, and I have also gotten to play with some DNS over TLS and DNS over HTTPS configurations.
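As an added illustration of what those DNS over HTTPS configurations actually exchange (this is not code from the post, from NextDNS or from any of the tools mentioned): a small Python script that builds an RFC 8484 DoH GET request the way a client would send it, and parses a constructed wire-format answer of the kind a filtering resolver returns for a blocked name. The resolver URL and its config id are placeholders, and the script assumes the resolver signals a blocked name with an A answer of 0.0.0.0, which is how NextDNS and Pi-hole’s default blocking mode commonly answer.

```python
"""Build a DNS-over-HTTPS (RFC 8484) GET request and parse a wire-format answer.

Added example for this post, not code from the author or from NextDNS.
Assumptions: the resolver URL and config id are placeholders, and a filtering
resolver answers blocked names with 0.0.0.0.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def build_query(name, qtype=TYPE_A, qid=0):
    """Encode a single-question DNS query in wire format (RFC 1035 section 4.1).

    RFC 8484 recommends a zero message ID for DoH so identical queries produce
    identical URLs that HTTP caches can reuse.
    """
    flags = 0x0100  # RD=1: ask the resolver to recurse
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url, name, qtype=TYPE_A):
    """RFC 8484 section 4.1: GET <url>?dns=<base64url(query)> with padding stripped."""
    wire = build_query(name, qtype, qid=0)
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def read_name(msg, offset, max_jumps=8):
    """Decode a possibly compressed name; return (name, offset after the name).

    Compression pointers (RFC 1035 section 4.1.4) can be made to loop by a
    hostile resolver or an on-path attacker, so the number of jumps is capped.
    """
    labels = []
    end = None
    jumps = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two high bits set: 14-bit pointer follows
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name ends after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (rcode, [(name, rtype, ttl, rdata), ...]) for the answer section."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, offset = read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return rcode, answers


def is_blocked(answers):
    """Assumed 'blocked' signal from a filtering resolver: an A answer of 0.0.0.0."""
    return any(rtype == TYPE_A and rdata == "0.0.0.0" for _, rtype, _, rdata in answers)


# Constructed sample: the answer a filtering resolver would give for ads.example.com.
SAMPLE_BLOCKED_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id=0, QR/RD/RA, 1 question, 1 answer
    b"\x03ads\x07example\x03com\x00\x00\x01\x00\x01"      # question: ads.example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"   # answer: ptr->name, A, IN, ttl 300, rdlen 4
    b"\x00\x00\x00\x00"                                   # rdata: 0.0.0.0
)

if __name__ == "__main__":
    # "abc123" stands in for a NextDNS configuration id; it is a placeholder.
    print(doh_get_url("https://dns.nextdns.io/abc123", "ads.example.com"))
    rcode, answers = parse_response(SAMPLE_BLOCKED_RESPONSE)
    print(rcode, answers, "blocked" if is_blocked(answers) else "allowed")
```

The GET form is what lets a shared HTTP cache in front of the resolver serve repeated lookups, which is why the message id is zeroed; the pointer-jump cap in `read_name` is the one defensive detail worth keeping in any hand-written DNS parser, since a looping pointer otherwise hangs the client.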

Terraform

For over a decade I have managed too many domains and run servers by hand, assuming that nothing would break and that I wouldn’t forget anything. Technically this bit of the homework didn’t happen this week; I actually started it 4 or 5 months ago and just tied a bow on it this morning. For those who don’t know what Terraform is, it is an infrastructure-as-code tool: you describe the infrastructure you want in configuration files, and every change is made by editing those files and applying them rather than by clicking through a provider’s dashboard.

I run a small server on Linode that hosts a few websites and is a place for me to run some little experimental side projects. The server itself is nothing complicated, but it felt good to move it from being something I created in a web dashboard to something that can be reliably recreated from configuration if I ever need to.

The more impactful use of Terraform was moving the DNS records for all of my domains into configuration files. Over the last decade I have moved the nameservers for my domains a few times, and every time it involved copying all of the entries by hand from one website to another. That was also the only time I would check for stale entries and remove anything no longer useful, which is not really the best process for managing anything. Having all the DNS records in a single file per domain makes them much easier to review, diff and update.

Cloudflare

The final bit of homework was that I decided to experiment with using Cloudflare’s CDN product on my domain. I have heard lots of good things about their ability to efficiently cache requests and responses so I thought it would be interesting to see what sort of impact that will have on this blog and on various videos, silly gifs, and random images that I host on my Linode instance.

It will be interesting to see how this performs over time. The early results are promising: in less than 2 hours I am already seeing almost 30% of all requests being cached and served from Cloudflare. Unlike with NextDNS or Terraform I don’t have a specific goal in mind with this experiment; this one is definitely more of a “just for fun” experiment.
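What a per-domain file like the one described in the Terraform section can look like once the domain is also fronted by Cloudflare, as an added example rather than the post’s own configuration: one Terraform file that declares the Linode server and the domain’s DNS records, with the web records proxied through Cloudflare’s CDN and the mail records left direct. The domain, provider versions, image, region, instance type, zone id and mail host are all placeholders.

```hcl
terraform {
  required_providers {
    linode     = { source = "linode/linode", version = "~> 1.0" }
    cloudflare = { source = "cloudflare/cloudflare", version = "~> 3.0" }
  }
}

variable "linode_token"         { sensitive = true }
variable "cloudflare_api_token" { sensitive = true }
variable "root_pass"            { sensitive = true }
variable "ssh_public_key"       {}
variable "zone_id"              {}  # Cloudflare zone id for the domain below (placeholder)

provider "linode"     { token = var.linode_token }
provider "cloudflare" { api_token = var.cloudflare_api_token }

locals {
  domain = "example.com" # placeholder domain
}

# The server, recreatable from this file instead of from the Linode dashboard.
resource "linode_instance" "web" {
  label           = "web"
  image           = "linode/debian11"
  region          = "us-east"
  type            = "g6-nanode-1"
  authorized_keys = [var.ssh_public_key]
  root_pass       = var.root_pass
  tags            = ["terraform"]
}

# Web records: proxied = true routes traffic through Cloudflare's CDN and
# publishes Cloudflare's address instead of the Linode IP. ttl = 1 means "auto".
resource "cloudflare_record" "apex" {
  zone_id = var.zone_id
  name    = local.domain
  type    = "A"
  value   = linode_instance.web.ip_address
  proxied = true
  ttl     = 1
}

resource "cloudflare_record" "www" {
  zone_id = var.zone_id
  name    = "www"
  type    = "CNAME"
  value   = local.domain
  proxied = true
  ttl     = 1
}

# Mail records stay unproxied (the default): Cloudflare's proxy only carries
# HTTP(S), so SMTP to a proxied MX target would simply fail.
resource "cloudflare_record" "mx" {
  zone_id  = var.zone_id
  name     = local.domain
  type     = "MX"
  value    = "mail.example-mailhost.net" # placeholder mail host
  priority = 10
  ttl      = 3600
}

resource "cloudflare_record" "spf" {
  zone_id = var.zone_id
  name    = local.domain
  type    = "TXT"
  value   = "v=spf1 include:_spf.example-mailhost.net -all" # placeholder policy
  ttl     = 3600
}

output "web_ip" {
  value = linode_instance.web.ip_address
}
```

The split between proxied and unproxied records is the part worth checking before applying: an MX target or any other non-web record that is accidentally marked `proxied = true` stops working, and `terraform plan` shows exactly which records are about to change before anything is touched, which is the review step the old copy-by-hand nameserver migrations never had.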

Let’s hope I didn’t break my email setup. 🤞🏻