Security

DNS over TLS using BIND and Nginx

Since our BIND server currently does not support TLS secured queries natively, we will be using Nginx rather than Stunnel to provide a secured endpoint. Not only is Nginx already part of our system, i...

Nftables netfilter rules

Nftables simplifies dual-stack handling and atomic rule updates compared to iptables, which replaces all rules even if only one rule needs to change. We will be using a table of address fam...

Securing transaction signatures using ACLs

Dynamic updates using TSIGs are relatively easy to set up in BIND. The mechanism for limiting keys to specific hosts and their IPs, on the other hand, may not be obvious. TSIGs provide point-to-poin...