Posts

DNS Load Balancing: The Easiest Free Solution You Can Set Up Today

Image
🏎️ The Analogy: 4WD vs. AWD (How Traffic Flows) 🧠 What Exactly is dnsdist? (The "Brain" of the Operation) Most of us are already familiar with DNS resolvers like AdGuard Home, Pi-hole, or BIND. They are responsible for translating website names (like google.com ) into IP addresses. But what is dnsdist ? Simply put, it is not a DNS server. It is a DNS-, DoS-, and abuse-aware load balancer . Using the store analogy: If your DNS servers are the Cashiers , dnsdist is the Store Manager and Security Guard standing right at the entrance of your shop. It doesn't have its own cash register, but it decides exactly where the customers should go. Here are the three main things it does for your network: 🔀 Smart Traffic Routing (Load Balancing): It doesn't just blindly pass traffic along. It evaluates which DNS server is available, responding quickly, and not overloaded before handing over the query. ⚡ Instant Caching: dnsdist has its own memory. If five devices in your ho...

IaC Tips(yaml and json)

Image
Separation of Concerns in IaC: Why We Pair YAML Templates with JSON Parameters When designing scalable Infrastructure as Code (IaC), one of the earliest architectural hurdles engineers face is configuration sprawl. Hardcoding values directly into infrastructure templates quickly leads to code duplication and maintenance nightmares. To solve this, a widely adopted industry best practice is the Separation of Concerns (SoC) : utilizing YAML for the core infrastructure blueprint and JSON for the environment-specific parameters. Here is a technical breakdown and practical guide on why this specific combination serves as an ideal design pattern for modern DevOps pipelines. Why the Split? (YAML vs. JSON) YAML for Main Templates: Highly readable and human-centric. It uses indentation instead of noisy brackets, making complex, multi-resource architectures easy to audit. It also natively supports inline comments ( # ) for documenting architectural decisions. JSON for Param...

Beyond the Spooler: Building a Fault-Tolerant Print & Scan Infrastructure for the Modern Home

Image
Summary Legacy USB multi-function peripherals are notoriously unreliable in modern multi-device households. Proprietary vendor software is often bloated, platform-dependent, and prone to "Printer Offline" errors. This case study details the engineering of a Network-Native Print & Scan Gateway using Proxmox VE, CUPS, and eSCL. 1. Why Virtualize? The Homelab Paradigm Deploying this within a Proxmox homelab environment offers critical engineering advantages: Hardware Abstraction: The print server is encapsulated in an LXC container, decoupling it from physical hardware. Snapshot Resilience: We utilize Proxmox snapshots as "undo points" for configuration changes. Resource Isolation: Negligible resource consumption (50-100MB RAM) in an isolated sandbox. 2. Network Topology [ Windows Clients ] [ macOS / Mobile ] │ │ └────────────┬───────────┘ ...

Architecting an Active Defense in a Network specifically with Mikrotik

Image
Automating OpenCanary Honeypot Integration with MikroTik In the modern cybersecurity landscape, relying solely on static firewall rules to drop packets is a failing strategy. Automated botnets and malicious actors constantly probe network perimeters. To truly secure an infrastructure—whether it is a complex enterprise environment or an advanced homelab—we need a system that actively fights back. Today, we are building an automated "Active Defense" pipeline that turns reconnaissance attempts into instant hardware-level bans. Network Security Topology - Honeypot to MikroTik Router Automation Flow 1. Core Concepts: The Deep Dive Before deploying code, it is critical to understand the architecture and why we select specific tools to make this setup completely "idiot-proof." The Honeypot (Decoy Concept): A honeypot is an intentionally vulnerable system placed on your network. It serves no legitimate business purpose. Therefore...

Architecting a Collaborative Defense: Integrating CrowdSec with Mikrotik

Image
In this post, we’ll move beyond static firewall rules and integrate CrowdSec with Mikrotik RouterOS v7 . We are shifting from a traditional "set-and-forget" firewall to an Intelligence-Driven Defense that reacts to global threats in real-time. The Goal To offload the heavy lifting of log analysis to a dedicated Debian 12 LXC and use the Mikrotik API to dynamically block malicious IPs at the edge. This setup ensures your router stays fast while benefiting from a global community of threat intelligence. Figure 1: Logical Topology of the CrowdSec Engine and Mikrotik Edge Enforcement. Why CrowdSec? Behavioral Analysis: It doesn't just look at IPs; it looks at patterns (e.g., SSH brute force). Community Powered: If an IP is banned in Europe or the US, it’s automatically added to your Mikrotik’s blacklist. Resource Efficient: The LXC does the "thinking," the Mikrotik does the "dropping." Note: This setup is p...

DNS Redundancy using Keepalived and VRRP

Image
Case Study: Non-Invasive High Availability DNS with AdGuard Home & Keepalived Ensuring 99.9% Uptime without modifying Core Router configurations. 1. Executive Summary In any home lab or small office, DNS is a critical service. A single point of failure here means a total network-wide "internet outage." This case study explores a Non-Invasive High Availability (HA) setup using AdGuard Home and Keepalived on Proxmox LXC . The goal: Zero downtime during maintenance while keeping the core router configuration simple and untouched. 2. Key Technical Concepts Keepalived: A routing software that monitors services and manages failover automatically. VRRP (Virtual Router Redundancy Protocol): The protocol used by servers to "talk" and share a single Virtual IP (VIP) . Keep Alive: A mechanism to check if a connection or a neighbor node is still active. Non-Invasive Design: Failover logic ...

Achieving High-Availability DNS

Image
Implementing Anycast with MikroTik OSPF and AdGuard Home In high-availability infrastructure, DNS is a non-negotiable critical service. Conventional "Primary and Secondary" DNS configurations often suffer from client-side timeout issues. By leveraging Anycast via OSPF , we ensure that DNS failover is handled instantly by the router, providing a truly redundant and load-balanced experience. I. The Evolution: Before vs After Traditional Setup (Unicast) Clients have two separate IPs. If Server 1 dies, the client "hangs" waiting for a timeout before trying Server 2. This causes perceptible delays. [ CLIENT ] (DNS: .3 & .4) | (Waiting for .3...) v +----------------+ | ROUTER | +-------+--------+ | +----+----+ | | v v [ ADGUARD 1 ] [ ADGUARD 2 ] (.88.3) (.8...