A domain made my home lab more accessible and more secure at the same time
If you rely on self-hosted services, spending a few dollars on a custom domain will make things more convenient and secure.
Jun 3rd, 2025
If you rely on self-hosted services, spending a few dollars on a custom domain will make things more convenient and secure.
Learn why reserving a domain name for your newborn is a proactive step in digital parenting, ensuring control over their online identity and future opportunities.
The PNG University of Technology has launched the change of its website address to in Lae on Friday, May 30, 2025.
This June marks the 11th anniversary of the ever-popular .xyz, and to celebrate, Domains.co.za is offering new .xyz registrations for just R18.99*...
Domain name are more than just a web address — they are vital part of your brand identity and SEO strategy. Selecting the ...
Thunderbolt uses domain names instead of phone numbers, promising privacy but raising questions about accessibility and ...
The Nigerian alleged that the defendants shut down his domain and business name and transferred the rights over the name to Google LLC.
Ethereum Name Service price is up 35% this past month as ENS hits a two-week high, but can the altcoin buzz sent it to $100 ...
Speaking at ETH Prague, Tim Berners-Lee said that if he were to build a domain system now, he’d make it more decentralized, ...
Many domain investors go out and find buyers or they get someone who contacts them through email or X. Those domain investors ...
Thunderbolt, a new app developed by domain registrar Spaceship, aims to replace phone numbers and email addresses with domain ...
Encrypted Client Hello (ECH) has been in the news a lot lately. For some background and relevant and recent content, see: IETF Proposed Standard Cloudflare Blog from 2023 announcing ECH support RSA 2025 talk: ECH: Hello to Enhanced Privacy or Goodbye to Visibility? Corrata White Paper “Living with ECH” Security Now podcast coverage of the above in Episode 1027 C Suite and Security Operators’ concerns about ECH The push for ECH primarily is of interest to privacy-seeking end users using an untrusted transit. The dynamics are at odds with security professionals responsible for their users and endpoints, regardless of transit. This blog article is written for the latter group. There are enough motivations for ECH adoption that it is bound to happen since ECH client support is already present in modern browsers. In my own lab network, I just checked my ech logs over the last few hours. These domains have been contacted, all via ECH: api.ecomsend.com app.backinstock.org cdn.discordapp.com discordapp.com oidc.iam.cfapi.net textify-cdn.com ublockorigin.pages.dev vector.im As articulated in Corrata’s White Paper titled “Living with ECH”, the following statement caught our attention: "A rapid increase in the use of Encrypted Client Hello would mean that it would no longer be possible to directly detect the destination of much internet traffic. Security tools designed to keep enterprises safe would lose some of the visibility they rely on.” In a world where security operators have good reasons to be concerned about the destination of any connection made over the internet, this is a legitimate concern, especially considering these two trends that the paper points out: Phishing use: "Our analysis of phishing detections shows that over 90% use Cloudflare infrastructure” Spike in ECH adoption: “The spike in detections of the cloudflare-ech.com domain observed in the latter part of 2024 was the catalyst for this research.” How SNI has traditionally been used for lightweight target domain detection Even encrypted traffic still offers the Server Name Identification in clear-text. This can be seen with a simple packet capture on any gateway, for example: gateway#: tcpdump -i eth1 port 443 -w capture.pcap (where eth1 is the LAN interface) For any device on the LAN of such a gateway, can attempt to make a browser connection to www.google.com and the packet capture will contain the domain as can be extracted like this: % tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name www.google.com The visited domain is available in plain text. At this point, it is trivial for the gateway security appliance to map the destination FQDN and allow (or deny) by policy. Most security appliances rely on this mechanism for detection, with or without a protective DNS resolver in play. How SNI fails when ECH is used If we repeat the same exercise as above for a domain where ECH is enabled, the packet capture does not include the actual visited domain, let’s use one of my visited domains from above, vector.im and we see the ech= response when making a TYPE65 query: endpoint$ kdig @1.1.1.1 +https TYPE65 vector.im +short 1 . alpn=h3,h2 ipv4hint=172.64.80.1 ech=AEX+DQBB3gAgACCtcqyZIqDPl/JQduQQfIk5c+oiXxPWNUECS9qO7zLoIwAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700:130:436c:6f75:6466:6c61:7265 gateway#: tcpdump -i eth1 port 443 -w captureECH.pcap endpoint$ curl -v -k --ech true --doh-url https://cloudflare-doh/dns-query https://vector.im % tshark -r captureECH.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name cloudflare-ech.com Note that there’s no vector.im showing up anywhere in cleartext. Only cloudflare-ech.com is visible. This is the loss of visibility that concerns the security community. Protective DNS to the rescue (partially) Any available Protective DNS Resolver can block by policy on a per-FQDN basis, whether known-bad or untrusted by another assessment. However, it is only a partial solution because of the ease of the endpoint using an alternate DNS resolver, including widely-available DoH providers such as 1.1.1.1. This is a common circumvention strategy used by browsers/applications as well as by malware. In such a case, the designated Protective DNS server isn’t even in use, so it offers no protection. The complete FIX: DNS at the root of trust The way this is accomplished is with Don’t Talk To Strangers (DTTS) which is a default-deny-all approach for every connection, unless first permitted by policy, and subsequently looked up by adam:ONE’s caching resolver. Each destination allow-rule is permits a single source and a single destination for the period of the Time To Live (TTL) offered to the query source. This includes well-known as well as unknown DoH servers. Note that it isn’t a list of known DoH servers to block. Here’s a logical flow of the DTTS approach: When DNS is treated as the root of trust for all network connections, every destination IP network connection is necessarily mapped back to a fully qualified domain name. The only exception to this would be for IPs that are not discovered by DNS, and are explicitly trusted. Closing other DNS vulnerabilities Hijack Do53 traffic destined anywhere except as authorized - this approach allows simultaneous convenience for any legacy endpoints using another DNS server (such as commonly hard-coded 8.8.8.8 operational devices), while still offering answers by policy Offer DNS encryption internally as well as upstream via DDR and DNR standards - this approach makes the DNS environment immediately compliant with CISA DNS Security standards Conclusion The biggest gains with this approach can be summarized as: ECH adoption no longer a security risk Security-focused: from before the connection begins, security is the proactive model, not a reactive one Lightweight - the replacement of the middle box now requires less horsepower, offers a faster experience with lower latency Future-proofed, when DNS is treated as the root of network trust 1 post - 1 participant Read full topic
The name Realm represents a domain or space where everyone has the freedom to grow, transform and thrive—however that may look like for them.
Thunderbolt, a new app developed by domain registrar Spaceship, aims to replace phone numbers and email addresses with domain ...
As we celebrate Africa Month this May, there’s no better time to embrace the power of the .africa domain name. The .africa ...
To actually protect DNS traffic, you need to use: DNS-over-HTTPS (DoH): Encrypts DNS queries using HTTPS protocol.
Crypto still uses names people can’t read or remember. That’s not just confusing — it’s risky. A better system could help ...
AllDomains, a leading multi-chain web3 name service provider, has announced the launch of .sol Plus, a new upgrade programme that transforms traditional .sol domains into renewable, revenue-sharing ...
The most recent news about crypto industry at Cointelegraph. Latest news about bitcoin, ethereum, blockchain, mining, cryptocurrency prices and more ...
Endpoints News announces URL change from endpts.com to endpoints.news effective June 1, 2025, with legacy redirects planned ...