The full writeup: one VPS sharing port 443 between a real site and a VLESS+REALITY tunnel, decoy validation, the nginx stream SNI mux, a Cloudflare-fronted CDN fallback, full sing-box client setup with TUN and mux, …
The defensive counterpart: how to catch encrypted tunnels - REALITY, VLESS-over-WebSocket, DoH, QUIC/MASQUE - with self-hosted, open-source tooling. Threat model and obfuscation levels, a controls-vs-evasions matrix, …
One VPS, one IP, port 443 shared between a real public website and a VLESS+REALITY tunnel on the same TCP socket. DPI cannot split them apart because both are real TLS.
Configure BIND9 as an authoritative server, recursive resolver, or both, covering zone files, ACLs, zone transfers with TSIG, DNSSEC signing, performance tuning, and testing.
Set up an outbound-only cloudflared tunnel that exposes local services through Cloudflare's edge without public IPs or inbound ports. Covers installation, ingress rules, DNS, systemd, token rotation, monitoring, and …
Protocols that encrypt DNS queries and responses: DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ). Covers transport, ports, RFCs, a protocol comparison, and implementation examples for systemd-resolved, …
Reference for common and specialized DNS resource record types, their syntax, and zone-file usage examples. Covers address, mail, security, service discovery, and DNSSEC records.
Windows Server DNS administration via the DnsServer PowerShell module: zone management, records, conditional forwarders, stub zones, zone transfers, scavenging, DNSSEC, DNS policies, and diagnostics.