RSA SecurID gone crazy

May 15, 2014


Twenty Billion Dollar note

January 9, 2014

from Instagram:

Don’t lean on me. I’m knackered.

May 7, 2013

from Instagram:

Bath Avenue bridge ready to be taken apart.

from Instagram:

Baking Bad

April 22, 2013

from Instagram:

One million volt particle accelerator

March 17, 2013

from Instagram:

Apollo 10 capsule

from Instagram:



The Power of Proxies in HTTP Streaming

February 7, 2013

On the 5th of December 2012, Budget Day, we had 59,689 unique viewers who generated 1.85 Gbit/s of traffic and 642 requests per second at peak.

[Graphs: Varnish transfer rates (day); Varnish hit rate (day)]


On the 6th / 7th of February 2013, the Government’s all-night session to pass the Irish Bank Resolution Corporation Bill 2013 had 8,168 unique viewers, who generated 2.2 Gbit/s of traffic and 657 requests per second.

[Graphs: Varnish hit rate (day); eth2 interface traffic (day)]


It is interesting that 8,000 viewers generated more traffic than nearly 60,000. This is because nearly everyone watching the all-night session was watching from home rather than from work, meaning more direct requests from viewers to our servers rather than via corporate HTTP proxies that would have cached the requests. A very good demonstration of the scalability of HTTP Adaptive Streaming.

Secure Microsoft DNS

March 30, 2012

Trying to set up a Windows domain with a publicly accessible domain name is more difficult than I had expected.

The setup

Set up two servers as domain controllers with DNS installed. Have all the servers in the domain use the domain controllers as their DNS servers, which means recursive DNS is enabled on the domain’s DNS servers / domain controllers.

The problem

If the DNS servers are publicly accessible and recursion is enabled, they are a security risk. But if I switch off recursion, the servers within the domain can’t find anything outside the domain, including security updates.

First try

Change the DNS setting on the servers in the domain to use a properly configured recursive DNS server (non-Microsoft) and switch off recursion on the domain controllers. This didn’t work since the new DNS servers did not return the SRV records needed to find the domain controllers. This can be set up, but it seemed like a lot of work and a fragile setup.

Second try

The domain controllers have recursion switched on, but only respond to servers within the domain’s network and the two non-Microsoft DNS servers. The non-Microsoft DNS servers act as secondary DNS. So when a DNS query is done externally, the secondaries respond since the primaries block the external queries. This worked reasonably well, but there were failed and slow DNS queries because the primaries don’t respond.


The solution I have currently is: the domain controllers respond to external queries and have recursion switched off. The servers in the domain use two Microsoft DNS servers, not the domain controllers, which have recursion switched on and do not respond to queries from outside the domain. These new DNS servers also have conditional forwarders set up for the domain’s DNS name, pointing at the domain controllers.

The domain controllers and DNS servers are virtual machines, so the resource usage is not as bad as having four physical servers.

The ideal solution would be that Microsoft fixed their DNS server to allow recursion from defined address ranges.
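
A way to check the final layout from a host outside the domain's network, as an added example that is not part of the original post: it sends a query with the recursion-desired bit set for a name outside the domain and reads the recursion-available (RA) flag in the reply. The role names `dc` and `resolver`, the function names and the sample responses are assumptions made for the illustration.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """A-record query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp):
    """Decode the fixed 12-byte DNS header of a response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": ancount}

def probe(server, name, timeout=3.0):
    """Query `server` over UDP/53; return the header dict, or None if no reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            resp, _ = s.recvfrom(4096)
            hdr = parse_header(resp)
        except (OSError, ValueError):  # timeout, unreachable, or junk reply
            return None
    return hdr if hdr["qr"] and hdr["txid"] == 0x1234 else None

def verdict(role, hdr):
    """Judge a probe made from OUTSIDE the domain network for an outside name."""
    if role == "resolver":  # internal recursive server: must stay silent
        return "ok" if hdr is None else "FAIL: resolver reachable from outside"
    if hdr is None:         # domain controller: must answer, without recursion
        return "FAIL: domain controller did not answer"
    if hdr["ra"] or (hdr["answers"] and not hdr["aa"]):
        return "FAIL: recursion offered to outside clients"
    return "ok"

if __name__ == "__main__":
    # Constructed responses (header only), not captured traffic.
    refused = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)   # RA=0, REFUSED
    open_rec = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # RA=1, 1 answer
    print(verdict("dc", parse_header(refused)))
    print(verdict("dc", parse_header(open_rec)))
    print(verdict("resolver", None))
```

Against live servers, call `verdict("dc", probe(address, name))` for each domain controller and `verdict("resolver", probe(address, name))` for each internal DNS server, using your own addresses and a name outside the domain.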