System Administration

Docker on Fedora 31 and 32

For “Developing inside a Container” with Visual Studio Code, one of the requirements is to use Docker Community Editon as the version of Docker that ships with Fedora is too old and misses certain features. Also the new Docker alternative Podman from Red Hat isn’t supported by Visual Studio Code.

After installing Docker CE on Fedora 31, cgroups version 1 needs to be enabled as Linux switched over to cgroups version 2, but Docker still depends on version 1. With the commands below cgroups version 1 can be enabled again and requires a rebooting of the system.

$ sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
$ sudo systemctl reboot

Now with the upgrade to Fedora 32 something interesting happens as firewalld is switching from iptables to nftables as a new way to do firewalling on Linux. It basically stops all traffic for the docker0 network and made Molecule fail to build container images for the tests. With a simple test as in the example below, the broken situation can be confirmed.

$ docker run busybox nslookup
 ;; connection timed out; no servers could be reached

One of the solutions is to put containers directly into the host network, but this is unwise as it exposes containers to network and directly reachable for others. Another solution that requires fewer changes is to assign docker0 interface to the trusted zone within firewalld.

$ sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
$ sudo firewall-cmd --reload

Running the test case again, then it gives back the correct result as the container can communicate again via the docker0 interface to the assigned name server.

$ docker run busybox nslookup
 Non-authoritative answer:

While this solves the problems with Docker for now it is good to know that these changes should be temporary as Docker needs to support cgroups version 2 as support for version 1 may be dropped in the future. Secondly firewalld needs to get propper nftables support as the migration from iptables currently isn’t as smooth as it should be.

Software Development

PowerDNS service for get coordinates for IPv4 addresses

Bert Hubert from PowerDNS made an interesting announcement today. Retrieving the coordinates for an IPv4 address with just a DNS query.

Hopefully the country code will also be included, but this is an interesting way of using DNS as a directory service with public data.

System Administration

Removing SPF Resource Records

With the creation of RFC 4408 also new a record type 99 for DNS was created to identify SPF Resource Records. It was advised to have both TXT and SPF records in DNS with the same content.  RFC 4408 was obsoleted by RFC 7208 in 2014 with paragraph 3.1 stating the following:

SPF records MUST be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035] only. The character content of the record is encoded as [US-ASCII]. Use of alternative DNS RR types was supported in SPF’s experimental phase but has been discontinued.

RFC 7208, paragraph 3.1

Now that the SPF Resource Record has been discontinued for a while, the time has come to remove it from DNS (if not done already) and make sure it never comes back. Luckily most code libraries already preferred the TXT variant, but still, this is one to put on the maintenance checklist to remove it for any application code and/or infrastructure.

Security & Compliance

Emoji in URLs are probably a bad idea…

On the dns-operations mailing list, there were already discussions about parties who bought domains like ?.com (, but the following is also an interesting development.

When will we find pages with “special” Web Open Fonts and that become active when you press Ctrl-Shift?

Internet, Unix en security Life and society

Blocking the piratebay

In a previous post, it became clear that censorship in The Netherlands has started. Due to the nature of the Internet and how it has been implemented in most lands, it means there is no central point of control to stop all to an IP-address. This means every network owner needs to take action, but how do they do it?

In the case of, it looks like it has been done by manipulating DNS-answers. The first attempt is just using the DNS-resolver from the internet access provider and the second is an attempt using Google public resolvers.

$ dig

; < <>> DiG 9.8.1 < <>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER< <- opcode: QUERY, status: NOERROR, id: 6811
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;		IN	A


;; ADDITIONAL SECTION:	10	IN	TXT	"Forged by XS4ALL for Stichting B.R.E.I.N."

;; Query time: 19 msec
;; WHEN: Sat Feb  4 08:15:35 2012
;; MSG SIZE  rcvd: 104

$ dig @

; <<>> DiG 9.8.1 < <>> @
;; global options: +cmd
;; Got answer:
;; ->>HEADER< <- opcode: QUERY, status: NOERROR, id: 4847
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;		IN	A


;; Query time: 26 msec
;; WHEN: Sat Feb  4 08:16:16 2012
;; MSG SIZE  rcvd: 50

By just changing DNS resolvers on the client or internet router the censorship can be bypassed for now. The question remaining is how long this is going to stand when the first article is published by a big computer magazine on how to bypass it. Or when sites also get a .onion to bypass DNS completely.