Today I Learned

Microblogs of some small things I've learned.

Using dynamic DNS for home server

Nov 28, 2024

People often joke about sharing a localhost URL with others, but there are scenarios where exposing a local port to the internet is genuinely useful, as anyone running their own media server or self-hosted cloud service can relate. Many internet providers use CGNAT for IPv4, which, combined with NAT in home routers, complicates exposing local services to the internet. While this is beneficial for security, it can be frustrating for those who know what they are doing.

With the advent of IPv6, things are changing. ISPs are now providing public IPv6 addresses. By opening the necessary port in your router’s firewall, you can access your local services using the public IPv6 address from anywhere. The challenge, however, is that IPv6 addresses are typically dynamic and change frequently. This is where dynamic DNS comes into play. By obtaining a domain name and running dynamic DNS software, you can keep the DNS record updated whenever the IPv6 address changes. This allows you to access your local services using a static domain name instead of the ever-changing IPv6 address.

Exposing local services to the internet can heavily undermine the security of your network. It is not recommended unless you know what you are doing.

Here is my setup of Plex media server with dynamic DNS: https://gist.github.com/ramenhost/9d26175abcbebf5c739e8de7d3ec3d13


Typecasting pointers in C is arch-dependent

Nov 12, 2024

I’ve been writing C for 8 years and have confidently downcast pointers after checking for value overflow. Today I learned that typecasting pointers to a smaller datatype works only on little-endian architectures. On big-endian systems, the pointer will reference the most significant bytes, leading to unexpected results. I realized this the hard way when my OpenSSL PR failed CI tests on big-endian architectures.

C pointer typecasting issues with big-endian
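
The failure mode described above, as an added example (not the code from the OpenSSL PR): it lays out a 64-bit value in both byte orders using byte arrays, so the big-endian result is reproducible on any host. All function names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Lay out v in memory the way a big- or little-endian machine stores it. */
static void store_u64(unsigned char mem[8], uint64_t v, int big_endian)
{
    for (int i = 0; i < 8; i++)
        mem[i] = (unsigned char)(v >> (big_endian ? 8 * (7 - i) : 8 * i));
}

/* What *(uint32_t *)&v reads: the first 4 bytes at the object's address,
 * assembled in the machine's own byte order. */
static uint32_t load_first_u32(const unsigned char mem[8], int big_endian)
{
    uint32_t r = 0;
    for (int i = 0; i < 4; i++)
        r |= (uint32_t)mem[i] << (big_endian ? 8 * (3 - i) : 8 * i);
    return r;
}

/* Simulated pointer downcast of a 64-bit object on the chosen byte order. */
uint32_t downcast_via_pointer(uint64_t v, int big_endian)
{
    unsigned char mem[8];
    store_u64(mem, v, big_endian);
    return load_first_u32(mem, big_endian);
}

/* Portable form: range-check, then convert the value rather than the pointer.
 * Returns 0 on success, -1 if v does not fit in 32 bits. */
int downcast_value(uint64_t v, uint32_t *out)
{
    if (v > UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    uint64_t v = 42; /* constructed sample: fits in 32 bits, so the range check passes */
    uint32_t safe = 0;
    printf("pointer cast, little-endian: %u\n", (unsigned)downcast_via_pointer(v, 0));
    printf("pointer cast, big-endian:    %u\n", (unsigned)downcast_via_pointer(v, 1));
    if (downcast_value(v, &safe) == 0)
        printf("value conversion:            %u\n", (unsigned)safe);
    return 0;
}
```

In real code the direct cast also violates C's strict-aliasing rules, which is a second reason to convert the value instead of the pointer.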


Cloudflare knows what http library you use

Sep 20, 2024

On X, @zoriya_dev shared an issue where an API request was blocked by Cloudflare when using Python’s aiohttp library, while the same request worked fine with curl and the requests library. People got together to investigate the issue.

Initial analysis suggested that Cloudflare was blocking requests based on the User-Agent header. However, this theory was quickly disproven as the User-Agent header was identical in both aiohttp and curl requests. Even after ensuring that the entire HTTP request was the same for both libraries, the issue persisted. This indicated that the detection mechanism was operating at a lower level, likely involving TLS records.

Using Wireshark, I discovered that the TLS extensions differed between aiohttp and curl. By adding any single TLS extension to aiohttp, the block was bypassed, effectively disrupting the blacklisted fingerprint.

Adding TLS extension to bypass TLS fingerprinting

TLS fingerprinting is a common technique used by Cloudflare and other services to detect bots and malicious traffic. Cloudflare offers varying degrees of protection that can be configured by the domain owner. In this case, it is possible that the domain was put in a higher protection level where the TLS fingerprint of aiohttp is blacklisted.


This post is licensed under CC BY 4.0 by the author.