Having Fun With: DNS Records + Signed Certificates + Cryptographic Algorithms!

So I was experimenting, and if you can get signed certs from Let's Encrypt and DNS records from Cloudflare, then you could store your public signed certificate as a set of split TXT entries which anyone could verify with a set of trusted root certificates. You can then use the private key to sign an encryption key (stored as another TXT record) along with the encrypted message (also another TXT record).

This would allow you to sign, store, and send short messages (in a single direction) with integrity and authenticity through a plain-text protocol (as long as the root certs exist)! Confidentiality is the weak part: the "encryption key" record is a raw RSA signature over the SHA-256 of the message, and anyone who can fetch the certificate (it is published in DNS) can recover that key with `rsautl -verify`, which is exactly what the decrypt branch of the script below does. Treat this as a signed broadcast rather than a private channel.

Verification Chain:

  • The message data is hashed into -> The encryption key
  • The encryption key is signed with -> The private key
  • The private signature is decrypted with -> The public key
  • The public key is embedded into -> The signed certificate
  • The signed certificate is verified with -> The root certificates
  • The end verify -> The root certificates + The domain name + The expiry time
# ./dns_fun.sh fossjon.com d

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
            Not Before: Oct  9 18:35:11 2021 GMT
            Not After : Jan  7 18:35:10 2022 GMT
        Subject: CN=*.fossjon.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)


this is just a test of the emergency broadcast system, this is not the real thing!

#!/bin/sh
# usage: ./dns_fun.sh <domain> e "<message>"   (prints the three TXT record values to publish)
#        ./dns_fun.sh <domain> d               (fetches z.pubcrt / z.pubkey / z.pubmsg and decrypts)
# the "e" side needs privkey.pem and crt.pem in the current directory
d="$1" ; z="$2" ; m="$3"

# split a base64 blob into 255-character lines (the per-string limit inside a TXT RDATA)
b64txt() { base64 | tr -d '\n' | fold -w 255 ; }

if [ "$z" = "e" ] ; then
  # the encryption key is the sha256 of the message; it is both the AES passphrase and the value that gets signed
  h=$(echo "$m" | openssl dgst -sha256 -r | awk '{ print $1 }' | tr -d '\t\r\n')

  # z.pubmsg: the message encrypted under that key (fixed salt, so the same message always yields the same record)
  e=$(echo "$m" | openssl enc -aes-256-cbc -e -k "$h" -S 00 | b64txt)
  echo "$e" ; echo

  # z.pubkey: the key signed with the certificate's private key (raw PKCS#1 v1.5, no digest step;
  # rsautl is deprecated in OpenSSL 3, pkeyutl -sign / -verifyrecover are the replacements)
  s=$(printf '%s' "$h" | openssl rsautl -sign -inkey privkey.pem | b64txt)
  echo "$s" ; echo

  # z.pubcrt: the certificate as DER, base64 encoded without the PEM armour
  p=$(grep -iv '^---' crt.pem | base64 -d | b64txt)
  echo "$p" ; echo
fi

if [ "$z" = "d" ] ; then
  crt=$(mktemp)
  # rebuild a PEM certificate from the TXT strings (dig returns them quoted and space separated)
  c=$(dig "z.pubcrt.$d" txt +short | tr -d ' "\n' | base64 -d | base64 | tr -d '\n' | fold -w 64)
  ( echo '-----BEGIN CERTIFICATE-----' ; echo "$c" ; echo '-----END CERTIFICATE-----' ) > "$crt"

  # this only prints the certificate; it never checks it against the root CAs, the domain name
  # or the expiry, so the "end verify" step of the chain above is still up to the reader
  t=$(openssl x509 -text -noout -in "$crt" | grep -i 'exponent' -B 64)
  echo "$t" ; echo

  # recover the signed key using nothing but the public key inside the certificate
  v=$(dig "z.pubkey.$d" txt +short | tr -d ' "\n' | base64 -d | openssl rsautl -verify -certin -inkey "$crt")
  echo "$v" ; echo

  o=$(dig "z.pubmsg.$d" txt +short | tr -d ' "\n' | base64 -d | openssl enc -aes-256-cbc -d -k "$v")
  echo "$o" ; echo
  rm -f "$crt"
fi


Using Cloudflare NS Records For Better Web Proxying & DNS Service

So I decided to switch the nameserver records on my fossjon.com domain over to Cloudflare's service for two different reasons. One is that they offer more advanced HTTPS reverse proxying tech, along with a better DNS management interface as well! I still have the domain registered with Google Domains as they also offer pretty good MX record email forwarding via Gmail.

Cloudflare won't let you directly rewrite the HTTP Host header field anymore; however, they will let you set up a more advanced HTTP JavaScript Worker process. This process can handle the incoming web proxy requests along with the outgoing responses and perform modifications on them. This is an extremely powerful framework and it behaves more like a proper reverse proxy server would!

I created a GitHub repo to track the worker javascripts: github.com/stoops/cfworkers

Note: It seems like CF offers a better DNS API service; however, I couldn't yet find a DNS backup button to help save all my records locally (the script below is a hacky way to get a web archive file, but at least it's sorted nicely).

// Paste into the browser console on the Cloudflare DNS records page: reads the records
// table into m[name][type] = [[value, ttl], ...], then replaces the page with a plain
// sorted table that can be saved as a web archive.
var t = document.getElementsByTagName("table")[0];
var s = t.getElementsByTagName("tr");
var m = {}, l = [], z = 1;
for (var i = 0; i < s.length; ++i) {
  var d = s[i].getElementsByTagName("td");
  if (d.length > 4) {
    var k = d[2].innerText.trim();
    if (k.endsWith(".com")) { k = "@"; }   // the zone apex itself (adjust the suffix for other TLDs)
    if (!(k in m)) { m[k] = {"r": []}; l.push(k); }
    var r = d[1].innerText.trim();
    if (!(r in m[k])) { m[k][r] = []; m[k]["r"].push(r); }
    m[k][r].push([d[3].innerText.trim(), d[4].innerText.trim()]);
  }
}
// record values (TXT in particular) can contain markup, so escape them before building HTML
function esc(x) { return x.replace(/[&<>"']/g, function(c) { return "&#" + c.charCodeAt(0) + ";"; }); }
var b = "style='border: 1px solid black;padding: 4px;white-space: nowrap;'";
var o = "<table style='padding: 8px;'><tr><th "+b+">No.</th><th "+b+">Time</th><th "+b+">Record</th><th "+b+">Type</th><th "+b+">Value</th></tr>";
for (var i in l) {
  var k = l[i];
  for (var j in m[k]["r"]) {
    var r = m[k]["r"][j];
    for (var d in m[k][r]) {
      o += ("<tr><td "+b+">"+z+"</td><td "+b+">"+esc(m[k][r][d][1])+"</td><td "+b+">"+esc(k)+"</td><td "+b+">"+esc(r)+"</td><td "+b+">"+esc(m[k][r][d][0])+"</td></tr>"); ++z;
    }
  }
}
o += "</table>";
// rename the site's script tags so the saved archive does not carry runnable scripts, then swap the body
document.head.innerHTML = document.head.innerHTML.replace(/script/ig, "xscript");
document.body.innerHTML = o;

Star Cert via Let’s Encrypt via DNS TXT via Docker Container (manual process)

Source Code: https://github.com/stoops/dockerssl

If you want to get a wildcard certificate with Let's Encrypt then you'll have to use the DNS verification method (the dns-01 challenge). I made an example Dockerfile and script that can quickly and easily spin up a Debian container to install and run the certbot application. You can then connect to the container via a local URL and interact with the process to set up the TXT record, verify the DNS entry, and then download the signed cert chain + key PEM files!

Note: I do wish Google had API access to their Domains service, which would allow for automated TXT records!

Check that the private key belongs to the certificate (both modulus hashes must be identical):

$ c=fullchain.pem ; k=privkey.pem ; openssl x509 -noout -modulus -in $c | md5 ; openssl rsa -noout -modulus -in $k | md5

$ openssl x509 -text -noout -in fullchain.pem

        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
            Not Before: Oct  9 18:35:11 2021 GMT
            Not After : Jan  7 18:35:10 2022 GMT
        Subject: CN=*.fossjon.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
            X509v3 Certificate Policies:
                  CPS: http://cps.letsencrypt.org
    Signature Algorithm: sha256WithRSAEncryption
$ openssl s_client -connect lo.fossjon.com:8443

Certificate chain
 0 s:/CN=*.fossjon.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=R3
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
SSL handshake has read 4628 bytes and written 289 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A9CA7F699D780CFD9FAFBC197FDBA14FC4307F225CE6C90E55CE0658E3055F8
    Master-Key: C84D32162158587663310FB67F482AE63CA9F964158B74C1E40806D8915E1B25AFB3DC2F22E15D58450F7CFCA0FAA8B4
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 48 82 2b be 43 84 b1 13-11 7a e5 bf 39 97 89 55   H.+.C....z..9..U
    0010 - 43 41 ce 61 42 f8 16 e7-89 28 67 af 8d 73 6d 5c   CA.aB....(g..sm\
    0020 - 60 c0 13 20 cc e9 77 0d-5a 34 73 50 85 23 57 b0   `.. ..w.Z4sP.#W.
    0030 - 10 fd 8e c7 6b d4 37 8b-59 4e f4 30 b3 46 b4 d7   ....k.7.YN.0.F..
    0040 - aa c6 79 ff c0 f9 50 c2-54 f0 8e ca 64 3e 49 15   ..y...P.T...d>I.
    0050 - f5 42 fa 29 12 73 a6 f2-92 b0 a8 e0 9f 13 fa 89   .B.).s..........
    0060 - d1 8c c0 93 19 bf ea 81-32 0c 86 e7 37 42 f8 20   ........2...7B.
    0070 - f6 9d 94 d3 38 d8 c9 38-07 9f b6 99 79 b5 43 6a   ....8..8....y.Cj
    0080 - c5 11 fd a1 30 3a d6 e0-74 d3 ba b6 6f 35 47 f4   ....0:..t...o5G.
    0090 - eb c9 af c3 0f 69 95 9f-d1 4c f2 21 80 cc b5 db   .....i...L.!....
    Start Time: 1633812734
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
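
The checks worth running on what certbot hands back before the files go anywhere, as an added example (not code from the post or the dockerssl repo). It builds a throwaway EC key and certificate for `*.example.test` inline, standing in for privkey.pem / fullchain.pem, so it runs offline; the zone name and file names are assumptions. The key check compares the whole public key rather than the RSA modulus, so it also covers the EC certificates Let's Encrypt issues, and the host-name check shows what a wildcard does and does not cover.

```shell
#!/bin/sh
# Added example, not from the post or the dockerssl repo. Needs sh and openssl 1.1.1+.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Throwaway material in place of certbot's output (assumed names, self-signed).
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
openssl req -x509 -config req.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 30 -subj '/CN=*.example.test' \
        -addext 'subjectAltName = DNS:*.example.test' \
        -keyout privkey.pem -out fullchain.pem 2>/dev/null
openssl genrsa -out wrongkey.pem 2048 2>/dev/null      # for the negative case

# 1. Key matches certificate. Comparing the SubjectPublicKeyInfo works for RSA
#    and EC keys alike; the -modulus trick above is RSA-only.
key_matches_cert() {  # cert_file key_file
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 2. The name about to be served is actually covered. A wildcard matches exactly
#    one label: *.example.test covers www.example.test but neither the apex
#    example.test nor a.b.example.test.
cert_covers() {  # cert_file hostname
  openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}

# 3. Not expiring inside the renewal window (Let's Encrypt certs live 90 days and
#    renewing with 30 left is the usual rule). Non-zero when it expires sooner.
valid_for_days() {  # cert_file days
  openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

key_matches_cert fullchain.pem privkey.pem  && echo 'privkey.pem matches fullchain.pem'
key_matches_cert fullchain.pem wrongkey.pem || echo 'wrongkey.pem does not match'
cert_covers fullchain.pem www.example.test  && echo 'www.example.test is covered'
cert_covers fullchain.pem example.test      || echo 'apex example.test is NOT covered'
valid_for_days fullchain.pem 7              && echo 'more than 7 days left'
valid_for_days fullchain.pem 45             || echo 'expires within 45 days'
```

Run the same three functions against the real fullchain.pem / privkey.pem pair before pointing a server at them; a mismatch or an uncovered apex name is far cheaper to find here than in a browser error.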

Reddit Refresher Javascript Bookmark

Note: This is only compatible with the good old.reddit.com website!

// Re-fetches the current listing every ~9 minutes, inserts posts that are not on the
// page yet at the top, and shows the last refresh time in the menu area.
function w() {
  document.title = (document.title + " . [*]");
  var y = Math.random(), x = new XMLHttpRequest();
  x.onload = function() {
    var c = 0, d = document.createElement("div");
    d.innerHTML = this.responseText;   // parse the fetched listing off-screen
    var l = d.getElementsByClassName("thing");
    for (var i = (l.length - 1); i >= 0; --i) {
      var p = (l[i].getAttribute("data-permalink") + "");
      if (!p.startsWith("/r/")) { continue; }
      var f = 0, z = [null, null]; c = 0;
      var m = document.getElementsByClassName("thing");
      for (var j = 0; j < m.length; ++j) {
        var q = (m[j].getAttribute("data-permalink") + "");
        if (!q.startsWith("/r/")) { continue; }
        if (q == p) { f = 1; }               // already on the page
        if (!z[0]) { z[0] = m[j]; }          // first post on the page
        c += 1; z[1] = m[j];                 // last post on the page
      }
      if (c > (36 - (parseInt(y * 5) + 1))) {
        // the body of this branch is not present on the page
      }
      if (f == 0) {
        z[0].parentNode.insertBefore(l[i], z[0]);
      }
    }
    var a = (new Date() + "").replace(/[ ]*[^ ]*-.*$/, "");
    var h = ("<b><font color='red'>" + a + "</font></b> &nbsp; &nbsp; pop in: ");
    document.getElementsByClassName("menuarea")[0].getElementsByTagName("span")[0].innerHTML = h;
    document.title = ("(" + c + ") . reddit");
  };
  var s = "?", r = location.href;
  if (r.includes("?")) { s = "&"; }
  x.open("GET", r + s + "r=" + y);   // cache-busting query parameter
  x.send();
}
w(); setInterval(w, ((9 * 60) + 1) * 1000);

Decided to purchase a domain for 2021

So I thought I’d try something new/different these days and buy a domain again! I’ve purchased some in the past but never made much use of them personally speaking…

Domain Example: [fossjon.com]/2021/10/06/…a-domain-for-2021/

I chose Google Domains because they offered some extra valuable & useful features:

  • easy record management
    • whois info privacy
    • backup yaml file
  • email forwarding inbound
    • including mx-records
    • including star-matching
  • web redirection proxying
    • including sub-domains
    • including preserve-paths
    • including https-certificates
  • outbound email records (spf+dmarc)

The only thing I can’t do is send email outbound with a domain address via gmail itself (without an extra smtp server setup) because Google removed the ability to modify the FROM field in the message headers directly with an alias email (it now requires a persistent external smtp auth login)!

Edit: If you can find a third-party smtp mail provider that allows you to add & verify email aliases more easily, you can instruct gmail to connect to that external smtp server with your other account and then you’ll be able to send email from an alias address via gmail directly!

Got a score of 90+ which is not-too-bad for a super-simple domain-name email address!

$ dig fossjon.com txt | grep -i spf

fossjon.com.		550	IN	TXT	"v=spf1 include:_spf.google.com include:_spf.mail.yahoo.com ~all"

# dig fossjon.com txt +short | grep '!' | tr -d '"' | base64 -d

A history of cell phone ownership…

I wanted to make a historical list of phones that I’ve owned over the years and the reasons why I purchased them in particular. I generally buy phones on the ‘S’ year (tick-tock cycle) when the small improvements have been made to it over time versus the major redesign years!

2007: An important day to remember in the history books…

<=2009: A long, long time ago we used to have flip phones, and at this point I had a BlackBerry Pearl!

2010: One of the first affordable smart phones I owned was the HTC Desire which ran an early version of Android OS and it was very mod-able/customize-able at the time vs the first iPhones back in those days!

2011: After some time of using an Android phone I remember my main complaint being that the battery life barely got me through the day. I then received a hand-me-down phone called the Apple iPhone 4S which had a beautifully-solid-all-glass design, much better battery life, and my first intro to iOS which felt much more put together but more limited in terms of what it allowed me to do with it!

2012: I then switched back to vanilla Android with the Google Nexus 4 because it offered a bigger screen size, a clean OS / unlocked phone, and it was a very low price compared to the competitors. Battery life again was so-so but the back glass looked amazing and sparkly!

2013: I switched back again to the Apple side with the Apple iPhone 5S even though it had a smaller screen size compared to the Android phones. I liked the square edge design in the Gold color and mainly because it was the first phone in the whole market to offer a fingerprint unlock. I grew tired of entering in the long PIN codes by hand with the Nexus and I also got the good battery life back again!

2015: I kept the 5S for a bit and then upgraded to the Apple iPhone 6S for the same reasons as before except this time it offered the bigger screen size and greater battery life. However, it was still an LCD panel compared to the Android phones which were leading the way with their more advanced screen technology!

2017: I had been waiting since the 6S for Apple to release a bigger-sized-but-less-than-6-inches, edge-to-edge OLED screen and they never did for quite some time. So I purchased the Samsung Galaxy S8, which offered the best quality screen on the market in addition to a headphone jack, a fingerprint reader, and a modern version of Android OS. My main issue with this phone was not so much the phone part but the Samsung-as-a-company part, where they only provided us with 2 years' worth of OS updates for a thousand-dollar phone… We also couldn't unlock the boot-loader very easily (to upgrade the OS manually) or remove their forced apps (press F in the chat for Bixby) and I was getting worried about the security of the device over time!

2020: After nearly 5 years of waiting, Apple finally released a phone that had a smaller-than-6-inches + edge-to-edge OLED display. It was called the iPhone 12 Mini and I immediately purchased it and retired my old Samsung phone. I really appreciated the form factor of this phone and what it had to offer. Even though I do miss the headphone jack and fingerprint unlocker, it is very hard to find a small-sized, full-screen phone these days for those of us with smaller hands!

2021: And now, back to today, with the Apple iPhone 13 Mini Blue — it’s the ‘S’ year again! 🙂


Trying to live a simpler life

Gear List:

So I have been waiting and saving up for the future-rumoured M1X Macbook Pro (while still hanging on to my 2017 Macbook Air, for nearly 5 years now). I also have been trying to support the sales of the iPhone Mini because it’s such a great form factor and size and the rumours are saying that Apple may not produce it next year with the iPhone 14! :/

– –

Since I have been working from home during this fall/winter season up north, in the woods, I also setup a mini-network here with a nice: UniFi tri-band-ac POE-UAP, Netgear gigabit-ethernet POE-SWITCH, and the famous TP-Link archer C7-V5 OpenWRT ROUTER+FIREWALL. These all make for a great, stable, and reliable home network configuration when used together! 🙂


The last of the Intel Mac Mini is upon us!

So before Apple’s last event, I decided to buy a brand-new-yet-also-pre-out-dated Intel Mac Mini to use as a WiFi bridge / router / firewall in place of the Linksys WRT32X. It took me a little bit to re-figure out the BSD Packet Filter firewall again but I got some good routing speeds out of it (I had to use the NAT option in PF because without it I was only getting ~45MB/s vs the Linksys +80MB/s — I dunno why, maybe some sort of kernel level network driver bug going on?). Anyway, I chose to order the Intel version for the following reasons (as of writing this post):

  • Intel 6-Core i5 CPU
  • Optioned 16GB RAM
  • Upgraded to 10-GigE
  • 802.11ac-3×3 WiFi Radios
  • VirtualBox VMs with Debian Linux (Bridgeable Network Adapters)
  • 4x Thunderbolt-3 Ports (plus a Sonnet Solo10G Ethernet Adapter)
  • It signals the end of an x86-era which won’t exist much longer!


Small Network Speed Testing Web Server

So I wanted to test the internal LAN speeds of our wireless bridge, switches, and cables in between – from one end of the network to the other. There’s an older iMac running on one side of the bridge and I didn’t want the speed test to slow down due to disk I/O reasons. I wrote a small python based web server which pre-initializes a memory buffer with random data and then sends random chunks inside of it throughout the fake “download” process (jumping around from index to index).
This is just a single-stream test, but there are other tools available if you want more advanced multi-stream performance testing (tools like iperf). This will at least give you the real-world throughput of your network setup (not just theoretical; I was able to get 111MB/s through a CAT-6 gigabit TP-Link Archer C7 V5 and nearly 75MB/s over a dedicated Linksys 802.11ac-3×3 WiFi bridge).

curl 'http://192.168.X.Y:8080/download' > /dev/null ; echo

Edit: Trying to maintain a stable and consistent WFH WiFi network setup! (The bridge is limiting clients to 13 MB/s, about 104 Mb/s, via an iptables hashlimit rule set.) It also has a good quality backchannel connection to carry all of the WiFi traffic:

import os, random, socket

# plain TCP listener on every interface: no TLS and no auth, so keep it on the LAN
# and stop it when the test is done
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(("", 8080))
sock.listen(4)

# one 512 KiB buffer of random bytes built once; every "download" is served from
# random offsets into it, so the test measures the network and not the disk
rs = os.urandom(256 * 2048)
rb = 8 * 1024                  # bytes per send
az = len(rs) - (rb + 1)        # highest start index that still yields a full chunk
sz = 800 * 1024 * 1024         # bytes per "download"

while True:
    (conn, addr) = sock.accept()
    try:
        req = conn.recv(1024).lower()
        if b"get / " in req:
            body = b"hi : %d : <a href='/download'>link</a>" % random.randint(0, az)
            conn.sendall(b"HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"
                         b"connection: close\r\n\r\n" + body)
        elif b"get /download " in req:
            conn.sendall(b"HTTP/1.1 200 OK\r\ncontent-type: application/octet-stream\r\n"
                         b"content-length: %d\r\nconnection: close\r\n\r\n" % sz)
            sl = 0
            while sl < sz:
                i = random.randint(0, az)
                conn.sendall(rs[i:i + rb])
                sl += rb
    except (BrokenPipeError, ConnectionResetError):
        pass                   # client went away mid-download
    finally:
        conn.close()

Running the UniFi Network Controller in a Docker Container

If you need a more generalized and containerized method to run the UniFi Network Controller, and you don't want it running on your main system, you can use a trusted app like Docker to achieve this task!

I made a new repo that has some Dockerfile-supported scripts which will pull in the latest Debian container and customize a new image from scratch to run MongoDB + Java 8. This is useful if you don't particularly trust the pre-made, public Docker containers that are already out there!

git clone && cd dockerfi/ — The build and run commands are listed in the main script file (once the container has been started, just browse to the container's https:// address and restore from backup). The UI version is statically set to the previous stable release, 6.0.45!

Note: If your devices sit on a different layer 3 network and need help finding the controller, point them at it with: set-inform http://192.168.X.Y:8080/inform

Edit: I made a small YouTube video running the script:
