Bojie Li

DNS service is an important basic service of the Internet, but its importance is often underestimated. For example, in August 2013, the .cn root domain server was attacked by DDoS, causing .cn domains to be inaccessible; on January 21, 2014, the root domain server was polluted by a famous firewall, causing all international domains to be inaccessible. Many internationally renowned websites cannot be accessed in mainland China, partly because they have suffered DNS pollution, that is, the wrong IP address is returned for the domain name.

Building an anti-pollution DNS is not as simple as using a VPN to resolve all domain names. There are mainly two problems:

I helped a friend with port mapping and encountered two pitfalls since I haven’t touched iptables for a few months. I’d like to share them with you.

Network Virtualization is the creation of a virtual network that differs from the physical network topology. For example, a company has multiple offices around the world, but wants the company’s internal network to be a whole, which requires network virtualization technology.

Starting from NAT

With the improvement of computer processing capabilities and the increasing complexity of software, performance is often not the most important criterion for measuring software. But sometimes we do need to squeeze the performance of the computer. Especially when doing research, in order to make the performance indicators surpass the opponent, not only the algorithm (asymptotic complexity) needs to be optimized, but also the implementation (the constant in the complexity) needs to be optimized. This article tries to summarize some rules and hopes to discuss with everyone:

Do not use open source software

Open source software often considers a general problem, so there are many configuration parameters and conditional judgments that are almost never used; open source software often requires code readability and maintainability higher than performance, so it generally does not use so-called “tricks”.

Bitcoin, after experiencing two drastic rises and falls in April and November last year, has become more than just a toy for IT guys, but a focus of debate among all sectors of society. However, most articles about the technical principles of Bitcoin are superficial. During the New Year’s chat with good friends, we raised these questions, hoping to understand after reading this article:

1. How to verify a Bitcoin transaction to make it undeniable?
2. How to avoid spending a Bitcoin twice?
3. If I alone have 10% of the network’s computing power, is it possible to rewrite history?
4. Why do Bitcoin transactions have to wait for tens of minutes?
5. How does Bitcoin ensure a limited quantity (21 million)?
6. How to ensure exactly one Bitcoin is mined every 10 minutes?
7. What does it mean to mine 0.1 Bitcoin at a time?
8. Does a transaction of 10,000 Bitcoins require generating 10,000 transaction information?
9. With such a large volume of Bitcoin transactions, how are transaction records transmitted and stored?

Many embedded devices such as smartphones and routers have a “factory reset” function. According to the “backup” practice that everyone is used to on PCs, it seems necessary to back up the entire system at the factory in read-only ROM. If this is the case, every time you restore the factory settings, the content in the ROM has to be copied to the Flash storage, wasting a lot of storage space, and restoring the factory settings takes a long time. But in fact, restoring the factory settings is just a restart, and the Flash storage in the newly restored system is basically empty.

(Thanks to BW’s comment, the factory reset of the Android system does not use differential technology, but simply clears the data partition. The modification of the /system partition has not been restored, I got it wrong)

Sometimes, we need to remotely access websites that can only be accessed from the server’s network, such as the router’s Web control panel. Using links on the server is obviously unreliable. We can establish a tunnel between the local machine and the server using ssh, allowing the local browser to access restricted websites through the tunnel.

First, use ssh -D to establish a socks5 tunnel between the local machine and the server: (60000 is an arbitrary integer greater than 1024 and less than 65536)

1

ssh -C2qTnN -D 60000 user@remote-host

Then, let Chrome access through the socks5 tunnel. The Chrome plugin ProxySwitchy no longer works because Chrome no longer supports NPAPI, and ProxySwitchySharp sometimes doesn’t work. Some articles online say that chrome –proxy-server is enough, but in fact, it doesn’t work when you have another Chrome instance open, because Chrome will automatically find the open instance.

A more reliable method is to open Incognito mode and use a non-existent Chrome user data directory to prevent it from finding open instances. After use, it is best to delete the newly created user data directory (in the following example, it is C:\Temp\Chrome). Note that the following socks5 cannot be replaced with http, as they are different protocols.

1

PS C:\Program Files (x86)\Google\Chrome\Application> .\chrome.exe --proxy-server="socks5://127.0.0.1:60000" -incognito -user-data-dir=C:\Temp\Chrome

Is the blunder far from us? Not really. A while ago, the LUG server malfunctioned and mistakenly sent out 70,000 text messages, depleting the balance of the school’s text message platform. It was not until the teacher from the network center called me that I found out.

The trouble started with the service monitoring script. It retrieves site information from the database, periodically visits the monitored sites, and if a problem is detected, it will send a text message alert to the website owner. When the service monitoring script fails to connect to the database, it will also send me an alert text message. Initially, it would not attempt to reconnect to the database, so it would only send an alert once, but the monitoring service could not automatically resume operation after the database was restored. This bug was discovered during a blog malfunction, so it was changed to automatically reconnect, but the logic for sending alert text messages was not modified, so if the database could not be connected continuously, it would keep sending.

To prevent text message bombing, the messages sent out had to go through my “risk control”, limiting the number of text messages sent to each phone number every 24 hours. Risk control is to query the text message log table in the database to get the number of text messages sent to this number in the last 24 hours. When the database crashes, the value queried is NULL, which is implicitly type converted to 0 in PHP, so it is considered that it has not exceeded the limit and is sent out. The school’s text message gateway also has no “risk control” , resulting in a large number of text messages flooding into the operator’s network.

Those who have used Windows Vista/7/8 may have had this experience: after modifying a file on the C drive with a 32-bit program (such as cygwin), when you look at it from the Windows Explorer, it’s still the version before the modification! Does the file system have different views for different programs? You’re right, since Vista introduced UAC and VirtualStore, don’t trust the changes made by 32-bit programs in the C drive.

After Windows Vista introduced stronger security mechanisms, some important system directories are not modifiable by everyone. These directories include the C drive root directory, Program Files, Program Files (x86), Windows, and the registry’s HKEY_LOCAL_MACHINE, etc. But some old applications still assume these directories are writable, and if the system API simply returns access denied, these programs can’t run.

Therefore, Vista provides VirtualStore. For 32-bit programs running without administrator privileges, as long as there are write operations to these directories, the modified or added files will be copied to this user’s VirtualStore. The file at this path seen by the 32-bit program running under this user’s identity is the corresponding file in VirtualStore, and it knows nothing about any modifications to the file at the original path.

Some users of the LUG VPN hope to use the VPN only for certain specific IPs, while OpenVPN defaults to using the VPN for all. Perhaps my search skills are too poor, I didn’t Google a reliable answer. Readers without patience can directly look at my solution:

1
2
3
4
5
6
7
8
9
10
11

$ echo "script-security 2" >>/etc/openvpn/client.conf
$ echo "up /usr/local/bin/remove-ovpn-defroute" >>/etc/openvpn/client.conf

$ cat /usr/local/bin/remove-ovpn-defroute
#!/bin/sh
(
    sleep 2 # wait for routing table to be flushed
    ip route del 0.0.0.0/1 dev tun0
    ip route del 128.0.0.0/1 dev tun0
) &
exit 0