T-Shirt: “I own a /48 and I am not afraid to use it.” and other IPv6 gimmicks from HE

June 24th, 2012

I recently got this T-Shirt on Hurricane Electric’s website:

I've got a /48 and I am not afraid to use it.

And also this coffee mug:

HE's IPv6 mug

Categories: Fun

Enabling HSTS on nginx II

June 24th, 2012

I have to add a correction to my previous article “Enabling HSTS on nginx”:

You can and should enable it on http as well, so that visitors of your website benefit from this additional security measure as well – when they come back.

Categories: Security

Nginx + IPv6: “98: Address already in use”

April 12th, 2012

If you get this message, you have to change your “listen” statement from

listen 94.229.77.82:80;
listen [2a01:348:226:dead:beef:dead:beef:dead]:80;

to

listen 94.229.77.82:443;
listen [2a01:348:226:dead:beef:dead:beef:dead]:443 ipv6only=on;

For some odd reason the first form (without “ipv6only”) was working for me for some time… odd.

Categories: New technology

Enabling HSTS on nginx

March 28th, 2012

If you want to enable HSTS on your nginx webserver, this is how you do it:

add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

You need to put this only on the https server, not on the http-only server – it won't work on http only.
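A complete server pair that ties the three nginx posts on this page together (the HSTS header, the later correction about http visitors, and the IPv4/IPv6 listen statements with ipv6only=on). This is an added example, not the author's configuration: example.com, the address literals and the certificate paths are placeholders to replace with your own.

```nginx
# Added example (placeholders: example.com, 192.0.2.1, 2001:db8::1, cert paths).
# Plain-HTTP side: only redirects. RFC 6797 tells user agents to ignore a
# Strict-Transport-Security header that arrives over a non-TLS connection, so
# the redirect is what actually gets returning http visitors onto https, where
# they then receive the header.
server {
    listen 192.0.2.1:80;
    listen [2001:db8::1]:80 ipv6only=on;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS side: this is where the HSTS header belongs.
server {
    listen 192.0.2.1:443 ssl;
    listen [2001:db8::1]:443 ssl ipv6only=on;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder path

    # max-age=315360000 is ten years, as in the post above; includeSubdomains
    # means every subdomain must also be reachable over https before you ship this.
    add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";

    root /var/www/example.com;   # placeholder document root
}
```

After a reload, `curl -sI https://example.com/ | grep -i strict-transport-security` should show the header, and `curl -sI http://example.com/` should show a 301 to the https URL without it. Note that since nginx 1.3.4 `ipv6only=on` is the default for IPv6 listen sockets, so on newer builds the explicit parameter is harmless but no longer required.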

Categories: Security

Strange DNS queries when Google Chrom(ium) is running – Part 2

March 28th, 2012

I wrote quite some time ago about those strange DNS queries that I have seen when Chromium (version 17.0.963.79 (Developer Build 125985 Linux) on Ubuntu 11.10 as well) is running, like this one:

mmxavuhjug.home.lan.

I was still puzzled and wanted to know what's going on and what this is for.

The first problem was that I needed an easily configurable DNS server to respond to all those queries with something I control. My assumption was that they are quite likely HTTP requests – maybe even POST requests, but that would be scary and potentially a topic for another post here.

After some searching I came across a mini DNS server written in Python; I downloaded it and it just works. OK, so let's have a look. I changed that mini DNS server to respond to any query with my machine's IP and made sure that a web server is running there, at least for serving just /, as I only wanted to see the initial request from Chromium.

I fired up Wireshark (brilliant tool!) and Chromium. Visiting any site was kind of funny, as I always ended up on my local machine… anyway, Wireshark was nicely collecting data and here you go:

HEAD / HTTP/1.1
Host: asdclvxexk
Connection: keep-alive
Content-Length: 0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.11 (KHTML, like Gecko) Ubuntu/11.10 Chromium/17.0.963.79 Chrome/17.0.963.79 Safari/535.11
Accept-Encoding: gzip,deflate,sdch

HTTP/1.1 200 OK
Date: Wed, 28 Mar 2012 20:02:54 GMT
Server: Apache/2.2.20 (Ubuntu)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

Nothing exciting here. RFC 2616 states for HEAD:

The HEAD method is identical to GET except that the server MUST NOT return
a message-body in the response. The metainformation contained in the HTTP
headers in response to a HEAD request SHOULD be identical to the information
sent in response to a GET request. This method can be used for obtaining
metainformation about the entity implied by the request without transferring
the entity-body itself. This method is often used for testing hypertext links
for validity, accessibility, and recent modification.

Puzzled. Confused. Why oh why?

You could say the HEAD request is some sort of “ping” at a higher level – does this URI exist? But where does this lead us? The hostname in the queries I have seen so far is always 10 characters long.

I fired my tools up again, checked whether it is all still “working” and closed Chromium, so at least no data is sent anywhere else.
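The catch-all resolver the post describes, written out as an added example; this is not the mini DNS server the author downloaded and modified, but a small stand-alone responder that does the same job: it parses each incoming query, logs the name the client asked for, and answers every A record question with one fixed address so that the client's next step (here, the HEAD request) lands on a web server you run. ANSWER_IP, the UDP port and the host names in the comments are assumptions; 192.0.2.10 is a constructed TEST-NET-1 placeholder. These random 10-character lookups are Chromium's startup probe for resolvers that hijack NXDOMAIN (it issues them to decide whether single-word omnibox input should be treated as a host name or a search), which is why a catch-all answer like this one makes them resolve, and why they arrive as harmless HEAD requests.

```python
import socket
import struct

# Added example, not the post's mini DNS server. Assumptions: ANSWER_IP is the
# machine running your web server (192.0.2.10 is a constructed placeholder);
# only A/IN questions get an answer, anything else gets an empty NOERROR reply.
ANSWER_IP = "192.0.2.10"
TTL = 5  # short TTL so cached answers disappear quickly once the responder stops


def encode_name(name):
    """Encode 'a.b.c' into DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointer: never valid in a question name
            raise ValueError("compressed name in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid, qtype=1):
    """Build a standard recursive query (RD=1) with one question; used for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet):
    """Return (txid, rd_bit, qname, qtype, qclass, raw_question) of a one-question packet."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, end = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[end:end + 4])
    return txid, (flags >> 8) & 1, qname, qtype, qclass, packet[12:end + 4]


def build_response(packet, answer_ip=ANSWER_IP, ttl=TTL):
    """Answer any A/IN question with answer_ip; everything else gets an empty NOERROR."""
    txid, rd, qname, qtype, qclass, question = parse_query(packet)
    flags = 0x8480 | (rd << 8)  # QR=1, AA=1, RA=1, rcode=0, RD copied from the query
    if qtype == 1 and qclass == 1:
        header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
        # NAME is a compression pointer (0xC00C) back to the question name at offset 12
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
        return header + question + rr
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


def answered_ip(response):
    """Return the IPv4 address from a one-answer A response built above, or None."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


def serve(bind_addr="127.0.0.1", port=5353):
    """Run the responder on UDP; point a test client (or resolv.conf) at it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print(f"catch-all DNS on {bind_addr}:{port}, answering {ANSWER_IP} for every A query")
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, _, qname, qtype, _, _ = parse_query(data)
            print(f"{peer[0]} asked type {qtype} for {qname}")  # the log the post was after
            sock.sendto(build_response(data), peer)
        except ValueError as exc:
            print(f"ignoring malformed packet from {peer[0]}: {exc}")


if __name__ == "__main__":
    serve()
```

Run it with `python3 catchall_dns.py` and test with `dig @127.0.0.1 -p 5353 mmxavuhjug.home.lan`; the printed line shows the queried name, and the answer section carries ANSWER_IP. Keep this on a test network only: a resolver that answers every name with one address breaks normal browsing for anyone who uses it, which is exactly the "always ended up on my local machine" effect described above.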

Categories: Security