Things I build, break, fix, and write about

8 July 2026
Local DNS proxy now preserves DNSSEC records

Cloudflare One Client for Windows now leaves DNSSEC records alone, which is exactly the sort of change I like, because it stops the client quietly meddling with answers. I have seen enough broken name resolution to know that a neat tunnel can still hide a messy DNS state.

8 July 2026
Cloudflare One Client for macOS DNS search suffixes

Cloudflare One Client for macOS can make a short hostname behave very differently, and most of the pain sits in the suffix list rather than DNS itself...

7 July 2026
Tracing acme.sh certificate handling in TLS interception

I spent too long chasing the neat version of TLS wiretapping reconstruction, then found the mess: shell parsing, token limits, and renewal timing. The...

7 July 2026
Reverse engineering game binaries with static analysis

Game binaries give up more than they should, if you know where to look. I start with binary analysis, not the folklore around the game, then use...

Latest blog posts you might like

20 June 2026
Rotating AWS GovCloud secrets after repo disclosure

AWS GovCloud credential leakage is not a tidy mistake, it is a time problem. Once a secret hits public GitHub, I treat revocation, search, and handoff as one job, because leaving even one copy alive...

19 June 2026
Checking Proxmox VE 9.2 cluster networking before upgrade

Before I touch Proxmox VE 9.2, I make the cluster prove itself under strain, because corosync, migration, and storage paths always fail in the places you skipped. A node that looks fine at idle can...

19 June 2026
Tracking false positives after managed rule merges

Cloudflare WAF rule merge changes more than a label, and I have seen neat alerting fall apart because the detection moved, not because the noise went away. If you are counting rule IDs, you may be...

18 June 2026
Adjust rule actions when Java deserialisation detection

Cloudflare Managed Ruleset changes are rarely neat, and this one is no exception. The old Java deserialisation beta rule went quiet while the real detection moved elsewhere, which is exactly how a...

18 June 2026
Assessing bot access control with URL Scanner API

Cloudflare URL Scanner Agent Readiness is useful because it shows where access breaks for machines, not where the dashboard looks neat. I trust it more when the score is awkward, because that is...

17 June 2026
nginx rewrite module heap corruption from escaped captures

nginx rewrite module heap corruption is one of those bugs I distrust on sight, because the failure sits in ordinary rewrite handling, not some odd corner. Once the length pass and copy pass disagree,...

17 June 2026
Tracking attack pattern detection in the Security Events

Cloudflare Managed Ruleset changes rarely arrive with much drama, which is exactly why I keep an eye on Security Events. A rule moving from beta to Block can alter the shape of the traffic overnight,...

16 June 2026
Using CONTENT_TYPE to split HTTP traffic by format

Cloudflare Radar API traffic share is one of those measures that looks tidy until you check the rules behind it. I like that; it stops you mistaking a neat chart for the truth, which is how you end up...

16 June 2026
Filter large zones in Cloudflare DNS records page

Cloudflare’s DNS records page is finally usable when a zone turns ugly, but only if you stop treating it like a flat list. I set filters, pin the useful row, and hide the clutter; otherwise I waste...

15 June 2026
Using network_id: 'cf1:network' with remote: true

I keep coming back to Cloudflare Workers VPC because the clever bit is not the binding, it is the return path. Set `remote: true` carelessly and you get traffic that looks fine on paper, then falls...