This webpage contains various configurations, tweaks and hacks to improve my working experience at the Salzburg University of Applied Sciences.
Operators of mail infrastructure are in a constant battle against various threats like phishing mails. As in politics, sometimes measures are taken that have a broad impact on the user experience, freedom and privacy. As in politics, there companies that earn money by providing security solutions, which some describe as snake oil (here, here).
One such measurement is URL rewriting through some Email Security Appliance (ESA) vendor, like Cisco. One can argue that an ESA is ineffective, impacts privacy1, impairs usability and I personally do not like the idea that the mails I receive have been altered. But on the other hand, I do not2 need to fight against cyber criminals.
Nonetheless, I now receive mails that contain URLs like
I wrote a script ciscoclean that undoes this transformation and nicely integrates with text-based mail clients like mutt.
Local DNS resolvers
Update 2020-03-09: DNS queries are not blocked anymore, but the general hint may still be useful for other networks.
There are a few good reasons to run a DNS resolver on localhost.3 Linux users often like to use dnsmasq, which is supported by NetworkManager as a configuration option. I personally use bind, which I also run as authoritative DNS servers for my domain.
However, sometimes network providers – such as FHS or the ÖBB federal railways – block outgoing DNS traffic and your local DNS resolver cannot resolve any requests anymore. One option is to resolve DNS queries via VPN.4 This would be a clean solution from security’s point of view but it slows DNS resolving down. In a foreseeable future, DNS over HTTPS partially changes the situation.
In case of the FHS, for me personally, the lesser evil would be to resort the
FHS DNS resolvers if I am in their network, but otherwise I would like to use
my local resolver. This can be done with NetworkManager by using the
simply by placing the following script
99-localhost-resolver in the directory
if [ "$2" == "up" ]; then
# We got up in the FHS network
if ip a | grep -q "inet 78.104.1" ; then
echo "# On FHS network" >> /etc/resolv.conf
# Set resolver to localhost
echo "nameserver 127.0.0.1" > /etc/resolv.conf
The new URL redirects users through some vendor website, like websecure.cisco.com, which does some checks. That means that every access is reported and enables tracking. ↩
I do run my own mail server, but the situation is of course a different one when you have hundreds or thousands of users and it requires only one to belief in a forged phishing mail from administrators or authorities. And after all I am not blamed by anyone but myself when things go wrong. ↩
A local DNS resolver is a fast cache, can be configured to support conditional forwards, can supports DNSSEC. ↩
For instance, set up a DNS resolver on your VPN server. ↩