Blog
-
Setting Numa as your tailnet resolver
Point your tailnet's global nameserver at a Numa node and every device on the tailnet resolves through it over WireGuard - laptops, servers, and phones alike, with nothing installed on the clients and no changes to Numa. This is the exact setup: three steps, the one toggle that gates the whole thing, how to lock the node down with allow_from, and how to confirm from the query log that traffic is really flowing over the tailnet.
May 2026
-
Anonymous DNS without an account: shipping ODoH client + relay in one Rust binary
Every existing anonymous-DNS option (Apple Private Relay, NextDNS, Cloudflare Families) requires signing up. ODoH (RFC 9230) is the protocol that splits 'who you are' from 'what you asked' across two independent operators. Numa v0.14 ships the client, the relay, and a public deployment in one MIT-licensed binary. Here's what the protocol actually does, what it doesn't fix, and what it took to deploy the second public relay in the ecosystem.
April 2026
-
Fixing DNS tail latency with a 5-line config and a 50-line function
Periodic 40-140ms DoH spikes from hyper's dispatch channel. The fix was reqwest window tuning and request hedging — Dean & Barroso's "The Tail at Scale," applied to a DNS forwarder. Same ideas took cold recursive p99 from 2.3 seconds to 538ms.
April 2026
-
DNS-over-TLS from Scratch in Rust
Building RFC 7858 on top of rustls — length-prefix framing, ALPN cross-protocol defense, and two bugs that only the strict clients caught.
April 2026
-
Implementing DNSSEC from Scratch in Rust
Recursive resolution from root hints, chain-of-trust validation, NSEC/NSEC3 denial proofs, and what I learned implementing DNSSEC with zero DNS libraries.
March 2026
-
I Built a DNS Resolver from Scratch in Rust
How DNS actually works at the wire level — label compression, TTL tricks, DoH, and what surprised me building a resolver with zero DNS libraries.
March 2026