Best of Networking, October 2025

  1. Article
    Cloudflare · 30w

    From .com to .anything: introducing Top-Level Domain (TLD) insights on Cloudflare Radar

    Cloudflare Radar launched a new Top-Level Domain (TLD) insights page that provides comprehensive data on TLD popularity, traffic patterns, and security metrics. The page uses DNS Magnitude—a metric measuring how many unique networks query domains within a TLD—to rank over 2,500 TLDs. Surprisingly, .su (Soviet Union's legacy TLD) tops the ranking due to queries from a popular online game. Individual TLD pages offer detailed information including DNSSEC support, RDAP availability, DNS query volumes, certificate issuance data, and geographic distribution. The feature extends existing DNS insights to all delegated TLDs and integrates with Cloudflare Registrar for domain registration. All data is accessible via API and the Radar Data Explorer.

  2. Article
    Anton Zhiyanov · 31w

    Go proposal: Compare IP subnets

    Go 1.26 introduces a new Compare method for the netip.Prefix type, enabling standardized comparison and sorting of IP subnets. The method follows IANA conventions and Python's netaddr implementation, ordering prefixes by validity, address family (IPv4 before IPv6), masked IP address, prefix length, and unmasked address. This eliminates the need for developers to write custom comparison logic when organizing routing tables or sorting IP subnets.

  3. Article
    Cloudflare · 30w

    So long, and thanks for all the fish: how to escape the Linux networking stack

    Cloudflare engineers developed a custom service called SLATFATF ("fish") to handle IP packet forwarding using their soft-unicast addressing system, which shares IP addresses across machines. The team encountered fundamental conflicts between Linux's socket subsystem and Netfilter's conntrack module when attempting to use both packet rewriting and bound sockets simultaneously. After exploring solutions including Netlink interfaces, TCP_REPAIR, and TCP Fast Open with cookieless connections, they discovered that Linux's "early demux" optimization bypassed custom routing rules. Despite successfully implementing workarounds, they ultimately chose to terminate TCP connections rather than forward raw IP packets due to better observability and minimal performance impact.

  4. Article
    Noted · 31w

    Introducing Networking Toolbox: Self-Hosted Network Tools in One Place

    Networking Toolbox is an open source, self-hosted web application that consolidates over 100 network utilities into a single interface. It handles DNS lookups, IP calculations, port checks, and HTTP/TLS diagnostics without requiring external APIs or internet connectivity. The tool can be deployed via Docker or built from source, making it particularly valuable for air-gapped environments and situations where offline network diagnostics are needed. Created by the developer behind Dashy, it offers custom branding, theming, and multi-language support.

  5. Article
    Paweł Kraszewski · 32w

    Don't ever use .local TLD

    The .local top-level domain is reserved for mDNS/Avahi and should never be used in regular DNS configurations, even for isolated networks. RFC 6762 mandates that .local queries must be sent to multicast addresses, causing conflicts with traditional DNS services and breaking service discovery on Linux and macOS systems. Organizations using .local in Active Directory face significant compatibility issues.

  6. Article
    Giant Swarm · 30w

    The Gateway API shift: how Kubernetes networking actually works at scale

    Gateway API is replacing Kubernetes Ingress as the standard for traffic management at scale. Unlike Ingress, which relies on controller-specific annotations and lacks proper role separation, Gateway API provides a structured model with GatewayClass, Gateway, and Route resources that enable platform teams to manage infrastructure while application teams control routing rules. It supports advanced features like GRPC routing, service mesh integration through GAMMA, and safe cross-namespace delegation via ReferenceGrant. The API includes conformance testing for portability across controllers and vendors, making it suitable for multi-cluster, multi-team enterprise environments where consistent, scalable networking is critical.

  7. Article
    Security Boulevard · 30w

    Randall Munroe's XKCD "Ping"

    A humorous XKCD comic by Randall Munroe about the ping network utility. The comic uses dry wit to explore networking concepts in an accessible and entertaining way.

  8. Article
    Inside Java · 31w

    JDK 26: HTTP/3 Support – Inside.java

    JDK 26 introduces HTTP/3 support to Java's HttpClient API, built on the QUIC protocol over UDP instead of TCP. Developers can enable HTTP/3 by setting it as the preferred version on HttpClient or HttpRequest instances. The implementation automatically downgrades to HTTP/2 or HTTP/1.1 if the server doesn't support HTTP/3. The HttpClient can discover HTTP/3 support through mechanisms like HTTP Alternative Services headers, allowing subsequent requests to use the preferred protocol. Early access builds are available for testing and feedback.

  9. Article
    Go monk · 33w

    Playing with TLS and Go

    A hands-on exploration of TLS encryption through practical Go examples. Starting with basic TCP servers, the guide demonstrates how plaintext communication can be intercepted, then shows how to implement TLS encryption using Go's crypto/tls package with certificates and private keys. The tutorial progresses from raw TCP to TLS-secured connections, and finally to HTTP/HTTPS implementations, illustrating the TLS handshake process and how encryption protects data from network eavesdropping.

  10. Article
    Cloudflare · 29w

    Go and enhance your calm: demolishing an HTTP/2 interop problem

    Cloudflare engineers discovered that Go's HTTP/2 client implementation sends unnecessary RST_STREAM and PING frames when closing response bodies without reading them first, even when empty. This behavior triggered Cloudflare's PING flood DDoS mitigations, causing connections to close with ENHANCE_YOUR_CALM errors. The solution is to always fully read response bodies using io.Copy(io.Discard, resp.Body) before closing them, especially when reusing connections for multiple requests. The issue highlights how legitimate HTTP/2 client behavior can inadvertently mimic attack patterns and trigger security defenses.

  11. Article
    Hacker News · 30w

    example.fi

    A minimalist IRC server implementation written in AWK (around 60 lines) is now available at example.fi. The server provides basic IRC functionality as a tribute to the 1988 protocol created by Jarkko Oikarinen. Due to its AWK implementation, advanced IRC features like channel listings, topics, and operator privileges are not supported. Users should connect with basic clients like Irssi (with -nocap option) or HexChat, avoiding fancy protocol features.

  12. Article
    Lobsters · 34w

    Systems Programming with Zig

    A comprehensive guide to Zig, a modern systems programming language designed for high-performance, low-level development. Covers writing idiomatic Zig code, integrating with C and system libraries, and building systems programs like OS kernels, device drivers, and utilities. Explores networking, interpreters, and graphics implementation from scratch, positioning Zig as a productive alternative to C, C++, and Rust that emphasizes performance and safety without heavy framework dependencies.