Santosh Pandit

Santosh Pandit

Santosh Pandit, London
Santosh Pandit, London

My day job: Yes, I have one. I work in the City of London as a regulator in financial services.

My passion: My evenings and weekends are dedicated to academic experiments in cybersecurity, zero trust computing, applied cryptography and quantum safe computing. I try to be the best in what I do. Pandit.Tech is one of my three laboratories.

My views: Please note all views in the blog are solely mine and may not be shared by my employer.

My systems: Please also note all of my systems are entirely my own and those are not connected to my work laptop or employer's servers.

My money: Finally, please note all labs and the bug bounty are financed entirely by myself. I do not accept sponsorship or any financial help from anyone.

Servers in the Pandit.Tech laboratory

Servers in the Pandit.Tech laboratory

List of ready servers
List of ready servers

The following servers are fully operational. Most of them are available to friends (*) and some are available to the whole world (**).

    VPN *

    VPN

    Features

    • Built using Wireguard (open source)
    • Theoretical speed 800 mbps. Real life speed c.275 mbps.
    • Continuous roaming. No breaks when you switch between Wi-Fi and 5G/4G, or travel across countries.
    • Compatible with everything except smart watches and routers (feature under research)
    • ZERO LEAKS. ZERO LOGS.

    Wireguard does not claim to be Quantum Safe. I have improved upon Wireguard to protect against the "store now, decrypt later" risk.

    Recursive DNS Server

    Recursive DNS Server

    Features

    • Built using Unbound (open source)
    • Includes DNS-over-UDP/53 ("Do53") and DNS-over-TCP/53 ("Do53/TCP")
    • Includes IPv4 and IPv6
    • Uses DNSSEC
    • Speed within +/- 2 milliseconds of Cloudflare, Quad9, etc.
    • Protects against DNS hijacking and DNS poisoning.
    • Protected against DNS amplification attacks (on others!)
    • ZERO LEAKS. ZERO LOGS.

    Unbound already contains the DNS cache feature. I have improved upon Unbound by bootstrapping the runtime.

    DNS-over-HTTPs (DoH) Server **

    DNS-over-HTTPs (DoH) Server

    Features

    • In the browser's DNS settings, please use: https://pandit.tech/dns-query
    • (Note: If you try visiting the above url using a browser, it will give an error and that is perfectly normal. "/dns-query" only responds to encrypted DNS queries and it is not a webpage!.
    • Built using the project "m13253/DNS-over-HTTPS" and Nginx mainline reverse proxy (both open source)
    • Compatible with Chrome, Firefox, Edge and some smartphone apps.
    • Includes IPv4 and IPv6
    • Uses DNSSEC
    • Protects against "man-in-the-middle" attacks.
    • For better privacy, please use DoH along with any VPN. Otherwise, you internet provider can still see the website you are visiting.
    • ZERO LEAKS. ZERO LOGS.

    Of course, Cloudflare, Quad9 and many others offer free or paid DoH servers. My DoH server has better encryption than all of them (as at 23/6/2022). Not just that, my server already delivers what the others are trying to achieve through an Oblivious DoH (ODoH) server.

    DNS-over-TLS (DoT) Server **

    DNS-over-TLS (DoT) Server

    Features

    • On Android (or like) devices, please use pandit.tech on Port 853. The IP address is 149.102.156.58
    • Built using Nginx mainline reverse proxy (open source)
    • Includes IPv4 and IPv6
    • Uses DNSSEC
    • Protects against "man-in-the-middle" attacks.
    • For better privacy, please use DoT along with any VPN. Otherwise, you internet provider can still see the website you are visiting.
    • ZERO LEAKS. ZERO LOGS.

    Of course, Cloudflare, Quad9 and many others offer free or paid DoT servers. My DoT server has better encryption than all of them (as at 23/6/2022).

    Webserver *

    Webserver

    Features

    • Built using Nginx (open source)
    • Extremely fast (This page takes 0.5s from Western Europe, 2s from US West Coast and 3s from Australia).
    • None of the Fortune 10 global giants have the same level of encryption.
    • Not using third party CDN or TLS termination; protecting against man-in-the-middle attack.
    • Uses handmade filters for Geoblocking and bots.
    • Uses a combination of 444 drops and fail2ban.
    • BEST PRACTICES - Show me a single company in Fortune 10 whose best practices are better and I will buy you a drink.
    • SUPER STRONG Encryption - Show me a single company in Fortune 100 whose webserver is better and I will buy you a drink.
    • Scores in full on internet.nl, hardenize.com, Mozilla Observatory, etc.

    Nginx is probably the most popular webserver in the world. What I have tried to is to establish the ultra-high standard that beats Fortune 100 companies, MSPs, and CDNs.

    Hackers are getting good at detecting honeypots. I have therefore established honeypots that are extremely difficult to detect.

    SSH Server

    SSH Server

    Features

    • Built using OpenSSH (open source)
    • Uses ed25519 encryption (sntrup761 is being added).
    • Uses a super strong combination of SSH Keys, 2FA, firewall and fail2ban.
    • Scores in full on SSHaudit.

    OpenSSH has a bit of a history so I have tried to set the standard for best practice on its use.

* Free for friends / ** Free for the whole world

Servers under migration or construction

Servers under migration or construction

The cost of cloud services in the UK has dropped. All servers in France, Germany and USA have been now decommissioned and are being replaced by servers in the UK. A new server in India is coming up soon.

The following servers are under migration or construction

  • Mailserver: Built on Postfix and Dovecot (both Open Source)
  • Fileserver: Built on NextCloud (Open Source)
  • Video conferencing: Built on Jitsi (Open Source)

We use a strictly necessary technical cookie (__Host-PHPSESSID) to ensure secure browsing. No consent is required under GDPR. See our Cookie Policy and Privacy Policy for details.