Dnsmasq is awesome
Yesterday I wrote about upgrading my Linksys router to dd-wrt. I'm very happy with the upgraded software; dd-wrt isn't exactly user friendly, but it's very powerful and it's Linux, so I can make it do what I want. And it's certainly much more user-friendly than I expected.
Related to that, I just wanted to tell you about dnsmasq, a very cute little application that I hadn't heard of before I tried dd-wrt. It's a combined DHCP server and DNS server/forwarder that's custom-built for little local NAT routers, and it works great. Basically, it registers a hostname (instantly!) for every machine that requests a name from its DHCP server, which means your LAN always has valid DNS service. Modern DHCP clients (Windows, MacOS, and most Linux) include the configured hostname in the DHCP request packet, so you don't have to do anything by hand.
It's extremely cool. They also seem to be good about handing the same IP to a given MAC address each time, so you're not needlessly hopping around the LAN when you unplug/replug the ethernet cable.
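Added example (not from the original post): a minimal dnsmasq configuration for a small NAT router that shows how the two behaviours described above are set up, the DHCP-registered hostnames and the per-MAC sticky addresses. Assumed values: LAN bridge interface br0, subnet 192.168.1.0/24, local domain "lan", a constructed MAC address for the pinned laptop, and constructed upstream resolver addresses.

```conf
# Added example, not the post's own configuration.
# Assumptions: LAN interface "br0", subnet 192.168.1.0/24, local domain "lan".

# Only serve the LAN side; never answer DHCP or DNS on the WAN interface.
interface=br0
bind-interfaces

# DHCP: hand out 192.168.1.100-192.168.1.199 with 12-hour leases.
# dnsmasq keys leases on the client MAC, so a returning client normally
# gets its previous address back as long as the lease file survives.
dhcp-range=192.168.1.100,192.168.1.199,12h
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
dhcp-authoritative

# Pin one host to a fixed address and name (constructed MAC address).
dhcp-host=00:11:22:33:44:55,laptop,192.168.1.50

# DNS: the hostname a client sends in its DHCP request (option 12)
# becomes resolvable as <name> and <name>.lan.
domain=lan
expand-hosts
local=/lan/

# Do not forward LAN-only names or reverse lookups for private ranges
# to the upstream resolver.
domain-needed
bogus-priv

# Forward everything else to the ISP's resolvers (constructed addresses).
no-resolv
server=203.0.113.53
server=203.0.113.54
```

The name a client sends in its DHCP request is chosen by that client, so treat the automatic DNS entries as a LAN convenience rather than an identity guarantee; the `dhcp-host` lines are the only name-to-address bindings the router itself asserts.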
As a major bonus, you don't have to run the extremely suspicious ISC DHCPD and BIND daemons, both of which are increasingly badly written as time goes on, and both of which have been subject to major security flaws in the past. You also don't have to run djbdns, which is great but has insane license restrictions.
With these two features combined, you get everything I was begging for about a year ago when I wrote Please, please, steal my idea! In other words, the DHCP/DNS server hacks we put into Nitix are now obsolete.
Update 2008/02/18: pmccurdy tells me that djbdns (and qmail, for that matter) are now in the public domain, so that reason for avoiding djbdns is now moot. Cool! Of course, djb can't help but take a final stab at our sanity by only posting the license on his web site, not in the packages themselves. He could change his web site at any time, making it trickier to prove in court exactly what license he gave you. (That said, I've never heard of djb doing anything underhanded, so it's rather unlikely you'd end up in court.)