More info on Zones in Firewalld - firewalld

I want to know more about how firewalld zones work. For example, can I say that if my IP is 192.168.153.12 then it belongs to the home zone? How does it distinguish between zones? Is there any way (command) to at least view the iptables (old-school) equivalent? I have never used firewalld before, so please pardon any misconceptions.
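An added, editorial illustration (not from the asker, and not firewalld's own code) of the selection order firewalld documents for zones: an incoming packet is handled by the zone whose source binding matches its address; failing that, by the zone its interface is bound to; failing that, by the default zone. The zone names, bindings and addresses below are a constructed sample, and overlapping source bindings are deliberately not modelled.

```python
"""Model of how firewalld decides which zone handles a packet.

Added illustration, not firewalld's own code. The configuration is a
constructed sample; a real host's bindings come from
`firewall-cmd --get-active-zones` and `firewall-cmd --zone=<z> --list-all`.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    """One firewalld zone with the bindings that route traffic into it."""
    name: str
    sources: list = field(default_factory=list)     # CIDRs bound with --add-source
    interfaces: list = field(default_factory=list)  # NICs bound with --add-interface


# Constructed sample configuration (assumption, not a real host).
ZONES = [
    Zone("home", sources=["192.168.153.0/24"]),
    Zone("work", interfaces=["eth1"]),
    Zone("public", interfaces=["eth0"]),
]
DEFAULT_ZONE = "public"   # what `firewall-cmd --get-default-zone` would print


def zone_for_packet(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Return the zone firewalld would apply to an incoming packet.

    Precedence as firewalld documents it: a matching source binding wins
    over the interface binding, which wins over the default zone. The
    sample keeps source bindings disjoint, so first match is enough.
    """
    addr = ipaddress.ip_address(src_ip)
    for zone in zones:
        for cidr in zone.sources:
            if addr in ipaddress.ip_network(cidr, strict=False):
                return zone.name
    for zone in zones:
        if iface in zone.interfaces:
            return zone.name
    return default


def explain(src_ip, iface):
    """One-line trace of the decision for a packet."""
    return f"{src_ip} via {iface} -> zone {zone_for_packet(src_ip, iface)}"


if __name__ == "__main__":
    # The asker's case: the /24 is bound to home, so 192.168.153.12 lands
    # in home whichever NIC it arrives on.
    print(explain("192.168.153.12", "eth0"))   # home: source binding wins
    print(explain("10.0.0.5", "eth1"))         # work: interface binding
    print(explain("203.0.113.9", "eth0"))      # public: interface binding
    print(explain("203.0.113.9", "wlan0"))     # public: default zone, wlan0 is unbound
```

On a real host the same questions are answered by `firewall-cmd --get-active-zones`, `firewall-cmd --get-zone-of-source=192.168.153.12` (for a source bound with exactly that string) and `firewall-cmd --get-zone-of-interface=eth0`; binding the asker's address is `firewall-cmd --permanent --zone=home --add-source=192.168.153.12` followed by `firewall-cmd --reload`. The rules firewalld actually installs, which is the "old-school" view asked for, can be dumped with `nft list ruleset` on the nftables backend or `iptables-save` on the iptables backend.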

Related

SaaS DNS settings

I run a small e-commerce platform, and over the past two years have grown my customer base.
There are around 100 customers now, and their domains point to our server IP by the use of two A records (# and www).
I'm not experienced in this area, so I need someone who's knowledgeable about setting up major SaaS projects.
The worry I have is: if for whatever reason I change host, wouldn't I lose the IP address? And surely at that point I may need to ask over 200 customers to change their DNS settings to point to our new server?
A friend suggested using a CNAME (pointing to a domain I own), but another professional server contact told me that it's not ideal. What further confuses me is this:
If my point remains true (and an IP isn't able to be owned), then how come Squarespace and a few other major players have an option to instruct their users that they can use an A record to point to their (Squarespace/Wix...) IP address? Do they know something I don't (do they own an IP?)? What happens if Squarespace for whatever reason has to change IP? Surely 100,000s+ of customers would need to change their A records? This seems very impractical and not realistic. It really confuses me.
I'd really appreciate some enlightenment in this area, because I need to know sooner rather than later whether I'm digging myself into a hole if I get over 500 customers and for whatever reason end up having to ask 500 of them to change DNS settings.
Thanks.

What to do about "VA2065 - Server-level firewall rules" in SQL Vulnerability Assessment?

Working through a SQL Vulnerability Assessment, and one of the warnings is "VA2065 - Server-level firewall rules should be tracked and maintained at a strict minimum".
There is then a list of firewall rules in red, with IP addresses next to them (usually just one address but sometimes a range).
I am trying to understand these rules and this assessment. I think these are the IP addresses that we allow to access the server. For example, when I access a DB on the server in question from SSMS, I will occasionally get an error saying that to proceed I have to add the IP to the firewall rules. So I say yes. I see some rules with names like "ClientIPAddress_2019-05-21_01:24:15" that are probably the result of this.
I also see some weird rules like "AllowAllWindowsAzureIps" with an IP range of 0.0.0.0 to 0.0.0.0. What is that all about? My guess is that it allows any Azure process to access the server, but I do not know.
Assuming my analysis is correct, and that all of the rules are OK, what remediation is necessary? Set the current rules as a baseline and send out an alert when a new rule is created? Or disallow any automatic rule creation?
Any guidance would be most appreciated.
I'm not saying this is the correct answer but since it's been over 2 years and nobody has answered, I'll give it a shot.
This is how we handled/fixed this. You either add the rule to the baseline (saying it's supposed to be here) or you delete the rule (saying it's not supposed to be here). Think of this scan as a reminder that these rules exist and to clean them out when they aren't needed. All your ClientIp rules. The baseline is what is expected.
If you think of it like a party that has a list of attendees it might help. Your party has 2 guests on the list: Martha (your mom) and Jeff (your mom's special friend). If you go into your party and see 3 people there, you know something isn't right, except it is right, because you forgot that you told Samantha (your hot cousin) she could come. So you add her to the list. Now everything is OK to your party advisor because 3 names are on the list and 3 people are in the party.
But then you come back later and now there are 4 people at the party. Chad (Samantha's boyfriend) showed up! Your party administrator knows Chad's gotta go because he's not on the list. He got into the party because Samantha let him in. But it's not Samantha's party and she shouldn't have done that.
Good thing we have this list that tells us who's actually supposed to be at the party or we wouldn't be able to spend alone time with Samantha.
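An added illustration (not the poster's or Microsoft's code) of the "baseline or delete" approach the answer describes, run over a constructed rule list of the shape the assessment shows. It flags rules missing from the baseline, baseline entries that no longer exist, wide ranges, auto-added ClientIPAddress_ rules past an age limit, and the 0.0.0.0 to 0.0.0.0 rule asked about in the question: Azure stores the portal's "Allow Azure services and resources to access this server" setting as that rule, and it admits any Azure-hosted resource, not only yours. Rule names, addresses, dates and thresholds are all constructed for the example.

```python
"""Audit Azure SQL server-level firewall rules against a baseline.

Added illustration, not Microsoft's or the poster's code. The rule list,
the baseline and the dates are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FirewallRule:
    name: str
    start_ip: str
    end_ip: str

    def key(self):
        return (self.name, self.start_ip, self.end_ip)

    def size(self):
        """Number of addresses the rule admits."""
        return (int(ipaddress.IPv4Address(self.end_ip))
                - int(ipaddress.IPv4Address(self.start_ip)) + 1)


# Constructed sample of what `az sql server firewall-rule list` returns,
# trimmed to the fields the assessment shows.
CURRENT_RULES = [
    FirewallRule("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
    FirewallRule("office-nat", "198.51.100.10", "198.51.100.10"),
    FirewallRule("vpn-range", "203.0.113.0", "203.0.113.255"),
    FirewallRule("ClientIPAddress_2019-05-21_01:24:15", "192.0.2.17", "192.0.2.17"),
]

# Constructed baseline: what was reviewed and accepted last time. vpn-range
# has since been widened, so its baseline entry no longer matches.
BASELINE = {
    ("AllowAllWindowsAzureIps", "0.0.0.0", "0.0.0.0"),
    ("office-nat", "198.51.100.10", "198.51.100.10"),
    ("vpn-range", "203.0.113.0", "203.0.113.127"),
}

AUTO_PREFIX = "ClientIPAddress_"   # rules SSMS offers to add on your behalf
TODAY = date(2019, 9, 1)           # constructed "now" for the example


def creation_date(rule_name):
    """Date embedded in an auto-generated ClientIPAddress_YYYY-MM-DD_HH:MM:SS name."""
    try:
        return date.fromisoformat(rule_name[len(AUTO_PREFIX):].split("_")[0])
    except ValueError:
        return None


def audit(rules, baseline, today, max_range=64, max_age_days=90):
    """Return (rule_name, finding) pairs for everything that deserves a look."""
    findings = []
    seen = set()
    for r in rules:
        seen.add(r.key())
        if r.key() not in baseline:
            findings.append((r.name, "not in baseline: add it to the baseline or delete it"))
        if r.start_ip == "0.0.0.0" and r.end_ip == "0.0.0.0":
            # How Azure stores "Allow Azure services and resources to access
            # this server": any Azure-hosted resource, yours or not.
            findings.append((r.name, "allows all Azure services; confirm it is really needed"))
        elif r.size() > max_range:
            findings.append((r.name, f"range covers {r.size()} addresses"))
        if r.name.startswith(AUTO_PREFIX):
            created = creation_date(r.name)
            if created is not None and (today - created).days > max_age_days:
                findings.append((r.name, f"auto-added client rule is {(today - created).days} days old"))
    # Baseline drift in the other direction: accepted rules that vanished or changed.
    for name, start, end in sorted(baseline - seen):
        findings.append((name, f"baseline entry {start}-{end} no longer exists; refresh the baseline"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(CURRENT_RULES, BASELINE, TODAY):
        print(f"{name}: {finding}")
```

Feeding the real list from `az sql server firewall-rule list --resource-group <rg> --server <server>` into `audit` turns the assessment's red list into a short set of decisions, which is what the VA2065 check is asking for.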

Understanding load balancing and DNS records

I am curious about how to set up multiple load balancers (with different IP addresses) for a specific domain.
I understand that it is possible to set up multiple A records in DNS pointing to all of my load balancers, but I can understand that this is not ideal.
DNS doesn't do any kind of is-alive checks, so if a load balancer dies, DNS will still send users to its address, right?
So how do you connect a domain/DNS with multiple load balancers while preventing a dead load balancer from getting requests...
I read something about anycast, but is this the only solution?
I am just curious about how this issue is normally handled.
Thanks.
You have multiple solutions.
On a pure DNS level you can publish your records with a low TTL (say 5 minutes), and have your monitoring systems change the content of the zone by removing the dead record when it is detected. This does not provide immediate fail-over but can often be good enough.
It does not involve overly complicated systems.
Also, some DNS servers allow a "programmed part", with a dynamic backend that can compute records based on some external parameters, like doing live checks and replying only with the live records.
Anycast is another solution indeed, and then has no relationship with the DNS anymore (although the DNS itself can be "anycasted", but then it is to resolve its own possible failover needs, not the ones of your application).
Basically your multiple systems, in various places in the world, are advertised with the same IP address. So the DNS has only one record.
With the "magic" of BGP, each instance announcing a given IP address will collect all the nearby traffic, so you get load balancing for free in fact. And you need some specific tooling so that, as soon as some local instance is dead (or in maintenance mode, for example), you stop announcing its IP address there, so that all other networks in the world, again because of BGP, learn that to reach "something" behind that IP they need to go somewhere else, to another instance of yours announcing this IP.
This is far more complicated to set up, as you need a proven BGP setup (and making errors in BGP can have even greater consequences than in DNS), multiple instances located in different datacentres, and possibly multiple AS numbers, depending on how you want your anycast done. This clearly needs skilled professionals in BGP routing, whereas the first solution with only DNS (in the first case of just changing a static zonefile) is reachable by any enthusiastic amateur.
So the answer also slightly depends on the network locations of your load balancers.
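An added illustration (not the answerer's code) of the first approach above: a short TTL and monitoring that rewrites the zone. A probe function is stood in for by a dict of constructed results, and the hostnames and addresses are constructed too. The one design choice worth noting is what the automation does when every balancer fails its probe: it keeps publishing all of them and flags the state as degraded, because an empty answer set takes the service down for everyone instead of sending some users to a dead balancer, and that decision belongs to a human.

```python
"""Health-checked A records for several load balancers.

Added illustration of 'low TTL plus monitoring edits the zone'; the
hostnames, addresses and probe results are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadBalancer:
    name: str
    ip: str


# Constructed sample: three load balancers behind one hostname.
LBS = [
    LoadBalancer("lb-ams", "192.0.2.10"),
    LoadBalancer("lb-fra", "192.0.2.20"),
    LoadBalancer("lb-lon", "192.0.2.30"),
]

# Constructed probe results standing in for a real HTTP/TCP health check.
PROBES = {"192.0.2.10": True, "192.0.2.20": False, "192.0.2.30": True}

TTL = 300   # seconds; also the longest a resolver may keep serving a removed record


def live_addresses(lbs, probe_results, min_answers=1):
    """Addresses to publish: only balancers whose probe passed.

    Returns (addresses, degraded). With fewer than `min_answers` passing,
    every address is kept and `degraded` is True rather than publishing
    an empty answer set; that case is escalated, not automated.
    """
    live = [lb.ip for lb in lbs if probe_results.get(lb.ip, False)]
    if len(live) < min_answers:
        return [lb.ip for lb in lbs], True
    return live, False


def render_records(hostname, ttl, addresses):
    """BIND-style zone lines for the hostname; one A record per live address."""
    return [f"{hostname} {ttl} IN A {ip}" for ip in addresses]


if __name__ == "__main__":
    addrs, degraded = live_addresses(LBS, PROBES)
    for line in render_records("www.example.com.", TTL, addrs):
        print(line)
    print("degraded:", degraded, "| a removed record may linger up to", TTL, "s in caches")
```

Each monitoring cycle calls `live_addresses`, and only if the result differs from what is currently published does the zone get rewritten and reloaded; the TTL bounds how long clients can still be handed the dead address after that change.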

WHM nameservers have been changed yet still populating to the old ones

Right, so I've been trying to transfer a website to a different company, and in order for them to host it I have had to change the nameservers to point at them. I have changed them in the WHM settings through the "Edit DNS Zone" tab, yet whenever I use something like MXToolbox it tells me that the old nameservers are still the parent ones. How can I change this or remove them?
I am very new to all of these website hosting intricacies, so apologies for any follow-up questions if I do not understand :)
You should change your domain nameservers at the registrar so they point to the new DNS servers provided by your web hosting company. That's the first step.
Then issue a whois on the domain and check if the correct nameservers appear there in the whois info (you can use a tool like http://whois.domaintools.com). If the nameservers shown there are not the correct ones then you have to change them.

DNS server in country A and hosting in B

This is something where I get confused.
Say I acquired a domain name blabla.ge (ge is for Georgia) and I am hosting my files with a US-based hosting company. What are the downsides, if any, and is there an option to change the DNS server?
Cheers!
Agreed, there is no real downside. The TLD is really not that important to basic usage. Yes, root servers factor in here, but really nothing that will impact your daily activities, and you don't really need to worry.
For the nameservers, you can change these to any servers you wish and have access to manage the records. Location isn't important other than basic routing and response time. Nameservers generally should be on diverse networks and diverse locations per Best Practices. I have nameservers available in multiple countries and there's nothing wrong with that. If you are using the nameservers provided by your registrar, you likely have the diversity I mentioned, although they may be located in a single country (which is fine).
I have multiple domains registered with tlds such as .nl, .im, .com.de, etc. Some of these point to US-only nameservers, some use nameservers in multiple countries and a couple use the nameservers provided by my registrar (who I purchased the domain from).
From there, my A records point to servers in diverse locations, primarily the US and the Netherlands. This setup works great, performance is adequate and there are no major downsides to doing it this way. You can change your nameservers for the .ge domain to use US servers, or you can leave them overseas and use A records to point to your server(s) in the US. You can debate which method would be "best" given a situation, but neither method is "wrong."
So in short, no major downside to doing this at all. And yes, changing your DNS server (nameserver) is always an option. Hope this helps.
