SaaS DNS settings - dns

I run a small e-commerce platform, and over the past two years it has grown in customers.
There are around 100 customers now, and their domains point to our server IP by the use of two A records (# and www).
I'm not experienced in this area, so I need someone who's knowledgeable about setting up major SaaS projects.
The worry I have is: if for whatever reason I change hosts, wouldn't I lose the IP address? And surely at that point I may need to ask over 200 customers to change their DNS settings to point to our new server?
A friend told me about using a CNAME (pointing to a domain I own), but another professional server contact told me that it's not ideal. What further confuses me is this:
If my point remains true (and an IP isn't able to be owned), then how come Squarespace and a few other major players have an option to instruct their users that they can use an A record to point to their (Squarespace/Wix...) IP address? Do they know something I don't (do they own an IP?)? What happens if Squarespace for whatever reason has to change IP? Surely 100,000's+ customers would need to change their A records? This seems very impractical and not realistic. It really confuses me.
I'd really appreciate some enlightenment in this area, because I need to know sooner rather than later whether I'm digging myself into a hole if I get over 500 customers and for whatever reason end up having to ask 500 of them to change DNS settings.
Thanks.


immediate deletion of DNS entries because of switching name servers

I had a disastrous downtime of my website domain after replacing the name servers of my registrar Host Europe with those of a service provider.
Host Europe technical support told me that they immediately delete DNS entries on their name servers if you do so.
Is it possible that the downtime of my website was because machines still asked the old name servers and they said "don't know"? (I don't know much about DNS.)
And is it normal for registrars to act this way?
How does Google Domains do it? How about Cloudflare Registrar?
And how to avoid the problem? Is a big TTL better or a small one? I think I had set it to 10 minutes before switching.
Your question is off-topic here as it is not related to programming, so it might get deleted, but the following was too long to put in a comment to help you:
"Host Europe technical support told me that they immediately delete DNS entries on their name servers if you do so."
This is very bad behaviour. Their nameservers will still get queries for roughly the TTL of the NS records at the parent.
"Is it possible that the downtime of my website was because machines still asked the old name servers and they said "don't know"?"
Yes this is exactly what happened.
An old provider should never pull the plug immediately. There are a lot of caches in the DNS.
If you can control the TTL values on your records, you can try adjusting them upwards at old provider, before the nameservers change. It may help a little or not at all, and not all DNS providers let people choose TTL freely. Somewhere around 1 week would be a good ballpark here.
"And is it normal for registrars to act this way? How does Google Domains do it? How about Cloudflare Registrar?"
Normal as in "unfortunately widespread", probably yes, but I can't comment on any specific company. Note also that here the problem is not with the registrar role, but the DNS provider role. Both can be the same company, but they are different roles. There is no worldwide DNS organization, whereas for registrars many of them are ICANN accredited (but they say nothing about this case IIRC), and in all cases they are accredited by registries. I can say for sure that at least one registry (AFNIC for .FR) does mandate/require/recommend (not sure of the wording) that registrars/DNS providers keep the old DNS configuration in case of a change. I don't think, though, that it is checked or enforced, unfortunately.
"And how to avoid the problem? Is a big TTL better or a small one? I think I had set it to 10 minutes before switching."
It does not matter, because what comes into play is the TTL (Time To Live) of the NS records at the parent (the registry handling the TLD under which your domain is registered), which you have zero control over.
Unfortunately there is no real proper countermeasure here; your DNS provider needs to do its job properly and not cut off resolution immediately.
A partial solution could be something akin to:
1. Add nameservers without removing the current ones: note that they need to be listed in the zone, AND you need to change the domain at the registry, otherwise you will be in a lame delegation case (which you can also decide to sustain, but it is bad in general).
2. After some time (typically again the TTL at the parent), you can now remove the old servers (again both in the zone and at the parent).
That way, even if the old nameservers stop working immediately for your domain, all resolvers would have time to learn about the new ones, and even if they try to contact the old nameservers and get an error, they may (not guaranteed to always work, and of course at least introducing some delays) switch to the new ones, until the same TTL again passes after the second step, after which all resolvers will know only about the new nameservers.
Another trick that could work, but means you will be in a lame delegation case, is the following. It works because a lot of resolvers, including big ones like Google Public DNS, are child centric instead of parent centric: you change the zone content to list the new nameservers as NS records, removing the old ones, and you do NOT make any change at the registry side. This will let some resolvers (but not all) learn about the new nameservers, and after some time you can do the switch at the registry.
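The answer's two points, that the parent's NS TTL (not the zone's own TTLs) governs how long resolvers keep asking the old servers, and that listing old and new servers together for one parent TTL avoids the outage, can be checked with a small model. This is an added example, not code from the original answer; the server names, the resolver count and the 2-day parent TTL are constructed assumptions, and `delegation_status` implements the answer's notion of a lame delegation (the parent delegating to servers the zone itself does not list).

```python
"""Model of what resolvers see when a domain's nameservers change.

Constructed simulation: each resolver cached the parent's NS RRset at a
different moment before the cutover at t=0. In the abrupt case the old
provider stops answering at t=0 and the parent then lists only the new
servers; a resolver whose cached NS set holds only dead servers fails until
that cache entry expires, i.e. for up to the parent NS TTL.
"""
OLD = frozenset({"ns1.old.example", "ns2.old.example"})   # assumed names
NEW = frozenset({"ns1.new.example", "ns2.new.example"})   # assumed names
PARENT_NS_TTL = 172800  # 2 days; typical TLD delegation TTL (assumed)


def delegation_status(parent_ns: frozenset, child_ns: frozenset) -> str:
    """Compare the NS set held at the registry with the NS RRset in the zone."""
    if parent_ns == child_ns:
        return "consistent"
    if parent_ns - child_ns:
        return "lame"          # parent delegates to servers the zone does not list
    return "child-ahead"       # zone already lists servers the parent does not yet


def failing_resolvers(cache_times, cached_before, after_ns, live, t):
    """Count resolvers that cannot resolve the zone at time t (seconds).

    cache_times:   when each resolver last fetched the parent NS set (<= 0).
    cached_before: the NS set the parent published before t=0.
    after_ns:      the NS set the parent publishes from t=0 on.
    live:          servers that actually answer for the zone after t=0.
    A resolver keeps its cached NS set until it expires, then refetches; it
    succeeds if at least one server in the set it uses is live.
    """
    failures = 0
    for fetched_at in cache_times:
        still_cached = fetched_at + PARENT_NS_TTL > t
        ns_set = cached_before if still_cached else after_ns
        if not (ns_set & live):
            failures += 1
    return failures


def simulate(staged: bool, t: int, n_resolvers: int = 10) -> int:
    """Failures at time t; staged=True means the parent already listed OLD|NEW."""
    # resolvers refreshed the parent NS set evenly over the last TTL before t=0
    cache_times = [-PARENT_NS_TTL * i // n_resolvers for i in range(n_resolvers)]
    cached_before = (OLD | NEW) if staged else OLD
    return failing_resolvers(cache_times, cached_before, NEW, NEW, t)


if __name__ == "__main__":
    for hours in (0, 24, 48):
        t = hours * 3600
        print(f"t={hours:>2}h abrupt={simulate(False, t)} staged={simulate(True, t)}")
```

With the abrupt cutover every resolver fails at t=0 and the failures only drain away as cached delegations expire over the full parent TTL; with the staged change none fail, because every cached set still contains a live server.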

Access load-balanced website when DNS lookup is restricted on server

The scenario is: I need to send push notifications to the Apple push server hosted at gateway.sandbox.push.apple.com. This Apple server is load balanced, and the destination IP address can be anything in the 17.x.x.x block.
Now my server, which will be requesting the Apple server, is in a secure environment and is behind firewalls. I have got the IP range 17.x.x.x unblocked, but DNS resolving is not possible on that server. That server also doesn't have Internet access.
What I did was: I pinged the Apple server from another system and got the Apple server's IP address for the moment. Then I mapped that IP address to the DNS name in the hosts file of my Windows server. This worked, but now the IP address can change at any time at the Apple end, and this will break things.
What can I do in this scenario?
You can talk to your security people and in cooperation with them come up with a proper, internally supported, way to provide what you need. What you need is to look up an address, and then talk to that address. Currently, you are only provided half of that.
What you're asking us for is a way to circumvent your own organization's security policies (policies that admittedly appear stupid, but that's another matter entirely). Even if someone here can come up with a technical way to do what you ask that works for now, it's likely to break at any time, since you're working at odds with your own workplace. Also, what will your bosses say if they find out that you're violating security policies?
Security very often comes down to tradeoffs. As the saying goes, the only truly secure system is one that has been encased in concrete and sunk to the bottom of the sea. But such a system will also be somewhat difficult to get useful work out of, so usually we accept lesser security in order to get work done. In your case, the tradeoff currently sits in a place that prevents you from doing whatever it is you're working on. So your organization needs to make a choice: change the tradeoff so that your machine can look up names, or keep the current tradeoff and accept that your task will not be done.
I'm sorry that I can't give you a straight up "Sure, do this" kind of answer, but your problem really is not technical.

DNS server in country A and hosting in B

This is something where I get confused.
Say I acquired a domain name blabla.ge (ge is for Georgia) and am hosting my files with a US-based hosting company. What are the downsides, if any, and is there an option to change the DNS server?
Cheers!
Agreed, there is no real downside. The TLD is really not that important to basic usage. Yes, root servers factor in here, but really nothing that will impact your daily activities, and you don't really need to worry.
For the nameservers, you can change these to any servers you wish and have access to manage the records on. Location isn't important other than for basic routing and response time. Nameservers generally should be on diverse networks and in diverse locations per best practices. I have nameservers available in multiple countries, and there's nothing wrong with that. If you are using the nameservers provided by your registrar, you likely have the diversity I mentioned, although they may be located in a single country (which is fine).
I have multiple domains registered with TLDs such as .nl, .im, .com.de, etc. Some of these point to US-only nameservers, some use nameservers in multiple countries, and a couple use the nameservers provided by my registrar (who I purchased the domain from).
From there, my A records point to servers in diverse locations, primarily the US and the Netherlands. This setup works great, performance is adequate, and there are no major downsides to doing it this way. You can change your nameservers for the .ge domain to use US servers, or you can leave them overseas and use A records to point to your server(s) in the US. You can debate which method would be "best" given a situation, but neither method is "wrong."
So in short, no major downside to doing this at all. And yes, changing your DNS server (nameserver) is always an option. Hope this helps.

Is it a good idea to call an image by its IP address instead of a domain?

Let's say there is a page with 100 different user photos shown on the page.
That is at least 100 DNS lookups right there. Would this be reduced if I were to link using an IP instead of a domain URL?
http://217.345.33.444/images/photo.jpg instead of http://domain.com/images/photo.jpg
It lowers DNS lookup overhead but will force painful, monotonous, error-prone changes if that IP ever changes down the road.
Also, once a single name is resolved, it shouldn't be looked up again...
It's a bit late at night in my timezone, but I thought that DNS lookups are cached in various spots (even on the local machine??), so it is not as bad as you think.
Thus the first call to look up the domain will travel a fair way, but the results should be cached on in-between machines so that there are fewer performance hits with the later calls.
I am sure that this sort of thing was thought long and hard about by the designers of the DNS protocols.
Edit notes
It's taken me 3 edits just to get my spelling and grammar straight; it is definitely too late at night for me.
DNS lookups are cached by your computer, so there will only be a single lookup per unique domain.
Additionally, most people use their internet provider's DNS server, and it will typically cache DNS lookups as well, so a lot of the time, the DNS lookup will just be a single network hop away.
You have no way of knowing when the IP address of a domain will change, so I do not recommend this approach.
Is there a reason you don't store the images on your own domain? If you did that:
the DNS issue would go away;
a lot of web servers don't allow hotlinking of images, so this problem would be solved as well;
that would also create the possibility of spriting images together, if the set of images shown together doesn't change often.
Why is that 100 DNS lookups? Are all the images on different domains? You should only typically incur one lookup per unique domain (and that's assuming that domain has never been resolved before).
How confident are you that your IP address will never change? Also if you had those 100 images on 4 different domains performance would increase.
Every browser I know looks up the DNS only once and then caches it. Even if it doesn't, the system does. There aren't 100 lookups as you suspected.
You can get proof of that with any simple traffic sniffer, as I did.

How to simulate browsing from various locations?

I want to check a particular website from various locations. For example, I see a site example.com from the US and it works fine. A colleague in Europe says he cannot see the site (he gets a DNS error).
Is there any way I can check that for myself instead of asking him every time?
This is a bit of self promotion, but I built a tool to do just this that you might find useful, called GeoPeeker.
It remotely accesses a site from servers spread around the world, renders the page with webkit and sends back an image. It will also report the IP address and DNS information of the site as it appears from that location.
There are no ads, and it's very streamlined to serve this one purpose. It's still in development, and feedback is welcome. Here's hoping somebody besides myself finds it useful!
Sometimes a website doesn't work on my PC and I want to know if it's the website or a problem local to me (e.g. my ISP, my router, etc.).
The simplest way to check a website and avoid using your local network resources (and thus avoid any problems caused by them) is using a web proxy such as Proxy.org.
Well, DNS should be the same worldwide, shouldn't it? Of course it can take up to a day or so until your new DNS record is propagated around the world. So either something is wrong on your colleague's end or the DNS record still needs some time...
I usually use online DNS lookup tools for that, e.g. http://network-tools.com/
It can check your HTTP header as well. Only a proxy located in Europe would be better.
Besides using multiple proxies or proxy-networks, you might want to try the planet-lab. (And probably there are other similar institutions around).
The social solution would be to post a question on some board that you are searching for volunteers that proxy your requests. (They only have to allow for one destination in their proxy config thus the danger of becoming spam-whores is relatively low.) You should prepare credentials that ensure your partners of the authenticity of the claim that the destination is indeed your computer.
DNS info is cached in many places. If you have a server in Europe, you may want to try to proxy through it.
It depends on whether the location is detected by different DNS resolution from different locations, or by the IP address that you are browsing from.
If it's by DNS, you could just modify your hosts file to point at the server used in Europe. Get your friend to ping the address to see if it's different from the one yours resolves to.
To browse from a different IP address:
You can rent a VPS server and use PuTTY / SSH to act as a proxy. I use this from time to time to browse from the US using a VPS server I rent in the US.
Having an account on a remote host may or may not be enough. Sadly, my DreamHost account, even though I have SSH access, does not allow proxying.
The only thing that springs to mind for this is to use a proxy server based in Europe. Either have your colleague set one up [if possible] or find a free proxy. A quick Google search came up with http://www.anonymousinet.com/ as the top result.
