Resolve my domain with a CDN IP - dns

I'm not a routing expert. But what I know: it can be a really big topic. So, I'm currently thinking about geo-load balancing and how I can provide it. You can use Route 53 to create GeoDNS lookups. And this is fine and good. But I think about CDNs. I have only two locations, while CDNs have tons of locations. Why not resolve my domain www.example.com with one of these CDNs' IPs directly? My frontend is static. The dynamic stuff is created by JavaScript. So, is it possible to resolve my domain example.com directly with the nearest CDN IP?

What you describe is a quite usual setup. On AWS, after you create a CloudFront distribution, you will simply create an ALIAS in your Route53 console:
www.example.com A ALIAS xyz123xyz.cloudfront.net
If you are using other CDN/DNS providers, you will create a CNAME record:
www.example.com CNAME xyz456xyz.somecdn.net

It is possible to resolve your domain to only one CDN IP. And when we talk about a CDN IP, it is usually a virtual IP (Anycast IP) which maps to different physical edge servers globally. Depending on where the request is coming from, that virtual IP will map to the edge server closest to the end user.
Take the domain www.cloudflare.com for example: it is on Cloudflare (http://www.whatsmycdn.com/?uri=www.cloudflare.com), and it is pointing to two Cloudflare virtual IPs for failover purposes, I suppose.
dig www.cloudflare.com +short
198.41.215.162
198.41.214.162
Of course, pointing that domain to only one Cloudflare virtual IP is completely doable, although it is not desirable.

Related

How does CrimeFlare find the origin ip address of a Cloudflare website?

I am getting a bit into protecting my website, but someone keeps posting the origin IP of my website. I've found out that this website is exposing it: http://www.crimeflare.org:82/cfs.html
After some extra research I found that this site has been online for a couple of years, but there is no info on how it is made or what technique it uses. Does anyone have a clue how this website gets the direct-connection IP address? Thanks in advance.
I can answer this question. It's really all due to domain history, in a nutshell. In order to avoid domain-history-fetching websites, so-called CloudFlare resolvers and Crimeflare, you need to change your origin IP while under the banner of CloudFlare. Then, to stay hidden, you MUST not use the email services from your domain, otherwise a simple MX record lookup will expose your origin IP. So this means you now need to use third-party email services. If you are using a VPS or bare metal you need to set up iptables so that ALL IPs are blocked and only CloudFlare's IPs are allowed. This way IP scanners like Censys can't find your origin IP either, since all IPs would be blocked except CloudFlare's, forcing all connections to go through CloudFlare. Thankfully CloudFlare IPs don't change that often and they do publish the IP list on their website.
If you are using a shared account you'll want to make sure your shared account uses a shared IP and not a unique IP. With a shared IP your website is mixed with others and these CloudFlare resolver websites can't distinguish between who's who to get your origin IP.
There are some other very minor trivial things to also consider. One trivial possible vector for origin IP exposure is allowing remote content to be published via the website. Be it a remote avatar or file. The link used from this remote content has the possibility of resolving your origin IP behind CloudFlare.
If you are using a shared account you can help block direct IP connections and keep all connections going through CloudFlare in one of two ways. In an Apache or Litespeed SAPI, add the following to your htaccess file:
RewriteCond %{HTTP:CF-IPCountry} ^$
RewriteRule ^ - [F,L]
What that code does is check for the CloudFlare geolocation header in the request from CloudFlare, and if it is not present the user gets a 403. Thus all connections must go through CloudFlare. In order for this to work, the IP Geolocation option has to be turned on in your CloudFlare dashboard under Network.
The other really unique and awesome way of doing this is by using CloudFlare Workers. You can read about that here: https://community.cloudflare.com/t/stop-cloudflare-bypassing-on-shared-hosting/91203
I use all of these methods myself with my websites minus the fact of not using a VPS. So far my origin IP is not shown in Crimeflare or other websites.
Best of luck.
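The same idea as the answer's iptables allowlist and .htaccess header check, as an added example that is not code from the original post. It checks the connecting address against the CDN's ranges in addition to the header, and renders an equivalent nftables allowlist; the ranges shown are constructed placeholders, not the provider's real published list.

```python
"""Origin-side allowlist for a site fronted by a CDN (added example)."""
import ipaddress
from typing import Dict, List

# Constructed placeholder ranges (documentation space), NOT the CDN's real
# published list: load the list the provider publishes instead.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]


def from_cdn(remote_ip: str) -> bool:
    """True when the TCP peer address lies inside one of the CDN edge ranges."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_RANGES)


def decide(remote_ip: str, headers: Dict[str, str]) -> int:
    """HTTP status the origin should return for a request.

    The .htaccess rule in the answer keys only on the CF-IPCountry header.
    This version also requires the peer address to be a CDN edge: a header
    can be sent by anyone who reaches the origin directly, but the source
    address of an accepted TCP connection cannot be chosen freely.
    """
    if not from_cdn(remote_ip):
        return 403
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not hdrs.get("cf-ipcountry"):
        return 403
    return 200


def nft_rules(ranges=CDN_RANGES) -> List[str]:
    """Render an nftables allowlist equivalent to the iptables advice above.

    Everything not from a CDN range is dropped; add management access
    (SSH from your own addresses) as a separate rule before deploying.
    """
    v4 = [str(n) for n in ranges if n.version == 4]
    v6 = [str(n) for n in ranges if n.version == 6]
    rules = ["table inet origin_fw {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept", "    iif lo accept"]
    if v4:
        rules.append(f"    ip saddr {{ {', '.join(v4)} }} tcp dport {{ 80, 443 }} accept")
    if v6:
        rules.append(f"    ip6 saddr {{ {', '.join(v6)} }} tcp dport {{ 80, 443 }} accept")
    rules += ["  }", "}"]
    return rules
```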
They very much explain it on that very site:
There are sites on the web that specialize in collecting registration and nameserver data. [..] CloudFlare maintains around 391 nameservers, and customers must change the nameservers on their registration in order to use most services. Each customer's domain is assigned two nameservers. This makes it easier to verify which domains depend on CloudFlare, and helps us keep our domain lists relatively current.
In other words, they look at public nameserver data and filter out the domains that have their nameservers pointed at one of CloudFlare's nameservers.

Cloudfront setup for main domain without using route53

We are planning to use a CloudFront distribution for our main domain and the setup will be as follows.
Cloudfront Origin - route.domain.com -> Remote Server IP address(xx.xx.xx.xx)
www.domain.com, domain.com -> d123.cloudfront.com
As we know, we can set up a CNAME for www.domain.com to point to the CloudFront distribution (d123.cloudfront.net). However, for domain.com we have to point an A record to an IP address, and it's not possible to set up a CNAME record.
In Route53 there is an option called Alias which can be used to point the domain to CloudFront. But our domain.com nameserver uses a different provider and we would like to stick with the current nameserver.
Any help would be appreciated.
Since this is a limitation in DNS itself, there is no way to accomplish this without a DNS hosting provider that supports an alias-like feature, sometimes called an "ANAME" or "flattened CNAME". Route 53 is of course the canonical example. CloudFlare and DNS Made Easy are others.
Or use a service like this one¹ to redirect your naked domain name to the www address, which would be your "real" site. They give you a single IP address for your A record. Note that your current DNS provider may have a "redirection" option that does this. It is not properly a part of DNS, but some providers allow you to configure domain redirections in their DNS portal.
Or migrate your DNS hosting to Route 53, keeping your DNS registration with your current vendor. In my mind, there is really no compelling reason not to use Route 53. See Making Route 53 the DNS Service for a Domain That's in Use for migrating to Route 53 without disruption, noting that the final step -- Transfer Domain Registration to Amazon Route 53 -- is entirely optional, as mentioned in the docs.
¹ this one is not a service I am affiliated with or have ever used in production, because I built my own service for that purpose using EC2, which is another option but outside the scope of this answer. This is intended as an example, not an endorsement.
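The Route 53 ALIAS from the first answer on this page and the ANAME/flattened-CNAME feature this answer describes both work by resolving the target on the authoritative side. An added example, not code from either answer, that simulates this with constructed zone data (names from the question, addresses from documentation space) and shows the "CNAME and other data" rule that rules out a plain CNAME at the apex:

```python
"""Why a CNAME cannot sit at the apex, and how ALIAS/ANAME works around it."""
from typing import Dict, List, Tuple

Record = Tuple[str, str]  # (type, rdata)

# Constructed: what the authoritative server learns when it resolves the CDN
# hostname itself (a real server queries the CDN's nameservers at query time).
UPSTREAM_A: Dict[str, List[str]] = {"d123.cloudfront.net.": ["203.0.113.10", "203.0.113.11"]}

# Constructed zone. The apex must carry SOA and NS (here also MX), which is
# exactly why a CNAME is not allowed there.
ZONE: Dict[str, List[Record]] = {
    "domain.com.": [
        ("SOA", "ns1.example-dns.net. hostmaster.domain.com. 1 3600 600 86400 300"),
        ("NS", "ns1.example-dns.net."),
        ("MX", "10 mail.domain.com."),
        ("ALIAS", "d123.cloudfront.net."),  # provider-specific, never sent on the wire
    ],
    "www.domain.com.": [("CNAME", "d123.cloudfront.net.")],
}


def validate(zone: Dict[str, List[Record]]) -> List[str]:
    """Report violations of the RFC 1034 rule that a CNAME owner has no other data."""
    errors = []
    for name, rrs in zone.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            others = sorted(types - {"CNAME"})
            errors.append(f"{name}: CNAME cannot coexist with {others}")
    return errors


def with_cname_at_apex(zone: Dict[str, List[Record]]) -> Dict[str, List[Record]]:
    """Copy of the zone with the apex ALIAS replaced by a plain CNAME (the broken case)."""
    bad = dict(zone)
    kept = [r for r in zone["domain.com."] if r[0] != "ALIAS"]
    bad["domain.com."] = kept + [("CNAME", "d123.cloudfront.net.")]
    return bad


def answer_a(zone: Dict[str, List[Record]], qname: str, upstream=UPSTREAM_A) -> List[Tuple[str, str, str]]:
    """Records a resolver gets for an A query: a CNAME is handed back as-is for
    the resolver to chase, an ALIAS is flattened into ordinary A records."""
    out: List[Tuple[str, str, str]] = []
    for rtype, rdata in zone.get(qname, []):
        if rtype == "ALIAS":
            out.extend((qname, "A", ip) for ip in upstream.get(rdata, []))
        elif rtype in ("A", "CNAME"):
            out.append((qname, rtype, rdata))
    return out
```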

How to point DNS at a dynamic IP address?

Bluehost is my DNS provider and my app is hosted on heroku. I'm trying to point the DNS at my heroku app but there's an issue. Heroku's documentation states the following:
Some DNS providers will only offer A records for root domains. Unfortunately, A records will not suffice for pointing your root domains to Heroku because they require a static IP. These records have serious availability implications when used in environments such as on-premise data-centers, cloud infrastructure services, and platforms like Heroku. Since Heroku uses dynamic IP addresses, it’s necessary to use a CNAME-like record (often referred to as ALIAS or ANAME records) so that you can point your root domain to another domain. See examples below.
They go on to recommend creating a CNAME record with the values # and your root domain alias, e.g. hidden-sierra-7936.herokudns.com.
But Bluehost won't allow this because they want an IPv4 IP Address only and won't accept something like hidden-sierra-7936.herokudns.com as a valid CNAME record. I've already done the www record and things aren't working, so I'm guessing I need the ANAME record as well.
Is there any way around this other than switching to a new DNS provider?
Bluehost does not support this. Google and Cloudflare do, perhaps others. Cloudflare worked for me.

How to map domain to hosting server

My client has a dedicated server on the Liquid Web cloud service and my web app is hosted on that server. We want our users to map their domain to our server, so they can enjoy our web app by using their domain name. What information do I need to provide to my user so he can map his domain, and what information do I need from them?
I don't know much (in fact, anything) about domain mapping.
Thanks
It depends on whether the server has a dedicated IP address or is NATted.
If the server has a dedicated IP address you can ask your clients to point their entire domain to your server by adding the following A records:
Host TTL Protocol Type IP Address
# 300 IN A 1.1.1.1
www 300 IN A 1.1.1.1
Not all domain hosts ask for TTL; if not, don't worry about it.
If you want just their subdomain to point to your server (subdomain.website.com):
subdomain IN A 0.0.0.1
TTL is optional in some systems, in this case the default will be used.
Generally it is recommended that you use an IP for the apex record and not a domain name. E.g. example.com is the apex, www.example.com is the www subdomain.
A typical configuration would be below:
Host TTL Protocol Type Result
# 300 IN A 1.1.1.1
www 300 IN CNAME example.com
This is the same config as the top example but using CNAME example.com. It is the same as using A 1.1.1.1; it just means you only need to change one record.
If your server details are a hostname and not an IP address, most systems will not let you use the hostname for the apex so you will need to find out the IP address. (A simple method is to use the nslookup command or dig command).
TTL is how long, in seconds, a record lasts before it expires. If you are unsure what you are doing, I recommend lowering this so you can correct mistakes more quickly.
There are different methods for different servers. For most servers, you have to change the nameservers of your domain.
This is mostly needed when your domain registrar and hosting provider are different.
First, log in to your hosting account, navigate to the account details,
then copy the nameservers from there, which would be something like: dns1.hostingprovider.com
dns2.hostingprovider.com
After that, go to the control panel of your domain. Navigate to the nameservers.
You will see the links: dns1.domainregistrar.com
dns2.domainregistrar.com
Paste the above links in place of the links below them.
They need the IP address (and possibly instructions on how to configure their DNS servers (which means a variety of different sets of instructions for different servers and control panels)).
You need the domain name.

Pointing DNS name to IP address on local machine

This might be a stupid question, but I would really appreciate any compact answer.
I have uploaded a Joomla site on my local machine using a static IP address (213.221.211.111 for example). I have registered a domain (like www.example.com) on Godaddy.com. Within their dashboard, I set the primary and secondary name servers (I looked them up from my router setup page).
Is there anything else I need to do so that entering e.g. www.example.com would take the user to 213.221.211.111?
Inside of godaddy, you need to map "www" to your static IP address. It would be a good idea to also map the default entry for your domain, sometimes called "#".
Edit: Upon further reading of your original question, you don't set the primary and secondary DNS servers for your domain to your ISP's servers. Your domain's primary and secondary servers are for the addresses of the servers that are responsible for serving your domain. Unless you have your domain hosted with your ISP and not with godaddy, then this is not the right thing to do at all. If you have your domain hosted with godaddy, follow their instructions for setting up a domain and pointing "www" at an IP address.
In addition to what jricher said, you will also probably need to port forward.