Hiding IP (SRV record?) - dns

I am using AMP (McMyAdmin3) as the control panel for my Minecraft servers, and the servers are located at a secret address, except my BungeeCord (a proxy so multiple Minecraft servers can be connected), of course. Now I am trying to have a control panel for my admins, but I want them not to see the IP.
I was thinking of an SRV record, but I am not sure if this even CAN work or HOW it even works.
(Well I have an idea of how it works but I don't know if I am correct)
So I have pointed my domain 'manage.mydomain.com' to the IP I want, I put cloudflare protection on it, so if they resolve the IP, they cannot see the real IP. However, with this done they cannot type in the URL bar 'manage.mydomain.com:[port]' because cloudflare does not allow you to do that, because of the protection. So I tried setting up an SRV record like this:
_mcmyadmin._tcp.manage POINTS TO SRV 0 0 [port] manage.mydomain.com
I waited for 2 days now, and it still did not work, so I am sure that is not the case.
Is there any way to make this work? Or is it not even possible with domain stuff :p
Or is there another way to fix this?
Kind regards,
Runefist

DNS is the public phone book of the internet. Its purpose is to take a domain name and map it to an IP Address. It is simply not possible to put anything in DNS and keep it secret.
When you put an address into your browser the first thing it does is find out the IP address associated with it.
In order to use a SRV record the application that uses it needs to be written to use them. Unless you are writing the frontend yourself, there are very few applications that will use SRV records. You can't just put data in there and expect it to be used.
If your intention here is to provide extra security to your servers, this isn't going to do you a lot of good. If you look at your server logs you are already being probed just by being online. The addition of a domain name won't do much to change that.
You will be far better off understanding and hardening the security of your server than hiding it and hoping that nobody finds it, because it is almost guaranteed that they will if they have the inclination to do so.

Minecraft SRV records are _minecraft._tcp, you can't change the service name or the client won't be able to resolve it.
That being said, Michael B is right, what you're doing is implementing security by obscurity (which, as we all know, is no security). Instead, you should be using iptables to block all IPs except for the bungee from being able to reach the backend.
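The firewall half of that advice, as an added example that is not code from the original thread: a small POSIX shell script that renders the iptables rules so a backend Minecraft server only accepts connections from the BungeeCord proxy, and the control panel only from an admin network. All addresses and ports are hypothetical placeholders (proxy at 203.0.113.10, backend on TCP 25565, panel on TCP 8080, admin VPN range 10.8.0.0/24). Note that an SRV record, even one the client honoured, would not have helped: it is public data, and it names the target host in clear, so anyone can follow it to the real address.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Renders iptables rules that expose a Minecraft backend only to the
# BungeeCord proxy and the management panel only to an admin network.
# Every address and port below is an assumed placeholder.
PROXY_IP="${PROXY_IP:-203.0.113.10}"      # BungeeCord host (assumed)
BACKEND_PORT="${BACKEND_PORT:-25565}"     # backend Minecraft listener (assumed)
PANEL_PORT="${PANEL_PORT:-8080}"          # AMP/McMyAdmin web listener (assumed)
ADMIN_NET="${ADMIN_NET:-10.8.0.0/24}"     # admin VPN range (assumed)

# allow_only PORT SOURCE: rules that accept TCP PORT from SOURCE (an
# address or CIDR) and drop it from everyone else. The ACCEPT must come
# before the DROP because iptables stops at the first matching rule.
allow_only() {
    port="$1"; src="$2"
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# ruleset: the complete rule list, printed as text rather than executed
# so it can be reviewed first. The stateful baseline keeps replies and
# already-established sessions (for example your SSH session) working.
ruleset() {
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    allow_only "$BACKEND_PORT" "$PROXY_IP"
    allow_only "$PANEL_PORT" "$ADMIN_NET"
}

# rule_count: how many rules ruleset would install.
rule_count() {
    ruleset | wc -l | tr -d ' '
}

# To apply as root after reading the output:   ruleset | sh
```

The rules are appended to INPUT, so they only take effect for traffic that no earlier rule has already accepted; check `iptables -L INPUT -n --line-numbers` first and add an SSH rule for the admin range before the DROP lines if the chain policy is DROP.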

Advanced DNS settings for BIND regarding a sub domain for my local home network that integrates nicely into its parent domain (on an external network)

The intent of this post is that I ran into things I had a hard time understanding and wish to implement things in a more professional and objectively better way. Some of my choices I simply don't know to be good or bad. I believe the open questions are very instructive for people that can follow documentation to set up a working local DNS server - but wish to understand and learn how things are done the right way. Hence I opted to ask here!
I have a domain sakujo.tld and use namecheap's FreeDNS service as the authorized DNS. I configured entries for the following host.domains in their zone configuration
nas.home.sakujo.tld, gateway.home.sakujo.tld (A record via DDNS via curl via cron to my router)
vps.sakujo.tld (A record to my VPS on lowendspirit)
*.home.sakujo.tld, home.sakujo.tld (they map to CNAME gateway.home.sakujo.tld)
mysql, ns01, nzbget, sonarr (.sakujo.tld) (they map to CNAME nas.home.sakujo.tld)
So far so good and very simple. I run a home NAS based on Arch linux on an eeePc that can handle quite a lot of things at once apparently. One of them is now a bind installation. My intent is to override home.sakujo.tld and all its hosts but apparently I have to introduce quite a bit of redundancy to achieve those things.
The need for a second zone
I want to achieve a set-up, naively speaking like this
    gateway     IN A 192.168.0.1
    nas         IN A 192.168.0.91
    phone       IN A 192.168.0.41
    user2.phone IN A 192.168.0.42
    tab         IN A 192.168.0.43
    htpc        IN A 192.168.0.51
    tv          IN A 192.168.0.55
    quad        IN A 192.168.0.101
    red         IN A 192.168.0.111
I was hoping that a zone set up like this one would be all that is needed but sadly this turned out to be too naive and did not suffice. My hopes were that
nas.home.sakujo.tld (and gateway.home.sakujo.tld) would now resolve to 192.168.0.91 (and 192.168.0.1) instead of the DDNS A record on namecheap's external DNS.
That way, if I used mysql.sakujo.tld or for instance sonarr.sakujo.tld, a DNS look up would first find the canonical name (CNAME) nas.home.sakujo.tld (as it of course does) and I was hoping that that canonical name had an A record to now 192.168.0.91 as defined in the zone file above. Sadly, in reality, mysql or sonarr resolve to nas.home.sakujo.tld (which is fine and wanted), but that one still has the external A record as defined on namecheap (the place that also defined the CNAME for nas.home.sakujo.tld).
So in essence I had to set up a second zone. I already had home.sakujo.tld and now I added sakujo.tld. That new zone now uses all the info that is already defined in namecheap's configuration I have externally. It goes like this:
    mysql  IN CNAME nas.home
    nzbget IN CNAME nas.home
    sonarr IN CNAME nas.home
(I can't seem to get code to work here, apologies)
But mysql, nzbget, sonarr already have the zone entries set on namecheap exactly this way. This seems redundant. Do I have to do this? Or can I make some voodoo entry somewhere on namecheap or in home.sakujo.tld and have it transfer/update/authority whatnot (I really don't understand things from here on out at all anymore; you probably noticed I tried to learn and understand everything that leads up to this point - from now on I am 5 years old).
The @ and NS entries
First, a quick one: I don't know what to put into the sakujo.tld @ A record and just have it point to 127.0.0.1. Ideally I would just leave that entry out as I don't have anything that makes sense to map sakujo.tld to.
Next on, I am told / need to add these lines into the zones to make them "good"
    $TTL 30
    ; home.sakujo.tld
    @ IN SOA ns01.home.sakujo.tld. postmaster.home.sakujo.tld. (
        2015041917 ; Serial
        28800      ; Refresh
        1800       ; Retry
        604800     ; Expire - 1 week
        86400 )    ; Minimum
      IN NS ns01
      IN NS ns02
    ns01 IN A 192.168.0.91
    ns02 IN A 192.168.0.91
    @    IN A 192.168.0.1
I know what the TTL is, the comment is probably irrelevant. I am sure I can look up the things in the brackets and I already know the Serial setting. My questions on this one are of more practical nature. Do I need all those entries?
both NS entries and both A records referring to them?
The @ A record?
The @ SOA entry? (I understand this is a very likely yes - heck, I ask because chances are this is related to the first paragraph)
I also tried to replace the A record for @ with a CNAME entry to no avail. It would not resolve.
Either way, I read a lot that I should have two name servers. I guess it makes sense to set up another external DNS on a VPS? Is that trivial/would be identical to how I set up the first one? I guess there is a relation between the two ns01 entries and the appearance of ns01 in the SOA entry as well.
Are there best practices I am missing?
Are domains even supposed to be set up that way? I currently use two distinct kinds of entries
Unique FQDNs for physical/virtual hosts like nas.home.sakujo.tld for my NAS or tv.home.sakujo.tld for the tv (home being the location, a subnet) - so that is why for instance vps.sakujo.tld is not under home.
Aliases that are semantically labeled. Like mysql.sakujo.tld. This will be my main MySQL server - I currently only use a single db in a MariaDB installation. Or sonarr.sakujo.tld - so that should map to whichever physical machine hosts my Sonarr installation. The advantage of this is that in a year I might use another machine for the MySQL database, so the references in my configuration and data should be agnostic of the physical/virtual host.
Maybe there are things I don't see? Even if it is things like "It's more common to name your router portal/router instead of gateway".
For posterity, I pasted my complete /etc/named.conf and zone files. Now that I mention that I don't really know if I need the allow-update and notify settings but that part of the documentation I am able to follow myself (I just thought I'd mention this in case there are questions about why I have them in, I simply don't know)
named.conf
zone config
Now that I think about things it would be best to have the following nameservers set up
ns01.sakujo.tld pointing to nas.home.sakujo.tld
ns02.sakujo.tld pointing to the namecheap DNS
Can I use CNAMEs here? Do I have to set up ns0#.home.sakujo.tld as well? If so can I use CNAMEs there?
Edit
Somebody in #bind on freenode wondered why I was using a separate subdomain for my home network to begin with. He advised me to use views instead.
Is it not arbitrary whether I put the hosts on my local network into their own subdomain? After all they are in their own subnet, too and semantically speaking it seems to make sense.
I read up a bit on views, but his advice does not seem to apply to me on a first quick and naive glance. I mean I don't intend to expose my local DNS to the internet, so there is no point in having separate zone configuration for different clients. I want all the zone configuration to apply to all clients that use the DNS.
Maybe he was suggesting to use views on namecheap's DNS instead? Would that even work? Also, how would namecheap tell whether I make the DNS request from my home network or an external network to begin with? After all mapping my hosts on home.sakujo.tld to 192.168.0.0/24 would not help all that much when I am not in my local subnet.
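What views are for, as an added example that is not the poster's own named.conf and not an answer from the thread: the public zone at namecheap contains the home.sakujo.tld records as well as the service CNAMEs, so whichever resolver follows mysql.sakujo.tld through the public data ends up at the external address. The usual fix is the one the question already arrived at, a local copy of sakujo.tld that carries LAN addresses, and views let a single BIND instance hand that copy only to LAN clients while any other client it serves (here an assumed VPN range 10.8.0.0/24) gets ordinary recursion and therefore the public answers. Addresses, file paths and the VPN range are assumptions; the host names are the ones from the question.

```conf
// Added example, not the poster's configuration. Split-horizon BIND:
// LAN clients are answered from local copies of sakujo.tld and
// home.sakujo.tld; VPN clients get plain recursion (public addresses).
// Addresses, paths and the VPN range are assumed placeholders.
acl lan { 127.0.0.1; 192.168.0.0/24; };
acl vpn { 10.8.0.0/24; };

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.0.91; };
    listen-on-v6 { none; };
    allow-query { lan; vpn; };          // never answer the open internet
    allow-recursion { lan; vpn; };
    allow-transfer { none; };
};

view "lan" {
    match-clients { lan; };
    recursion yes;
    // Once any view exists, every zone has to live inside a view.
    zone "sakujo.tld" {
        type master;
        file "lan/sakujo.tld.zone";     // local overlay of the public zone
    };
    zone "home.sakujo.tld" {
        type master;
        file "lan/home.sakujo.tld.zone";
    };
};

view "vpn" {
    match-clients { vpn; };
    recursion yes;                      // no local zones: public answers only
};
```

The price of the overlay is the redundancy the question complains about, and it goes further than the three CNAMEs: because the LAN view now claims all of sakujo.tld, every public name that LAN clients still need (vps.sakujo.tld, the ns01 glue) must be repeated in lan/sakujo.tld.zone, or those names return NXDOMAIN on the LAN. Keep the local SOA serial and the records in sync with namecheap whenever the public zone changes.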

DNS delivering ads?

Could it be that my DNS (which was set by my ISP) is making money when I go online?
I know that the 'web-page unavailable, but look at these amazing ads'-pages (when the user tries to reach the wrong address) bring them a little bit of money. But I am interested in another case.
Could it be that they serve me an ad (as pop-up or pop-down) when I go to a completely 'normal' page without consent of the web-page itself? It would be a kind of add-on, you ask for page example.com/foe, the example.com site serves the page foe, but the DNS sends you unrequested a pop-under ad.
Am I paranoid, or is it happening? Note: I know how to block ads, pop-ups/under and so on. I just want to investigate better how DNS services are trying to make a buck (or a cent) here and there.
Not exactly. The way DNS works is straightforward; say you host a web server for which you have purchased the domain name noads.com. When you purchase that domain name you're going to be setting it to point to the IP address of your server. Now, from your server you can host ads if you wish, or set up redirects so that when someone requests "Noads.com/hi" they get an ad proclaiming the wonders of a cereal high in fiber. However, at this point you're past the point of DNS resolution. The request to noads.com was resolved to your IP address. The /hi folder was accessed after that resolution took place, and your webserver may have presented the ad or redirected as the programmer of the website chose.
As for your ISP sneaking something in there... It would be very bad for their business, if not a suable offense, to add A records to their DNS server which direct you to an IP other than the one registered. To check that you could use www.checkdomain.com to find what the domain should be, and type in the name of the domain you want to reach. Then use a command line (press your Windows key and R to bring up a run prompt, then type CMD and press enter) and from there type nslookup. This will show you the IP you SHOULD be directed to and the IP you ARE being directed to.
One last parting thought, DNS is not a random function. Meaning you can't set an "If, then" on it. If you request a website it's always going to go to the same IP. The only reason it wouldn't is if there are multiple host records pointing to different IPs for a single name. I don't believe that is something to worry about, as the ISP servers will point to the official "internet" servers which will be carefully tended and kept free of error.
Hopefully this explains everything to your satisfaction. Please feel free to ask for clarification if something is not clear.
Thanks!
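The comparison described in that answer, scripted, as an added example that is not from the original answer: it asks the resolver under suspicion and one of the name's own authoritative servers for the same A record and reports any difference, and it probes the one behaviour the question describes as already known, a resolver that returns an address for a name that does not exist (the "web page unavailable, but look at these ads" page). It assumes `dig` is installed; the resolver address and the probe name are placeholders, and the zone is taken to be the last two labels of the name, which is an assumption that fails for names under second-level public suffixes such as co.uk.

```shell
#!/bin/sh
# Added example, not from the original answer. Compares a resolver's answer
# with the authoritative answer and probes for NXDOMAIN rewriting.
# Requires dig (dnsutils / bind-utils). Names and addresses are placeholders.

# normalize LIST: sort a newline-separated answer list and drop blanks, so
# two answer sets compare equal regardless of record order.
normalize() {
    printf '%s\n' "$1" | sed '/^$/d' | sort
}

# answers_differ A B: true when the two answer sets are not the same.
answers_differ() {
    [ "$(normalize "$1")" != "$(normalize "$2")" ]
}

# resolver_answer NAME RESOLVER: A records for NAME as RESOLVER reports them.
resolver_answer() {
    dig +short A "$1" @"$2"
}

# authoritative_answer NAME: A records from one of NAME's authoritative
# servers. Assumption: the zone is the last two labels of NAME.
authoritative_answer() {
    name="$1"
    zone=$(printf '%s' "$name" | awk -F. '{print $(NF-1)"."$NF}')
    ns=$(dig +short NS "$zone" | head -n 1)
    dig +short +norecurse A "$name" @"$ns"
}

# check NAME RESOLVER: report whether the resolver's answer matches.
check() {
    got=$(resolver_answer "$1" "$2")
    want=$(authoritative_answer "$1")
    if answers_differ "$got" "$want"; then
        echo "MISMATCH for $1 via $2"
        echo "resolver:      $got"
        echo "authoritative: $want"
        return 1
    fi
    echo "OK: $1 via $2 -> $got"
}

# nxdomain_rewritten RESOLVER: true when the resolver hands back an address
# for a name that does not exist, i.e. it substitutes its own page.
# example.com is reserved for documentation; this label is not delegated.
nxdomain_rewritten() {
    probe="does-not-exist-$$.example.com"
    [ -n "$(dig +short A "$probe" @"$1")" ]
}

# usage:  check www.example.com 192.0.2.53 ; nxdomain_rewritten 192.0.2.53 && echo "rewriting"
```

A mismatch is not proof of tampering on its own: geo-aware or load-balanced names legitimately answer differently from different vantage points, so repeat the check for a few names you know to be static before drawing a conclusion.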

Staging area protection based on IP... what if my client has a dynamic IP?

I'm trying to put online a staging area for an upcoming website... I'd usually rather use an .htaccess rule to enable only me and my client to see the website... I think it is safer and you don't need to remember passwords and so on...
But this time my client has an internet provider who doesn't give him a static IP; apparently every day or so his IP changes... so I have to change my .htaccess!
Is there any solution for that?
First of all, dynamic IPs are very common, a lot of providers disconnect the client in intervals of 12 or 24 hours, which usually means they get a new IP assigned.
Second, just giving out a username / password combination not only seems safer, but also more hassle-free. You are about to invest time into a solution that's probably not worth it. I also don't see how you would obtain the valid IP address of the client to update your .htaccess file, apart from having the client install a service that updates a dynamic DNS entry maybe - more of a hassle than remembering a login, if you ask me.
You could have him use a dynamic DNS service like dyndns.com or no-ip.com. That way he can set up a domain name like someguy.dyndns.com which would always resolve to his IP (he'll probably need to install a small daemon/service/program to automatically update the IP though). Then you can add a rule into your .htaccess like allow from someguy.dyndns.com.
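One caveat a practitioner will hit with a host-name rule: Apache matches `Allow from hostname` (2.2) and `Require host` (2.4) by a double-reverse lookup, reverse-resolving the client's address to a name and then forward-resolving that name back, and the PTR record for a consumer IP points at the provider's generic name, never at someguy.dyndns.com, so the rule does not match. The added example below (not code from the original answer) keeps the dynamic DNS idea but resolves the name itself on a cron schedule and writes an address-based `Require ip` allow-list instead. The host name, the file path, the developer's own address and the cron interval are assumptions; it uses the Apache 2.4 syntax.

```shell
#!/bin/sh
# Added example, not from the original answer. Resolves a client's dynamic
# DNS name and rewrites an Apache allow-list so access is granted by IP
# rather than by host name. Names, paths and addresses are assumptions.
DYN_NAME="${DYN_NAME:-someguy.dyndns.com}"
ALLOW_FILE="${ALLOW_FILE:-/var/www/staging/.htaccess}"
MY_IP="${MY_IP:-203.0.113.7}"             # the developer's fixed address (assumed)

# is_ipv4 ADDR: true only for a dotted quad with each octet 0-255, so a
# failed or odd lookup can never write garbage (or nothing) into the file.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# current_ip NAME: first A record for NAME (empty if it does not resolve).
current_ip() {
    dig +short A "$1" | head -n 1
}

# render_htaccess IP...: Apache 2.4 allow-list admitting exactly these addresses.
render_htaccess() {
    echo '# generated by staging-allow.sh; do not edit by hand'
    echo '<RequireAny>'
    for ip in "$@"; do
        printf '    Require ip %s\n' "$ip"
    done
    echo '</RequireAny>'
}

# update: refresh the file only when the address is sane and has changed.
update() {
    ip=$(current_ip "$DYN_NAME")
    if ! is_ipv4 "$ip"; then
        echo "lookup of $DYN_NAME failed; keeping the existing file" >&2
        return 1
    fi
    new=$(render_htaccess "$MY_IP" "$ip")
    if [ -f "$ALLOW_FILE" ] && [ "$(cat "$ALLOW_FILE")" = "$new" ]; then
        return 0                          # unchanged, nothing to write
    fi
    printf '%s\n' "$new" > "$ALLOW_FILE.tmp" && mv "$ALLOW_FILE.tmp" "$ALLOW_FILE"
}

# crontab entry (assumed path):  */5 * * * * /usr/local/bin/staging-allow.sh update
```

`Require` directives in .htaccess need `AllowOverride AuthConfig` (or `Limit`) for that directory. Two properties of this scheme are worth stating plainly: between the client's address change and the next cron run, whoever the provider hands the old address to is on the allow-list, and a short interval only narrows that window; and anyone who can update the dynamic DNS record controls who gets in, so the first answer's point about a password being less hassle and no less safe stands.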

Subdomains and DNS

I currently have my own domain name and dedicated server and I offer different packages to my clients. What I want to be able to do is have them sign up with my website and create a package automatically that they can access via their username as a subdomain e.g.
http://yourusername.mywebsite.com
I currently have DNS entries set up for various subdomains with real information for my website e.g.
    Name     Type  IP Address
    @        A     1.2.3.4
    bugs     A     1.2.3.4
    support  A     1.2.3.4
However, if a new customer signs up at the moment I have to go and manually create an entry for them with their username in it.
I'm sure I've seen websites that manage to do this automatically, does anyone have any ideas how, or any other methods that I should be using?
Thanks,
Mark
Since you apparently do not control the name servers, your choices are quite limited. One possibility is to use a wildcard DNS record:
* A 192.0.2.1
where the star will match every name. Not ideal (nonexistent names will also resolve).
The details depend on which DNS server you're using.
One approach is to have some code that opens the DNS zone file and adds the desired records. On Linux with Bind, you will then need to signal the server to get it re-read the zone file.
With Simple DNS Plus, you can easily add such a DNS record through the included HTTP API. For example:
http://127.0.0.1:8053/updatehost?host=yourusername.mywebsite.com&data=1.2.3.4
Since you apparently do not control the name servers, your choices are quite limited. Nevertheless, every serious DNS hoster provides you with an API (see for instance Slicehost's API). So, you may use this API and write a small program to update the DNS data.
(Footnote: handling paying customers when you do not even control the name servers seems... bad)

Dynamically add subdomains?

I was wondering if it's possible to dynamically add subdomains that point to dynamic IP addresses, and how I would go about doing that? In other words, "how is dyndns/no-ip implemented" :-)? (The part I don't get is adding/changing the DNS entries... I understand how the client sends a packet every few minutes -___-). I can tell all my users to just use DynDNS/No-IP, of course, but having it integrated with the application would be much cooler.
Thanks,
Robert
To be able to directly update/control where a domain/subdomain resolves to, you must have your own name server. When you register a domain under a TLD (for example, .com), that TLD has a nameserver. Anytime a client needs to look up the IP to something.com, they ask the .com nameserver where to find the nameserver for something. That nameserver in turn returns data about the domain or subdomain.
When you register a domain at a place like GoDaddy or Network Solutions, and you use their online tools to point your various subdomains to IP addresses, you are creating entries on their nameserver. When a client requests your domain, the root nameserver tells them to check with GoDaddy's nameserver. If you look through the configuration options of your registrar, you'll generally find a place to specify your own nameserver instead of entering domain IPs. Setting that will tell the chain of nameservers to defer resolution of your subdomains to that nameserver. Obviously at that point, having direct control over the mechanism of name-address resolution, you can do whatever you like.
Here's one list of open-source name servers. There are many others, ranging from free OSS to custom, proprietary and very expensive. Technically you could also write your own, as BIND is a public, standard format.
As you've partially said, the way DynDNS and other dynamic IP services work is that they update their server's DNS records based on a heartbeat from a client every few minutes.
The trick is that they use extremely short TTL times so that caches for the record expire very quickly and need to re-query the DynDNS server (which makes dynamic IP changes propagate quickly).
If you wanted to implement this, either find a DNS host that offers an API, or programmatically update the DNS on your own server with a short TTL.
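The server side of both threads above, the per-customer subdomain created at sign-up and the short-TTL record refreshed from a client heartbeat, as one added example that is not code from either set of answers. It uses RFC 2136 dynamic update through `nsupdate` against a name server you run yourself (BIND with `allow-update` or `update-policy` restricted to a TSIG key generated with `tsig-keygen`), which is the "have your own name server" route; with a hosted provider the same two validation functions apply before you call its API. The zone name, server address, key path and TTL are assumptions. The point a security engineer would add is the label check: a username that goes straight into a zone is attacker-controlled input, and without the check a sign-up name such as `*` or `admin.other-zone.com` becomes a wildcard or a record at an unintended name.

```shell
#!/bin/sh
# Added example, not from the original answers. Creates or refreshes a
# customer's subdomain with RFC 2136 dynamic update (nsupdate) against a
# server you control, authenticated with a TSIG key. Zone, server, key
# path and TTL are assumed placeholders.
ZONE="${ZONE:-mywebsite.com}"
SERVER="${SERVER:-127.0.0.1}"
KEYFILE="${KEYFILE:-/etc/bind/dyn.key}"   # TSIG key file from tsig-keygen (assumed)
TTL="${TTL:-60}"                          # short TTL so address changes propagate quickly

# valid_label NAME: accept only a host-name label (RFC 1123 letters, digits,
# hyphens; 1-63 chars; no leading or trailing hyphen). This is what stops a
# sign-up name from carrying a dot, a '*' or whitespace into the zone.
valid_label() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# valid_ipv4 ADDR: dotted quad with octets 0-255. The client reports its own
# address, so it is validated just like the label.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# update_script LABEL IP: the nsupdate batch that replaces LABEL's A record.
# The delete comes first so a changed address does not leave stale records.
update_script() {
    label="$1"; ip="$2"
    printf 'server %s\n' "$SERVER"
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s.%s. A\n' "$label" "$ZONE"
    printf 'update add %s.%s. %s A %s\n' "$label" "$ZONE" "$TTL" "$ip"
    printf 'send\n'
}

# set_subdomain LABEL IP: validate both inputs, then push the update.
# Called by the web application at sign-up, and again on every heartbeat
# the customer's client sends, with the address the request came from.
set_subdomain() {
    valid_label "$1" || { echo "rejected label: $1" >&2; return 2; }
    valid_ipv4 "$2"  || { echo "rejected address: $2" >&2; return 2; }
    update_script "$1" "$2" | nsupdate -k "$KEYFILE"
}

# usage:  set_subdomain yourusername 198.51.100.4
```

Two things the TTL does not fix: negative answers are cached for the SOA minimum, so a brand-new name can stay NXDOMAIN on resolvers that looked it up before sign-up completed, and a 60-second TTL multiplies query load on your server by every client that keeps the name open. Reserve names you serve yourself (www, mail, ns1, the apex) in the application before calling `set_subdomain`, since the label check above only enforces syntax.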
