How to configure DNS for a delegated domain? - dns

I am working with a company, developing and managing a web site for them.
I have control over the web servers, but the company is managing DNS for the domain.
Due to their security policy, the web servers are prohibited from issuing outbound email - they won't add the appropriate SPF/DKIM records to DNS to permit this. Instead, I've been told that they will "delegate" the authority of the domain to me by forwarding traffic to nameservers (of my choice), where I am responsible for creating new DNS records to handle that traffic. In these new DNS records, I would add in the appropriate SPF/DKIM records.
It is like I am managing the DNS, but the company still owns it.
The problem is very strange to me, and I am not familiar with the inner workings of nameservers. Is the relationship of a zone file to a domain name one-to-one? Would I need a second zone file registered somewhere to hold these new DNS records? Do I need direct control over the nameservers, or can I work with nameservers provided by a third-party hosting company?
Sorry for the lack of direction - this is new territory for me in a world that I'm already not that well-versed in.
Thanks in advance

The delegation is a DNS server owning a zone (i.e. example.com) and announcing to everyone that a part of this zone (say deleg.example.com) is delegated to another DNS server which can define its own records as long as they are in the deleg.example.com zone.
In your case, it means that you will maintain a subdomain that will hold your NS and SPF/DKIM records. This subdomain behaves in a similar way to the main domain, so you will need a second DNS zone file (and another DNS server).
This is similar to what root servers do with top level domains (they own the com / net / whatever zones) and subdomains sold to companies / people (i.e. google.com handles whatever lies in the google.com zone but does not affect the "com" zone).
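A concrete pair of zone fragments for the setup described above, added here as an example; it is not part of the original answer. All names are hypothetical: the company's zone is example.com, the delegated subdomain is web.example.com, the name servers you operate (or rent from a third-party DNS host; the company only needs their hostnames) are ns1/ns2.webhost.example.net, 203.0.113.10 is a documentation address standing in for your web server, and the SOA serial and DKIM selector "mail" are placeholders. Only the two NS lines go into the company's zone; everything after them is the second zone file that lives on your servers.

```zone
; --- parent zone: example.com (managed by the company) ---
; The delegation is just these two lines. They name servers, never IPs.
web.example.com.    86400  IN  NS   ns1.webhost.example.net.
web.example.com.    86400  IN  NS   ns2.webhost.example.net.

; --- child zone file: web.example.com (managed by you) ---
$ORIGIN web.example.com.
$TTL 3600
@   IN  SOA  ns1.webhost.example.net. hostmaster.webhost.example.net. (
            2024010101 ; serial (hypothetical; bump on every change)
            7200       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; negative-caching TTL
; The child must repeat its own NS set; it should match the parent's.
@   IN  NS   ns1.webhost.example.net.
@   IN  NS   ns2.webhost.example.net.

; The web site (203.0.113.10 is a documentation address)
@   IN  A    203.0.113.10
www IN  A    203.0.113.10

; SPF: only the web server may send mail for *@web.example.com
@   IN  TXT  "v=spf1 ip4:203.0.113.10 -all"

; DKIM public key for selector "mail"; paste your own base64 key into p=
mail._domainkey  IN  TXT  "v=DKIM1; k=rsa; p=REPLACE_WITH_BASE64_PUBLIC_KEY"
```

Two checks before going live: `named-checkzone web.example.com web.example.com.zone` (BIND's syntax checker) on the child file, and `dig +trace mail._domainkey.web.example.com TXT` once the parent's NS lines are published, which shows the referral from the company's servers to yours. One caveat that matters for the original goal: SPF is evaluated against the envelope sender's domain and DKIM against the d= tag, so these records only authorize mail sent as something@web.example.com. They do not let the web servers send as user@example.com; that would still need records in the company's own zone.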

Related

add dns records for unfamilliar registrar

I am trying to add a DNS TXT record to my domain that I bought, yet the company I bought it from doesn't have an option to add DNS records in their user interface.
Is there a way I can add records using cmd or an external software?
My domain is found in the WhoIs system and the registrar information is the following:
registrar name: Peligon Ltd
registrar info: http://www.webline.co.il/
I need it to approve my domain from firebase
Your best bet is to point your domain nameservers to Cloudflare. Create a free account on Cloudflare and add your domain. You will be given two nameservers that will need to be configured by the registrar. Even if there's no UI, they should still be able to configure this on their end or at worst go to the parent registrar and get them to do it. This process can take time but it's worth it in the long run.
Once the whole process is completed (it can take up to 48hrs for any nameserver or DNS changes, sometimes longer for small registrars who are not very active), you will have full access to manage all DNS aspects of your domain. All DNS records will be in your total control. You will only need to deal with the registrar for your domain renewal.
When using Cloudflare, you don't need to turn on the orange cloud - it's just good to have but if you only need to manage DNS, you can turn that off and start managing it right away.

Different name servers for different subdomains

Let's say I have a website example.com which I bought via a common domain registry nomcheap.com.
I want all traffic to a specific subdomain app.example.com to go to name server ns1.appserver.com so I can serve a specific user app.
I also want all other traffic (www.example.com, hello.example.com, *.example.com, etc.) to go to a different name server from a different provider ns1.squaresites.com so I can serve a general website (think something like a commerce Wordpress site).
None of the name servers are provided by the original domain registry nomcheap.com.
Is this possible? If so, any suggestions on how?
To point a subdomain to a name server you need to create an NS record for the subdomain:
app.example.com. IN NS ns1.appserver.com.
This will make all queries go to ns1.appserver.com
*.example.com. IN NS ns1.squaresites.com.
The second record should catch all subdomains that don't have their own records (of any kind).
Delegating name server DNS responses can be done as the answer by #Lanexbg describes.
Realize that chaining your DNS lookups this way adds more time to DNS resolution and adds another potential point of failure in the resolution process. If the parent's name servers are down, they won't be able to deliver the NS records to tell the client's resolver to continue the lookup process through a delegated name server.
Consider whether using DNS "A" or "CNAME" records at the parent's DNS server would be an acceptable alternative.
For more detail on how DNS resolution is delegated see this answer on serverfault.com:
How exactly should I set up DNS to delegate authority for subdomains?
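The parent side of the split described in this question, written out as an example; it is not part of either answer above. The hostnames ns1/ns2.squaresites.com and ns1/ns2.appserver.com come from the question, everything else (the SOA values, the documentation addresses 203.0.113.20 and 198.51.100.5/6, the name edge.appserver.com) is assumed. The point it adds: the domain's NS records at the registrar already send every query for example.com to the general provider, so the example.com zone there only needs an ordinary NS cut for app; a wildcard NS record is unnecessary, and RFC 4592 (section 4.2) specifically discourages wildcard NS records because resolvers and servers do not agree on how to handle them.

```zone
; Zone: example.com, hosted by the general-site provider (squaresites).
; At the registrar (nomcheap.com in the question) the domain's name servers
; are set to ns1/ns2.squaresites.com; nothing else is configured there.
$ORIGIN example.com.
$TTL 3600
@        IN  SOA  ns1.squaresites.com. hostmaster.squaresites.com. (
                  2024010101 7200 900 1209600 300 )   ; serial is hypothetical
@        IN  NS   ns1.squaresites.com.
@        IN  NS   ns2.squaresites.com.

; The general site: apex, www and any other non-delegated name
; (203.0.113.20 is a documentation address standing in for the provider)
@        IN  A    203.0.113.20
www      IN  A    203.0.113.20
*        IN  A    203.0.113.20      ; hello.example.com etc. fall through here

; Delegation cut: every name at or below app.example.com is answered by
; the app provider's servers. Names under a delegation are never matched
; by the wildcard above, so no wildcard NS record is needed.
app      IN  NS   ns1.appserver.com.
app      IN  NS   ns2.appserver.com.

; Only if the delegated servers lived INSIDE the delegated name
; (e.g. ns1.app.example.com) would this zone also need glue A records:
; ns1.app  IN  A   198.51.100.5
; ns2.app  IN  A   198.51.100.6

; The alternative from the second answer: no delegation at all, just point
; app at the provider from this zone. Use one or the other; a CNAME cannot
; share its name with the NS records above.
; app      IN  CNAME  edge.appserver.com.
```

Run `named-checkzone example.com example.com.zone` on the file; it rejects the conflicting case of uncommenting the CNAME while the NS records remain. With the delegation in place, `dig +trace anything.app.example.com` shows the extra hop the second answer warns about: com servers, then squaresites, then appserver.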

What's the role (if any) of the original DNS registrar once a domain name has been delegated?

Let's say I register the domain name mydomain.com using GoDaddy (or any other registrar). Then I immediately delegate the domain to Azure (i.e. change the NS records for the domain to point to Azure's name servers). As far as I understand I would then use Azure's DNS admin tools exclusively to add/change/delete DNS records for mydomain.com.
But do I still need to have any type of relation with GoDaddy (or whichever registrar I used to register mydomain.com)? For example, if I would like to delegate my domain once more from Azure to some other nameserver would I do this through Azure or GoDaddy? Or when I need to renew my domain name, would I have to do this through GoDaddy? Or if my GoDaddy account is hacked, would mydomain.com be at risk somehow? Or would GoDaddy be involved with mydomain.com in some other way I haven't considered?
The registrar is still key in almost every situation.
They are the people you pay your subscription/fee for the domain name (normally every few yrs depending on the domain).
They are the 'tag' holder (in the case of .uk names; some info here), which means they are the ones you have to approach if you wanted to move your actual name (and payment) to another registrar (e.g. if you decided you didn't like GoDaddy any more you could move to Namesco, or someone else). .com domains have a similar setup.
Renewals and any changes to the account or domain name would go via the registrar - this includes any further/new delegation you might do.
If your registrar account gets hacked then anything associated with that account is 'at risk' this includes the hijacking of the domain name to be pointed anywhere.
Your registrar is usually the controlling name server (Check the whois records) so any query would hit them first before any delegations you have in place.
You talked about further delegation of your domain; so presuming one day you decide to move from Azure to AWS (say) then you would go back to your registrar portal and update the NS records to point to your new IP(s) on your new host.
You can either manage all your DNS via your registrar, or delegate the NS records (as you have already) and run your own DNS server. In your setup you use the Azure (or whatever) tools to manage your actual records, but you would need to go back to the registrar to manage the NS records that control the delegation of the domain. You should note that not all registrars will allow the delegation of NS records and in effect 'force' you to use their own portal/DNS tools, so check carefully.
The short of it is: you still have, and must maintain, a relationship with the registrar.

Why won't root domains in Azure Traffic Manager load balance or fail over?

Simply put:
I have a domain called erik.com, two azure websites (east and west), and one traffic manager that is setup to manage the two azure websites.
When I take east offline (by throwing a non-2** status code) erik.com goes offline. This should not be the case! Right?
However, when I add a sub domain to the two azure websites (www.erik.com) then it works! I take one or the other offline and the traffic manager resolves to the available website.
I'm hearing/reading things that tell me that Traffic manager doesn't work with root domains like that... Say what?! Why?
As explained in the FAQs at https://azure.microsoft.com/en-us/documentation/articles/traffic-manager-how-traffic-manager-works/#faq , Traffic Manager does not support 'naked' / apex domain names.
Can I use Traffic Manager with a 'naked' (www-less) domain name?
Not currently.
The DNS CNAME record type is used to create a mapping from one DNS name to another name. As explained in the Traffic Manager example, Traffic Manager requires a DNS CNAME record to map the vanity DNS name (e.g. www.contoso.com) to the Traffic Manager profile DNS name (e.g. contoso.trafficmanager.net). In addition the Traffic Manager profile itself returns a second DNS CNAME to indicate which endpoint the client should connect to.
The DNS standards do not permit CNAMEs to co-exist with other DNS records of the same type. Since the apex (or root) of a DNS zone always contains two pre-existing DNS records (the SOA and the authoritative NS records), this means a CNAME record cannot be created at the zone apex without violating the DNS standards.
To work around this issue, we recommend that services using a naked (www-less) domain that want to use Traffic Manager should use an HTTP re-direct to direct traffic from the naked domain to a different URL, which can then use Traffic Manager. For example, the naked domain 'contoso.com' can re-direct users to 'www.contoso.com' which can then use Traffic Manager.
Full support for naked domains in Traffic Manager is tracked in our feature backlog. If you are interested in this feature please register your support by voting for it on our community feedback site.
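The workaround from the quoted FAQ, written out as a zone file; this is an added example, not from the answer or from Microsoft's documentation. The domain erik.com is from the question; the name servers ns1/ns2.example-dns.net, the Traffic Manager profile name erik.trafficmanager.net, the SOA values and the documentation address 203.0.113.30 are assumptions. The underlying rule (RFC 1034, section 3.6.2) is that a CNAME must be the only record at its owner name, and the apex always carries SOA and NS, which is why the first attempt below is invalid.

```zone
$ORIGIN erik.com.
$TTL 300
@      IN  SOA  ns1.example-dns.net. hostmaster.erik.com. (
                2024010101 7200 900 1209600 300 )   ; serial is hypothetical
@      IN  NS   ns1.example-dns.net.
@      IN  NS   ns2.example-dns.net.

; INVALID: the apex already owns SOA and NS records, and a CNAME may not
; share its name with any other record. named-checkzone refuses to load
; the zone with this line enabled.
; @    IN  CNAME  erik.trafficmanager.net.

; Workaround: the apex resolves to a small fixed host whose only job is to
; answer HTTP 301 Location: https://www.erik.com/ (203.0.113.30 is a
; documentation address standing in for that redirector). This host is
; not load balanced, so keep it simple and highly available.
@      IN  A      203.0.113.30

; www is an ordinary name, so it can be a CNAME into the profile; Traffic
; Manager then answers with a second CNAME for whichever endpoint is healthy.
www    IN  CNAME  erik.trafficmanager.net.
```

Use a short TTL on the www CNAME so a failover is picked up quickly, and note that the redirector at the apex is the one piece that Traffic Manager does not protect. Some DNS hosting providers later added non-standard "alias" records that let the apex follow another name server-side; that is provider behaviour, not a change to the DNS rule above.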

automatic sub-domain registration

I'm new at DNS world, did some readings in the Internet and wanted to know if I came to the right conclusions. I want to build a system where users are able to create new sub-domains of existing registered domains automatically:
My system provides services to different companies, these services are hosted in my system or some cloud provider. Let's call my system "services" and some company "company1". I want to offer "company1" my services and have its users access these services through "company1" new sub-domain, when "company1" has an already registered domain company1.com. I want "company1" admin user be able to control and choose the sub-domain via my system when he registers his company in my system, and have the whole thing automatic. If I understand correctly:
if the admin would want to use a sub-domain like services.company1.com, this will be a problem since I would need to update the authoritative name-servers of company1.com which I don't know who they are, and even if I have a way to know them (and from reading a bit I see that I do have a way), I don't know if every such name server will allow such updates from some external source, connectivity issues etc.
if the admin would like to use a sub-domain like company1.services.com then I can achieve this by having my own dns server which I will register the services.com domain for and actually manage all these company sub-domains in my own dns server. This means though that all companies will have to have a sub-domain under my domain services.com.
Please correct me if I have a wrong view on how DNS works.
thanks!
services.company1.com
To provide this kind of domain name to your customer, you will need their collaboration. A lot of companies provide this kind of feature by asking you to point an alias (CNAME record) to a specific server.
Examples of concrete usage
blog.company1.com. 3600 IN CNAME domains.tumblr.com.
shop.company1.com. 3600 IN CNAME myapp.herokuapp.com.
git.company1.com. 3600 IN CNAME bitbucket.org.
Here's some links to the documentation of companies offering this feature:
BitBucket
Heroku
Tumblr
Sample client zone file
So in your case your customer DNS zone will contain something like that:
services.company1.com. 3600 IN CNAME domains.services.com.
where domains.services.com. will be the server that handles the subdomain authentication
company1.services.com
To provide company1.services.com to your customers, you don't have to manage your own DNS server, you just have to be able to add a wildcard record to point all the subdomains to your application. It will be the role of your application to filter your service per subdomain.
Sample service zone file
For example (where 0.0.0.0 is your service IP address):
*.services.com. 3600 IN A 0.0.0.0
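Both sides of the answer above in one place, added here as an example and not part of the answer. It keeps the answer's names (services.com, domains.services.com, company1.com) and assumes the rest: ns1.services.com, mx.services.com, the SOA values, and the documentation addresses 203.0.113.40/41/42 in place of the answer's 0.0.0.0 placeholder. What it adds is the wildcard rule that bites in practice (RFC 4592, section 2.2.1): a wildcard only synthesizes answers for names that do not exist at all, so the moment any record is created at a name, that name stops inheriting the wildcard A record.

```zone
; --- services.com (your zone) ---
$ORIGIN services.com.
$TTL 3600
@         IN  SOA  ns1.services.com. hostmaster.services.com. (
                   2024010101 7200 900 1209600 300 )   ; serial is hypothetical
@         IN  NS   ns1.services.com.
ns1       IN  A    203.0.113.41    ; in-zone name server: also needs glue at .com

@         IN  A    203.0.113.40
*         IN  A    203.0.113.40    ; company1.services.com, company2.services.com, ...
domains   IN  A    203.0.113.40    ; explicit target for customers' CNAMEs

; Caveat: once "mail" has any record of its own, mail.services.com no
; longer matches the wildcard; an A query returns NODATA unless listed.
mail      IN  MX   10 mx.services.com.
mail      IN  A    203.0.113.40    ; must be spelled out explicitly
mx        IN  A    203.0.113.42

; --- company1.com (the customer's zone; they add this line themselves) ---
$ORIGIN company1.com.
services  IN  CNAME  domains.services.com.
; Not possible: the bare company1.com cannot be a CNAME, because the apex
; already holds SOA and NS records. Customers who want the bare name must
; use an A record to a fixed address instead.
```

The application behind 203.0.113.40 receives every request for both kinds of name and has to switch on the HTTP Host header; because any customer can point a CNAME at domains.services.com, it should serve a customer's content only for hostnames that customer has actually claimed in your system, and serve a neutral page for the rest.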
