Build BIND for DMZ Linux Server - linux

I have installed a CentOS 6 server in our DMZ.
I have a public IP address which I will use for it.
Now, how should I set up its DNS in order to make it accessible from the internet?
Are there any particular steps required for BIND in order to propagate the server to the internet?
Thanks

To configure it you can use
http://www.howtoforge.com/bind-installation-on-centos
You should refer to this previous thread
https://serverfault.com/questions/153690/why-arent-our-dns-records-propagating-out-into-the-internet

There is no "propagation" so to speak; propagation is usually a term used to describe the delay in any updates made to the DNS when the old records have already been cached by some servers.
In this case, when you say that you want DNS on your server to be accessible to the Internet, you likely are planning to use BIND as an authoritative server, serving one or more zones. In that case, you will just have to ensure that TCP and UDP port 53 are open for incoming traffic from anywhere. You will set up BIND in a fairly standard manner. Just install BIND, add some zones to it.
In the zone that you're hosting, you will then refer to the hostname of the machine on which you are running this BIND instance (and that hostname must be resolvable to an IP address), say ns1.myzns.com.
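The zone and named.conf the answer above describes, as an added example that is not part of the thread: it renders a minimal authoritative zone and checks the point about the NS hostname having to resolve, i.e. an in-zone NS name needs its own A/AAAA record (glue) or the delegation can never be followed. It also emits the named.conf stanza with recursion switched off, since an Internet-facing authoritative server that also recurses becomes an open resolver. Zone name, hostnames and addresses are placeholders.

```python
# Added example (not from the thread): render a minimal authoritative zone
# for a DMZ BIND server and check the delegation point the answer raises:
# the NS name must itself resolve, so an in-zone NS name needs an A/AAAA
# record (glue). Zone name, hostnames and addresses are placeholders.
import ipaddress


def fqdn(name, origin):
    """Make `name` absolute within `origin`; both end with a trailing dot."""
    return name if name.endswith(".") else f"{name}.{origin}"


def glue_gaps(origin, ns_hosts, hosts):
    """Return NS targets inside `origin` that have no address record in
    `hosts`. Without glue a resolver would have to query the zone to find
    the server that serves the zone, so delegation would never work."""
    known = {fqdn(n, origin) for n in hosts}
    gaps = []
    for ns in ns_hosts:
        ns = fqdn(ns, origin)
        if ns.endswith("." + origin) and ns not in known:
            gaps.append(ns)
    return gaps


def build_zone(origin, ns_hosts, serial, hosts):
    """Render a BIND zone file. `hosts` maps owner name -> IPv4/IPv6."""
    gaps = glue_gaps(origin, ns_hosts, hosts)
    if gaps:
        raise ValueError(f"NS names without address records: {gaps}")
    primary = fqdn(ns_hosts[0], origin)
    out = [
        f"$ORIGIN {origin}",
        "$TTL 3600",
        # SOA: primary NS, hostmaster mailbox, serial, refresh, retry, expire, negative TTL
        f"@ IN SOA {primary} hostmaster.{origin} ({serial} 3600 900 1209600 300)",
    ]
    out += [f"@ IN NS {fqdn(ns, origin)}" for ns in ns_hosts]
    for name, addr in hosts.items():
        rtype = "AAAA" if ipaddress.ip_address(addr).version == 6 else "A"
        out.append(f"{name} IN {rtype} {addr}")
    return "\n".join(out) + "\n"


def named_conf(origin, zone_path, secondaries=()):
    """options and zone stanza for named.conf. An Internet-facing
    authoritative server should not recurse for strangers (open resolvers
    get abused for amplification), and zone transfers should be limited
    to the listed secondaries."""
    xfr = " ".join(f"{ip};" for ip in secondaries) or "none;"
    return (
        "options {\n"
        "    recursion no;\n"
        "    allow-query { any; };\n"
        f"    allow-transfer {{ {xfr} }};\n"
        "};\n"
        f'zone "{origin.rstrip(".")}" IN {{\n'
        "    type master;\n"
        f'    file "{zone_path}";\n'
        "};\n"
    )


if __name__ == "__main__":
    zone = "example.com."
    hosts = {"ns1": "203.0.113.53", "www": "203.0.113.10", "mail": "2001:db8::25"}
    print(named_conf(zone, "/var/named/example.com.zone", ["203.0.113.54"]))
    print(build_zone(zone, ["ns1", "ns2.provider.net."], 2014051201, hosts))
```

On CentOS 6 the matching firewall step is two iptables rules accepting inbound TCP and UDP port 53; the registrar then needs the NS names and, for in-zone ones, the glue addresses that this script refuses to leave out.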

Related

Haproxy DNS Based backends based on wildcards

Now that we have a dynamic DNS resolving Backend with Haproxy 1.6, I've been wondering whether I can make resolving to endpoint to dynamic backends. Here's what I would be looking for:
resolvers docker
    nameserver dnsmasq 127.0.0.1:53

defaults
    mode http
    log global
    option httplog

frontend f_myapp
    bind :443
    default_backend b_myapp

backend b_myapp
    server services *:443 check resolvers docker resolve-prefer ipv4
OR
    server services [%Host]:443 check resolvers docker resolve-prefer ipv4
Having this would allow me not to have to touch haproxy's configuration but only use DNS to update the backend-routing.
Thanks
Alessandro
A server declared in HAProxy is a single destination IP address. Even if that IP address is dynamic and can change, as is now possible in 1.6, a server is only/always/ever a single destination, not a target that changes with each request. What you are contemplating is not consistent with the design of HAProxy.
Your back-end servers must be declared in advance. You can create dummies and modify them via the stats socket, and dynamic configuration can be accomplished by scripting the configuration-file-generating process (using external tools) and then reloading HAProxy but... it has no internal concept matching what you are contemplating.
Additionally, of course, even if it did, there is a problem with your plan -- it represents a potential security hole: if HAProxy were to interpret %[Host] (which I assume refers to %[req.hdr(host)]) as an IP address, no resolution would be needed and you've just given internal access to anyone who passed an IP address in the Host header.
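The hole the answer describes, shown as routing logic in an added example that is not part of the thread and is not HAProxy code: route_unsafe() does what the question asks for and lets the Host header name the destination, so a client sending Host: 169.254.169.254 (or any internal address) is proxied straight to it; route_safe() only ever selects among pre-declared backends, which is the model the answer says HAProxy follows. Backend names and addresses are made up.

```python
# Added example (not from the thread, not HAProxy code): Host-header-driven
# routing, the way the question wants it, next to the pre-declared-backend
# model. Backend names and addresses are constructed for this example.
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: virtual host -> the one backend we will talk to.
BACKENDS = {
    "app.example.com": ("10.0.1.10", 443),
    "api.example.com": ("10.0.1.20", 443),
}


def parse_host(header):
    """(hostname, port) from a Host header, or None if malformed.
    urlsplit handles bracketed IPv6 literals and lower-cases the name."""
    try:
        parts = urlsplit("//" + header.strip())
        host, port = parts.hostname, parts.port
    except ValueError:
        return None
    if not host:
        return None
    return host.rstrip("."), port


def route_unsafe(header):
    """Connect to whatever the client put in Host. A client that sends
    Host: 169.254.169.254 (or any internal address) reaches it through us."""
    parsed = parse_host(header)
    if parsed is None:
        return None
    host, port = parsed
    return host, port or 443


def route_safe(header):
    """Host header may only choose among declared backends. IP literals and
    unknown names get no backend; the caller answers 421 or 403."""
    parsed = parse_host(header)
    if parsed is None:
        return None
    host, _ = parsed
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        pass
    return BACKENDS.get(host)


if __name__ == "__main__":
    for h in ["app.example.com", "169.254.169.254", "[fd00::1]:8443", "evil.example.net"]:
        print(f"{h:<20} unsafe={route_unsafe(h)}  safe={route_safe(h)}")
```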

Does Kestrel support urls/hostnames, or it can only listen to a port?

I'm trying to start an ASP.NET 5 web application so that it is accessible via a public internet address, like "http://hostname.dom".
I don't want it to be accessible via "http://www.hostname.dom", "http://test.hostname.dom", etc. And I have DNS records configured to point the "*.hostname.dom" and "hostname.dom" names to the server's IP address.
So I start Kestrel with the parameter:
server.urls=http://hostname.dom
I expect it to ignore any address that is not "http://hostname.dom", but the application is available by every "http://justanything.hostname.dom" address and even just by IP address. So it is listening for all requests to port 80 rather than requests to a specific hostname.
For example, when configuring IIS site bindings, you can specify binding like "hostname.dom" and it will ignore any other possible prefixes until you specify them explicitly.
Does Kestrel support urls/hostnames, or it can only listen to a port?
Well yes, Kestrel doesn't support hostname listening. Only ip:port binding. To make it possible, you, my friend, either must use another hosting solution (like WebListener, if running on Windows) or configure forwarding with a webserver: http://druss.co/2015/06/asp-net-5-kestrel-nginx-web-server-on-linux/

Host website and server on same domain

I am trying to run a server on a different host to my website. How can I set it up so that if people connect to certain ports on my domain they connect to my server, and my website still works?
Ports exist on the level of TCP and UDP. There is nothing DNS can do to magically change what happens, at the client or your server, on that level.
For your web site, DNS provides translation of its name to a set of IP addresses. The client's browser will then try to talk to port 80 or 443 on one of those addresses. If you want the other server to use the same name as the web site, it must answer requests on other ports on the same set of IP addresses.
If your server is for a protocol that's new and smart enough to use SRV records, you can use that to actually run the server wherever is convenient but still tell the users to connect to the web server name. Check the documentation for details.
If you can't do that, another possibility is to run a small process on the web server machine that listens on the other server's port(s) and forwards all traffic to wherever the server is actually running. The feasibility and details of doing so depend a whole lot on what server it actually is, so I can't really say any more about that.
Or you could just tell the users to use www.tellusthesoddingname.com for the web site and server.tellusthesoddingname.com for the server and point those names at different IP addresses. Which is by far the simplest and most robust solution.
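The SRV route the answer mentions, as an added example that is not part of the thread: it renders the record the zone would carry and implements the client-side selection order from RFC 2782 (lowest priority first, weighted random within a priority), which is what lets the "other server" sit on any host while users keep typing the web site's name. Service and host names are made up; the rng parameter exists so the order can be checked deterministically.

```python
# Added example (not from the thread): SRV record rendering plus the
# RFC 2782 client selection order. Names and the answer set are constructed.
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")


def srv_record(service, proto, name, rec, ttl=3600):
    """Zone-file line for _service._proto.name, e.g. _xmpp-client._tcp."""
    return (f"{service}.{proto}.{name} {ttl} IN SRV "
            f"{rec.priority} {rec.weight} {rec.port} {rec.target}")


def order_srv(records, rng=random):
    """Return records in the order a client should try them (RFC 2782):
    ascending priority; within a priority pick by weight, zero-weight
    entries placed first so they keep a small chance of selection."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)   # stable: zero-weight first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(pool):
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


# Constructed answer set: two weighted primaries, a legacy host with weight 0,
# and a backup on a different domain entirely.
ANSWERS = [
    SRV(10, 60, 5222, "chat1.example.com."),
    SRV(20, 0, 5222, "backup.example.net."),
    SRV(10, 0, 5222, "chat-old.example.com."),
    SRV(10, 40, 5222, "chat2.example.com."),
]


if __name__ == "__main__":
    for rec in ANSWERS:
        print(srv_record("_xmpp-client", "_tcp", "example.com.", rec))
    print([r.target for r in order_srv(ANSWERS)])
```

Only protocols whose clients actually look up SRV (XMPP, SIP, LDAP, and others) benefit; a plain TCP service whose client connects to host:port directly needs the forwarder or the separate-name approach instead.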

My EC2 instance receives traffic for unrelated hostnames. How does this happen?

I have a couple EC2 instances behind an Elastic Load Balancer. These instances serve HTTP requests for a single web site. I recently started looking at the HOST header of the traffic, because I am planning to split my app into virtual hosts.
With some regularity (dozens of times a day), I log a request for a host name that is totally unrelated to my servers. As a couple of examples, today I saw requests with the host names ad.adserverplus.com and r1---sn-upfn-hp5e.c.youtube.com. I looked these up and the IP addresses are not the same as any of my servers, nor of the ELB, so I am trying to develop a theory as to how this happens.
I realize that someone could be spoofing the host header, but it happens often enough that I am pretty sure this is not what is going on. My other idea is that somehow there is stale DNS data that just happens to resolve one of those hosts to my IP address, but again this seems like it could happen once in a great while but not regularly. What are some other possibilities, and how might I verify / discredit them?
EDIT
I looked at some of the unexpected host names today, and it seems that they actually do resolve to an IP that is one of the possible IPs that my domain apex resolves to. I use Route 53 for DNS, and I have the zone apex pointed to the ELB, so when I query the IP address for my domain, I get different answers depending on when I ask. So this makes me very curious, how do these IP addresses get assigned to me and how does EC2 make sure they are not co-opting an IP address that someone else is already using.
There are any number of reasons for this. First you should understand that the public host name for your EC2 instances and load balancers has likely been used before. If you have an elastic IP associated with your load balancer, it has also probably been used before.
As such you can get traffic to your servers that is intended for a previous tenant of the hostname or IP address that you are currently using.
One thing you can do is to configure your web servers to reject (respond with 403) traffic that does not arrive with the proper hostname specified or that comes from a specific external host.
Your IP or your ELB's IP may at one point in time have been an open proxy, meaning that someone is hoping that you will forward the requests on to their intended destination.
But in general, open port 80 to the internet and all kinds of bots and zombies will visit you with a pretty constant flow of dodgy requests. I would imagine, though, that the EC2 IP ranges would be a particularly juicy range to search for poorly patched websites to exploit.
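An added example, not part of the thread, that turns the answer's explanations into a triage of access-log lines: requests are sorted into the expected virtual hosts, stale names aimed at a previous tenant of the address, bare IP-literal hits from scanners, and forward-proxy probes (an absolute-form request target such as "GET http://other.site/", which is what a client sends when it believes it is talking to a proxy). It also carries the 403 rule the answer suggests. The log format assumes nginx's combined format with the request Host appended as a last field; the lines themselves are constructed, not real traffic.

```python
# Added example (not from the thread): classify access-log lines by Host
# header and request target. Log lines are constructed for this example.
import ipaddress
import re
from collections import Counter

EXPECTED_HOSTS = {"www.example.com", "example.com"}   # our virtual hosts

# nginx "combined" format with the request Host appended as a last field
# (a custom log_format assumed for this example).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d+) \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)

SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" www.example.com
198.51.100.9 - - [12/May/2014:10:01:05 +0000] "GET http://ad.adserverplus.com/banner.js HTTP/1.1" 200 88 "-" "python-requests/2.2" ad.adserverplus.com
198.51.100.9 - - [12/May/2014:10:01:06 +0000] "GET /videoplayback?id=1 HTTP/1.1" 200 88 "-" "stagefright/1.2" r1---sn-upfn-hp5e.c.youtube.com
192.0.2.33 - - [12/May/2014:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 404 0 "-" "Mozilla/4.0" 203.0.113.200
203.0.113.7 - - [12/May/2014:10:03:00 +0000] "POST /api HTTP/1.1" 200 20 "-" "curl/7.30" example.com
"""


def parse_line(line):
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def normalize_host(host):
    """Lower-case, drop port and trailing dot; IPv6 literals keep brackets."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def classify(rec):
    host = normalize_host(rec["host"])
    if host in EXPECTED_HOSTS:
        return "expected"
    if rec["target"].lower().startswith(("http://", "https://")):
        return "proxy-probe"        # client treats us as a forward proxy
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip-literal"         # scanner hitting the address directly
    except ValueError:
        return "stale-name"         # old DNS/cache still pointing at this IP


def should_reject(host_header):
    """The 403 rule from the answer: anything that is not ours is refused."""
    return normalize_host(host_header) not in EXPECTED_HOSTS


def triage(log_text):
    """Count (class, host) pairs; unparsable lines are counted separately."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts[("unparsed", "")] += 1
            continue
        counts[(classify(rec), normalize_host(rec["host"]))] += 1
    return counts


if __name__ == "__main__":
    for (kind, host), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:4d}  {kind:<12} {host}")
```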

Discovering a machines default DNS

I'm writing a small DNS proxy. It listens for incoming UDP messages on a port and resolves them using a specified DNS (e.g. google's DNS 8.8.8.8) and sends the response back to the client.
I would like to be able to detect the default DNS a machine uses. Every OS has an option to obtain the DNS server address automatically. I was wondering how this is done. Is there a protocol on top of UDP or TCP, or something else entirely?
I'm using C#, but the language isn't important.
Finding which DNS the current computer uses as default is highly dependent on both which OS you use and which language you use. If you use Java or .NET, or another platform independent language you might not need to worry about the OS bit though.
Client computers usually "auto-discover" which DNS to use in the DHCP response from the DHCP server. That is when they receive their IP address they also get which DNS server to use. They might also get addresses to WINS servers and a multitude of custom options.
You can find the DNS server by typing ipconfig /all in a command prompt. This will give you the address of your DNS server.
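An added example, not part of the thread, that does what the answers describe in code: the resolver address arrives via DHCP (option 6) and the OS records it where these parsers read it, /etc/resolv.conf on Unix-like systems and the "DNS Servers" lines of ipconfig /all on Windows. The resolv.conf and ipconfig samples are constructed; the live lookup at the end assumes those two locations and nothing else.

```python
# Added example (not from the thread): find the resolver the OS was handed
# by DHCP. Sample file contents below are constructed for this example.
import platform
import re
import subprocess

SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager from DHCP
search corp.example
nameserver 192.0.2.1
nameserver 2001:db8::53 ; secondary
options timeout:1
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.0.2.10
   DHCP Server . . . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 192.0.2.1
                                       192.0.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def nameservers_from_resolv_conf(text):
    """'nameserver' entries from /etc/resolv.conf; '#' and ';' start comments."""
    servers = []
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def nameservers_from_ipconfig(text):
    """'DNS Servers' line plus its indented continuation lines from
    `ipconfig /all`. Only the label's separator colon is split on, so
    IPv6 addresses (which contain colons) survive intact."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$", line)
        if m:
            collecting = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if collecting:
            cont = re.match(r"^\s+(\S+)\s*$", line)   # one bare address
            if cont:
                servers.append(cont.group(1))
                continue
            collecting = False
    return servers


def default_nameservers():
    """Live lookup on this machine. Caveat: on systemd-resolved hosts
    resolv.conf may name the local stub 127.0.0.53 rather than the
    upstream server DHCP handed out."""
    if platform.system() == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True,
                             text=True).stdout
        return nameservers_from_ipconfig(out)
    with open("/etc/resolv.conf", encoding="utf-8") as fh:
        return nameservers_from_resolv_conf(fh.read())


if __name__ == "__main__":
    print(default_nameservers())
```

A DNS proxy that forwards to the discovered server rather than a hard-coded 8.8.8.8 keeps the client's own resolver policy, but the stub-resolver caveat above means the list can point back at the proxy's own host; reject 127.0.0.0/8 and ::1 entries before using them as upstreams.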
