I have some clients whose IP changes every day and static IP is not an option for them.
If I have them install a Dynamic DNS client, and then in my application .htaccess file refer to that Dynamic DNS domain, does that pose any security issue for my application?
So to summarize does using Dynamic DNS domains in my .htaccess files pose any security related threats to my application?
As far as I understand this, you want to add your clients IP addresses to the whitelist of your application and you want to switch to DynDNS because the IP addresses change every day.
So you want to assign each client a different domain and whitelist each of those domains, is that correct?
The obvious attack vector here would be hijacking a domain and pointing it to a malicous machine other than the clients machine using the DynDNS service.
If you manage to register the DynDNS client on the clients machine without exposing any login information regarding the domain that could be stolen or lost then this should be safe. But I currently do not see how you would be able to register the client for your domains DynDNS without having the credentials stored somewhere on this machine.
Related
I am trying to get the big picture although my primary domain is not networking.
Some question's narrowed down for which I'm not getting enough/proper answers online
Is the IP that is resolved by the DNS server when I hit www.google.com is same as any of the Google router's Gateway IP?
Do bigger companies like Amazon do port forwarding?
If point 2 is true, I suppose they must be port forwarding with only 443 (https) port which means, to use multiple static IP across different data centers, they need to have that many routers. So, if they have N static IP address which resolves to a website, then they must be having N routers right? Is this a fair assumption?
A gateway IP refers to a device on a network which sends local
network traffic to other networks. it sits between you and internet,or other network . its like a watchman.
Question 1 : google.com has multiple ip addresses lets say then , Yes, that is possible, and will need to be two A records. This is called Round-Robin DNS. Clients will semi-randomly use one of the two addresses.
question2: yes port forwarding happens more often than we think. ALL VPC's (virtual private clouds like AWS , GCP , Azure etc) use this as they dont want to expose servers/internal resources to the internet.
depending on the port number , particular service is exposed to requesting client. lets say we want to make a website public , then we explicitly expose port 80(http) 443(https) so that web crawlers and users can see them.
Port forwarding, sometimes called port mapping, allows computers or
services in private networks to connect over the internet with other
public or private computers or services.
google https://www.google.com:444/ wont work because they did not expose port 444 on their cloud router
but https://www.google.com:443/ will work because the server corresponding to google.com has explicitly left it open.
How IP is resolved:
Step 1 - Send a Request to Resolve a Domain Name
When you type www.google.com into a browser, in order to load the webpage, your computer asks for the IP address. Computers do not know in advance where they can find the necessary information, so they try searching through the DNS cache and for available external source. proceed from lower level caches to root/main servers.
Step 2+3 - Try to resolve an IP Locally
Before going externally, your computer loads the local DNS cache database to see if you already requested the IP for that domain name. Every computer has a temporary cache with the most recent DNS requests and attempts to connect to online sources. if required record is present locally its called "CACHE HIT" and query stops.
However A computer’s local DNS cache database does not always contain the necessary data to resolve a domain name this is called a "CACHE MISS" . In that case, the request goes further to your Internet Service Provider (ISP) and its DNS server.
Step 4 - ISPs Ask Outside DNS Servers to Provide an IP Address iff Cache miss
ISP DNS resolvers are configured to ask other DNS servers for correct IP address mapping until they can provide data back to the requester. These are iterative DNS queries.
When a DNS client sends such a request, the first responding server does not provide the needed IP address. Instead, it directs the request to another server that is lower in the DNS hierarchy, and that one to another until the IP address is fully resolved. There are a few stops in this process.
hierarchy looks like this (just for reference):
Root domain nameservers. Root servers themselves do not map IP addresses to domain names. Instead, they hold the information about all top-level domain (TLD) nameservers and point to their location. TLD is the rightmost section of a domain name... Root servers are critical since they are the first stop for all DNS lookup requests.
TLD nameservers. These servers contain the data for second-level domains, such as ‘phoenixnap’ in phoenixnap.com. Previously, the root server pointed to the location of the TLD server. Then, the TLD server needs to direct the request toward the server that contains the necessary data for the website we are trying to reach.
Authoritative nameserver. Authoritative servers are the final destination for DNS lookup requests. They provide the website’s IP address back to the recursive DNS servers. If the site has subdomains, the local DNS server will keep sending requests to the authoritative server until it finally resolves the IP address.
Step 5 - Receive the IP Address
Once the ISP’s recursive DNS server obtains the IP address by sending multiple iterative DNS queries, it finally returns it to your computer. The record for this request now stays cached on the hard drive. The browser can then fetch this IP from the cache and connect it to the website’s server.
ALL this happens in less than 1 second, most of the times. if you just registered a new domain it might take few hours to propagate this DNS cache globally hence newly registered websites do not show up sometimes.
About companies owning multiple IPs
Big companies have pool of IPs reserved for example 123.234.xxx.xxx which means a company has reserved 255*255 ips. they are mapped on a VPC(virtual private cloud)
and accessible vis a subnet masking and CIDR feature, like your EC2 instances on AWS
Is the IP that is resolved by the DNS server when I hit www.google.com is same as any of the Google router's Gateway IP?
For sure it should, but it is mostly a Google management question that only they will be able to answer right. The thing is that we must understand how DNS query's work for this.
Let's take a look of it:
Device A requests the IP address through a DNS query of the device B.
To do this, it uses the network port 53 (Domain) on which it will ask, depending on which DNS server is being used at the time, which is usually the home router. Then the router will ask the ISP's DNS server, which will respond with a cached response, or the query with another server on top of it if it does not have one; All this process is followed until a reliable cache response is reached or until the authoritative response server is reached, that is, the name server that manages the domain in question.
Only the authoritative response server contains the reliable information of which IP of the domain which is going to be reached.
I suppose that within Google's servers and its network they use Google's own DNS servers, which are 8.8.8.8 and 8.8.4.4 where the DNS records are obtained and consulted by caching from many sites.
In general terms Google's IP will change depending on where you are, I made a DIG query to Google's authoritative servers, however, I received a result based on location to improve the route and loading time of the site which was 142.250.73.238.
Do bigger companies like Amazon do port forwarding?
Yes, they do. To handle queries with load balancers or similar and even for caching dns requests.
If point 2 is true, I suppose they must be port forwarding with only 443 (https) port which means, to use multiple static IP across different data centers, they need to have that many routers. So, if they have N static IP address which resolves to a website, then they must be having N routers right? Is this a fair assumption?
This has multiple answers. By the way, they actually can do a secure DNS query.
if they have N static IP address which resolves to a website, then they must be having N routers right?
They don't have to, but if they want to they can.
"Is this a fair assumption?"
No, the IP's doesn't depend on a router, the router only routes to a computer/server which can have multiple IP's. By the other hand, each thing (computer, server, etc... must have an IP which can be also a WAN IP).
I'm thinking to get Dedicated IP for my Shared Hosting (I'm running wordpress on shared hosting). Will it be beneficial for me? Above all, my shared hosting won't misbehave after i get it?
Certainly get it if you can afford it. No matter if it is shared or shared-reseller hosting (where you can assign your dedicated ip as your own shared ip for your websites).
It will make your websites more independent, especially if you use self hosted e-mail system on your shared hosting. Like Fahad said, there are IP blacklists, and when some bots hack weakly protected websites or flood their contact forms with spam the IP usually gets blacklisted soon after and all the websites which use that IP suffers from that.
You asked if it can break / misbehave something - yes it can, but its all solvable, if you know your stuff (changing DNS settings, etc) . You can always revert back to your shared IP, if you feel you are getting in too much trouble.
Yes as answered above, dedicated IP does help in a shared hosting environment where if the main shared IP gets blacklisted and the datacenter decides to null routes the IP address, all the sites sharing that IP will get offline.
In the past having a dedicated IP address was a requirement for installing SSL certificates, which had some SEO advantages as well. But, now you can install an SSL certificate without dedicated IP on any shared hosting. So I wouldn't say it's beneficial.
Do note that if you decide to get a dedicated IP for your site, having already a shared IP address, once IP is changed there is going to be some propagation period for the new IP. So you may get site loading issues for a few hours.
Dedicated IP is good for security due to the following reasons:
In case when the shared IP is blacklisted, all domains pointed to this IP will be involved. But if you are using the dedicated IP, you will not experience any issues as you have another IP.
It will be possible to reach the domain using the IP address. This option will allow you to avoid the DNS cache poisoning.
I'm currently configuring DNS in my network with Bind9.
This network is splitted in VLANs and it should have 2 DNS zones : an internal zone (internal servers, users VLAN...) and an external zone (DMZ).
Of course the DNS mustn't give internal records to an external request.
I have just configured my DNS master (storing external and internal records) in "internal servers" VLAN and I'm asking myself how to deal with this problem :
-> My DNS master will not reply to an external request since it is in the internal zone (though 802.11Q is enabled), even with external records. Is it right?
-> My DNS mustn't be in the DMZ.
-> If I configure a slave on the DMZ to manage the external zone, who will just store external records, then I have to configure another slave to replicate the master (so 3 servers...).
Initially I just planned to configure 2 servers, a master and a slave which would just be a full replicate.
Am I missing something? Is there any better solution?
The architecture that you will follow depends on what you want to serve and where (internal clients, external both)?
In general, yes you need internal DNS servers these will have at least all the necessary entries for you internal network.
As for the servers in DMZ who will have access to them and from which path? If you need access to them from the internal network directly through firewall, it makes sense to have entries for them also in your internal dns servers.
If you serve also from servers in DMZ to external users you have two solutions either you declare them in public DNS if the external users are from internet or you should have another DNS server on your DMZ.
The key point here is to think who will visit your server and from which path, then it will become kind of obvious how you will configure DNS for them.
We created a subdomain for a website hosted in our internal server. In GoDaddy we set up the subdomain to point to the public IP address, but when we try to access the link internally it doesn't load (because it needs the internal IP to access it) What can be done in this case?
You obviously need to provide different information to internal DNS clients than those publicly available to the world. For that you need to have internal DNS server or DNS proxy that will respond with internal IP address, and your internal clients need to be configured to use that internal DNS server. Specific steps to achieve all this depend on your environment.
The other option is to create another DNS record (for example subdomain-internal.example.com) that will point to private IP address, and use that from internal network (of course, you might need to configure your webserver to respond to that hostname also)
Im building out an Azure hosted website, but it needs to reach into our home office to connect to some internally hosted web services. Our firewall is setup to only allow traffic over certain IP's, so we're looking to determine what IP range we need to allow access to.
Currently I'm still using the MSDN "Free" Azure subscription, so I don't know what options may be limited, but is there a way I can determine what source IP, subnet, whatever my Azure hosted site will attempt to call my web services from?
Thanks!
Be careful opening your firewall to the entire Azure datacenter IP ranges. Anybody can host anything in Azure, including malicious software, so if you open your firewall to the entire Azure IP range you may as well just open to 0.0.0.0-255.255.255.255 because in effect you are getting the same security.
A better option is to deploy your service and just whitelist that one IP address. That IP address is guaranteed to remain the same until you delete your service. With the ability to do in-place upgrades and VIP swaps there should be no reason why you would need to delete your hosted service and lose your IP address. If you ever do run into a scenario where you need to delete/redeploy you can always update your firewall at that time.
It sounds like this is what you're looking for:
Windows Azure Datacenter IP Ranges