I'm serving an app that I want to be accessible from different devices in the same network. From what I've seen, I can do that by accessing the server's private IP. But the other devices have no way of knowing that. Is there a way to setup something like an internal domain?
For the purposes of this answer I'll refer to HTTP as the protocol, which is by far the widest and most frequently used. If it's something else, the principles are the same.
The first option to consider is 'just' using the IP address. https://192.168.0.3/ isn't so bad to remember; IPv6 is worse, being longer. You could email, chat, or otherwise link your users to the address so you wouldn't have to remember it. Most home networks use DHCP by default, but usually give the same address to the same MAC address unless there's so much device turnover that the ip pool is depleted, so the addresses rarely change in practice. Additionally, most routers leave IP space that is not part of the DHCP pool and you can statically configure that on your server to take any IP changes out of the equation.
The appeal of the IP address method is that it's low investment. It's ready to work now. The downside is that if your IP address does change, your clients now can't reach the service as currently configured. Enter DNS. DNS comes into the equation when the DHCP-provided DNS servers are used by clients to query for the record of names such as stackoverflow.com.
The DNS servers on a home network are usually ones provided by the ISP (or hopefully, because ISPs are typically bad at providing good DNS, you'd point at cloudflare (1.1.1.1) or Google (8.8.8.8, 8.8.4.4) or some other decent DNS provider for public DNS. Either way, the point is, your currently configured DNS servers are probably not able to be configured to serve records of your devising.
That leaves you with 4 options: public DNS, private DNS server, "borrowed" DNS domains, or /etc/hosts.
Public DNS can serve a private IP address, and this is probably the next easiest solution. You'll have to pay to register a domain and buy dns hosting (many dns registrars provide dns service for free). You can then own a name like myhouse.net and add an "A" (address) record for app.myhouse.net with a value of your local IP address. Any public query for the name will look up to your internal IP address, but that's not much of a disclosure (they knew you were on one of the RFC 1918 address spaces) and they could spearfish and xss you just as easily with a domain name, so for home use, I'd call publishing a private ipv4 address to public DNS can essentially be done with impunity. Note these address spaces are non routable - they can't be accessed from the internet and conflict with many other folks' home network IP space as well.
Private DNS. As we've discussed, you probably don't have a DNS server in your network, or you wouldn't be asking this question. You're using public DNS servers for resolution. So there's nowhere for you to define a domain and records like app.myhouse.local. The first step to private DNS would be to create or acquire a server which you can provide via DHCP to your local clients, and can be configured with your private domain records. This server would be configured to also do public queries recursively, so it could be used for all DNS traffic on the network. This way, you get to "invent" your own "private" domain that's not part of public knowledge. This is obviously heavy touch. You might be able to find some sort of service that would allow you to do a thing like this online, otherwise you'll need to install software like Bind or equivalent. On the plus side, it's free, and knowing more about DNS is always a good investment.
"Borowed" DNS - by this I refer to services like https://www.noip.com/ which will allow you to create a host record under one of their domains. They often also include software and an API by means of which you can update the record to point to your dynamic IP address. I do not know whether you could store a private IP address in these services. The domain name would be one of theirs, not one of your choosing (something like myhouse.noip.com) But they're often cheap or free, and they do solve the immediate problem of creating a DNS record. Again, the record would be a private address in public dns and could be queried from anywhere in the world.
/etc/hosts: this file (which also exists in windows, interestingly enough) provides a local system an alternative name resolution system to DNS. It typically takes precedence over DNS (ie it's checked first) and could be used to define a record on most of your hosts. I don't know how you'd do it on tablets or phones, and it's obviously something you'd have to set up in advance - not a great fit for your use case.
Looking at these options, I'd recommend you consider one of the borrowed dns domain providers first. IF that seems good, you're done. If you can't justify putting your private IP address into public DNS, that will force you to go that route. Maybe just using the IP address will work fine.
Related
I've got difficulties in understanding NAT, NAPT, and port forwarding.
I got what NAT does. But when I try to describe port forwarding, NAT's concept becomes too vague.
I found NAPT and there is only a vague assumption that port forwarding is related to this.
Is port forwarding related to NAPT? If not, what is the difference?
NAPT stands for Network Address Port Translation and it specifically is in reference to be able to have many private IP addresses (ie - inside your building) all able to share a single public IP address (that would be assigned to your router from your ISP).
Think of it like this ... your public IP Address which is visible to the entire Internet exists on the ethernet port that you have connected to your Internet service.
Then, the other ports on your router / firewall / WiFi are all on a different network entirely - that's called your PRIVATE network.
In order to get all of those IP addresses on the inside private network to be able to have autonomous access to the Internet, your router/firewall does what we traditionally call NATting - Network Address Translation. So lets say that you and three other people access the same web site from inside your house... your firewall will see those requests to access that web site on your three different private IP addresses and it will assign to that browsing session, a unique session ID to that datastream and it will then go out and contact that web server but that unique session id rides with that datastream so that when packets come back from the web site the router knows which private IP address to send them to ... it acts as a facilitator for the internet packets going to and from the private IP addresses inside your building.
And a private IP address can be assigned to computers, tablets, cell phones, printers etc. etc.
PORT ADDRESS TRANSLATION is the exact same thing, only in reverse.
You do NOT want anyone on the Internet to be able to access any of the devices on your private network, so by default, your router/fireall denys any requests coming from somewhere on the internet that might be trying to access your public IP address.
But there are times when you have something running on one of your private IP devices ... like a gaming console, or maybe a remote desktop session that you need someone to access from the Internet ... what we typically do, is go into the routers configuration settings, and we create a PAT rule that says, "Allow any attempts to access my public IP address ON this specific port number and send those requests back to this specific private IP address." - in a nut shell.
NATting is when traffic is generated from the inside of your private network and it is going out to the Internet where PATting is for traffic coming FROM the Internet into your private network.
Hope that help clarify things a little ...
Edit: I should point out, that these days, when a device or some software running on your computer needs to allow traffic from the Internet to reach it, there is a feature in most home routers called UPNP (Universal Plug And Play) that, when enabled, devices like XBOX and other software can create - on the fly and without you having to give it any thought at all - PAT rules inside your firewall. UPNP was created because most home users don't remotely understand how network traffic works so trying to teach the non-tech person how to create PAT rules was becoming an issue, so UPnP was invented... it has its issues, but for the most part it's fairly reliable and nothing to worry about.
I am trying to get the big picture although my primary domain is not networking.
Some question's narrowed down for which I'm not getting enough/proper answers online
Is the IP that is resolved by the DNS server when I hit www.google.com is same as any of the Google router's Gateway IP?
Do bigger companies like Amazon do port forwarding?
If point 2 is true, I suppose they must be port forwarding with only 443 (https) port which means, to use multiple static IP across different data centers, they need to have that many routers. So, if they have N static IP address which resolves to a website, then they must be having N routers right? Is this a fair assumption?
A gateway IP refers to a device on a network which sends local
network traffic to other networks. it sits between you and internet,or other network . its like a watchman.
Question 1 : google.com has multiple ip addresses lets say then , Yes, that is possible, and will need to be two A records. This is called Round-Robin DNS. Clients will semi-randomly use one of the two addresses.
question2: yes port forwarding happens more often than we think. ALL VPC's (virtual private clouds like AWS , GCP , Azure etc) use this as they dont want to expose servers/internal resources to the internet.
depending on the port number , particular service is exposed to requesting client. lets say we want to make a website public , then we explicitly expose port 80(http) 443(https) so that web crawlers and users can see them.
Port forwarding, sometimes called port mapping, allows computers or
services in private networks to connect over the internet with other
public or private computers or services.
google https://www.google.com:444/ wont work because they did not expose port 444 on their cloud router
but https://www.google.com:443/ will work because the server corresponding to google.com has explicitly left it open.
How IP is resolved:
Step 1 - Send a Request to Resolve a Domain Name
When you type www.google.com into a browser, in order to load the webpage, your computer asks for the IP address. Computers do not know in advance where they can find the necessary information, so they try searching through the DNS cache and for available external source. proceed from lower level caches to root/main servers.
Step 2+3 - Try to resolve an IP Locally
Before going externally, your computer loads the local DNS cache database to see if you already requested the IP for that domain name. Every computer has a temporary cache with the most recent DNS requests and attempts to connect to online sources. if required record is present locally its called "CACHE HIT" and query stops.
However A computer’s local DNS cache database does not always contain the necessary data to resolve a domain name this is called a "CACHE MISS" . In that case, the request goes further to your Internet Service Provider (ISP) and its DNS server.
Step 4 - ISPs Ask Outside DNS Servers to Provide an IP Address iff Cache miss
ISP DNS resolvers are configured to ask other DNS servers for correct IP address mapping until they can provide data back to the requester. These are iterative DNS queries.
When a DNS client sends such a request, the first responding server does not provide the needed IP address. Instead, it directs the request to another server that is lower in the DNS hierarchy, and that one to another until the IP address is fully resolved. There are a few stops in this process.
hierarchy looks like this (just for reference):
Root domain nameservers. Root servers themselves do not map IP addresses to domain names. Instead, they hold the information about all top-level domain (TLD) nameservers and point to their location. TLD is the rightmost section of a domain name... Root servers are critical since they are the first stop for all DNS lookup requests.
TLD nameservers. These servers contain the data for second-level domains, such as ‘phoenixnap’ in phoenixnap.com. Previously, the root server pointed to the location of the TLD server. Then, the TLD server needs to direct the request toward the server that contains the necessary data for the website we are trying to reach.
Authoritative nameserver. Authoritative servers are the final destination for DNS lookup requests. They provide the website’s IP address back to the recursive DNS servers. If the site has subdomains, the local DNS server will keep sending requests to the authoritative server until it finally resolves the IP address.
Step 5 - Receive the IP Address
Once the ISP’s recursive DNS server obtains the IP address by sending multiple iterative DNS queries, it finally returns it to your computer. The record for this request now stays cached on the hard drive. The browser can then fetch this IP from the cache and connect it to the website’s server.
ALL this happens in less than 1 second, most of the times. if you just registered a new domain it might take few hours to propagate this DNS cache globally hence newly registered websites do not show up sometimes.
About companies owning multiple IPs
Big companies have pool of IPs reserved for example 123.234.xxx.xxx which means a company has reserved 255*255 ips. they are mapped on a VPC(virtual private cloud)
and accessible vis a subnet masking and CIDR feature, like your EC2 instances on AWS
Is the IP that is resolved by the DNS server when I hit www.google.com is same as any of the Google router's Gateway IP?
For sure it should, but it is mostly a Google management question that only they will be able to answer right. The thing is that we must understand how DNS query's work for this.
Let's take a look of it:
Device A requests the IP address through a DNS query of the device B.
To do this, it uses the network port 53 (Domain) on which it will ask, depending on which DNS server is being used at the time, which is usually the home router. Then the router will ask the ISP's DNS server, which will respond with a cached response, or the query with another server on top of it if it does not have one; All this process is followed until a reliable cache response is reached or until the authoritative response server is reached, that is, the name server that manages the domain in question.
Only the authoritative response server contains the reliable information of which IP of the domain which is going to be reached.
I suppose that within Google's servers and its network they use Google's own DNS servers, which are 8.8.8.8 and 8.8.4.4 where the DNS records are obtained and consulted by caching from many sites.
In general terms Google's IP will change depending on where you are, I made a DIG query to Google's authoritative servers, however, I received a result based on location to improve the route and loading time of the site which was 142.250.73.238.
Do bigger companies like Amazon do port forwarding?
Yes, they do. To handle queries with load balancers or similar and even for caching dns requests.
If point 2 is true, I suppose they must be port forwarding with only 443 (https) port which means, to use multiple static IP across different data centers, they need to have that many routers. So, if they have N static IP address which resolves to a website, then they must be having N routers right? Is this a fair assumption?
This has multiple answers. By the way, they actually can do a secure DNS query.
if they have N static IP address which resolves to a website, then they must be having N routers right?
They don't have to, but if they want to they can.
"Is this a fair assumption?"
No, the IP's doesn't depend on a router, the router only routes to a computer/server which can have multiple IP's. By the other hand, each thing (computer, server, etc... must have an IP which can be also a WAN IP).
We created a subdomain for a website hosted in our internal server. In GoDaddy we set up the subdomain to point to the public IP address, but when we try to access the link internally it doesn't load (because it needs the internal IP to access it) What can be done in this case?
You obviously need to provide different information to internal DNS clients than those publicly available to the world. For that you need to have internal DNS server or DNS proxy that will respond with internal IP address, and your internal clients need to be configured to use that internal DNS server. Specific steps to achieve all this depend on your environment.
The other option is to create another DNS record (for example subdomain-internal.example.com) that will point to private IP address, and use that from internal network (of course, you might need to configure your webserver to respond to that hostname also)
I am logging every user's IP when they access the company's page.
There are two ways to access the page from inside the local network:
http://company/webpage
and
https://webpage.company.com
What bugs me is that even when the users use the https global IP, their accesses are still recorded on database with their IP as 10.50.1.12 or 10.50.1.100.
Does that means that the browser or something else is redirecting the https://webpage.company.com to company/webpage? Or does that mean that I'm using a flawed method to log the users IP?
Another way to ask my question (just to make sure I'm being clear): if I'm accessing my Internet web page from inside the LAN network, am I effectively going outside my network and then back? If not, where am I going wrong with my logging?
Code used to log user's IP:
user.LastIP = HttpContext.Current.Request.UserHostAddress;
I'm curious about this because I want to make sure the users inside the company will access the page using exclusively the LAN Network. The goal is to save bandwidth usage, which is scarce.
Edit:
Pinging the https://webpage.company.com from inside the LAN network will result in a reply from a global IP address like 194.xxx.xxx.xxx. So I'm clearly getting the user's IP wrongly. What would be the ideal way of retrieving the IP from the page accessing entity?
Access to http://company/webpage will result in a DNS lookup of the host name "company". To resolve this, DNS will need a fully qualified domain name (fqdn), so it will add a top level domain (according to the configured search list in the client). In this example, it seems fair to assume that the fqdn will be "company.com". This, in turn, may very well resolve to the same IP address as the "webpage.company.com". You can check this by using dns lookup utilities like 'nslookup' and 'dig', or simply by using 'ping company' and 'ping webpage.company.com'.
The users IP addresses you mention, 10.50.1.12 and 10.50.1.100, seems to be the local IP addresses of the client hosts. I base this assumption on the fact that these IP addresses come from the RFC-1918 address range which is used for internal addresses. My guess is that these are the correct IP addresses, and that your logging works fine.
The users IP address you will log from accessing 'http://company/webpage' and 'https://webpage.company.com' should in most cases be the same. You can see it this way: it doesn't matter what the target URL is, traffic is still coming from the same host, the same IP address.
In any case, you most probably don't need to worry about any traffic leaving your local network.
I am at a large University, with servers set up on the Univeristy network. The network has internal (10...) IP addresses, and external (129...) IP addresses. I have a ColdFusion-based business process which FTP's data from an external server.
The server on which the ColdFusion instance is based has several (about 10) IP addresses associated with it, both internal and external. It has one primary address, which has been, until recently, external.
Using Wireshark, we have been able see which IP is used, and it is never the primary, but other than that, does not seem to follow any logic.
We recently changed the primary IP for the server to an internal address, to comply with new University-wide security policies, and the FTP connection from Coldfusion stopped working. Using Wireshark, we've confirmed it is going out on one of the internal (10...*) IP addresses (not the primary).
Is there a way to control which IP ColdFusion uses for an FTP connection, either through system configuration, or programmatically?
Code for the FTP call:
var ftpService= new ftp(
username = partnerConfig.sftpLogin,
connection = "MyConnection",
password = partnerConfig.sftpPw,
fingerprint = partnerConfig.sftpFingerprint,
server = partnerConfig.sftpServer,
secure = "yes"
);
var result=ftpService.open();
var result2=ftpService.listdir(directory = partnerConfig.inFolder, name="dirlist");
var result3=result2.getResult();
EDIT: My server guy tells me that this University is fairly unique in how it configures the subnets. NO firewall exceptions are allowed from the 10.* subnet. The "Public" IP's are not public by default, simply the ones which are capable of having exceptions.
FURTHER EXPLANATION: It comes down to the Rules and IP addresses the main IT org at the university set up. the 10.x.x.x IPs are never allowed access outside the university ("internal"). 129.x.x.x IP, may have firewall exceptions ("external"). If I type ipconfig (it's Windows), I see about 10 static IP addresses, half of which are 10.x.x.x, and half of which are 129.x.x.x. When the "primary" IP for the machine was a 129.x.x.x address, Coldfusion chose one of the OTHER 129.x.x.x addresses for the outgoing IP for the connection. With the "primary" IP switched to a 10.x.x.x IP, ColdFusion is choosing one of the OTHER 10.x.x.x addresses for the outgoing connection. My choices, as far as I can tell are 1) Switch the primary back to a 129.x.x.x for the server; 2) Move the site to a different server with a primary of 129.x.x.x, and keep other sites on the server in compliance with the new policy; 3)See if I can figure out how to control which IP Coldfusion chooses from the 10 static IPs on the server.
Our admin figured it out. We needed to add a static route to the server, so that whenever ColdFusion (or any application) tries to connect to the specific destination we were FTPing to, it goes through a specific outgoing IP address.
This was not something I was familiar with, but a quick search gives the basics: http://technet.microsoft.com/en-us/library/dd469825.aspx
You have an internal IP address and you are not sure what the external is? This sound like a network bridge issue. What you are looking for is FTP proxy or some tool that associates an externally assigned IP to an internally assigned IP for port 22 (or whatever you set your port to). Look at: http://wiki.squid-cache.org/Features/FtpGateway
FTP reverse proxy
It sounds like your IPs (even internally may not be static)...or maybe it just feels that way. Make sure your internal IP is static.
Read about FTP port forwarding: Here are some port forwarding guides.
Other keywords FTP bridge, FTP one-to-one mapping, among others.
Good luck.
I had a similar question regarding the cfmail tag:
Force cfmail tag to send from a specfic server IP address
Unfortunately, I didn't get an answer that worked. ColdFusion seems to pick (seemingly at random) which source IP address is used.