DNS Resolution with 2 upper servers - networking

My company is international and has a subsidiary in China, and is using Google Apps for email, calendar, contacts, etc.
But unfortunately, we know the Chinese Great Firewall has blocked Google (and many others like Facebook, Twitter, etc.).
We have a VPN link to the Singapore office, therefore I configured the local DHCP to hand out a DNS server in Singapore, so that clients get the correct Google server IPs, and the traffic to Google goes through Singapore and reaches Google successfully. (We use the Singapore DNS because the China GFW sometimes does DNS poisoning, therefore we can't trust the local China DNS provider.)
But we don't want to route all traffic to Singapore, so I also set up split routing rules:
All traffic destined for China IP ranges goes directly through the local Internet connection.
All traffic destined for non-China IPs goes through the VPN tunnel to Singapore.
This solution worked fine until recently, when I found out that the Singapore server resolves some China websites (e.g. baidu.com, taobao.com, jd.com, etc.) to an IP which is located outside of China (e.g. an IP in Hong Kong, an IP in the US, etc.). I guess it resolves to some mirroring host, CDN host, etc. Therefore all the web browsing traffic goes through Singapore.
This outside IP still works, but the speed is quite slow compared to accessing these websites with the local DNS/Internet link (this makes sense since the route is much longer compared to a local destination IP).
So my question is: is there a good practice to solve this issue?
My idea is to do selective DNS resolution on my local DNS server:
Set up a local DNS server with the local DNS provider to resolve all DNS requests, except:
Add a DNS entry list (e.g. *.google.com, *.facebook.com) on the local server, and set up a secondary DNS provider in Singapore.
Whenever a client tries to resolve *.google.com, the local DNS server will notice and pass the request to the Singapore DNS provider, therefore bypassing the China GFW DNS poisoning and getting the correct destination IP.
Could anyone recommend how to do it? Or recommend a better solution?
Thanks in advance!

I think what you want to do is "conditional forwarding" which I've seen in SimpleDNS... http://www.simpledns.com/help/v50/index.html?df_forward.htm
Apparently, this is also available in the Windows DNS service... https://technet.microsoft.com/en-us/library/cc794735(v=ws.10).aspx
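Conditional forwarding on Windows DNS Server, as an added example (not code from the answer, from SimpleDNS or from Microsoft): only the listed zones are forwarded to the Singapore resolver, everything else goes to the local provider, which keeps baidu.com and friends on the local link. The resolver addresses (192.0.2.53 local provider, 198.51.100.53 Singapore) and the zone list are assumptions; the script runs in an elevated PowerShell on the DNS server itself.

```powershell
# Added example: conditional forwarding on Windows DNS Server (DnsServer module, Windows Server 2012 or later).
# Assumed addresses (documentation ranges): local China provider 192.0.2.53, Singapore resolver 198.51.100.53.
$LocalResolver     = '192.0.2.53'
$SingaporeResolver = '198.51.100.53'

# Assumed list of zones that must never be answered by the local provider; extend it as needed.
# A conditional forwarder zone for "google.com" also covers every name under it (mail.google.com, ...),
# so it matches the "*.google.com" entries the question describes.
$ViaSingapore = @('google.com', 'googleapis.com', 'gstatic.com', 'facebook.com')

# Default forwarder: every query not matched by a conditional forwarder goes to the local provider,
# so baidu.com, taobao.com etc. get the China-local answer and their traffic stays on the local link.
Set-DnsServerForwarder -IPAddress $LocalResolver -UseRootHint $false

foreach ($zone in $ViaSingapore) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        # No -ReplicationScope: file-backed zone, so this works on a standalone (non-AD) DNS server too.
        Add-DnsServerConditionalForwarderZone -Name $zone -MasterServers $SingaporeResolver -ForwarderTimeout 5
    }
}

# Check the split behaves as intended by querying this server directly, bypassing the client cache.
$expected = @{ 'mail.google.com' = 'Singapore'; 'www.baidu.com' = 'local provider' }
foreach ($name in $expected.Keys) {
    $a = Resolve-DnsName -Name $name -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $ip = if ($a) { $a.IPAddress } else { 'no answer' }
    '{0,-18} expected via {1,-14} -> {2}' -f $name, $expected[$name], $ip
}
```

The queries to 198.51.100.53 themselves travel inside the VPN under the split routing already in place, so the GFW never sees them in the clear; the answers they return are non-China IPs, which the routing rule then sends through the tunnel as intended.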

Related

Google router IP vs Google public IP

I am trying to get the big picture, although my primary domain is not networking.
Some questions I've narrowed down, for which I'm not getting enough/proper answers online:
Is the IP that is resolved by the DNS server when I hit www.google.com the same as any of the Google routers' gateway IPs?
Do bigger companies like Amazon do port forwarding?
If point 2 is true, I suppose they must be port forwarding only the 443 (https) port, which means, to use multiple static IPs across different data centers, they need to have that many routers. So, if they have N static IP addresses which resolve to a website, then they must be having N routers, right? Is this a fair assumption?
A gateway IP refers to a device on a network which sends local network traffic to other networks. It sits between you and the Internet, or other network. It's like a watchman.
Question 1: google.com has multiple IP addresses, let's say. Then yes, that is possible, and it will need to be two A records. This is called Round-Robin DNS. Clients will semi-randomly use one of the two addresses.
Question 2: yes, port forwarding happens more often than we think. ALL VPCs (virtual private clouds like AWS, GCP, Azure, etc.) use this as they don't want to expose servers/internal resources to the Internet.
Depending on the port number, a particular service is exposed to the requesting client. Let's say we want to make a website public; then we explicitly expose port 80 (http) and 443 (https) so that web crawlers and users can see them.
Port forwarding, sometimes called port mapping, allows computers or services in private networks to connect over the Internet with other public or private computers or services.
https://www.google.com:444/ won't work because they did not expose port 444 on their cloud router,
but https://www.google.com:443/ will work because the server corresponding to google.com has explicitly left it open.
How IP is resolved:
Step 1 - Send a Request to Resolve a Domain Name
When you type www.google.com into a browser, in order to load the webpage, your computer asks for the IP address. Computers do not know in advance where they can find the necessary information, so they try searching through the DNS cache and then available external sources, proceeding from lower-level caches to root/main servers.
Step 2+3 - Try to Resolve an IP Locally
Before going externally, your computer loads the local DNS cache database to see if you already requested the IP for that domain name. Every computer has a temporary cache with the most recent DNS requests and attempts to connect to online sources. If the required record is present locally it's called a "CACHE HIT" and the query stops.
However, a computer's local DNS cache database does not always contain the necessary data to resolve a domain name; this is called a "CACHE MISS". In that case, the request goes further to your Internet Service Provider (ISP) and its DNS server.
Step 4 - ISPs Ask Outside DNS Servers to Provide an IP Address on a Cache Miss
ISP DNS resolvers are configured to ask other DNS servers for the correct IP address mapping until they can provide data back to the requester. These are iterative DNS queries.
When a DNS client sends such a request, the first responding server does not provide the needed IP address. Instead, it directs the request to another server that is lower in the DNS hierarchy, and that one to another, until the IP address is fully resolved. There are a few stops in this process.
The hierarchy looks like this (just for reference):
Root domain nameservers. Root servers themselves do not map IP addresses to domain names. Instead, they hold the information about all top-level domain (TLD) nameservers and point to their location. TLD is the rightmost section of a domain name... Root servers are critical since they are the first stop for all DNS lookup requests.
TLD nameservers. These servers contain the data for second-level domains, such as ‘phoenixnap’ in phoenixnap.com. Previously, the root server pointed to the location of the TLD server. Then, the TLD server needs to direct the request toward the server that contains the necessary data for the website we are trying to reach.
Authoritative nameserver. Authoritative servers are the final destination for DNS lookup requests. They provide the website’s IP address back to the recursive DNS servers. If the site has subdomains, the local DNS server will keep sending requests to the authoritative server until it finally resolves the IP address.
Step 5 - Receive the IP Address
Once the ISP’s recursive DNS server obtains the IP address by sending multiple iterative DNS queries, it finally returns it to your computer. The record for this request now stays cached on the hard drive. The browser can then fetch this IP from the cache and connect it to the website’s server.
All this happens in less than 1 second, most of the time. If you just registered a new domain it might take a few hours to propagate this DNS cache globally, hence newly registered websites sometimes do not show up.
About companies owning multiple IPs
Big companies have a pool of IPs reserved, for example 123.234.xxx.xxx, which means a company has reserved 255*255 IPs. They are mapped on a VPC (virtual private cloud) and accessible via subnet masking and the CIDR feature, like your EC2 instances on AWS.
Is the IP that is resolved by the DNS server when I hit www.google.com the same as any of the Google routers' gateway IPs?
For sure it should, but it is mostly a Google management question that only they will be able to answer right. The thing is that we must understand how DNS queries work for this.
Let's take a look at it:
Device A requests the IP address of device B through a DNS query.
To do this, it uses network port 53 (Domain) on which it will ask, depending on which DNS server is being used at the time, which is usually the home router. Then the router will ask the ISP's DNS server, which will respond with a cached response, or query another server above it if it does not have one. All this process is followed until a reliable cached response is reached or until the authoritative server is reached, that is, the name server that manages the domain in question.
Only the authoritative server contains the reliable information about which IP of the domain is going to be reached.
I suppose that within Google's servers and its network they use Google's own DNS servers, which are 8.8.8.8 and 8.8.4.4, where the DNS records are obtained and consulted by caching from many sites.
In general terms Google's IP will change depending on where you are. I made a dig query to Google's authoritative servers; however, I received a result based on location to improve the route and loading time of the site, which was 142.250.73.238.
Do bigger companies like Amazon do port forwarding?
Yes, they do. To handle queries with load balancers or similar, and even for caching DNS requests.
If point 2 is true, I suppose they must be port forwarding only the 443 (https) port, which means, to use multiple static IPs across different data centers, they need to have that many routers. So, if they have N static IP addresses which resolve to a website, then they must be having N routers, right? Is this a fair assumption?
This has multiple answers. By the way, they actually can do a secure DNS query.
if they have N static IP addresses which resolve to a website, then they must be having N routers, right?
They don't have to, but if they want to they can.
"Is this a fair assumption?"
No, the IPs don't depend on a router; the router only routes to a computer/server which can have multiple IPs. On the other hand, each thing (computer, server, etc.) must have an IP, which can also be a WAN IP.

Active directory physical setup

There have been many articles on various forums on how to set up Microsoft Active Directory Domain Services. I am a bit new to the field, so please bear with my ignorance. I have a very basic query whose answer I am not able to find. I have an office of 20 people where I would like to deploy AD Domain Services to have better control. I want to know how I should set up my network PHYSICALLY. I have a router supplied by my Internet provider. Where exactly should I put my server? Can I plug my server anywhere in the network and connect the users through the domain, or should the main Internet wire plug into the server first and the users in turn be connected to the server? I hope I am clear. Should Internet 'flow' from the server which has AD to the users, or can I put the server anywhere in the topology?
In a small-size network like yours, 1 server should be enough. It should be somewhere behind the router. Plugging it into the switch is fine as it will have an internal address.
You will need DNS on your server, which will install when you promote it to a DC. All of your computers need to look at your server for DNS. Your server's DNS should have a forwarder to your ISP DNS or to a public DNS. It doesn't matter if your server or your router does DHCP so long as it gives out the server's internal IP for DNS.
What I would do:
I would plug your ISP into the router, your router into your switch, and all computers + server into the switch.
You can place your server anywhere in the topology. It is not necessary for all user traffic to the internet to be routed through the server.
With small-scale deployments (less than 25 Users) I typically just put the server on the same switch and subnet as the users.
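The layout from the answers (ISP into the router, router into the switch, server and PCs on the switch, the DC doing DNS with a forwarder, DHCP handing out the DC as DNS) scripted on the server, as an added example that is not from either answer. Assumed values: server 192.168.1.10/24 named dc1, router 192.168.1.1, ISP resolver 203.0.113.53, domain corp.example.com; run it in an elevated PowerShell on Windows Server, in two halves around the reboot the promotion forces.

```powershell
# Added example: single-server AD DS + DNS + DHCP for a ~20 user office behind an ISP router.
# Assumed values: server 192.168.1.10/24, gateway 192.168.1.1, ISP resolver 203.0.113.53, domain corp.example.com.

# --- Part 1: before promotion ----------------------------------------------------------------
# A DC/DNS server needs a fixed address; every client will be told to find DNS at this IP.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '192.168.1.10' -PrefixLength 24 -DefaultGateway '192.168.1.1'

# Roles: AD DS (promotion installs DNS when -InstallDns is given) and DHCP so the server can hand out leases.
Install-WindowsFeature AD-Domain-Services, DHCP -IncludeManagementTools

$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
# -Force skips the confirmation; the server reboots when promotion finishes. Continue with Part 2 afterwards.
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' -InstallDns `
                   -SafeModeAdministratorPassword $dsrm -Force

# --- Part 2: after the reboot ----------------------------------------------------------------
# The DC resolves through its own DNS; names it is not authoritative for are forwarded to the ISP
# (or a public) resolver instead of being chased from the root hints.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.1.10'
Add-DnsServerForwarder -IPAddress '203.0.113.53'

# DHCP scope for the users. Option 6 (DNS server) pointing at the DC is the one setting AD depends on;
# the router stays the default gateway, so Internet traffic never has to pass through the server.
Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange '192.168.1.100' -EndRange '192.168.1.199' -SubnetMask '255.255.255.0'
Set-DhcpServerv4OptionValue -ScopeId '192.168.1.0' -Router '192.168.1.1' -DnsServer '192.168.1.10' -DnsDomain 'corp.example.com'
Add-DhcpServerInDC -DnsName 'dc1.corp.example.com' -IPAddress '192.168.1.10'   # AD must authorise the DHCP server

# Finally disable the ISP router's own DHCP, or clients may be handed the router's DNS instead of the DC's.
```

If the ISP router's DHCP cannot be switched off, skip the scope part and set the router's DNS option to 192.168.1.10 instead; as the first answer says, either side can run DHCP as long as clients get the server's address for DNS.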

Cloudflare IP not near my place

Could you please help me understand why I am getting a Phoenix IP address when I ping my service? This site is fully behind the Cloudflare CDN, so I would expect it to serve me from the nearest datacenter, which is Prague, Europe. Not Phoenix.
IP I'm getting: http://www.ip2location.com/104.31.80.242
Thank you
This is an anycast address from Cloudflare; you can see it as CDN in the usage type in IP2Location. The exact server location depends on your own location. You cannot use a geolocation database to detect the server location because there are many servers sharing the same IP address.
You can try to ping the IP address. If it is less than 50ms latency, then it should be very good.

using dedicated IP of VPS for your personal web server

Pretext: There is an ABC company providing a Virtual Private Server for $xx, which includes features like blah1, blah2, blah3 and 1 dedicated IP address.
I have my home FiOS internet connection.
I have serverA, serverB, serverC running at my home.
Let's assume ServerA is a web server.
Scenario 1:
To access this web server from outside my LAN, I would type "myDynamicIPAddress" (we are assuming it still has the same lease token) and get access to my website successfully.
Scenario 2:
I am at my school/work (I work at a corporate office). I would type "myDynamicIPAddress" to access my web server. Since my IP address is dynamic/residential, it is blocked (all residential IPs are blocked by default, to reduce the chance of them getting infected and sending out spam).
My question:
Is there any way to connect my home network to the VPS that I purchased (the one with the dedicated IP, remember?), so that I can use that dedicated IP address to connect to my web server from my school/work, where residential IP addresses are blocked (this also means no Dyndns.com/no-ip.com)?
I hope I explained my question correctly and I posted it in the right section.
Thank You in advance.
EDIT1: I found this one question, but I want to do the exact opposite of what the user in this question is asking for.
https://superuser.com/questions/498529/is-it-possible-to-use-a-static-ip-assigned-by-my-isp-for-an-offsite-web-server-o
The answer is the same as the other question, for the same reasons. The IP address is routed to the owning network prefix so it can't be used at a different location without changing the Internet routing tables to point the overall prefix to route to a different place. Since you don't own the network prefix, you can't do that.

Track down where packets are being blocked/dropped

When I was in China my company's website was blocked for about 24 hours.
I assume it was the "Great Chinese Firewall" but I was wondering if there is any way that I can find out exactly where a packet or TCP/IP connection gets blocked.
I was able to verify that it wasn't being blocked at our end (I used the local hosts file to point to the backup server inside of China) or at the end of our server (other people could still connect to both ISPs).
I tried tracert, but only port 80 was being redirected. I could ssh into the server without any problems.
The other problem is that most of the routers in China just drop the packets and don't respond to ping etc., so you can't find out their IP addresses.
In the future are there any tools that can track down where packets are being blocked?
tcptraceroute
I have lots of problems with that firewall. Having my server in the US doesn't help. If you need tools to test your site hosted outside China as if you were in China, you can try this page:
http://www.websitepulse.com/help/tools.php
Good luck