Accessing Local Virtual Hosts

Last update : September 7, 2015

Local Networks

A local area network (LAN) is a computer network that interconnects computers within a limited area such as a residence, school, laboratory, or office building. It is contrasted to a wide area network (WAN), which covers a larger geographic distance and may involve leased telecommunication circuits. Ethernet over twisted pair cabling and Wi-Fi (WLAN) are the two most common transmission technologies in use for local area networks.

Virtual Hosts

The term Virtual Host refers to the practice of running more than one website (such as dev.radiologic.fr and local.radiologic.fr) on a single machine. The fact that they are running on the same physical server is not apparent to the end user. Apache was one of the first servers to support virtual hosts right out of the box.

Computer Name, Address and Route

To find and access a computer in a network, we must know the following information :

  1. Name : to indicate what we seek ( > Domain Name )
  2. Address : to indicate where it is ( > IP Address )
  3. Route : to indicate how to get there ( > Routing )

Domain Name

Domain names are used to identify one or more IP addresses. They are used in URLs to identify particular web pages. Domain names can be local or public. The latter must be registered with an ICANN accredited registrar.

A domain name consists of one or more parts, technically called labels, that are conventionally concatenated, and delimited by dots, such as example.com. The right-most label conveys the top-level domain (TLD), including the generic top-level domains (gTLDs), such as the prominent domains com, info, net, edu, and org, and the country code top-level domains (ccTLDs) such as lu, de, fr.

Below the top-level domains in the domain name hierarchy are the second-level domain (SLD) names. These are the names directly to the left of the top-level domains. Second-level domain names are usually created based on the name of a company, product or service. There can be additional sub-level domains with virtually no limitation. Below these levels, the next label to the left is used to designate a particular host server, for example www for a world wide web server, ftp for an FTP server, or any other label. A domain name with TLD, SLD and hostname is called a fully qualified domain name (FQDN), for example dev.radiologic.fr.

Local domain names used in local networks can be freely chosen by the network administrator, but some TLDs should be avoided. For example, Apple uses the domain extension .local for its implementation of zero-configuration networking called Bonjour.

To map domain names to IP addresses, a Domain Name System (DNS) is used.

IP Address

An IP Address (Internet Protocol address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. The designers of the Internet Protocol defined an IP address as a 32-bit number (IPv4), which is still in use today. A new version of IP (IPv6), using 128 bits for the address, was developed in 1995 to avoid depletion of the available addresses. Its deployment has been ongoing since the mid-2000s.

IP addresses are usually written and displayed in human-readable notations, such as 172.16.254.1 (IPv4), and 2001:db8:0:1234:0:567:8:1 (IPv6).

An IP address is logically recognized as consisting of two parts: the network prefix and the host identifier, or interface identifier (IPv6). The routing prefix is expressed in CIDR (Classless Inter-Domain Routing) notation. It is written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix. For example, 192.168.1.0/24 is the IPv4 prefix starting at the given address, having 24 bits allocated for the network prefix, and the remaining 8 bits reserved for host addressing.

IPv4 reserves some addresses for special purposes such as private (local) networks or multicast addresses. The following ranges are reserved for private networks :

Prefix length   Start          End
/8              10.0.0.0       10.255.255.255
/12             172.16.0.0     172.31.255.255
/16             192.168.0.0    192.168.255.255

In IPV6, the reserved address blocks for private networks are referred to as unique local addresses (ULA) and they use the routing prefix fc00::/7.

IP addresses can be static (fixed) or dynamic. Static IP addresses are manually assigned to a computer by the network administrator. Dynamic IP addresses are assigned either by a server (router) using the Dynamic Host Configuration Protocol (DHCP) or by the computer itself, as in Zeroconf. In the latter case of address autoconfiguration (link-local address), the address block 169.254.0.0/16 is reserved in IPv4 networks and the block fe80::/10 in IPv6 networks.

Subnets

In IPv4 a subnet mask is used to indicate how the IP address is divided into network and host parts. A subnet mask is made by setting the network bits to all “1”s and the host bits to all “0”s. For example, 255.255.255.0 is the network mask for the 192.168.1.0/24 prefix.
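As an added example (not part of the original article), the following Python code uses the standard ipaddress module to do by hand what the preceding sections describe: build a subnet mask from a prefix length, split an address into network prefix and host identifier, list the first and last address of a CIDR block, and classify an address as private (RFC 1918 or fc00::/7), link-local (169.254.0.0/16 or fe80::/10) or public. The sample addresses are constructed for illustration.

```python
# Added example: CIDR prefixes, subnet masks and reserved ranges with Python's
# standard ipaddress module. Sample addresses below are constructed.
import ipaddress

# Private ranges named in the article (RFC 1918 for IPv4, ULA for IPv6).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]
# Address autoconfiguration (link-local) blocks named in the article.
LINK_LOCAL_BLOCKS = [
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fe80::/10"),
]


def mask_for(prefix_len: int) -> str:
    """IPv4 subnet mask for a prefix length: network bits 1, host bits 0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def split_address(addr: str, prefix_len: int) -> tuple:
    """Return (network prefix in CIDR notation, subnet mask, host identifier)."""
    net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    host_bits = int(ipaddress.IPv4Address(addr)) & int(net.hostmask)
    return (str(net), str(net.netmask), str(ipaddress.IPv4Address(host_bits)))


def address_range(cidr: str) -> tuple:
    """First and last address of a CIDR block, as in the table above."""
    net = ipaddress.ip_network(cidr)
    return (str(net.network_address), str(net.broadcast_address))


def classify(addr: str) -> str:
    """'link-local', 'private' or 'public' for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if any(ip in block for block in LINK_LOCAL_BLOCKS):
        return "link-local"
    if any(ip in block for block in PRIVATE_BLOCKS):
        return "private"
    return "public"


if __name__ == "__main__":
    print(mask_for(24))                       # mask for a /24
    print(split_address("192.168.1.42", 24))  # prefix, mask, host part
    print(address_range("172.16.0.0/12"))     # the /12 row of the table
    for a in ("10.1.2.3", "169.254.10.5", "fd12::1", "85.93.210.131"):
        print(a, classify(a))
```

The classification is done against explicit prefixes rather than the module's own is_private flag so that the output matches exactly the ranges listed in the article; the stock flag also counts loopback and documentation ranges as private.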

Routing

Routing is the process of selecting the best paths in a network. Routing schemes differ in their delivery semantics:

  • unicast : destination is a single specific node in the network
  • broadcast : destinations are all nodes in the network
  • multicast : destinations are all interested nodes in the network
  • anycast : one to many routing topology
  • geocast : destinations are all nodes in a geographical area

Unicast is the dominant form of message delivery on the Internet.

DNS Resolver

The main job of a DNS server is to store DNS name data and serve it when it receives requests. The main job of a DNS resolver is to transform a DNS name into an IP address, but this is only one of several types of resolution services performed by DNS. The process of resolving a hostname to an IP address is normally called a DNS lookup.

Reverse DNS lookup or reverse DNS resolution (rDNS) is the determination of a domain name that is associated with a given IP address.

Accessing local virtual hosts

There are different ways that local websites can be viewed from other computers which are connected within the same LAN. These computers can be desktops or laptops running Windows, Mac OSX, Linux or be mobile devices like tablets (iPad, Samsung, …) or smart phones (iPhone, Android, …).

  • Use the LAN IP of the server : downside – only one website can be accessed
  • Use the LAN host name of the server : downside – only one website can be accessed
  • Use a LAN-wide hosts file : downside – this doesn’t work on iOS and most other mobile devices
  • Use own DNS server : downside – setup is complex ; DNS server must always be turned on
  • Use a Wi-Fi router with DNS Masquerading : downside – only a few routers support this option
  • Use registered domain names : downside – all website domain names must have a common base; works only with Internet access
  • Use an HTTP proxy server : downside – multiple

We now analyze which solution to adopt for a real network case, related to the specific RadioLogic project.

RadioLogic project requirements

RadioLogic is a university education tool for radiologists which uses three websites, working as virtual hosts :

  • www.radiologic.fr : hosted on Amazon AWS, this website provides the tools and data for public users
  • local.radiologic.fr : hosted on a local server, this website provides the tools and data for private users on a local network
  • dev.radiologic.fr : hosted on a local server, this website provides the beta versions of new tools and data for testing before deployment on the public and private hosts

If possible, the IT consumerization policy BYOD (Bring your own device) is promoted, allowing the radiologists in residence to use their own devices. The local server is a MacBook Air laptop running OSX Yosemite 10.10.5 or later. The clients are iPads running iOS 8.1.4 or later. Both the server and the clients will be used for other purposes.

There exist four operational modes :

  1. The server is used as standalone client without Internet connection
  2. The server is used as standalone client with an Internet connection through a Wi-Fi router
  3. An iPad is used as client with an Internet connection through the same Wi-Fi router (same local network)
  4. An iPad is used as client with a local AdHoc Wi-Fi Connection (SSID = radiologic-open) established by the server

The following figure shows the four operational modes.

[Figure : RadioLogic : four operational modes]

The project requirement is that the same host names are used in each operation mode to access the three websites. Let’s examine how to achieve this goal.

Server without Internet connection used as a client

Without an Internet connection, it’s not possible to access the public website www.radiologic.fr. To access the local websites local.radiologic.fr and dev.radiologic.fr, the simplest solution is to use the internal hosts file available on every desktop computer (Windows, Linux, Mac OSX, …). This configuration file for the loopback interface is located at /private/etc/hosts on Mac OSX, but it’s also accessible through the more traditional location /etc/hosts. This file is configured as follows :

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
127.0.0.1       local.radiologic.fr
127.0.0.1       dev.radiologic.fr
255.255.255.255	broadcasthost
::1             localhost

The default values are the IP addresses for the localhost in IPV4 and IPV6 and the broadcasthost for IPV4. The radiologic hosts have been added.

Server with Internet connection used as a client

Accessing the public website www.radiologic.fr is now possible and the preceding loopback solution is also working.

iPad used as a client with Internet connection in local network

There is no problem to access the public website www.radiologic.fr, but the simple loopback solution to access the local hosts is not possible on mobile devices without jailbreaking.

The next possibility consists of using a local DNS server. Setting up a DNS server on the Mac laptop with primary zones for the local hosts needs a parameter change in the DNS configuration of the iPad Wi-Fi connection.

[Figure : Wi-Fi settings in iPad]

We must replace the IP address of the DNS server, assigned by the Internet provider via the Wi-Fi router, with the local IP address of the Mac laptop, which leads to various problems :

  • The IP address of the Mac laptop changes when you use it in a different local network or when the DHCP server assigns a new address in the same network at boot
  • The DNS server of the Mac laptop must be continuously running to use the iPad for Internet surfing
  • Using an additional DNS server with forwarding to a public DNS server to set up an Internet connection may lead to delays or performance problems
  • Frequent changes of the DNS addresses on an iPad are an error-prone process for a normal user

I recommend never changing the network parameters assigned by the Internet provider on your router and local devices, to avoid all sorts of problems.

There exists a third solution to access the local hosts in our case, which some developers consider a hack : using the public DNS server to point to the internal private IP address of the Mac computer.

This solution is simple and feasible in our case because all hosts use the same domain name radiologic.fr, which is registered and managed in a public DNS server. Instead of creating an A record for both dev.radiologic.fr and local.radiologic.fr, we can use a wildcard (*) record to catch all DNS names under the domain.

Some reasons not to use a public DNS server with local IP addresses, put forward by other developers, are the following :

  • leak of internal information to third parties
  • it’s not considered best practice
  • external clients may inadvertently be redirected to a host on their own local network
  • it’s likely to cause confusion and human miscommunication
  • risk of mail delivery timeouts or mail bounces
  • risk of DNS rebinding attacks

I don’t agree with these arguments, which I consider minor problems or not applicable in specific cases. I think the solution is not such a bad idea in practice and I will use it in the RadioLogic project.

Some routers provide a security feature to protect against DNS rebinding attacks by suppressing DNS responses that refer to IP addresses in the home network. My router FRITZ!Box 7390 is such a device. It allows entering domain names in a list of exceptions for which this protection is disabled. In our case these are dev.radiologic.fr and local.radiologic.fr.

[Figure : Exceptions to the DNS rebinding protection in the Fritz!Box router 7390]
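The router feature described above can be modelled in a few lines. The following Python is an added example, not the FRITZ!Box firmware or any code from the article: it takes the A/AAAA answers a resolver received for a name and suppresses those pointing into the home network (RFC 1918, link-local, loopback and unique local addresses), unless the name is on the exception list. The names and addresses used for the test are constructed; the exception list is the one the article configures.

```python
# Added example: a model of DNS rebinding protection as described for the
# FRITZ!Box router (not the router's own code). Answers that map a public
# name to a home-network address are dropped unless the name is excepted.
import ipaddress

# The article's exception list: names allowed to resolve to private addresses.
EXCEPTIONS = {"dev.radiologic.fr", "local.radiologic.fr"}


def is_home_network_address(addr: str) -> bool:
    """True for addresses a client could reach on its own LAN or host.

    Python's is_private already covers RFC 1918, 169.254.0.0/16, 127.0.0.0/8
    and fc00::/7; is_link_local and is_loopback are added for clarity."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_link_local or ip.is_loopback


def filter_answers(name: str, answers: list, exceptions: set = EXCEPTIONS) -> tuple:
    """Split the answers for `name` into (kept, suppressed).

    Name comparison is case-insensitive and ignores a trailing dot, as DNS does."""
    name = name.rstrip(".").lower()
    if name in exceptions:
        return list(answers), []          # protection disabled for this name
    kept, suppressed = [], []
    for addr in answers:
        (suppressed if is_home_network_address(addr) else kept).append(addr)
    return kept, suppressed


if __name__ == "__main__":
    # Constructed answers: a public name unexpectedly resolving to a LAN address
    # is filtered, while the article's local hosts pass through.
    print(filter_answers("www.example.com", ["93.184.216.34", "192.168.178.20"]))
    print(filter_answers("dev.radiologic.fr", ["192.168.178.20"]))
```

Seen from the client side, this is also the check a browser or a local stub resolver can apply: any answer that maps a name outside the home domain to an address inside the home network is a rebinding indicator and worth logging, whether or not it is dropped.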

iPad used as a client connected to an AdHoc network

The only workable solution in this case is the use of a local private DNS server. You may ask about the problems listed in the preceding chapter. Well, these are no longer issues in the case of an AdHoc Wi-Fi network :

  • The self-assigned IP address of the AdHoc Wi-Fi interface in the range 169.254.0.0/16 can be defined as static
  • The DNS server is always running when the Mac laptop runs the AdHoc network
  • Without Internet connection there is no forwarding to a public DNS server
  • The DNS address is changed once in the configuration of the AdHoc Wi-Fi connection which is different from the configuration of the other Wi-Fi infrastructure connections

Search Domain

In iOS and OSX Wi-Fi settings, each Wi-Fi connection has a Search Domains section, which is simply a convenience that allows the system to convert host names to Fully Qualified Domain Names (FQDN). Anywhere you might use an FQDN, such as in the location bar of Safari, you can use a simple host name. If the system can’t resolve that host name to an IP address, it will try appending the search domain to the host name and try again. If you specified more than one search domain, it will try them each in order.

If we set the search domain to radiologic.fr, we can use the host names dev and local to access the corresponding websites. I didn’t opt for this solution because it introduces more complexity and an additional delay in setting up connections.
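To make both mechanisms concrete, here is an added example (not code from the article): a small Python resolver that parses the hosts file shown in the section on the server without Internet connection and then applies the Search Domains logic described above, trying the bare name first and each search domain in order. It models the lookup order only; it does not touch the operating system's resolver. The hosts file content is the one from the article; the search domain list in the usage call is constructed.

```python
# Added example: hosts-file parsing plus search-domain expansion, modelling
# the lookup order described in the article (not the OS resolver itself).
from collections.abc import Iterable

# Hosts file exactly as shown in the article (comments, tabs and spaces kept).
HOSTS_FILE = """\
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1\tlocalhost
127.0.0.1       local.radiologic.fr
127.0.0.1       dev.radiologic.fr
255.255.255.255\tbroadcasthost
::1             localhost
"""


def parse_hosts(text: str) -> dict:
    """Map each host name (lower-cased) to the list of addresses given for it.

    A '#' starts a comment; a data line is an address followed by one or more
    names. A name may appear on several lines (localhost has an IPv4 and an
    IPv6 entry), so every address is collected in order."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address without a name is ignored, as the OS does
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve(name: str, hosts: dict, search_domains: Iterable = ()) -> list:
    """Try the name as given, then with each search domain appended, in order.

    Returns the addresses found in the hosts table, or [] when the name would
    have to go to a DNS server instead."""
    name = name.rstrip(".").lower()
    candidates = [name] + [f"{name}.{d.strip('.').lower()}" for d in search_domains]
    for candidate in candidates:
        if candidate in hosts:
            return hosts[candidate]
    return []


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    print(resolve("dev.radiologic.fr", hosts))         # loopback solution
    print(resolve("dev", hosts))                        # no search domain: miss
    print(resolve("dev", hosts, ["radiologic.fr"]))     # constructed search domain
```

Each miss on a candidate name costs a lookup before the next candidate is tried, which is the extra delay the paragraph above mentions; a long search domain list multiplies that cost for every name that is not in the hosts file.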

Network Diagnose Tools

There are several tools available for iPads to diagnose access problems in local networks:

[Figure : iPad Network Analyzer : ping statistics – LAN overview]

Links

The following list provides links to websites with additional information about accessing local virtual hosts :

DNS Diagnose Tools

There are many online and desktop tools available to manage DNS and diagnose DNS problems.

My favorite online tool is network-tools.com, a website operated since 1998 by The Keyword Factory of Ocean City, NJ.

This site offers the following diagnostic results for a given URL :

  • Ping
  • Lookup
  • Trace
  • Whois (IDN Conversion Tool)
  • DNS Records (Advanced Tool)
  • Network Lookup
  • Spam Blacklist Check
  • URL Decode
  • URL Encode
  • HTTP Headers  [SSL]
  • Email Verification

An express diagnosis method that obtains all relevant information with one test is also available.

An example of the results from retrieving DNS records for www.html5.lu is given hereafter :

DNS servers
ns1.dns-stock.com
ns2.dns-stock.com

Answer records
html5.lu MX
preference: 10
exchange: venus.vo.lu
3600s
html5.lu NS ns2.dns-stock.com 3600s
html5.lu NS ns1.dns-stock.com 3600s
html5.lu SOA
server: ns1.dns-stock.com
email: sysop@vo.lu
serial: 2010082701
refresh: 28000
retry: 2800
expire: 2419200
minimum ttl: 3600
3600s
html5.lu A 85.93.210.131 3600s

Authority records

Additional records
venus.vo.lu A 80.90.45.96 28800s
venus.vo.lu A 80.90.45.97 28800s

Domain name system (DNS) & management

Last Update : March 15, 2013

The Domain Name System (DNS) associates various information with domain names; it serves as the “phone book” for the Internet by translating human-readable computer hostnames into IP addresses. A DNS also stores other information such as the list of mail servers that accept email for a given domain. By providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of the Internet.

The right to use a domain name is delegated by domain name registrars which are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), the organization charged with overseeing the name and number systems of the Internet. In addition to ICANN, each top-level domain (TLD) is maintained and serviced technically by a sponsoring organization, the TLD Registry.

DNS records or zone files are used for mapping domain names to IP addresses. Located on servers called DNS servers, these records are typically the connection of a website with the outside world. Requests for a website are forwarded to the DNS servers and then get pointed to the web servers that serve the website or to the email servers that handle the incoming email.

DNS servers communicate with each other using private network protocols. All DNS servers are organized in a hierarchy. At the top level of the hierarchy, so-called root servers store the complete database of Internet domain names and their corresponding IP addresses. The Internet employs 13 root servers, named A, B, C and so on up to M, maintained by various independent agencies. When a DNS server receives a request not in its database it automatically passes that request to another DNS server or up to the next higher level in the DNS hierarchy as needed.

The most commonly used DNS records in all DNS configurations are the following :

  • A record or address record : An address record assigns an IP address to a domain or subdomain name. Example : saraproft.com. IN A 69.9.64.11
  • CNAME record : A CNAME record or canonical name record makes one domain name an alias of another. The aliased domain gets all the subdomains and DNS records of the original. Example : stuff.everybox.com CNAME www.everybox.com
  • MX record : An MX record or mail exchange record maps a domain name to a list of mail exchange servers for that domain. Example : mydomain.com. 14400 IN MX 0 mydomain.com.
  • NS record : An NS record or name server record maps a domain name to a list of DNS servers authoritative for that domain. Example : example.com. IN NS ns1.live.secure.com.
  • SOA record : An SOA record or start of authority record specifies the DNS server providing authoritative information about an Internet domain, the email of the domain administrator, the domain serial number, and several timers relating to refreshing the zone. It’s the most essential part of a zone file. It includes TTL, the duration in seconds that the record may be cached by client side programs.
  • TXT record : A TXT record allows an administrator to insert arbitrary text into a DNS record. For example, this record is used to implement the Sender Policy Framework specification.

RESTENA is the registration service for Internet domain names under the national top level domain LU in Luxembourg. P&T Luxembourg and Visual Online are also approved as official registrars in Luxembourg. My saraproft.xxx names have been registered and managed in the past by SpiritDomains. The domain saraproft.lu has been registered by RESTENA. All the domains have been transferred in the meantime to Visual Online.

DNSstuff.com provides a lot of free and paid tools to configure, monitor and fix problems with a domain or email. Google offers tools to check the MX records and the CNAME records of your own domain. Useful tutorials about setting up Google apps (and to verify ownership of domain) are available at N.E.R.D.logger.com.

Today I deployed with success Google Apps to my domain saraproft.com. Google Apps are smart applications for email, documents, sites and more. The different DNS records for my domain to set up Google Apps are configured as indicated hereafter :

A record : the domain saraproft.com points to the IP address of the P&T server hosting my other domains in Luxembourg. This IP address is not relevant for Google Apps.

CNAME : The aliases www.saraproft.com, mail.saraproft.com, sites.saraproft.com, docs.saraproft.com and calendar.saraproft.com all point to ghs.google.com. It’s important to add a dot at the end of each record parameter. To verify ownership of the saraproft.com domain, a temporary CNAME record with a secret parameter provided by Google Apps was activated.

MX : The mail domain saraproft.com points to different prioritized mail servers indicated by Google:

  • ASPMX.L.GOOGLE.COM.
  • ALT1.ASPMX.L.GOOGLE.COM.
  • ALT2.ASPMX.L.GOOGLE.COM.
  • ASPMX2.GOOGLEMAIL.COM.
  • ASPMX3.GOOGLEMAIL.COM.
  • ASPMX4.GOOGLEMAIL.COM.
  • ASPMX5.GOOGLEMAIL.COM.

NS : The name server record points to the servers indicated by my registrar SpiritDomains:

  • dns1.spiritdomains.com.
  • dns2.spiritdomains.com.
  • dns3.spiritdomains.com.
  • dns4.spiritdomains.com.

SOA : The SOA record contains the standard data provided by the managed DNS service of SpiritDomains.

TXT : The text record includes the Sender Policy Framework (SPF) statement “v=spf1 include:aspmx.googlemail.com ~all” to prevent mail from being classified as spam.
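The two details that most often go wrong when such records are entered by hand are the trailing dot the CNAME paragraph insists on (without it, the zone origin is appended to the target) and an SPF record that is missing its closing “all” mechanism. The following Python is an added example, not code from the article or from any registrar's tool: it parses record lines in the format used in the record list above and reports those two problems. The zone at the end is constructed from the saraproft.com setup described here; its A address and MX preferences are placeholders, not values from the article.

```python
# Added example: a small lint for zone-file style record lines, catching
# unqualified CNAME/MX/NS targets (no trailing dot) and malformed SPF records.
import re

# name [ttl] [IN] type rdata   (the shapes used in the record list above)
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?"
    r"(?P<type>A|CNAME|MX|NS|TXT)\s+(?P<rdata>.+)$"
)


def parse_record(line: str) -> dict:
    """Parse one record line such as 'example.com. IN NS ns1.live.secure.com.'."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record line: {line!r}")
    rec = {"name": m["name"], "ttl": int(m["ttl"]) if m["ttl"] else None, "type": m["type"]}
    rdata = m["rdata"].strip()
    if rec["type"] == "MX":
        preference, exchange = rdata.split(None, 1)
        rec["preference"], rec["target"] = int(preference), exchange
    elif rec["type"] in ("CNAME", "NS"):
        rec["target"] = rdata
    elif rec["type"] == "A":
        rec["address"] = rdata
    else:  # TXT: drop the surrounding quotes
        rec["text"] = rdata.strip('"')
    return rec


def check_spf(text: str) -> list:
    """Minimal SPF sanity check: version tag first, an 'all' mechanism last."""
    terms = text.split()
    problems = []
    if not terms or terms[0] != "v=spf1":
        problems.append("SPF record must start with v=spf1")
    if not terms or not re.fullmatch(r"[+\-~?]?all", terms[-1]):
        problems.append("SPF record should end with an 'all' mechanism (e.g. ~all)")
    return problems


def check_record(rec: dict) -> list:
    """Problems found in one parsed record; an empty list means it is fine."""
    problems = []
    if rec["type"] in ("CNAME", "MX", "NS") and not rec["target"].endswith("."):
        problems.append(
            f"{rec['type']} target {rec['target']!r} lacks a trailing dot; "
            "the zone origin would be appended to it"
        )
    if rec["type"] == "TXT" and rec["text"].lower().startswith("v=spf1"):
        problems.extend(check_spf(rec["text"]))
    return problems


def lint_zone(lines) -> dict:
    """Map each offending line to its problems; an empty dict means the zone passed."""
    report = {}
    for line in lines:
        problems = check_record(parse_record(line))
        if problems:
            report[line] = problems
    return report


# Constructed zone modelled on the article's saraproft.com setup
# (A address and MX preferences are placeholders).
ZONE = [
    "saraproft.com. IN A 192.0.2.10",
    "www.saraproft.com. IN CNAME ghs.google.com.",
    "mail.saraproft.com. IN CNAME ghs.google.com.",
    "saraproft.com. IN MX 1 ASPMX.L.GOOGLE.COM.",
    "saraproft.com. IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.",
    "saraproft.com. IN NS dns1.spiritdomains.com.",
    'saraproft.com. IN TXT "v=spf1 include:aspmx.googlemail.com ~all"',
]

if __name__ == "__main__":
    for line, problems in lint_zone(ZONE).items():
        print(line, "->", "; ".join(problems))
    print("zone check finished")
```

Run against the constructed zone the lint stays silent; feed it a CNAME whose target has no trailing dot, like the stuff.everybox.com example in the record list above, and it reports the line, which is exactly the mistake the CNAME paragraph warns about.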