If I use foo.my-company.com at work, then all works well, but if we fix any bug remotely, then the web server will respond with a forbidden.
I heard we can use dev1-foo.my-company.com at a remote location, and it is the same site, but if I access that, I found that all the AJAX are still done to foo.my-company.com and it won't work because it is still forbidden. It seems that "hosts file" can be used to overcome this, but how specifically?
All a hosts file can do is associate a hostname (like dev1-foo.my-company.com) to an IP address (like 10.1.1.5).
This can be enormously useful if:
Your DNS doesn't have an entry for the host you need (e.g. "dev1")
... or ..
You want to override DNS (substitute your own "dev1", e.g. for testing)
This is all TCP/IP - it has nothing directly to do with higher-level protocols like HTTP or AJAX.
'Hope that helps ..
Related
At work we have a series of aliases for websites like repositories etc. and they are used by typing something like open/repo in the browser.
I wanted to create something like this at my private PC and found out I could add a line to /etc/hosts file and it looks like this:
172.217.16.46 gl
Now what I would expect is to type gl in any browser and it would redirect me to google.com, but unfortunately I get 404 errors on every browser. The only answers I found were browser specific, like this one for Chrome, where other browsers actually work as expected.
What I tried:
I've run ipconfig /flushdns in cmd (on admin rights)
I put http:// before the alias in Chrome
Note:
I would like to keep all the changes locally on my machine (without changing router configuration etc.)
If you are getting a 404 error, the problem is probably not that DNS resolution is failing but that your address is wrong. It sounds like you have tried to point gl to Google's IP. That would cause your request to hit Google's server, but Google will probably reject it since it is labeled addressed to gl instead of google.com in the HTTP request.
This phenomenon happens because it is common for web servers to host different websites on the same IP only with different domain names. I believe the term for these is "virtual host".
At any rate, try pointing to an IP that takes any name to access the website, or otherwise you are probably looking for some kind of redirect instead of A record DNS.
Okay, so we implement Recaptcha in production. We get errors because it can't reach the IP address it needs to use the service. We open a port for the IP address to reach Google. No problem. We do that and configure that IP address explicitly to work. It works great. Then, the next day, we start getting errors again because Recaptcha is using a different IP address. I can allow requests from that IP address, too, but now I'm unsettled. Where are these addresses coming from? How do I configure this to work reliably?
Recatpcha from Google can use any Google IP address and there are lots of them.
Ran this from Windows:
_netblocks.google.com text =
nslookup -type=TXT _netblocks.google.com
"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
That's all the network Google uses currently. These can change so check them often.
Google suggest allowing port 80 to all IPs outbound, this highly insecure. They recommend going through a proxy server but again that is highly insecure if your web server is an DMZ. Proxy aware trojans do exist. All that need to be done is exploit a vulnerability to execute arbitrary code and you can create reverse connection on port 80 through a proxy server to download the payload. Then it is trivial to escalate privileges and own the box. I don't mean just Windows servers but Linux as well. I've done it in lab environment on security was on. It's really easy to do.
This is the Google website I got this from:
http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha
I wanted to append to this answer with more recent information. The documentation that Chris is pointing to does not include all of the TXT records necessary to dig (thanks Google):
_netblocks2.google.com (IPv6 subnets)
_netblocks3.google.com (Additional IPv4 subnets)
In my particular case, the _netblocks3 entry contained 2 large /19's that made my initial rule ineffective
(I found additional references here: https://support.google.com/a/answer/60764?hl=en)
Perhaps you should be using a hostname rather than IP
I'm working on an application that connects to URLs, and it responds differently depending on whether or not an address resolves in DNS. I need to find a way to simulate DNS Hijacking so that I can test that my application handles it correctly.
Anybody know a way to do that?
Set up a DNS Server on a second pc and use this as your referenced DNS. Then you can shutdown it for sometime or modify the answers to try your handling behavior. If you dont have a second machine you can also set it up in a virtual machine.
Just add the "hijacked" hosts into your hosts file. In Linux, this should be in /etc/hosts; in Windows, %SYSTEMDIR%\drivers\etc\hosts..
The entries are in the format ip.addr.ess.here hostname1 hostname2 (there should already be entries for localhost, so add others to match your taste)
When you're done, remove (or comment out) from the hosts file again.
I am looking for a proxy server that can do this.
If I set my firefox settings to that proxy, and go to google, then it should "proxy" to google normally. Just a normal proxy.
But I want there to be rules. I want to redirect anything that matches http://google.com/... to http://12.34.56.78/...
I was thinking about writing one but to be honest there has to be something to do this already built.
Fiddler should do what you want. If you type into the black box at the bottom "overridehost google.com 12.34.56.78" it should redirect any Google requests to the specified IP.
Not a proxy per se, but what about editing your local host file? If you are a Windows user just go to "C:\WINDOWS\system32\drivers\etc" and edit the "hosts" file accordingly. Eg. add a new line:
12.34.56.78 google.com
I know the use is limited, because you cannot make more complex redirects. However it might be sufficient for your problem. Good luck! (on linux/unix the file is often located in /etc/hosts).
If you want a better solution, it would be helpful to give us your OS.
For example, I have a development site on a different server but I'm trying to copy content over from the live site so it'd be handy to have the live site in IE and the dev site in FF.
I tried FoxyProxy but I can't seem to get it to work.
I use this to override system's DNS with localserver
in about:config
change this value:
network.dns.forceResolve
network.dns.ipv4OnlyDomains
network.dns.localDomains
with IP address of local DNS server (for exsample 192.168.1.88)
Sorry for my english
It's now possible, with the DNS over HTTPS function:
Open Options, General, scroll to very bottom and open Network Settings,
On the very bottom, you can find DNS over HTTPS:
You had to use about:config before to change this setting, here's for documentation:
Type about:config in firefox address bar.
search for:
network.trr.uri
You can use one of the DNS servers below:
Cloudflare: https://cloudflare-dns.com/dns-query
Google: https://dns.google/dns-query
Secure DNS EU: https://doh.securedns.eu/dns-query
Quad 9: https://dns.quad9.net/dns-query
And set network.trr.mode to 1
Hijacked from here:
https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
It appears from your question that you already have a second set of DNS servers available that reference the development site instead of the live site.
I would suggest that you simply run a standard SOCKS proxy either on that DNS server system or on a low-end spare system and have that system configured to use the development DNS server. You can then tell Firefox to use that proxy instead of downloading pages directly.
Doing it this way, the actual DNS lookups will be done on the proxy machine and not on the machine that's running the web browser.
DNS resolving is usually done at the system level and not at the application level, so you can't normally have one program use one dns and another program use a different dns. I'm not aware of any firefox extensions that allow you to use a different dns.
What about having different names for your dev and prod servers? That should avoid any confusions and you'd not have to edit the hosts file every time.
I am using the SwitchHost extension exactly for this problem:
https://addons.mozilla.org/en-US/firefox/addon/14258
It is easy to configure, and even more easy to switch hosts.
I wonder if you could write a custom rule for Fiddler to do what you want? IE uses no proxy, Firefox points to Fiddler, Fiddler uses custom rule to direct requests to the dev server...
http://www.fiddlertool.com/fiddler/
Since http proxy protocol is similar to raw http protocol, you can redirect desired traffic to your development server by telling firefox it's a proxy server.
two limitations:
A. this won't let you use https connections.
B. some frameworks (e,g: wordpress) don't like this method and redirect the request the wrong way
just copy the following code into a .pac file (enter your site domain and IP address, of course), and switch development/production just by changing proxy configuration.
function FindProxyForURL(url, host) {
var prox4site = {
"mysite.com":"PROXY 10.0.1.100:80",
"www.mysite.com":"PROXY 10.0.1.100:80"
}
return prox4site[host] || "DIRECT";
}
Go to options->Advanced->Network->Settings->Automatic proxy configuration url and enter 8.8.8.8 All you Mozilla traffic uses Google dns now.