How can I test my DNS and site configuration - windows

I've received a few messages from users of my site that they cannot access it from home.
They can access the server from the IP, but not by the domain name.
I think it has something to do with the way my DNS is configured. I set up my own DNS server about 4 years ago on my server, which I probably should not have done, and I'm not sure if everything is configured correctly. There are plenty of people who can access the site without any problems, but some users get 'server can not be found'.
Server Details: Windows 2003 co-located server at a small local hosting company.
Are there good tools or sites that can test and provide configuration recommendations? How do I test this problem when it works fine for me and so many other users? What type of questions should I ask users that can't access the site?
Can I provide / point to another DNS server that can be used if the first server isn't working?
Thanks!

Nevertheless, here are some pointers:
Questions that you can ask the users:
Run the following command: nslookup test.company.com. The result should be the IP they could access by IP. If it's a wrong IP or no IP, then this hostname's A / CNAME record isn't propagated correctly to the outside world.
It could be an IPv4/IPv6 problem. Maybe the DNS resolves to an IPv6 address via an AAAA record and your ISP (or any provider in between) doesn't support IPv6 correctly yet. Under Windows, you can ping -6 or ping -4 to see if it resolves to anything at all.
Possible workaround:
Tell your users to hardcode the IP of your server into their HOSTS file...
DNS problems usually lie in the company's infrastructure, though (e.g. not propagating the DNS notifications correctly, wrong DNS servers at your registrar, wrong DNS configuration on your DNS server...)

There's an excellent online resource to verify your DNS settings: intoDNS.com
If you think the problem is in your DNS server and you don't need it this way anyway, you can just move your DNS to any DNS hosting - see my biased list. Set up your DNS records from scratch with any DNS provider and tell your domain registrar to use that provider's nameservers. Often registrars themselves provide DNS servers as well.
As for questions to ask users, Khoi explained everything.

Related

Q: DNS over HTTPS (DOH) and corporate split DNS setups

Since Mozilla and Google announced that they intend to activate DNS over HTTPS in the default settings in the future, and the IETF officially approved the draft (https://datatracker.ietf.org/wg/doh/about/), I tried to understand the impact on our corporate network. It is now possible for every application to bypass the internal DNS server (assigned via DHCP) and directly connect to a public DNS service. There is no easy way for an administrator to prevent applications and users from doing this, since all traffic is routed through HTTPS.
In most corporations that I know, there is a split DNS setup in place, allowing internal (intranet) and external (internet) name and IP resolution for the same domain name (e.g. mail.mycorp.example) with different resolved values. It also allows adding additional, intranet-only services like wiki.intra.mycorp.example that would not be resolvable/accessible from the internet. The same goes for infrastructure names like server01.eq.mycorp.example.
The problem I see is that if the application itself prefers DNS over HTTPS and does not correctly fall back to the system-assigned DNS servers, internal-only domains would not be accessible.
I made an experiment with Firefox 61.0.1 (64-Bit) on Windows 10. I have set:
network.trr.bootstrapAddress = 1.1.1.1
network.trr.uri = https://mozilla.cloudflare-dns.com/dns-query
network.trr.mode = 2
network.trr.mode = 2 should prefer DNS over HTTPS, but fall back to system DNS if no value is received; mode = 1, which I also tried, should make a race and use the first valid result that Firefox gets back.
Unfortunately, after activating DNS over HTTPS in Firefox, all internal-only websites no longer worked. All requests end in a timeout and therefore fail.
What am I missing?
Is there a better way to handle internal only DNS entries in future setups?
The exact configuration you described works in my corporate network. It first tries DoH for internal sites, then falls back to local DNS and internal sites resolve and load correctly.

Cannot join Active Directory

I installed a WS2016 server as a domain controller on VirtualBox using an internal network.
Everything for Active Directory was installed successfully and I created the domain name 'stark.local'.
I also created another WS2016 machine on VirtualBox using the internal network, and I want to join the new virtual machine to my domain controller.
I can ping the DNS server (which is my domain controller), the firewall is off, and no anti-virus is installed.
However, when I try to join the DC it gives the error below:
What I realized is that I cannot nslookup my DNS server's IP.
Even the domain controller cannot nslookup itself.
ipconfig of Domain Controller
ipconfig of node1;
I have no hair now and need your help.
Finally solved!
The problem was using internal network. I changed to host-only network and it worked.
AC DC
Using public IP addresses will always get you in trouble, try changing them to something like:
192.168.1.10 & 192.168.1.20
(Please read entire answer before modifying)
Also, I would recommend checking this link on the official Microsoft forum. I know it's from Windows 7, but I think the main problem you have is with the DNS configuration and it's very well explained there.
I'll summarise the link above here:
#Meinolf Weber's answer
If domain machines contain public DNS servers such as 200.88.127.23 and 196.3.81.5 you will always have trouble.
Remove them on ALL domain machines, run ipconfig /flushdns and ipconfig /registerdns, reboot clients and domain member servers, and restart the netlogon service on DCs instead of rebooting.
For internet access please configure the FORWARDERS in the DNS server properties in the DNS management console with the public DNS servers.
Explanation:
You can't join a machine to the domain using a public IP because it tries to locate your domain at the public IP, which has no information about the privately built domain.
Use only local IPs in the clients' NICs.
Hope it helps. If not, please give more detailed information about the issue as well as the DNS configuration (screenshot or whatever you can).
EDIT 1: also check "time settings" on both machines. I know it might seem silly, but that sometimes causes DNS and DC issues. Check IPv6; it could be another probable cause of the issues you're having (go to the Network and Sharing Center, modify the properties of the NIC and unselect TCP/IPv6).
I'd check IPv6 first; that'll save you work if it's only that.
EDIT 2: again, I would recommend changing the IPs (if possible) to another network, as 169.254.x.x is used (assigned) when there's no DHCP server, but as you say they can ping each other, it may not necessarily be the problem.
I can see there's no router in the network, but a Windows Server should be providing DHCP, otherwise things like the DNS suffix don't work.
So check that:
- You have the DNS role installed and configured to support AD.
SOLVED on answer below
The explanation I would give for this is that "secure communication" is often a requirement, something that an internal network doesn't provide.

amazon ec2 - name server issue

I have created a new instance in Amazon EC2 and assigned the Elastic IP to the instance. But I need to know how to get ip for name server (ns1.abc.com, ns2.abc.com).
I have installed WHM on the Amazon instance. Only the domain cannot point to the correct name server. That is because ip cannot load.
Now, my problem is that how i get new ip. Can I add another two Elastic IPs in Amazon? But I configured two Elastic IPs for the name servers in the DNS zone within WHM. The name server is not working. And I cannot open the Elastic IP in a browser. I am confused by it. Please, can anyone help me?
There are lots of things that can go wrong here. I'll try to troubleshoot step by step:
I'll assume the goal is "You want to type 'whm.foo.com' and see your WHM"
1) Go to your domain registrar and make an entry that points "whm.foo.com" to your EIP. (Depending on what you want, maybe you should set up a "*.foo.com" wildcard for that EIP.)
2) Test that step #1 worked by typing "ping whm.foo.com" or "dig whm.foo.com" (on Linux/Mac, not sure about Windows). This should return your EIP. If not, go back to step 1.
3) Check that WHM is actually running. Read the docs to find what port it's running on. (Usually 2083, or 2082 for insecure access)
On your instance, run "curl -v localhost:2083" (or whatever port). It should return a login screen. If it says "couldn't connect to host", then you have the wrong port or it's not running.
4) Run "netstat -na | grep :2083" (or whatever port). It should say "0.0.0.0:*". If it says "127.0.0.1:*", then you need to configure it to allow outside access.
5) Make sure your WHM port is enabled in the AWS firewall. Go to the AWS control panel and find the security group for your box. Make sure that port is allowed. Ideally, you'd only add your personal IP instead of opening it up to the world. (If there is a bug in WHM, people will scan all IPs trying to exploit it. They can't exploit your server if the AWS firewall denies them access.)
6) Now type "https://whm.foo.com:2083" (or whatever port) in your browser. (or http://whm.foo.com:2082 for insecure access). It should work!
i need to know how to get ip for name server (ns1.abc.com, ns2.abc.com).
As rdrey said, you need to go to your DNS provider (most registrars also do DNS) and tell them what boxes should point to your EIP.
That is because ip cannot load.
There is no such thing as "ip cannot load". Either "DNS is giving the wrong IP" or "some IP operations (TCP ports) were blocked by a firewall somewhere".
Now, my problem is that how i get new ip
I don't think that should be your goal. You can easily change EIPs, but it won't fix the problem. Nothing works unless everything in between is set up correctly. The goal should be understanding all the steps in the process and verifying that each step was done correctly.
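The checks from steps 2, 4, 5 and 6 of the answer above, written as an added example that is not part of the original answer. The function names, the result labels and the sample `netstat` lines are constructed for illustration, and the parser assumes the Linux `netstat -na` column layout.

```python
import socket

# Constructed `netstat -na` lines: proto, recv-q, send-q, local, foreign, state.
CONSTRUCTED_NETSTAT = """\
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2083            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2082          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""


def listen_scope(netstat_text, port):
    """Step 4: 'external', 'loopback-only' or 'not-listening' for a TCP port."""
    scope = "not-listening"
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        addr, _, p = cols[3].rpartition(":")   # local address is the 4th column
        if p != str(port):
            continue
        if addr in ("127.0.0.1", "::1"):
            scope = "loopback-only"
        else:
            return "external"   # 0.0.0.0, :: or a specific interface address
    return scope


def check_endpoint(host, expected_ip, port, timeout=3.0):
    """Steps 2 and 5-6: does the name give the expected IP, and is the port reachable?"""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-no-answer"
    resolved = {info[4][0] for info in infos}
    if expected_ip not in resolved:
        return "dns-wrong-ip"          # fix the A record before touching firewalls
    try:
        with socket.create_connection((expected_ip, port), timeout=timeout):
            return "ok"
    except OSError:
        return "tcp-blocked-or-closed"  # security group, host firewall or no listener
```

Run `check_endpoint` from a machine outside AWS and `listen_scope` on the instance itself; a port that is "external" on the instance but "tcp-blocked-or-closed" from outside points at the security group.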
OK, you have two options here:
Use the DNS servers provided by your Domain Registrar OR
Use AWS Route53 to let Amazon provide DNS services for you.
Option 1:
You bought your domain name from a registrar, like one of these: http://lifehacker.com/5683682/five-best-domain-name-registrars
Most, if not all, registrars run a free DNS service for their customers. You should be able to log into some kind of management console and set your domain's DNS zone entries to point at your AWS EIP. (I am using gandi.net and used to use godaddy. You simply leave the DNS Servers as they are and set your AWS EIP as the 'A' record.)
Option 2:
Go to https://console.aws.amazon.com/route53/home and follow instructions. I haven't read up on Route53's pricing, so this option might not be free.
---- EDIT:
Some more help:
The site you've linked to (http://www.intodns.com/xantec.com.sg) states that you've used your EIP (54.251.169.7) as the nameserver for the domain. You don't want that. You're running a cPanel installation, NOT a DNS nameserver.
Put 54.251.169.7 as your site's A record. (Sometimes called the www field.) Remove it from the NS fields and put ns3.thesimpledns.com & ns4.thesimpledns.com into those.

Map my domain name with my own server

Hi, I have my own domain mydomain.ac.in, my own server (Windows 2008) and a public static IP.
Now I want to host my site on my own server.
Please give me step-by-step information to get it done.
Thanks.
You need to register your domain with some DNS hosting service (DNS provider); there is such an astronomical number of these on the web that I do not want to spam the site. Google.
Also, the colocation center where you keep this server (and from where you have probably obtained that public IP) may also provide DNS services.
On the other hand, any computer can be configured as a name server, but this will probably not work Internet-wide and can be used inside the local network only (combined with a DHCP service). If there is an easy way to make this Internet-wide, I would also be very interested in it, but I doubt it.
Your operating system is not very relevant to this question.
I have already registered my domain with ERNET, run by the Indian Government, and I got my public static IP from BSNL India. I have already hosted my site and I am able to access it using the IP. Now I want to map my domain to the server that I have so that I can access my site using a domain name.
I tried the steps in http://www.hosting.com/support/dedicated/dns/setdns#additional.. But when I add the name server information it says cannot resolve hostname??? That's why I want to know where I am making a mistake.
I once again tried the steps at http://www.hosting.com/support/dedicated/dns/setdns and got it right. Now I have updated the name server info at my domain registrar ERNET and am waiting for it to be updated. Thanks to the people who helped me.

Recaptcha IP addresses

Okay, so we implement Recaptcha in production. We get errors because it can't reach the IP address it needs to use the service. We open a port for the IP address to reach Google. No problem. We do that and configure that IP address explicitly to work. It works great. Then, the next day, we start getting errors again because Recaptcha is using a different IP address. I can allow requests from that IP address, too, but now I'm unsettled. Where are these addresses coming from? How do I configure this to work reliably?
Recaptcha from Google can use any Google IP address and there are lots of them.
Ran this from Windows:
nslookup -type=TXT _netblocks.google.com
_netblocks.google.com text =
"v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ip4:173.194.0.0/16 ?all"
Those are all the networks Google uses currently. These can change so check them often.
Google suggests allowing port 80 outbound to all IPs; this is highly insecure. They recommend going through a proxy server, but again that is highly insecure if your web server is in a DMZ. Proxy-aware trojans do exist. All that needs to be done is exploit a vulnerability to execute arbitrary code and you can create a reverse connection on port 80 through a proxy server to download the payload. Then it is trivial to escalate privileges and own the box. I don't mean just Windows servers but Linux as well. I've done it in lab environment on security was on. It's really easy to do.
This is the Google website I got this from:
http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha
I wanted to append to this answer with more recent information. The documentation that Chris is pointing to does not include all of the TXT records necessary to dig (thanks Google):
_netblocks2.google.com (IPv6 subnets)
_netblocks3.google.com (Additional IPv4 subnets)
In my particular case, the _netblocks3 entry contained 2 large /19's that made my initial rule ineffective.
(I found additional references here: https://support.google.com/a/answer/60764?hl=en)
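One way to turn the TXT records discussed in the two answers above into an outbound allowlist and to spot changes between refreshes, as an added example that is not part of the original posts. `PAGE_RECORD` is the value quoted in the first answer; the later snapshot, the function names and the documentation ranges in it are constructed, and the same parser would be run over the `_netblocks2` and `_netblocks3` values as well.

```python
import ipaddress

# TXT value quoted in the answer above for _netblocks.google.com.
PAGE_RECORD = ("v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
               "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
               "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 "
               "ip4:173.194.0.0/16 ?all")

# Constructed later snapshot: one range dropped, two documentation ranges added.
CONSTRUCTED_LATER = PAGE_RECORD.replace("ip4:64.18.0.0/20 ", "").replace(
    "?all", "ip4:198.51.100.0/24 ip6:2001:db8::/32 ?all")


def parse_netblocks(txt):
    """Return the networks named by ip4:/ip6: mechanisms in an SPF-style TXT value."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF-style record")
    nets = set()
    for term in terms[1:]:
        term = term.lstrip("+-~?")               # drop the qualifier, if any
        name, sep, value = term.partition(":")   # splits "ip6:2001:db8::/32" correctly
        if sep and name.lower() in ("ip4", "ip6"):
            # strict=True rejects a CIDR with host bits set (usually a typo).
            nets.add(ipaddress.ip_network(value, strict=True))
    return nets


def is_allowed(ip, nets):
    """True if the destination address falls inside any allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def diff_rules(old, new):
    """Ranges to add to and remove from the firewall rule after a refresh."""
    return sorted(new - old, key=str), sorted(old - new, key=str)
```

Scheduling the refresh and alerting on a non-empty diff covers the "check them often" advice without opening outbound port 80 to every address.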
Perhaps you should be using a hostname rather than IP
