Gentoo Forums
Networking & Security
Resolve DNS Name to KVM Guest IP?
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Sat Mar 03, 2012 5:59 am    Post subject: Resolve DNS Name to KVM Guest IP?

I use Time Warner as my ISP at my house. I have a router which my ISP leases an IP address to. Behind my router I have my Gentoo system with a NATed IP address from my router. On my Gentoo system I have KVM tap networking using a Linux bridge.

I want to have a KVM guest (Gentoo) and run a small web site on it for the fun of it. I don't expect any heavy traffic. I registered a domain name for it. From outside on the web, how would I have this domain name resolve to the KVM guest's IP address?
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

PostPosted: Sat Mar 03, 2012 7:02 am

Well, that depends what you are allowed to do with the domain you registered. One suggestion:

Register a dyndns subdomain like dman777.dyndns.org.
Configure it as a CNAME for your official domain dman777.net, so that dman777.net points to dman777.dyndns.org.
Let your router or your webserver use a dyndns client to update dman777.dyndns.org with the correct IP.
Configure explicit port forwarding on your router for TCP/80 towards the web server's internal IP.
_________________
Death by snoo-snoo!
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Sat Mar 03, 2012 9:41 am

I already paid for a dns name on namecheap.com.

With the router being leased just one IP address from my cable company, I'm not sure how to point it to the KVM guest. For instance, if my router's IP address is 98.233.34.11 and my Gentoo host is 192.168.0.1, and the KVM guest is 192.168.0.2... how would I get the DNS name to point to 192.168.0.2? Could I just assign a custom port and use port forwarding on my router? Like dnsname.com = 98.233.34.11:4045 and have my router forward it to 192.168.0.2:80?
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

PostPosted: Sat Mar 03, 2012 2:13 pm

No, DNS does not know anything about ports. You will have to configure 98.233.34.11 for yourdomain.com. Whenever you browse the web, your router uses 98.233.34.11 as the packets' source address, no matter what the internal IPs are. Likewise, internet servers always respond to 98.233.34.11; they don't use the 192.168.x.y addresses. They can't, because you're not the only one using them. So your web server also has to be reachable via 98.233.34.11. When packets arrive at your router, it has to know what to do with them. You can tell your router with an explicit rule that says:
"I have a packet here destined for 98.233.34.11 on TCP port 80. That packet is probably meant to reach the web server, so let's forward it to 192.168.0.2 port 80".
_________________
Death by snoo-snoo!
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Sun Mar 04, 2012 4:00 am

Ok....I see... I can set up a special rule for packets destined for port 80 to be forwarded to the KVM guest 192.168.1.02. What if I am surfing the internet on my Gentoo host and reply packets come back and get redirected to the KVM guest?
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

PostPosted: Sun Mar 04, 2012 10:30 am

Applications don't use ports below 1024 but higher random port numbers as source ports when they communicate with other servers. So when you surf the internet, it will possibly look like this:

Gentoo Box (src 192.168.0.1:34662, dst 209.85.148.138:80)
==> Router LAN side (src 192.168.0.1:34662, dst 209.85.148.138:80)
==> Router WAN side (src 98.233.34.11:34662, dst 209.85.148.138:80)
==> Google reply (src 209.85.148.138:80, dst 98.233.34.11:34662)
==> Router WAN side (src 209.85.148.138:80, dst 98.233.34.11:34662)
==> Router LAN side (src 209.85.148.138:80, dst 192.168.0.1:34662)
==> Gentoo Box

The router maintains the information that it has translated 192.168.0.1:34662 to 98.233.34.11:34662, so when reply packets come back with 34662 as destination port, they are meant for 192.168.0.1.
_________________
Death by snoo-snoo!
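The translation papahuhn walks through, as an added Python model that is not part of the original thread: a toy router that rewrites the source of outbound flows to the WAN address, keeps the conntrack entry the reply needs, and consults the static port-80 forward only for packets that match no existing flow. The addresses are the ones used in the thread; the visitor address is constructed, and keying conntrack on the WAN port alone is a simplification of what a real router does.

```python
from dataclasses import dataclass

WAN_IP = "98.233.34.11"      # router's public address, as in the thread
LAN_HOST = "192.168.0.1"     # Gentoo host
KVM_GUEST = "192.168.0.2"    # KVM guest running the web server
# Static port forward ("DNAT"): anything arriving on WAN tcp/80 goes to the guest's port 80.
DNAT_RULES = {("tcp", 80): (KVM_GUEST, 80)}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class NatRouter:
    """Toy NAT: SNAT on the way out, conntrack lookup and then DNAT rules on the way in."""

    def __init__(self):
        # (proto, wan_port) -> (internal_ip, internal_port) for flows the LAN side opened
        self.conntrack = {}

    def lan_to_wan(self, pkt):
        """Rewrite the source to the WAN address and remember how to undo it for the reply."""
        wan_port = pkt.src[1]
        # Keep the internal source port unless another internal host already owns it.
        while self.conntrack.get((pkt.proto, wan_port), pkt.src) != pkt.src:
            wan_port += 1
        self.conntrack[(pkt.proto, wan_port)] = pkt.src
        return Packet(pkt.proto, (WAN_IP, wan_port), pkt.dst)

    def wan_to_lan(self, pkt):
        """Established flows win over static forwards; anything else is dropped (None)."""
        key = (pkt.proto, pkt.dst[1])
        if key in self.conntrack:                 # reply to a flow the LAN side opened
            return Packet(pkt.proto, pkt.src, self.conntrack[key])
        if key in DNAT_RULES:                     # unsolicited: only the explicit port forward
            return Packet(pkt.proto, pkt.src, DNAT_RULES[key])
        return None

def browse_from_host(router):
    """dman777's worry: the host opens a flow to a web server; the reply must reach the host."""
    out = router.lan_to_wan(Packet("tcp", (LAN_HOST, 34662), ("209.85.148.138", 80)))
    reply = Packet("tcp", ("209.85.148.138", 80), (WAN_IP, out.src[1]))
    return router.wan_to_lan(reply)

def visitor_hits_site(router, src_ip="203.0.113.7", src_port=51000):
    """A visitor (constructed address) connects to the public IP on port 80."""
    return router.wan_to_lan(Packet("tcp", (src_ip, src_port), (WAN_IP, 80)))
```

Because conntrack is consulted before the static rule, a reply to the host's own browsing is never diverted to the guest even though both arrive on the same public address.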
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Mon Mar 05, 2012 2:30 am

Ok, great. Thanks.

I have another dilemma. I bought 2 DNS names because I intended to have two different web sites run on 2 separate KVM guests. Since I only have one outside IP address, is there anything I can do about this?
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Mon Mar 05, 2012 3:02 am

dman777 wrote:
Ok, great. Thanks.

I have another dilemma. I bought 2 DNS names because I intended to have two different web sites run on 2 separate KVM guests. Since I only have one outside IP address, is there anything I can do about this?


yep. name-based virtual hosting allows you to house multiple hostnames on a single IP address
if using apache, have a gander at /etc/apache2/vhosts.d/*

your situation is not too unique so should be good to go. Do port forwarding of port 80 on the router to your internal IP, and set up vhosts on apache/nginx/whatever.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Mon Mar 05, 2012 6:32 am

With Apache name-based virtual hosting, would it work like this?

Outside DNS names: www.webserver1.com = 98.233.34.11
www.webserver2.com = 98.233.34.11

My router = requests for port 80 forward to KVM guest 192.168.1.2

On the KVM guest:

NameVirtualHost 192.168.1.2:80

<VirtualHost 192.168.1.2:80>
ServerName www.webserver1.com
DocumentRoot /www/webserver1
</VirtualHost>

<VirtualHost 192.168.1.2:80>
ServerName www.webserver2.com
DocumentRoot /www/webserver2
</VirtualHost>
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

PostPosted: Mon Mar 05, 2012 8:33 am

Yes.
_________________
Death by snoo-snoo!
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Mon Mar 05, 2012 8:35 am

That is pretty cool. Since there are 2 DNS names for one IP address, how does Apache identify which web server a packet belongs to? Is the DNS name encapsulated somewhere in the TCP/IP stack of the packet?
papahuhn
l33t
Joined: 06 Sep 2004
Posts: 623

PostPosted: Mon Mar 05, 2012 8:54 am

The hostname is encoded in an HTTP/1.1 header, which is set by the browser. It will look like this:

GET /index.html HTTP/1.1
Host: dnsname1.com
... more headers ...
_________________
Death by snoo-snoo!
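How a name-based server turns that Host header into a choice between the two <VirtualHost> blocks posted above, as an added Python example that is neither from the thread nor Apache's own code: the docroots come from dman777's config, the fall-through to the first vhost for unknown or absent names mirrors Apache's default behaviour, and the 400 for a Host-less HTTP/1.1 request is what RFC 7230 requires. The sample request is constructed.

```python
# Docroots taken from the NameVirtualHost config posted above.
VHOSTS = {
    "www.webserver1.com": "/www/webserver1",
    "www.webserver2.com": "/www/webserver2",
}
DEFAULT_VHOST = "www.webserver1.com"  # the first <VirtualHost> catches names nobody claims

def parse_request(raw: bytes):
    """Split an HTTP request into (method, target, version, headers); header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers

def host_to_name(host: str) -> str:
    """Strip an optional :port from a Host value, leaving IPv6 literals like [::1] intact."""
    host = host.lower()
    if host.startswith("["):
        return host[:host.index("]") + 1]
    return host.split(":", 1)[0]

def select_docroot(raw: bytes):
    """Return (status, docroot): the vhost chosen for this request, or 400 and None."""
    _method, _target, version, headers = parse_request(raw)
    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            return 400, None          # RFC 7230 section 5.4: Host is mandatory in HTTP/1.1
        name = DEFAULT_VHOST          # HTTP/1.0 clients may omit it: first vhost wins
    else:
        name = host_to_name(host)
    # Unknown names are not rejected; they land on the default vhost, so keep that
    # vhost's content harmless (or make the first <VirtualHost> an explicit catch-all).
    return 200, VHOSTS.get(name, VHOSTS[DEFAULT_VHOST])

# Constructed request of the shape papahuhn showed.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.webserver2.com\r\nUser-Agent: demo\r\n\r\n"
```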
Hu
Moderator
Joined: 06 Mar 2007
Posts: 15977

PostPosted: Tue Mar 06, 2012 12:07 am

As an unfortunate side effect of passing the hostname via the HTTP headers, in conjunction with early design decisions for HTTPS, it is not possible to use named virtual hosts for HTTPS with host-specific certificates. This limitation is because Apache must pick and send a certificate before it can read the HTTP headers, so it cannot know which name the client contacted.
dman777
l33t
Joined: 10 Jan 2007
Posts: 996

PostPosted: Tue Mar 06, 2012 12:23 am

Wow. So it would be easy for my website to get the DNS name spoofed and redirected to a different website? I don't plan on using passwords or any logins, so I don't see a need for HTTPS over HTTP. Is there a way to keep this from happening other than using certificates?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 15977

PostPosted: Tue Mar 06, 2012 3:58 am

Easy is relative. Yes, it is easy for an attacker who can manipulate DNS to interpose his HTTP site in a way that your users will not obviously detect. However, the vast majority of attackers on the Internet are not in a position to manipulate DNS in that way. Generally, DNS manipulation is either an isolated attack against users that are logically near the attacker (such as on the same WiFi access point) or is an attack on your registrar to rewrite the authoritative A/AAAA records.

If you are not serving sensitive content, then it is likely not worth the effort to encrypt it.
salahx
Guru
Joined: 12 Mar 2005
Posts: 438

PostPosted: Tue Mar 06, 2012 7:33 am

Hu wrote:
As an unfortunate side effect of passing the hostname via the HTTP headers, in conjunction with early design decisions for HTTPS, it is not possible to use named virtual hosts for HTTPS with host-specific certificates. This limitation is because Apache must pick and send a certificate before it can read the HTTP headers, so it cannot know which name the client contacted.


There is, however, an extension to SSL called Server Name Indication to solve this exact problem. Client support is good; the main problem is it's not supported by any version of Internet Explorer on Windows XP, Android 2.x, and to a lesser extent, BlackBerries and Safari before 10.5.6 (Mac)/Vista (Windows). All supported versions of Firefox, Chromium and Opera support it; all supported versions of IE and Safari for Vista and above, and MobileSafari for iOS 4.0 and above, support it as well.
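What the Server Name Indication extension salahx mentions adds to Hu's point, as an added Python example that is not from the thread: the requested hostname travels in the clear inside the ClientHello, before any certificate has been chosen, so the server can read it and select the matching certificate at exactly the point Hu describes. The block drives Python's own ssl module into memory buffers to obtain a real ClientHello and then parses the server_name extension (RFC 6066) out of it; the certificate file names are constructed.

```python
import ssl

def client_hello_for(hostname):
    """Run a client-side handshake into memory BIOs and return the bytes the client sends first."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # there is no peer here; we only want the ClientHello bytes
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                         # ClientHello written; the server's reply never arrives
    return outgoing.read()

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if the extension is absent."""
    if len(record) < 5 or record[0] != 0x16:              # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + int.from_bytes(record[3:5], "big")]
    if body[0] != 0x01:                                   # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                      # handshake header, version, random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:   # server_name: list_len(2) | name_type(1)=0 | name_len(2) | name
            name_len = int.from_bytes(data[3:5], "big")
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

# Constructed mapping: which certificate file the server would load for each name.
CERTS = {"www.webserver1.com": "webserver1.pem", "www.webserver2.com": "webserver2.pem"}

def pick_certificate(record: bytes, default="webserver1.pem"):
    """The server-side decision Hu described, made from the ClientHello alone, before any HTTP."""
    name = extract_sni(record)
    return CERTS.get(name, default)   # no SNI (old clients) or unknown name: the default cert
```

Clients without SNI, like the ones salahx lists, send no server_name and therefore always receive the default certificate, which is the mismatch warning those users see on a multi-name host.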
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

PostPosted: Thu Mar 08, 2012 8:47 pm

salahx wrote:

There is, however, an extension to SSL called Server Name Indication to solve this exact problem. Client support is good; the main problem is it's not supported by any version of Internet Explorer on Windows XP, Android 2.x, and to a lesser extent, BlackBerries and Safari before 10.5.6 (Mac)/Vista (Windows). All supported versions of Firefox, Chromium and Opera support it; all supported versions of IE and Safari for Vista and above, and MobileSafari for iOS 4.0 and above, support it as well.


For whatever it's worth, I know for certain it works with Android 4.0, as we have a setup at work that requires SNI.

The big pain for me - and why I finally convinced the boss to move to Gentoo for this - was that CentOS 5 has no build of OpenSSL available that actually supports SNI. Can you get one on there? Yes, but with much, much, much pain.

I have not had any issues with SNI in our setup. Nor have I for some years now with other non-work things that require it.

Not particularly painful to set up on the Apache side of things either.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash
All times are GMT