
Ideal DNS Setup for RAQ using Tera-Byte's DNS servers? Comments please.
GeorgeK 02-09-2001, 05:26 PM Hello,
I'm a new RAQ user at 4WebSpace (Tera-Byte), and have found lots of useful tips on this forum, and hope to be able to help others as I learn more. I posted this message on the 4webspace forum, but thought I'd be able to get more feedback by reposting here, as there are a lot of Tera-Byte RAQ users here, it seems.
I've been trying to create a "Perfect Template DNS" for all my virtual domains on a RAQ (I'm just getting started with a dedicated server). After some experimentation, I've setup the DNS as follows, using Tera-Byte's DNS Control Panel, and would appreciate comments on any disadvantages to what I've done:
I've replaced the real domain name with "mydomain.com" throughout, and the IP with 10.0.0.2, so that it is generic:
On the Tera-Byte DNS Admin, I now have the following:
mydomain.com has an IP of 10.0.0.2
mail for mydomain.com is delivered to mydomain.com with a preference of 5
www has an IP of 10.0.0.2
mail for www is delivered to mydomain.com with a preference of 5
ftp is an alias for mydomain.com
mail is an alias for mydomain.com
pop is an alias for mydomain.com
smtp is an alias for mydomain.com
Non-matching DNS requests are not forwarded
In other words, mydomain.com and www.mydomain.com have A records pointing to the IP used for the www.mydomain.com virtual site in the RAQ. BOTH their MX records are set to deliver to mydomain.com. ftp, mail, pop and smtp hostnames are all set to be CNAME records, aliasing mydomain.com.
Using Sam Spade's tools (www.samspade.org), I also did a Zone Transfer of the domain, and the record is:
-------------- start zone -----------------------
Zone transfer mydomain.com@ns1.tera-byte.com (216.234.161.11) ...
Query for mydomain.com type=252 class=1
mydomain.com SOA (Zone of Authority)
Primary NS: ns1.tera-byte.com
Responsible person: hostmaster@tera-byte.com
serial:2001020804
refresh:3600s (60 minutes)
retry:900s (15 minutes)
expire:3600000s (410 days)
minimum-ttl:3600s (60 minutes)
mydomain.com NS (Nameserver) ns1.tera-byte.com
mydomain.com NS (Nameserver) ns2.tera-byte.com
mydomain.com NS (Nameserver) ns3.tera-byte.com
mydomain.com A (Address) 10.0.0.2
mydomain.com MX (Mail Exchanger) Priority: 5 mydomain.com
ftp.mydomain.com CNAME (Canonical Name) mydomain.com
mail.mydomain.com CNAME (Canonical Name) mydomain.com
pop.mydomain.com CNAME (Canonical Name) mydomain.com
smtp.mydomain.com CNAME (Canonical Name) mydomain.com
www.mydomain.com A (Address) 10.0.0.2
www.mydomain.com MX (Mail Exchanger) Priority: 5 mydomain.com
mydomain.com SOA (Zone of Authority)
Primary NS: ns1.tera-byte.com
Responsible person: hostmaster@tera-byte.com
serial:2001020804
refresh:3600s (60 minutes)
retry:900s (15 minutes)
expire:3600000s (410 days)
minimum-ttl:3600s (60 minutes)
-------------- end zone -----------------------
I then created 2 users for this domain, named user1 and user2. user1 has an alias of me@mydomain.com. user2 is the catchall account, and has an alias of @www.mydomain.com (it seems the www is required).
Then, I sent emails to user1@, me@, user2@ and junk@, with the following after the @:
1) mydomain.com
2) www.mydomain.com
3) smtp.mydomain.com
4) junk.mydomain.com
5) super.junk.mydomain.com
6) super.www.mydomain.com
Thus, there are 24 different combinations for the 4 usernames, and 6 hosts (i.e. I sent 24 emails). I sent from 3 different accounts (Yahoo, Hotmail, and my own ISP), and all received the same results:
Host Type 1: everything worked correctly -- user1 received the email sent to user1@ and me@, and user2 received the email sent to user2@ and junk@.
Host Type 2: very similar to Host Type 1, except that the "To" line stayed at "www.mydomain.com" after being sent and received.
Host Type 3: in contrast to Host Type 2, the "smtp" CNAME was deleted entirely, and the "To" line just showed user1@mydomain.com, user2@mydomain.com, me@mydomain.com and junk@mydomain.com after being correctly received.
Host Type 4,5,6: all emails (12 of them) bounced back to the sender, as those hosts didn't exist. Importantly, no emails showed up in the admin account (which happened when wildcard DNS was turned on).
Using CNAMEs, and turning off wildcard DNS, meant that at no time did the admin account receive any error messages for improper subdomains. If, instead, I had simply created A records, for instance, for FTP or SMTP, there'd be strange error messages if someone sent email to random@smtp.mydomain.com. The same kinds of error messages would show up if I kept wildcard DNS on. (Error messages refer to "local configuration error".)
As folks often mangle their email addresses, to prevent spam (e.g. usernameNOSPAM@DONTSPAM.mydomain.com), I believe the above setup has its advantages.
Any comments as to whether there are any downsides to what I've done?
Sincerely,
George Kirikos
http://www.kirikos.com/
P.S. If you have wildcard DNS on, you can see the error messages in your admin email account by sending a message to usernameNOSPAM@DONTSPAM.mydomain.com. If you use an A record for a subdomain, try usernameNOSPAM@ftp.mydomain.com (replace "ftp" with the subdomain name for which there's an A record).
Chicken 02-09-2001, 07:38 PM I have to admit that I lost you there a bit, but I don't set all that up. Just:
domain.com to IP address
www A record to IP address
(and most of the time) wildcard to server IP address.
-Edward- 02-09-2001, 07:52 PM Setting up an A record for smtp ....
Doing that, would it mean they are required to send mail through that or it would bounce?
GeorgeK 02-09-2001, 08:01 PM Hi,
I assume you had to add MX records though, Chicken? What happens when you try to send an email to one of your domains (which have the wildcard DNS turned on) as mynameNOSPAM@DONTSPAM.yourdomain.com ?
I was getting configuration error messages in the mailbox of the admin account when these emails were sent (and the messages would also bounce back to the sender). I had wanted to set things up so that I wouldn't see those errors at all (bouncing back to the sender is fine, though).
Do you think there's any downside/problems with the way I've set things up now, using CNAMEs etc.? I wanted to make it easier for end users to be able to use pop.mydomain.com, smtp.mydomain and ftp.mydomain.com, but avoid the issue of the mail errors when wildcard DNS was turned on. However, even though things seem to work now, I want to be sure I've not done anything incorrectly that I might not have tested for, due to idiosyncrasies with the RAQ.
Sincerely,
George Kirikos
http://www.kirikos.com/
raylin 02-14-2001, 04:52 AM Say I have a dedicated IP virtual site dom1.com.
I can add A record for dom1.com and www.dom1.com
But where can I add a PTR record for dom1.com ?
Or it is not necessary to add a PTR record.
If so, then what's the difference between a name-based virtual site and an IP-based virtual site?
Thanks for your reply.
[Edited by raylin on 02-14-2001 at 03:56 AM]
GeorgeK 02-14-2001, 05:01 AM If you're using Tera-Byte, email noc@tera-byte.com and they'll add the reverse DNS/PTR record. It needs to be done by the owner of the IP block, which is them.
Sincerely,
George Kirikos
http://www.kirikos.com/
Chicken 02-14-2001, 10:21 AM Originally posted by GeorgeK: I assume you had to add MX records though, Chicken?
No, that's it (what I posted).
What happens when you try to send an email to one of your domains (which have the wildcard DNS turned on) as mynameNOSPAM@DONTSPAM.yourdomain.com ?
Yeah, it gets bounced and it gets sent to the admin box. You are getting errors because the server doesn't know what to do with it. If you took the wildcard out it might just bounce back without delivering a copy to you, but I just delete these when I get them and ignore it for the most part. Sometimes it's a spammer getting the copy though, so good to check it out :)
I'm not sure there are any downsides to how you set it all up, just that it is extra work and isn't needed. You can FTP/POP/SMTP to http://www.domain.com without having to enter all the DNS entries so...
If it works and you like it, then that's what it is all about (self gratification :)) -enjoy!
tymonhall 02-14-2001, 09:20 PM I'm not understanding this. Would this mean you would send an email or something to Tera-Byte requesting the DNS add job to be completed, or do they allow you access to a server where you can run this or any other script to add your DNS? I am wondering because I just got an email saying that they are going to discontinue allowing their customers to run their own DNS servers, which sucks.
GeorgeK 02-14-2001, 10:45 PM I'd rather use their DNS servers, as it provides another level of redundancy. And for $10 more, one gets the customized nameserver names, which isn't bad (given one can host many domains with those nameservers).
Conceivably, you can always run DNS through a third party, and not Tera-Byte, but if you play with their nameserver control panel, it is very easy to use.
Sincerely,
George Kirikos
http://www.kirikos.com/
syanet 02-14-2001, 10:54 PM Originally posted by tymonhall
I just got an email saying that they are going to discontinue allowing their customers to run their own DNS servers, which sucks.
Yes it does :(.
Just pay the extra $10 and get personalized ones. I think it's great!
syanet 02-14-2001, 11:33 PM Well, I was getting my own personalized ones for free; now I have to pay another $10.
True. I wish it was free. $10 is hard to swallow when you're not making any money. I might just keep the Tera-Byte DNS for now.
jakis 02-15-2001, 01:47 AM Folks, it's not that easy.
In case you are using your own nameserver, do you know how long it takes to change a nameserver's IP address at the NSI Registry?
Maybe 2 days theoretically, or 2 months practically (read the DNS problem threads on other WHT forums).
Or in case you are providing a hosting service, do you know how hard it is to change your customers' domain DNS?
In the last few months I changed ns.mydomain's IP through OpenSRS's real-time API. But NSI appears to show no change so far.
Out of the 4 times I had to change DNS servers/IPs, all my changes were completed in 2 days.
I changed twice... And no problems with the timing as well.
2 days...
syanet 02-15-2001, 08:39 AM Same here, done within 2 days.
tymonhall 02-15-2001, 12:38 PM Yeah, I get it to change within two days as well. The biggest problem is going to be changing the customers, especially any new ones where I have no control over the name servers.
You don't have to do a thing to any customer's DNS.
Step one: request the customized DNS solution.
Step two: receive new IPs for your nameservers.
Step three: change your hostname records to reflect the new IPs.
Step 4: add domains to Tera-Byte's DNS control panel.
Step 5: sit back and wait for the seamless switchover.
When everything is said and done, click off the DNS button on your RAQ.
As far as the cost goes, you're already paying at least $5.00 for the IPs needed to run your own DNS servers on the RAQ; you would no longer need to pay that amount.
Steve
Oh OK, so basically if you already have spare IPs, it's just $5 more. Great deal!
dutchie 02-15-2001, 02:52 PM It was nice running my own dns till it crashed.
Now my site has been offline for 2 days, and why?
Because Cobalt isn't able to come up with a decent version of BIND!
The one that caused all the trouble is still on their patch list.
I spoke to a Tera-Byte dude, and he told me that version of BIND was notorious and I should have known it.
Hell, if even Cobalt didn't know this!
I'm still very curious what happened to my BIND, and would very much like to know how many people are running this version without any problems.
I only counted 2 crashes on this forum, right? How many of you run BIND version 8.2.2_P5 on a RAQ3 from 4webspace?
jakis 02-15-2001, 02:58 PM I came to 4ws because I don't want to pay $10/mo for my nameservers at Alabanza while I can hardly control them. I set up BIND 9 and run DNS on my own RAQ3, as I can easily automate the DNS setup process. Blocking incoming DNS on my RAQ server will just piss me off. I guess some people have a second server somewhere else, then use 4ws as one nameserver and the other machine as another nameserver. Is it worth it for them to pay an additional $5-10/mo?
syanet 02-15-2001, 04:38 PM I don't like it either. It's much more of a hassle to set things up through them rather than doing everything from the RaQ. And the extra money: this should be a free service since we're forced to use it.
jakis 02-15-2001, 05:26 PM Right now, 4ws are losing from users' DNS exploits and high technical loads.
But after the new rules are applied, 4ws will get security and technical availability back, while some users are going to lose, since their own DNS turns into a cost and they lose versatility, as Tera-Byte's DNS must be manually configured.
Why not adjust the rule so that people who are able to set up their own BIND daemon can continue running DNS on their RAQ (this will unload technical support, since users must be responsible for their own daemon setup), or, if security is the concern, 4ws should provide users' DNS at no cost, so that no party loses, since using ns.tera-byte.com seems silly among people providing services to the outside world.
-Edward- 02-15-2001, 05:35 PM Then think of this ...
Someone comes along saying they know what they are doing. Tera-Byte allows them to run the DNS right from their machine. A hacker finds a way in through BIND because the user ignored the fact and didn't upgrade their BIND. They run to Tera-Byte for help saying my server's been hacked via BIND. More time spent fixing things by the technical support team.
With this in place they stop this from ever happening.
Just think about what you're getting for $99..
How many other companies do you know who will give you 100 true gigabytes of bandwidth for that price?
How many companies will provide the level of support they provide for that price?
I don't think it's a lot to ask for an extra $10 ... I've looked at other providers of RAQs and what they supply for $99 .... they give you 50GB, maybe 60 if you're lucky, and most don't even provide it as true bandwidth. They also have slow networks ... I find 4webspace a little slow right now at times but still faster than all the others for this price. They're even looking into sorting out issues.
Find me another company who gives you the service they do at the same price.... the nearest you're likely to get is $200, maybe $300.
jakis 02-15-2001, 05:59 PM Originally posted by Technics
Someone comes along saying they know what they are doing. Tera-Byte allows them to run the DNS right from their machine. A hacker finds a way in through BIND because the user ignored the fact and didn't upgrade their BIND. They run to Tera-Byte for help saying my server's been hacked via BIND. More time spent fixing things by the technical support team.
Can upgrading BIND really prevent crackerz? New attacks are rapidly updated when a new version is released.
Tera-Byte can append the price below to the 4ws website like they did with MySQL, PHP etc.?
"To add BIND is $xxxxUS"
Since blocking incoming DNS to the RAQ is unacceptable.
[Edited by jakis on 02-15-2001 at 05:06 PM]
-Edward- 02-15-2001, 06:03 PM Well, if you're prepared to pay so much for this access, why not just settle for them handling your DNS off your server? Geesh, all you gotta do is open another window and edit the information through their easy-to-use DNS system.
jakis 02-15-2001, 06:27 PM About setting up nameservers outside, I never found a server providing my own nameserver unless I have a dedicated server.
Tera-Byte DNS is not versatile enough. I wrote scripts that allow users to edit their DNS online. I can't tell my users to go to http://tera-byte.com/somewhere and log in using my username and password, or maybe let them fill in the form and send mail to me so I will manually change DNS for them (that's pitiful, I agree).
-Edward- 02-15-2001, 06:39 PM Oh well, I didn't know that, but I'm sure you could work something out with them should you contact them.
GeorgeK 02-15-2001, 07:01 PM Since folks are now all going to be using the Control Panel, can folks review the first message in this thread? Is that a good setup for the DNS?
In addition, I went for the "co-branded" nameservers, so I have ns1.mydomain.com and ns2.mydomain.com with IP addresses of 10.1.2.3 and 10.4.5.6 (continuing with the fictitious example from before). Should I add "A records" for these 2 new hostnames?
I.e. to have:
ns1.mydomain.com A (Address) 10.1.2.3
ns2.mydomain.com A (Address) 10.4.5.6
Cobalt seems to have "A" records for their nameservers (I did a zone transfer of cobalt.com using Sam Spade, www.samspade.org, windows version), so I figure that is the "proper" way, but would like some confirmation (DNS isn't my strong point!).
Sincerely,
George Kirikos
http://www.kirikos.com/
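A worked check of the setup in the first post together with the ns1/ns2 glue question just above, as an added example that is not code from the thread or from Tera-Byte's panel: it parses the Sam Spade zone-transfer layout quoted earlier, flags the record combinations a resolver or sending MTA rejects (a CNAME sharing a name with other records, an MX or NS pointing at a CNAME, an in-zone NS or MX name with no A record), and models which of the test addresses get delivered, rewritten to mydomain.com via the smtp CNAME, or bounced, with and without the wildcard. The zone text, the 10.x addresses and all function names are constructed for this example.

```python
import re
# Constructed sample in the Sam Spade zone-transfer layout quoted in the thread,
# plus the co-branded ns1/ns2 glue records the later post asks about (10.x = fictitious).
ZONE_DUMP = """
mydomain.com NS (Nameserver) ns1.mydomain.com
mydomain.com NS (Nameserver) ns2.mydomain.com
mydomain.com A (Address) 10.0.0.2
mydomain.com MX (Mail Exchanger) Priority: 5 mydomain.com
ftp.mydomain.com CNAME (Canonical Name) mydomain.com
smtp.mydomain.com CNAME (Canonical Name) mydomain.com
www.mydomain.com A (Address) 10.0.0.2
www.mydomain.com MX (Mail Exchanger) Priority: 5 mydomain.com
ns1.mydomain.com A (Address) 10.1.2.3
ns2.mydomain.com A (Address) 10.4.5.6
"""
APEX = "mydomain.com"
LINE_RE = re.compile(r"^(\S+)\s+(A|NS|MX|CNAME)\s+\([^)]*\)\s+(?:Priority:\s*(\d+)\s+)?(\S+)$")

def parse_zone_dump(text):
    """Parse 'name TYPE (label) [Priority: n] target' lines into {name: [(type, target, pref)]}."""
    zone = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # SOA blocks and the start/end markers simply do not match
            name, rtype, pref, target = m.groups()
            zone.setdefault(name.lower(), []).append((rtype, target.lower(), int(pref or 0)))
    return zone

def lint_zone(zone, apex=APEX):
    """Return the record-level mistakes a resolver or sending MTA would trip over."""
    def has(name, rtype):
        return any(rt == rtype for rt, _, _ in zone.get(name, []))
    problems = []
    for name, rrs in zone.items():
        if has(name, "CNAME") and len(rrs) > 1:
            problems.append(f"{name}: a CNAME must be the only record at its name (RFC 1034 s3.6.2)")
        for rt, target, _ in rrs:
            if rt not in ("MX", "NS"):
                continue
            if has(target, "CNAME"):
                problems.append(f"{name}: {rt} target {target} is a CNAME (RFC 2181 s10.3)")
            elif (target == apex or target.endswith("." + apex)) and not has(target, "A"):
                problems.append(f"{name}: in-zone {rt} target {target} needs an A record")
    return problems

def resolve_mail_host(zone, host, wildcard=False, apex=APEX, max_hops=8):
    """Model a sending MTA picking the mail host for the part after '@': follow CNAMEs, then
    use the lowest-preference MX; with no MX, a name holding an A record (its own, or one the
    panel's wildcard supplies) gets the mail itself (RFC 5321 s5.1). None means it bounces."""
    name = host.lower()
    for _ in range(max_hops):
        cnames = [t for rt, t, _ in zone.get(name, []) if rt == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    else:
        return None  # CNAME chain too long or looping
    rrs = zone.get(name, [])
    mx = sorted((p, t) for rt, t, p in rrs if rt == "MX")
    if mx:
        return name, mx[0][1]  # (canonical name, mail host)
    if any(rt == "A" for rt, _, _ in rrs) or (wildcard and not rrs and name.endswith("." + apex)):
        return name, name  # no MX: the named host itself must accept the mail
    return None
```

With the wildcard on, a mangled address such as DONTSPAM.mydomain.com resolves to the RAQ itself with no matching virtual site, which is where the "local configuration error" copies in the admin mailbox come from.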
iplexx 02-16-2001, 12:47 PM Just a thought...
If TB blocks DNS to all customer RAQs but not nsX.tera-byte.com, customer RAQs can still run BIND.
The customer RAQ is an "unpublished primary nameserver", while the TB nameservers are the published ones.
+ customers still have full control over their zones
+ TB has only their own DNS publicly available, so keeping things secure
Drawback: what happens if customer A publishes a zone from customer B?
Technically, if customers do some kind of registration of their domains, the NS fetch exactly those zones from the customer RAQ, and everything is fine!?
[Edited by iplexx on 02-16-2001 at 11:50 AM]
First off, the way we would do it is deny all port 53 packets so unauthorised DNS calls wouldn't work; we are however making exceptions for those people that demonstrate an ability to run their own DNS. Remember what 4webspace was designed for: people who want their business online and want the security of their own server, instead of shared servers. If you're on 4webspace and know how to upgrade things like BIND, you're not the target customer and we are willing to make an exception for you. But our target customers need their services up and running; if someone exploits your box you will be shut down. Since the exploit was discovered, 4 servers are down and 15 others have non-functioning DNS. What would be a better way? I'm listening.
Steve
-Edward- 02-16-2001, 01:50 PM What's wrong with paying $10 extra for more security?
It's not going to kill you to create an account in your control panel then go to another screen to put the DNS in. Me and my partner are 100% behind Tera-Byte with this new rule.
tymonhall 02-16-2001, 03:29 PM I personally don't care if TB runs DNS or I do; all I care about is being able to do the following:
a) make sure I can have my own name servers ns1.domain.com and ns2.domain.com, which I am told I can, and
b) some sort of way to automate the DNS additions. I have spent two weeks getting everything automated for a customer signup, then I'm told that I can't do that any more.
jakis 02-16-2001, 03:32 PM Good point, Steve.
Technics, $5-10 can protect TB from DNS problems, while DNS blocking cannot absolutely prevent attackers, since most RAQs are still running the original vulnerable daemons like sendmail, qpop etc.
syanet 02-16-2001, 03:44 PM Good point tymonhall. Someone mentioned they have an automatic signup script now. Will this not allow me to use it?
tymonhall 02-16-2001, 04:00 PM There are two scripts. You will be able to use the first script, which creates the user account, but the second script, which creates the DNS information, you can't use anymore.
-Edward- 02-16-2001, 04:40 PM I'll be updating my sendmail shortly. I've got qpop 3.0; does that make mine OK?
jakis 02-16-2001, 05:26 PM Updating RPMs might void the RAQ's warranty. So I tried shutting down the old daemon and bringing up new daemons manually from those tar archives. While we update daemons quarterly, those guys from http://packetstorm.securify.com and http://www.securityfocus.com (including the Bugtraq mailing list) update new holes daily.
ML2008 06-11-2001, 04:32 AM What are the correct DNS settings for a typical Raq3 server domain on a Tera-Byte DNS CP? Can anyone post some examples?
Does this look ok?
DNS Administrator
You are logged in as "xxxx"
domain.com has an IP of 216.234.xxx.xxx
mail for domain.com is delivered to domain.com with a preference of 5
www has an IP of 216.234.xxx.xxx
mail for www is delivered to domain.com with a preference of 5
ftp is an alias for domain.com
imap is an alias for domain.com
mail is an alias for domain.com
pop is an alias for domain.com
smtp is an alias for domain.com
Non-matching DNS requests are not forwarded
Thanks
WreckRman2 06-11-2001, 11:54 AM I use the following:
indywebdesign.com has an IP of 66.51.108.10
mail for indywebdesign.com is delivered to indywebdesign.com with a preference of 5
secure has an IP of 66.51.108.7
mail for secure is delivered to indywebdesign.com with a preference of 5
www has an IP of 66.51.108.10
mail for www is delivered to indywebdesign.com with a preference of 5
Non-matching DNS requests forwarded to 66.51.108.10
I don't see any need for all those aliases if you add your IP to Non-matching DNS requests. Although your best answer might come from Tera-Byte themselves...