
This is a discussion on Basic VPS/DNS Questions in the VPS & Dedicated forum

  1. #1
    JPC Member
    Join Date
    Dec 2008
    Posts
    9

    Basic VPS/DNS Questions

    I'm fairly knowledgeable about networking, Linux admin, and DNS, but I'm new to VPS and virtualization in environments like this.

    I have a new VPS and I'm trying to understand just how DNS is supposed to work. I got the bare-bones setup (no managed add-ons because I didn't want to spend the extra $7 a month and I know my way around for the most part).

    The intro email had me confused on a few things.

    First, the email said "DNS has been set on your VPS the above Nameservers corresponding to your Primary Domain." What does that mean?

    Second, the email says I should set up ns1.mydomain.com and ns2.mydomain.com with my registrar to point to my second and third VPS ip addresses. If I do this, do I need to also set up my own DNS server on the machine? Or do the DNS queries somehow get routed to something in Jag's control?

    If I need to set up my own DNS servers, that's fine with me - I'm familiar with bind (and others) and I know what records to set. I'm curious though - the template that was installed for Ubuntu for my VPS seems to have bind already installed, although it doesn't seem to be running. If I run "dig myhost.com @my_second_ip_address" it seems to be talking to a server at that IP on port 53... which is why I'm confused as to who is answering on the other side.

    Can someone give me a clue as to how this is supposed to work? Should I set up bind and manage my own nameserver? Is Jag somehow managing one that's behind the scenes but responds to requests at my IP?

    Thanks!

  2. #2
    Technical Support Rep.
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    526
    Hi,

    Second, the email says I should set up ns1.mydomain.com and ns2.mydomain.com with my registrar to point to my second and third VPS ip addresses. If I do this, do I need to also set up my own DNS server on the machine?
    Yes, you need bind running on your VPS.

    If I need to set up my own DNS servers, that's fine with me - I'm familiar with bind (and others) and I know what records to set. I'm curious though - the template that was installed for Ubuntu for my VPS seems to have bind already installed, although it doesn't seem to be running.
    I'm not familiar with the Ubuntu template but I believe most of our VPS templates have bind configured as a recursive name-server by default.

    If I run "dig myhost.com @my_second_ip_address" it seems to be talking to a server at that IP on port 53... which is why I'm confused as to who is answering on the other side
    Your server should be the one that is answering the requests.

    With bind all you really need to do is create your zone file for each domain in /var/named and then add that zone to your /etc/named.conf (paths may vary between distributions).

    You can easily determine if bind is running by checking the process list via
    ps aux | grep named
    ps aux | grep bind

    You may also have nsd configured by default which would explain what is resolving requests if bind isn't running.

    If you need some more detailed instructions please open a ticket and someone should be able to look at your configuration and explain what you need to do.
    I do work for JaguarPC. If you do need help please provide your ticket number (this isn't sensitive information).

    If I'm not active on the forum please open a ticket instead of PMing me. If you think the issue requires access to your server please open a ticket.

  3. #3
    JPC Member
    Join Date
    Dec 2008
    Posts
    9
    Thanks for the help so far.

    Your answers are exactly what I expected to be the case; the only reason I'm confused is this:

    I don't seem to be running any name server on my machine, yet I can talk to a nameserver at my ip:

    $ nslookup
    > server 69.73.x.y
    Default server: 69.73.x.y
    Address: 69.73.x.y#53
    > google.com
    Server: 69.73.x.y
    Address: 69.73.x.y#53

    Non-authoritative answer:
    Name: google.com
    Address: 74.125.45.100
    >

    Here's the full process listing:

    $ sudo ps aux
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.0 0.0 10372 788 ? Ss Dec24 0:02 init [2]
    root 5523 0.0 0.0 50908 1160 ? Ss Dec24 0:00 /usr/sbin/sshd
    www-data 19520 0.0 0.0 111572 2584 ? S 01:50 0:00 /usr/sbin/apache2 -k start
    root 19612 0.0 0.0 67964 2900 ? Ss 08:41 0:00 sshd: serpent [priv]
    root 19692 0.0 0.0 19320 896 ? Ss Dec25 0:00 /usr/sbin/xinetd -pidfile /var/run/xinetd.pid -stayalive -inetd_compat
    serpent 19812 0.0 0.0 67964 1724 ? S 08:41 0:00 sshd: serpent@pts/0
    root 19827 0.0 0.0 36676 2152 ? Ss Dec25 0:00 /usr/lib/postfix/master
    serpent 19847 0.0 0.0 18060 2056 pts/0 Ss 08:41 0:00 -bash
    postfix 19914 0.0 0.0 38728 2052 ? S 08:41 0:00 pickup -l -t fifo -u -c
    root 21874 0.0 0.0 14772 992 pts/0 R+ 08:42 0:00 ps aux
    syslog 24185 0.0 0.0 12288 736 ? Ss Dec24 0:00 /sbin/syslogd -u syslog
    root 25676 0.0 0.0 18604 972 ? Ss Dec24 0:00 /usr/sbin/cron
    root 25706 0.0 0.0 111440 2672 ? Ss Dec24 0:00 /usr/sbin/apache2 -k start
    www-data 25708 0.0 0.0 111572 2608 ? S Dec24 0:00 /usr/sbin/apache2 -k start
    postfix 32551 0.0 0.0 38776 2088 ? S Dec25 0:00 qmgr -l -t fifo -u
    postfix 32719 0.0 0.0 41236 2960 ? S Dec25 0:00 tlsmgr -l -t unix -u -c

    and here are the only open ports:

    $ sudo netstat -lpn
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 19520/apache2
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 19827/master
    tcp 0 0 0.0.0.0:2525 0.0.0.0:* LISTEN 19827/master
    tcp6 0 0 :::22 :::* LISTEN 5523/sshd

    You can see where my confusion started. How are my test queries being answered? Or, what am I doing wrong?

  4. #4
    JPC Member
    Join Date
    Dec 2008
    Posts
    9
    Ugh, looks like nslookup is my problem. After setting a "server", nslookup still seems to be getting data from elsewhere.

    $ nslookup
    > server 1.1.1.1
    Default server: 1.1.1.1
    Address: 1.1.1.1#53
    > google.com
    Server: 1.1.1.1
    Address: 1.1.1.1#53

    Non-authoritative answer:
    Name: google.com
    Address: 74.125.45.100


    Sorry for the noise. I'll figure out how to make nslookup bend to my will.

  5. #5
    JPC Member
    Join Date
    Dec 2008
    Posts
    9
    I found the problem - and boy was I surprised. No wonder I was confused.

    The ISP where I'm currently at for the holidays apparently hijacks all outgoing DNS queries and redirects them to the ISP's DNS server. So a query from my machine to my ip (or any ip outside this house) is getting valid DNS data because of this hijacking.

    Who would have guessed.

    Thanks for your help.

  6. #6
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote, originally posted by Serpent:
    The ISP where I'm currently at for the holidays apparently hijacks all outgoing DNS queries and redirects them to the ISP's DNS server. So a query from my machine to my ip (or any ip outside this house) is getting valid DNS data because of this hijacking.

    Who would have guessed?
    Whoa, indeed!

    DNS hijacking is very popular these days, but 'black hats' usually do it to steal your CC info, et cetera!

    Um...

    Are you SURE the ISP did the spoofing - and not some hacker(s)???
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  7. #7
    JPC Member
    Join Date
    Dec 2008
    Posts
    9
    I think it's very unlikely - without having a machine between me and the internet, how would a black hat be intercepting all traffic and redirecting some?

  8. #8
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote, originally posted by Serpent:
    I think it's very unlikely - without having a machine between me and the internet, how would a black hat be intercepting all traffic and redirecting some?
    Hrm...

    Most ppl let the ISP choose the DNS server for them - dittos for the IPs of your local machine(s). I never have understood this - laziness, I guess - or ignorance.

    I digress...

    Microsoft 'discovered' an IE bug last week, that was being exploited and went undetected for at least 9 years (according to MS). This vuln affected all versions of Internet Explorer and all versions of Windows from Win95 to Server 2008, and was being exploited the whole time!

    Who knows what these characters are up to?!?!?

    Is it so far fetched to think hackers would invade the sanctity of an ISP and redirect the ISP's DNS servers to their own for phishing?

    I have 3 routers in this house, and a gateway, and they're all set up to use specific addies at my ISP. I've also used open servers such as OpenDNS in the past:

    http://www.opendns.com/smb/solutions

    You might want to use them when you're on the road - that's what I do.

    NOTE: This service was started by hackers (gone legit), so caveat emptor.

    Sometimes I use Level3 servers (4.2.2.1 - 4.2.2.8) and/or even JagPC servers when I'm away from the house...

    I certainly wouldn't allow some hotel, airport, or my semi-computer illiterate relatives to pick my DNS server, you know? War driving is always risky, but what are you gonna do?

    Anyway, I'm glad you figured out the problem. I read your OP last night and was at a loss.

    Makes perfect sense now. Good work, detective!

  9. #9
    JPC Member
    Join Date
    Dec 2008
    Posts
    9
    This is a bit different from taking over the ISP's DNS server - no matter what IP I send a request to, someone is responding.

    I wonder how easy it would be for someone between me and the 'net to sniff the network for UDP DNS traffic and inject a response. That's more like what's going on here. I guess it depends just how close they are (to beat the response time of my dest) and how much of my traffic they can see.

  10. #10
    Yeah, I know a LOT! Vin DSL
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote, originally posted by Serpent:
    I guess it depends just how close they are (to beat the response time of my dest)...
    I like the way your mind works!

  11. #11
    Technical Support Rep.
    Join Date
    Oct 2008
    Location
    Canada
    Posts
    526
    Quote, originally posted by Serpent:
    I found the problem - and boy was I surprised. No wonder I was confused.

    The ISP where I'm currently at for the holidays apparently hijacks all outgoing DNS queries and redirects them to the ISP's DNS server. So a query from my machine to my ip (or any ip outside this house) is getting valid DNS data because of this hijacking.

    Who would have guessed.

    Thanks for your help.
    Many hotels set up what is known as a walled garden so they can require you to pay before being able to access the Internet.

    I would guess that the first time you connected you were presented with a login page when you first fired up your browser to provide some authentication details.

    This is an extremely common practice and although the potential for evil is there it is usually harmless. That said, always use SSL/TLS for transmitting any sensitive information.

  12. #12
    JPC Member
    Join Date
    Dec 2008
    Posts
    9
    Yeah I'm well aware of walled gardens (and I've used tcp-over-dns to get around them). I've just never heard of an ISP doing that to all DNS queries. I learned something new.
