FutureQuest, Inc.

Old 12-10-2018, 12:54 PM   Postid: 186873
Slim
Site Owner
 
 
Join Date: Nov 2001
Location: Ann Arbor, Michigan
Posts: 182
Certs and shadow-dns

In adding a new domain as an IRM, for my brother, he used Google as a registrar, and is using their DNS service.

Following the instructions on
https://service.futurequest.net/inde...my-domains-dns
I had him set up his domain CNAMEs to reference .../hisdomain.com.fqdns.net

After he had that in place, I tried going to his site in my browser, and got the "Your Connection is not Private" message from Chrome.

Of course. I have a cert, and I have a rewrite rule to send everything to https:
And his domain was not on the cert yet.

So I went to the CNC and added it.

But, having done the Shadow DNS trick, the domain was really that .fqdns.net domain, which is not included under the cert.

I'm guessing that he will have to ignore the shadow DNS idea, and just use the IP address in his CNAME records, and will just have to change those any time the IP address has to change?

Or does someone have experience and know another way?
Old 12-10-2018, 01:05 PM   Postid: 186874
 Bob
Service Rep
 
 
Join Date: Dec 1999
Location: Jacksonville, Fl
Posts: 5,730
Re: Certs and shadow-dns

Hello Slim,

It doesn't appear that the domain in question is set up with a CNAME; more likely you have redirected it?

If you add a CNAME for the domain (and the www.domain) then it should point to the correct IP and resolve to the domain name without the fqdns.net part...

i.e. domain.com CNAME domain.com.fqdns.net

When configured correctly and you dig the name server for the domain, it would show the CNAME; currently it shows the Google IP address:

;; QUESTION SECTION:
;domain.com. IN A

;; ANSWER SECTION:
domain.com. 1278 IN A 216.239.32.21
domain.com. 1278 IN A 216.239.34.21
domain.com. 1278 IN A 216.239.36.21
domain.com. 1278 IN A 216.239.38.21

-Bob
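A TLS client checks the certificate against the hostname in the URL, not against the CNAME target that DNS returns along the way. The sketch below is an added example, not code from the thread or from FutureQuest; the SAN lists are constructed and `primary.example` is a hypothetical stand-in for the account's original domain.

```python
from urllib.parse import urlsplit

# Constructed sample data: SAN lists standing in for the hosting account's
# certificate before and after the new domain was added in the control panel.
# "primary.example" is a hypothetical name for the account's original domain.
SAN_BEFORE = ["primary.example", "www.primary.example"]
SAN_AFTER = SAN_BEFORE + ["domain.com", "www.domain.com"]


def reference_name(url):
    """Name a TLS client verifies: the host in the URL, not any name found in DNS."""
    return urlsplit(url).hostname.rstrip(".").lower()


def san_matches(pattern, host):
    """Compare one SAN dNSName with a hostname, label by label.

    A '*' is honoured only as the entire leftmost label and never directly
    above a single-label suffix ('*.com'); a simplification of browser rules.
    """
    p = pattern.rstrip(".").lower().split(".")
    h = host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(url, san_dns_names):
    """True if the certificate's SAN list covers the host named in the URL."""
    host = reference_name(url)
    return any(san_matches(san, host) for san in san_dns_names)


if __name__ == "__main__":
    for label, sans in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        for url in ("https://domain.com/", "https://www.domain.com/",
                    "https://www.domain.com.fqdns.net/"):
            print(label, url, cert_covers(url, sans))
```

The `.fqdns.net` name only fails the check when it is the name actually typed into the browser or the target of an HTTP redirect.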
Old 12-10-2018, 02:13 PM   Postid: 186875
Slim
Site Owner
 
Re: Certs and shadow-dns

Quote:
Originally Posted by Bob
Hello Slim,
It doesn't appear that the domain in question is setup with a CNAME, more likely you have redirected it?

It's a little hard for me to tell; I don't have the Google interface, since it is on my brother's account.
Perhaps Google doesn't provide the ability to set up a CNAME and he redirected instead?


Is this how dig results would look with a CNAME set up correctly?

domain.com CNAME domain.com.fqdns.net

If we cannot set up a CNAME in Google, the only fix would be to move the DNS servers to FQuest DNS?
Old 12-10-2018, 02:18 PM   Postid: 186876
 Bob
Service Rep
 
Re: Certs and shadow-dns

It would look something like this:

;; QUESTION SECTION:
;domain.com. IN A

;; ANSWER SECTION:
domain.com. 600 IN CNAME domain.com.fqdns.net
domain.com.fqdns.net 600 IN A 69.5.XX.XXX

And if you cannot set a CNAME or A record then you would have to set the domain to use the FutureQuest Name Servers and manage the DNS from here.

-Bob
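The two dig answers quoted in this thread (address records returned directly versus a CNAME to the `.fqdns.net` name) can be told apart mechanically. The following is an added example, not a FutureQuest tool; the status labels are this sketch's own and the second sample is constructed, with 192.0.2.10 standing in for the masked host address.

```python
import re

# ANSWER-section line: owner, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

# First sample is taken from the answer quoted earlier in the thread; the second
# is constructed, with 192.0.2.10 (documentation range) standing in for the host IP.
FORWARDED = """\
;; ANSWER SECTION:
domain.com. 1278 IN A 216.239.32.21
domain.com. 1278 IN A 216.239.34.21
"""
SHADOW = """\
;; ANSWER SECTION:
domain.com. 600 IN CNAME domain.com.fqdns.net.
domain.com.fqdns.net. 600 IN A 192.0.2.10
"""


def norm(name):
    """Lowercase a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_answer(text):
    """Return (owner, type, rdata) tuples from dig output, skipping ';' lines."""
    out = []
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            out.append((norm(owner), rtype, norm(rdata) if rtype == "CNAME" else rdata))
    return out


def classify(qname, text, shadow_suffix="fqdns.net"):
    """Follow the CNAME chain from qname; report how the name is published."""
    records, name, chain, seen = parse_answer(text), norm(qname), [], set()
    while name not in seen:          # 'seen' stops a CNAME loop
        seen.add(name)
        target = next((d for o, t, d in records if o == name and t == "CNAME"), None)
        if target is None:
            break
        chain.append(target)
        name = target
    addrs = [d for o, t, d in records if o == name and t in ("A", "AAAA")]
    if chain:
        status = "shadow-cname" if chain[0] == f"{norm(qname)}.{shadow_suffix}" else "other-cname"
    else:
        status = "direct-address" if addrs else "no-answer"
    return status, chain, addrs
```

A `direct-address` result is not an error in itself; it means the addresses must be compared by hand with the host's current IP, since nothing in DNS will follow a later change.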
Old 12-10-2018, 02:54 PM   Postid: 186877
Slim
Site Owner
 
Re: Certs and shadow-dns

Bob,
We've had some success (www.domain.com) and some failure (domain.com).

The www. subdomain was no problem doing a CNAME record. But Google Domains said that it doesn't allow a CNAME on the base name.

So, we've switched over to putting in an A record (which it seemed not to allow the first time, from what my brother said) but did allow after we had done the CNAME.

Now we have to wait for propagation because we used up all our browsers and machines experimenting.

IF the A record works, we will go with that. If not, we'll move to the FQUEST DNS servers.

Thanks for all the help.
Old 12-10-2018, 03:06 PM   Postid: 186878
 Bob
Service Rep
 
Re: Certs and shadow-dns

As far as I can tell it looks good now

"Under Construction
This site is currently under construction and testing"

-Bob
Old 12-10-2018, 03:59 PM   Postid: 186879
Slim
Site Owner
 
Re: Certs and shadow-dns

The A record seems to have worked just fine.
But it's good to know that Google as a DNS provider doesn't allow a CNAME record on the base domain name.

The dig record still shows the CNAME for the www.domain.com entry.
I'm not sure if we should try to change that or not. It works fine.

Last edited by Slim : 12-10-2018 at 04:15 PM. Reason: Extra info
Old 12-10-2018, 04:27 PM   Postid: 186880
Slim
Site Owner
 
Re: Certs and shadow-dns

Doing a bit of searching, I read a claim about setting the CNAME for the naked domain: RFC 1034 section 3.6.2 says that if you have a CNAME, you can't have any other data for the record, and you'll have an NS record.

I have now seen a claim
https://www.tachyonstemplates.com/20...-forward-root/
that it is possible to get the effect by doing the CNAME for the www subdomain, and then creating a synthetic record for a permanent redirect, with an @ for the subdomain field.
Seems to get pretty twisted.
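The RFC 1034 section 3.6.2 rule mentioned above can be checked over a zone's records: a name that owns a CNAME may hold no other data, and the base domain always holds SOA and NS records. This is an added example, not part of the thread; the zone lines, the `ns1.dns.example.` name server and the 192.0.2.10 address are constructed.

```python
from collections import defaultdict

# Types that may legitimately sit beside a CNAME in a DNSSEC-signed zone (RFC 4035).
DNSSEC_OK = {"RRSIG", "NSEC"}

# Constructed zone data for the thread's placeholder domain.
BASE = """\
@    3600 IN SOA   ns1.dns.example. hostmaster.domain.com. 1 7200 900 1209600 300
@    3600 IN NS    ns1.dns.example.
www  600  IN CNAME www.domain.com.fqdns.net.
"""
APEX_CNAME = BASE + "@ 600 IN CNAME domain.com.fqdns.net.\n"   # what the registrar refused
APEX_A = BASE + "@ 600 IN A 192.0.2.10\n"                      # the A-record alternative


def parse_zone(text, origin):
    """Yield (owner, type) from 'owner [ttl] [IN] type rdata' lines."""
    origin = origin.rstrip(".").lower()
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop zone-file comments
        if len(fields) < 3:
            continue
        owner = fields[0].lower()
        if owner == "@":                        # '@' is the zone's base name
            owner = origin
        elif owner.endswith("."):               # already fully qualified
            owner = owner.rstrip(".")
        else:                                   # relative name such as 'www'
            owner = f"{owner}.{origin}"
        i = 1
        while i < len(fields) - 1 and (fields[i].isdigit() or fields[i].upper() == "IN"):
            i += 1                              # skip optional TTL and class
        yield owner, fields[i].upper()


def cname_conflicts(text, origin):
    """Map each owner that has a CNAME to the other types found at that name."""
    types = defaultdict(set)
    for owner, rtype in parse_zone(text, origin):
        types[owner].add(rtype)
    return {o: sorted(t - {"CNAME"} - DNSSEC_OK)
            for o, t in types.items()
            if "CNAME" in t and t - {"CNAME"} - DNSSEC_OK}
```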
Hosted & Administrated by FutureQuest, Inc.
Images & content copyright © 1998-2019 FutureQuest, Inc.