FAQs
DNS
This tutorial is operating under the assumption that you are using SSH.
Step 1. Check the official nameservers for the domain with:
Step 2. Check that the DNS records are @ the official nameservers:
Step 3. Verify when there may have been a recent change to this domain.
Step 4. Check on DNS propagation to see if this appears to be the issue:
Other Very Helpful Tools:
Step 1. Check the official nameservers for the domain with:
whois domain.com
Step 2. Check that the DNS records are @ the official nameservers:
dig +short @[nameserver] domain.com type
ex. dig +short @ns1.west-datacenter.net ifurniss.whsites.net
Step 3. Verify when there may have been a recent change to this domain.
Step 4. Check on DNS propagation to see if this appears to be the issue:
http://whatsmydns.net/#A/domain.com
ex. http://whatsmydns.net/#A/ifurniss.whsites.net/
**Free Proxy servers**
http://zend2.com/
http://freeproxyserver.net/
**Sites to check website**
http://meormyhost.com/
http://downforeveryoneorjustme.com/
Other Helpful Tools:
dig +short @nameserver domain type
nslookup domain.com
host domain.com
host -t mx domain.com
host ip_address → reverse DNS whois domain.com http://whatsmydns.com/#A/domain.com
Step 1. Check the official nameservers for the domain with:
Step 2. Check that the DNS records are @ the official nameservers:
Step 3. Verify when there may have been a recent change to this domain.
Step 4. Check on DNS propagation to see if this appears to be the issue:
Other Very Helpful Tools:
Step 1. Check the official nameservers for the domain with:
whois domain.com
Step 2. Check that the DNS records are @ the official nameservers:
dig +short @[nameserver] domain.com type
ex. dig +short @ns1.west-datacenter.net ifurniss.whsites.net
Step 3. Verify when there may have been a recent change to this domain.
Step 4. Check on DNS propagation to see if this appears to be the issue:
http://whatsmydns.net/#A/domain.com
ex. http://whatsmydns.net/#A/ifurniss.whsites.net/
**Free Proxy servers**
http://zend2.com/
http://freeproxyserver.net/
**Sites to check website**
http://meormyhost.com/
http://downforeveryoneorjustme.com/
Other Helpful Tools:
dig +short @nameserver domain type
nslookup domain.com
host domain.com
host -t mx domain.com
host ip_address → reverse DNS whois domain.com http://whatsmydns.com/#A/domain.com
DNS stands for Domain Name System. Think of the DNS as the phonebook of the Internet. You and your clients/visitors know websites by their URL or Domain Name. The Internet only knows websites by their numerical address or IP. When you type a domain name in your browser and submit it, your computer automatically uses DNS to look up its numerical IP address and directs you to the site you are trying to visit.
For instance, using DNS, the domain name westhost.com might translate to 206.130.96.50.
Let's go into some detail to help better understand how this works. First, we need to define some terms.
IP Address: Internet Protocol Addresses are unique numbers that allow devices to locate information on a network. Every network device has an IP address, and sometimes more than one.
Domain Names: These are easy to remember names like URLs and e-mail addresses that are associated with one or more IP addresses. Since a web page is defined by its URL, the page can move to a different IP address without affecting visitors [if the move is performed correctly].
The Internet simply wouldn't work without DNS. For most of us, remembering a long numerical address for every website we want to visit would be very difficult. Because of DNS, you don't ever have to remember the numerical addresses of websites.
Most Internet Service Providers (ISPs) have their own DNS servers that store a list of all the IP addresses and matching domains that have propagated to their network, plus a cache of IP addresses and matching domains for recently accessed servers outside the network. Each computer on each network needs to know the location of only one name server.
DNS is also used to find out where to deliver email for a particular domain.
Let’s continue by breaking down each section of a Domain Name.
TOP-LEVEL DOMAINS or TLDs are the last part of a domain name. These are the letters or short abbreviations after the last period. Some examples of common TLDs are: .com .net .org .biz .edu .co.uk
SECOND-LEVEL DOMAINS are the primary customizable part of a domain name as registered by a client. Some examples are: westhost or google, or wikipedia.
Combine the TLD and Second-level and you get westhost.com, google.com, and wikipedia.com.
THIRD-LEVEL DOMAINS are also known as subdomains and CNAMEs. In a full URL path, the subdomain is written before the domain name. Some common examples are: www , mail , or cpanel.
Add the TLD and Second-Level to the Third-Level and you get: www.wikipedia.com , mail.google.com , and cpanel.yourdomain.com.
Let examine the domain https://next.php-fusion.co.uk
php-fusion.co.uk is the domain name.
.co.uk is the Top Level Domain or TLD
For instance, using DNS, the domain name westhost.com might translate to 206.130.96.50.
Let's go into some detail to help better understand how this works. First, we need to define some terms.
IP Address: Internet Protocol Addresses are unique numbers that allow devices to locate information on a network. Every network device has an IP address, and sometimes more than one.
Domain Names: These are easy to remember names like URLs and e-mail addresses that are associated with one or more IP addresses. Since a web page is defined by its URL, the page can move to a different IP address without affecting visitors [if the move is performed correctly].
The Internet simply wouldn't work without DNS. For most of us, remembering a long numerical address for every website we want to visit would be very difficult. Because of DNS, you don't ever have to remember the numerical addresses of websites.
Most Internet Service Providers (ISPs) have their own DNS servers that store a list of all the IP addresses and matching domains that have propagated to their network, plus a cache of IP addresses and matching domains for recently accessed servers outside the network. Each computer on each network needs to know the location of only one name server.
DNS is also used to find out where to deliver email for a particular domain.
Let’s continue by breaking down each section of a Domain Name.
TOP-LEVEL DOMAINS or TLDs are the last part of a domain name. These are the letters or short abbreviations after the last period. Some examples of common TLDs are: .com .net .org .biz .edu .co.uk
SECOND-LEVEL DOMAINS are the primary customizable part of a domain name as registered by a client. Some examples are: westhost or google, or wikipedia.
Combine the TLD and Second-level and you get westhost.com, google.com, and wikipedia.com.
THIRD-LEVEL DOMAINS are also known as subdomains and CNAMEs. In a full URL path, the subdomain is written before the domain name. Some common examples are: www , mail , or cpanel.
Add the TLD and Second-Level to the Third-Level and you get: www.wikipedia.com , mail.google.com , and cpanel.yourdomain.com.
Let examine the domain https://next.php-fusion.co.uk
php-fusion.co.uk is the domain name.
.co.uk is the Top Level Domain or TLD
Using php-fusion.co.uk or 'domain' as the example, we'll review how DNS works.
At the top of the DNS chain is the Domain Registrar.
Registrars provide registrations for custom Internet domain names like php-fusion.co.uk or yourdomain.com.
At the registrar level you can configure Domain Name Servers which will communicate the necessary resolution information for a domain name.
Usually there will be at least two domain name server addresses for this purpose, which will be provided by your Web host.
If you are with PHP-Fusion there are different domain name servers depending on your account, and you can always contact Tech Support with further questions about how to configure those for your domain.
DNS changes can take time to propagate throughout the Internet in order to work correctly. This can take 3-24 hours to complete.
Allow up to 72 hours for complete worldwide propagation.
Once the DNS are set to a web host, then they will resolve to servers with that company, where the Domain Host information is stored.
This points traffic through to the correct DNS Record for your domain. A DNS record includes all the parts which point your domain to the correct IP address of your server(s) which host the site content and e-mail for your domain.
A breakdown of record types is below.
The A Record [or Host Record] is the central record for DNS. This record links a domain or sub-domain to an IP address.
MX Records [Mail Exchanger] direct e-mail to server for a domain name, and are listed in order of priority with 0 being the highest.
MX records point to a host/domain name for a mailserver.
CNAME Records [Canonical Name] are aliases for A Records. For each CNAME record you can choose an alias and an A record or host/domain name.
At the top of the DNS chain is the Domain Registrar.
Registrars provide registrations for custom Internet domain names like php-fusion.co.uk or yourdomain.com.
At the registrar level you can configure Domain Name Servers which will communicate the necessary resolution information for a domain name.
Usually there will be at least two domain name server addresses for this purpose, which will be provided by your Web host.
If you are with PHP-Fusion there are different domain name servers depending on your account, and you can always contact Tech Support with further questions about how to configure those for your domain.
DNS changes can take time to propagate throughout the Internet in order to work correctly. This can take 3-24 hours to complete.
Allow up to 72 hours for complete worldwide propagation.
Once the DNS are set to a web host, then they will resolve to servers with that company, where the Domain Host information is stored.
This points traffic through to the correct DNS Record for your domain. A DNS record includes all the parts which point your domain to the correct IP address of your server(s) which host the site content and e-mail for your domain.
A breakdown of record types is below.
The A Record [or Host Record] is the central record for DNS. This record links a domain or sub-domain to an IP address.
MX Records [Mail Exchanger] direct e-mail to server for a domain name, and are listed in order of priority with 0 being the highest.
MX records point to a host/domain name for a mailserver.
CNAME Records [Canonical Name] are aliases for A Records. For each CNAME record you can choose an alias and an A record or host/domain name.
DDNS stands for dynamic DNS, or more specifically dynamic Domain Name System. It's a service that maps internet domain names to IP addresses.
Unlike DNS which only works with static IP addresses, DDNS is designed to also support dynamic (changing) IP addresses, such as those assigned by a DHCP server.
Dynamic DNS Means Anytime, Anywhere Network Access. Because ISPs don't assign static IP addresses, accessing devices your network remotely is tricky.
One way around changing IP addresses is to use PHP-Fusions Dynamic DNS service, which automatically tracks the changes to your network's public IP address and relay this information to our DNS Servers.
Unlike DNS which only works with static IP addresses, DDNS is designed to also support dynamic (changing) IP addresses, such as those assigned by a DHCP server.
Dynamic DNS Means Anytime, Anywhere Network Access. Because ISPs don't assign static IP addresses, accessing devices your network remotely is tricky.
One way around changing IP addresses is to use PHP-Fusions Dynamic DNS service, which automatically tracks the changes to your network's public IP address and relay this information to our DNS Servers.
Understanding DNSSEC first requires basic knowledge of how the DNS system works.
The DNS is used to translate domain names (like example.com) into numeric Internet addresses (like 198.161.0.1).
Although this address system is very efficient for computers to read and process the data, it is extremely difficult for people to remember. Let’s say that every time when you need to check a website, you should remember the IP address of the machine where it is located. People often call the DNS system the "phone book of the Internet".
To solve this problem, a numeric IP address was attached to every domain name. The website addresses we know are actually domain names.
Domain name information is stored and accessed on special servers, known as domain name servers, that convert domain names into IP addresses and vice versa.
The top level of the DNS resides in the root zone where all IP addresses and domain names are kept in databases and sorted by top-level domain name, such as .com, .net, .org, etc.
When the DNS was first implemented, it was not secured, and soon after being put into use, several vulnerabilities were discovered. As a result, a security system was developed in the form of extensions that could be added to the existing DNS protocols.
Domain name system security extensions (DNSSEC) are a set of protocols that add a layer of security to the domain name system (DNS) lookup and exchange processes, which have become integral in accessing websites through the Internet.
Advantages of DNSSEC
DNSSEC is aimed at strengthening trust in the Internet by helping to protect users from redirection to fraudulent websites and unintended addresses. In such a way, malicious activities like cache poisoning, pharming, and man-in-the-middle attacks can be prevented.
DNSSEC authenticates the resolution of IP addresses with a cryptographic signature, to make sure that answers provided by the DNS server are valid and authentic. In case DNSSEC is properly enabled for your domain name, the visitors can be ensured that they are connecting to the actual website corresponding to a particular domain name.
How DNSSEC Works
The original purpose of DNSSEC was to protect Internet clients from counterfeit DNS data by verifying digital signatures embedded in the data.
When a visitor enters the domain name in a browser, the resolver verifies the digital signature.
If the digital signatures in the data match those that are stored in the master DNS servers, then the data is allowed to access the client computer making the request.
The DNSSEC digital signature ensures that you're communicating with the site or Internet location you intended to visit.
DNSSEC uses a system of public keys and digital signatures to verify data. It simply adds new records to DNS alongside existing records. These new record types, such as RRSIG and DNSKEY, can be retrieved in the same way as common records such as A, CNAME and MX.
These new records are used to digitally "sign" a domain, using a method known as public key cryptography.
A signed nameserver has a public and private key for each zone. When someone makes a request, it sends information signed with its private key; the recipient then unlocks it with the public key. If a third party tries to send untrustworthy information, it won’t unlock properly with the public key, so the recipient will know the information is bogus.
Note that DNSSEC does not provide data confidentiality because it does not include encryption algorithms. It only carries the keys required to authenticate DNS data as genuine or genuinely not available.
Also, DNSSEC does not protect against DDoS Attacks.
Keys used by DNSSEC
There are two types of keys that are used by DNSSEC:
· The zone signing key (ZSK) - is used to sign and validate the individual record sets within the zone.
· The key signing key (KSK) - is used to sign the DNSKEY records in the zone.
Both of these keys are stored as "DNSKEY" records in the zone file.
Viewing the DS record
The DS record stands for Delegation Signer, and it contains a unique string of your public key as well as metadata about the key, such as what algorithm it uses.
Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest and it looks like the following:
We can break up different components of the DS record to see what information each part holds:
Example.com. - domain name that the DS is for.
3600 - TTL, the time that the record may remain in cache.
IN stands for internet.
2371 - Key Tag, ID of the key.
13 - algorithm type. Each allowed algorithm in DNSSEC has a specified number. Algorithm 13 is ECDSA with a P-256 curve using SHA-256.
2 - Digest Type, or the hash function that was used to generate the digest from the public key.
The long string at the end is the Digest, or the hash of the public key.
All DS records must comply with RFC 3658.
The DNS is used to translate domain names (like example.com) into numeric Internet addresses (like 198.161.0.1).
Although this address system is very efficient for computers to read and process the data, it is extremely difficult for people to remember. Let’s say that every time when you need to check a website, you should remember the IP address of the machine where it is located. People often call the DNS system the "phone book of the Internet".
To solve this problem, a numeric IP address was attached to every domain name. The website addresses we know are actually domain names.
Domain name information is stored and accessed on special servers, known as domain name servers, that convert domain names into IP addresses and vice versa.
The top level of the DNS resides in the root zone where all IP addresses and domain names are kept in databases and sorted by top-level domain name, such as .com, .net, .org, etc.
When the DNS was first implemented, it was not secured, and soon after being put into use, several vulnerabilities were discovered. As a result, a security system was developed in the form of extensions that could be added to the existing DNS protocols.
Domain name system security extensions (DNSSEC) are a set of protocols that add a layer of security to the domain name system (DNS) lookup and exchange processes, which have become integral in accessing websites through the Internet.
Advantages of DNSSEC
DNSSEC is aimed at strengthening trust in the Internet by helping to protect users from redirection to fraudulent websites and unintended addresses. In such a way, malicious activities like cache poisoning, pharming, and man-in-the-middle attacks can be prevented.
DNSSEC authenticates the resolution of IP addresses with a cryptographic signature, to make sure that answers provided by the DNS server are valid and authentic. In case DNSSEC is properly enabled for your domain name, the visitors can be ensured that they are connecting to the actual website corresponding to a particular domain name.
How DNSSEC Works
The original purpose of DNSSEC was to protect Internet clients from counterfeit DNS data by verifying digital signatures embedded in the data.
When a visitor enters the domain name in a browser, the resolver verifies the digital signature.
If the digital signatures in the data match those that are stored in the master DNS servers, then the data is allowed to access the client computer making the request.
The DNSSEC digital signature ensures that you're communicating with the site or Internet location you intended to visit.
DNSSEC uses a system of public keys and digital signatures to verify data. It simply adds new records to DNS alongside existing records. These new record types, such as RRSIG and DNSKEY, can be retrieved in the same way as common records such as A, CNAME and MX.
These new records are used to digitally "sign" a domain, using a method known as public key cryptography.
A signed nameserver has a public and private key for each zone. When someone makes a request, it sends information signed with its private key; the recipient then unlocks it with the public key. If a third party tries to send untrustworthy information, it won’t unlock properly with the public key, so the recipient will know the information is bogus.
Note that DNSSEC does not provide data confidentiality because it does not include encryption algorithms. It only carries the keys required to authenticate DNS data as genuine or genuinely not available.
Also, DNSSEC does not protect against DDoS Attacks.
Keys used by DNSSEC
There are two types of keys that are used by DNSSEC:
· The zone signing key (ZSK) - is used to sign and validate the individual record sets within the zone.
· The key signing key (KSK) - is used to sign the DNSKEY records in the zone.
Both of these keys are stored as "DNSKEY" records in the zone file.
Viewing the DS record
The DS record stands for Delegation Signer, and it contains a unique string of your public key as well as metadata about the key, such as what algorithm it uses.
Each DS record consists of four fields: KeyTag, Algorithm, DigestType and Digest and it looks like the following:
We can break up different components of the DS record to see what information each part holds:
Example.com. - domain name that the DS is for.
3600 - TTL, the time that the record may remain in cache.
IN stands for internet.
2371 - Key Tag, ID of the key.
13 - algorithm type. Each allowed algorithm in DNSSEC has a specified number. Algorithm 13 is ECDSA with a P-256 curve using SHA-256.
2 - Digest Type, or the hash function that was used to generate the digest from the public key.
The long string at the end is the Digest, or the hash of the public key.
All DS records must comply with RFC 3658.