# Resolve DNS Name to KVM Guest IP?

## dman777

I use Time Warner as my ISP at my house. I have a router which my ISP leases an IP address to. Behind my router I have my Gentoo system with a NATed IP address from my router. On my Gentoo system I have KVM tap networking using a Linux bridge.

I want to have a KVM guest (Gentoo) and run a small web site for the fun of it. I don't expect any heavy traffic. I registered a domain name for it. From outside on the web, how would I have this domain name resolve to the KVM guest's IP address?

----------

## papahuhn

Well, that depends on what you are allowed to do with the domain you registered. One suggestion:

1. Register a dyndns subdomain like dman777.dyndns.org.
2. Configure it as a CNAME for your official domain dman777.net, so that dman777.net points to dman777.dyndns.org.
3. Let your router or your web server use a dyndns client to update dman777.dyndns.org with the correct IP.
4. Configure explicit port forwarding on your router for TCP/80 towards the web server's internal IP.

----------

## dman777

I already paid for a DNS name on namecheap.com.

With the router being leased just one IP address from my cable company, I'm not sure how to point it to the KVM guest. For instance, if my router's IP address is 98.233.34.11 and my Gentoo host is 192.168.0.1, and the KVM guest is 192.168.0.2... how would I get the DNS name to point to 192.168.0.2? Could I just assign a custom port and use port forwarding on my router? Like dnsname.com = 98.233.34.11:4045 and have my router forward it to 192.168.0.2:80?

----------

## papahuhn

No, DNS does not know anything about ports. You will have to configure 98.233.34.11 for yourdomain.com. Whenever you browse the web, your router uses 98.233.34.11 as the packets' source address, no matter what the internal IPs are. Likewise, internet servers always respond to 98.233.34.11; they don't use the 192.168.x.y addresses. They can't, because you're not the only one using them. So your web server also has to be reachable via 98.233.34.11. When packets arrive at your router, it has to know what to do with them. You can tell your router with an explicit rule that says:

"I have a packet here destined for 98.233.34.11 on TCP port 80. That packet is probably meant to reach the web server, so let's forward it to 192.168.0.2 port 80."

----------

## dman777

OK... I see. I can set up a special rule for packets destined for port 80 to be forwarded to the KVM guest 192.168.1.02. What if I am surfing the internet on my Gentoo host and reply packets come back and get redirected to the KVM guest?

----------

## papahuhn

Applications don't use ports below 1024 as source ports when they communicate with other servers, but higher, random port numbers. So when you surf the internet, it will possibly look like this:

```text
Gentoo box       src 192.168.0.1:34662   dst 209.85.148.138:80
Router LAN side  src 192.168.0.1:34662   dst 209.85.148.138:80
Router WAN side  src 98.233.34.11:34662  dst 209.85.148.138:80
Google reply     src 209.85.148.138:80   dst 98.233.34.11:34662
Router WAN side  src 209.85.148.138:80   dst 98.233.34.11:34662
Router LAN side  src 209.85.148.138:80   dst 192.168.0.1:34662
Gentoo box
```

The router maintains the information that it has translated 192.168.0.1:34662 to 98.233.34.11:34662, so when reply packets come back with 34662 as the destination port, they are meant for 192.168.0.1.

----------
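The translation papahuhn walks through above, together with the explicit TCP/80 rule from his earlier reply, as an added example that is not part of any post in this thread: a small Python model of a NAT router with a connection-tracking table and one port-forward rule. The addresses are the thread's own; the packets and the port-allocation strategy are constructed for illustration and are simpler than what a real router does.

```python
"""Model of the router behaviour papahuhn describes: a stateful source NAT
for outbound traffic plus one static port-forward (DNAT) rule for TCP/80.

Added example, not from the thread. The addresses are the ones used in the
thread (98.233.34.11 public, 192.168.0.1 Gentoo host, 192.168.0.2 KVM guest,
209.85.148.138 the web server being browsed); the packets are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, wan_ip, forwards=None):
        self.wan_ip = wan_ip
        # static rules: public port -> (private ip, private port); "port forwarding"
        self.forwards = dict(forwards or {})
        # connection tracking: public port -> (private ip, private port) of a flow
        # that a LAN machine opened; this is what steers replies to the right host
        self.conntrack = {}

    def _wan_port_for(self, lan_endpoint):
        for wan_port, endpoint in self.conntrack.items():
            if endpoint == lan_endpoint:        # same flow, same mapping
                return wan_port
        wan_port = lan_endpoint[1]              # keep the source port when it is free
        while wan_port in self.forwards or wan_port in self.conntrack:
            wan_port += 1                       # toy allocation; real routers use an ephemeral range
        self.conntrack[wan_port] = lan_endpoint
        return wan_port

    def outbound(self, pkt):
        """LAN -> WAN: the source becomes the single public address (SNAT)."""
        wan_port = self._wan_port_for((pkt.src_ip, pkt.src_port))
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: a tracked reply, a forwarded port, or dropped (None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        if pkt.dst_port in self.conntrack:      # reply to a flow a LAN host opened
            lan_ip, lan_port = self.conntrack[pkt.dst_port]
        elif pkt.dst_port in self.forwards:     # explicit rule: "port 80 goes to the guest"
            lan_ip, lan_port = self.forwards[pkt.dst_port]
        else:
            return None                         # unsolicited and no rule: dropped
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def walkthrough():
    """Replay the thread's scenario; returns (browse, reply, visitor, stray)."""
    router = NatRouter("98.233.34.11", forwards={80: ("192.168.0.2", 80)})
    # the Gentoo host browses a web server: SNAT on the way out
    browse = router.outbound(Packet("192.168.0.1", 34662, "209.85.148.138", 80))
    # the reply comes back to the public address on the tracked port
    reply = router.inbound(Packet("209.85.148.138", 80, "98.233.34.11", browse.src_port))
    # a stranger (constructed address) connects to port 80: the forward rule applies
    visitor = router.inbound(Packet("203.0.113.7", 51000, "98.233.34.11", 80))
    # a stranger hits a port with neither a tracked flow nor a rule: dropped
    stray = router.inbound(Packet("203.0.113.7", 51001, "98.233.34.11", 4045))
    return browse, reply, visitor, stray


if __name__ == "__main__":
    for label, pkt in zip(("browse", "reply", "visitor", "stray"), walkthrough()):
        print(f"{label:8} {pkt}")
```

The model makes the two halves of the answer visible in one place: the reply to the Gentoo host is routed by the conntrack entry, not by any port-forward rule, so forwarding port 80 to the guest cannot hijack the host's browsing, while the only unsolicited traffic that gets past the router is what the explicit rule admits.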

## dman777

Ok, great. Thanks.

I have another dilemma. I bought 2 DNS names because I intended to have two different web sites run on 2 separate KVM guests. Since I only have one outside IP address, is there anything I can do about this?

----------

## cach0rr0

*dman777 wrote:*

> Ok, great. Thanks.
>
> I have another dilemma. I bought 2 DNS names because I intended to have two different web sites run on 2 separate KVM guests. Since I only have one outside IP address, is there anything I can do about this?

Yep. Name-based virtual hosting allows you to house multiple hostnames on a single IP address.

If using Apache, have a gander at /etc/apache2/vhosts.d/*

Your situation is not too unique, so you should be good to go. Do port forwarding of port 80 on the router to your internal IP, and set up vhosts on Apache/nginx/whatever.

----------

## dman777

With Apache name-based virtual hosting, would it work like this?

Outside DNS names:

www.webserver1.com = 98.233.34.11
www.webserver2.com = 98.233.34.11

My router: requests for port 80 forward to KVM guest 192.168.1.2

On the KVM guest:

```apache
# Apache 2.2: enable name-based selection on this address:port
NameVirtualHost 192.168.1.2:80

<VirtualHost 192.168.1.2:80>
    ServerName www.webserver1.com
    DocumentRoot /www/webserver1
</VirtualHost>

<VirtualHost 192.168.1.2:80>
    ServerName www.webserver2.com
    DocumentRoot /www/webserver2
</VirtualHost>
```

----------

## papahuhn

Yes.

----------

## dman777

That is pretty cool. Since there are 2 DNS names for one IP address, how does Apache identify which web server a packet belongs to? Is the DNS name encapsulated somewhere in the TCP/IP stack of the packet?

----------

## papahuhn

The hostname is encoded in an HTTP 1.1 header, which is set by the browser. It will look like this:

```http
GET /index.html HTTP/1.1
Host: dnsname1.com
... more headers ...
```

----------
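How a server actually uses that Host header to choose between the two sites, as an added example that is not part of the thread and is not Apache's own code: a minimal dispatcher that reads the request head and maps the Host value onto dman777's two vhosts. The request bytes are constructed; the fallback to the first vhost for unmatched names and the 400 for a missing Host in HTTP/1.1 mirror Apache's behaviour.

```python
"""Name-based virtual host selection: the Host header is what lets one IP
address serve two sites. Added example modelled on the vhost config posted in
this thread; it is not Apache's code. The request bytes are constructed.
"""

# ServerName -> DocumentRoot, from the two <VirtualHost> blocks in the thread
VHOSTS = {
    "www.webserver1.com": "/www/webserver1",
    "www.webserver2.com": "/www/webserver2",
}
# Apache serves unmatched names from the first <VirtualHost> for the address
DEFAULT_VHOST = "www.webserver1.com"


def parse_request_head(raw):
    """Split an HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # field names are case-insensitive
    return method, target, version, headers


def strip_port(host):
    """Host may carry ':port'; a bracketed IPv6 literal must keep its colons."""
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end >= 0 else host
    return host.split(":", 1)[0]


def dispatch(raw):
    """Return (status, document_root) the way a name-based vhost server would."""
    method, target, version, headers = parse_request_head(raw)
    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            return 400, None                   # Host is mandatory in HTTP/1.1
        return 200, VHOSTS[DEFAULT_VHOST]      # HTTP/1.0 clients get the default site
    name = strip_port(host.lower())
    # an unknown name (or the bare IP) is NOT rejected: it lands on the default vhost
    return 200, VHOSTS.get(name, VHOSTS[DEFAULT_VHOST])


# constructed requests, as browsers (and less friendly clients) send them
REQ_SITE2 = b"GET /index.html HTTP/1.1\r\nHost: www.webserver2.com\r\nUser-Agent: x\r\n\r\n"
REQ_SITE1_PORT = b"GET / HTTP/1.1\r\nHost: WWW.WebServer1.com:80\r\n\r\n"
REQ_BY_IP = b"GET / HTTP/1.1\r\nHost: 98.233.34.11\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.1\r\n\r\n"
REQ_HTTP10 = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_SITE2, REQ_SITE1_PORT, REQ_BY_IP, REQ_NO_HOST, REQ_HTTP10):
        print(req.split(b"\r\n")[0].decode(), "->", dispatch(req))
```

The security-relevant detail is the fallback: a request whose Host matches neither ServerName, including one addressed to the bare IP or carrying a forged Host from a scanner, is served by the first vhost rather than rejected. If either site ever builds links or redirects from the Host header, put a catch-all first vhost in front that returns an error instead.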

## Hu

As an unfortunate side effect of passing the hostname via the HTTP headers, in conjunction with early design decisions for HTTPS, it is not possible to use named virtual hosts for HTTPS with host-specific certificates.  This limitation is because Apache must pick and send a certificate before it can read the HTTP headers, so it cannot know which name the client contacted.

----------

## dman777

Wow. So it would be easy for my website's DNS name to get spoofed and redirected to a different website? I don't plan on using passwords or any logins, so I don't see a need for HTTPS over HTTP. Is there a way to keep this from happening other than using certificates?

----------

## Hu

Easy is relative.  Yes, it is easy for an attacker who can manipulate DNS to interpose his HTTP site in a way that your users will not obviously detect.  However, the vast majority of attackers on the Internet are not in a position to manipulate DNS in that way.  Generally, DNS manipulation is either an isolated attack against users that are logically near the attacker (such as on the same WiFi access point) or is an attack on your registrar to rewrite the authoritative A/AAAA records.

If you are not serving sensitive content, then it is likely not worth the effort to encrypt it.

----------

## salahx

*Hu wrote:*

> As an unfortunate side effect of passing the hostname via the HTTP headers, in conjunction with early design decisions for HTTPS, it is not possible to use named virtual hosts for HTTPS with host-specific certificates. This limitation is because Apache must pick and send a certificate before it can read the HTTP headers, so it cannot know which name the client contacted.

There is, however, an extension to SSL called Server Name Indication to solve this exact problem. Client support is good; the main problem is it's not supported by any version of Internet Explorer on Windows XP, Android 2.x, and to a lesser extent, BlackBerries and Safari before 10.5.6 (Mac)/Vista (Windows). All supported versions of Firefox, Chromium and Opera support it; all supported versions of IE and Safari for Vista and above, and MobileSafari for iOS 4.0 and above, support it as well.

----------
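What SNI changes in the handshake, as an added example that belongs to neither Hu's nor salahx's post: Python that builds a minimal TLS 1.2 ClientHello with and without the server_name extension and parses the name back out. The name travels in the very first message, before any certificate is sent, which is what lets a server pick a per-host certificate; without the extension (the Windows XP and Android 2.x clients salahx mentions) the server sees only the IP and must fall back to a default certificate. The cipher suites, the random and the certificate labels are placeholders; this is a constructed illustration, not a TLS implementation.

```python
"""Server Name Indication (RFC 6066): the client names the site inside the
ClientHello, so the server can choose a certificate before any HTTP header
exists. Added example, not from the thread and not a real TLS stack.
"""
import os
import struct

EXT_SERVER_NAME = 0x0000   # extension type for server_name
NAME_TYPE_HOST = 0         # host_name entry in the ServerNameList


def build_client_hello(server_name=None, client_random=None):
    """Minimal TLS 1.2 ClientHello record; SNI only when server_name is given."""
    rnd = client_random if client_random is not None else os.urandom(32)
    body = b"\x03\x03" + rnd                    # client_version, random
    body += b"\x00"                             # empty session_id
    suites = b"\xc0\x2f\x00\x9c"                # placeholder cipher suite list
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")       # SNI carries an ASCII/IDNA name
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello, or None if the client sent no SNI.

    Raises ValueError for bytes that are not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                             # version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos == len(body):
            return None                                          # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos + 4 <= end:                                    # walk the extension list
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q, list_end = 2, 2 + list_len
            while q + 3 <= list_end:                             # walk the ServerNameList
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == NAME_TYPE_HOST:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def choose_certificate(record, certs_by_name, default_cert):
    """What an SNI-aware server does: pick the cert for the name the client asked for."""
    return certs_by_name.get(extract_sni(record), default_cert)


if __name__ == "__main__":
    certs = {"www.webserver1.com": "cert-1", "www.webserver2.com": "cert-2"}   # placeholders
    with_sni = build_client_hello("www.webserver2.com")
    without = build_client_hello()                        # a client with no SNI support
    print(extract_sni(with_sni), choose_certificate(with_sni, certs, "cert-1"))
    print(extract_sni(without), choose_certificate(without, certs, "cert-1"))
```

Two things worth noticing in the parser: the name is read from plaintext, since nothing has been negotiated yet, so SNI is also visible to anyone on the path; and a client without the extension is indistinguishable from one asking for the default site, which is why the first SSL vhost on an address should be the one whose certificate you are least unhappy presenting to everyone.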

## cach0rr0

*salahx wrote:*

> There is, however, an extension to SSL called Server Name Indication to solve this exact problem. Client support is good; the main problem is it's not supported by any version of Internet Explorer on Windows XP, Android 2.x, and to a lesser extent, BlackBerries and Safari before 10.5.6 (Mac)/Vista (Windows). All supported versions of Firefox, Chromium and Opera support it; all supported versions of IE and Safari for Vista and above, and MobileSafari for iOS 4.0 and above, support it as well.

 

For whatever it's worth, I know for certain it works with Android 4.0, as we have a setup at work that requires SNI. 

The big pain for me - and why I finally convinced the boss to move to gentoo for this - was that CentOS 5 has no build of openssl available that actually supports SNI. Can you get one on there? Yes, but with much, much, much pain. 

I have not had any issues with SNI in our setup. Nor have I for some years now with other non-work things that require it. 

Not particularly painful to set up on the Apache side of things either.

----------

