Forward all TLD requests to another server

Question

So, an emergency has been landed in my lap, and unfortunately I'm ill-equipped to deal with it. An IT tech for a client's company changed the A record for a domain, then went on holiday. He is the only one who has access, and there's no way to change it back until he reappears from the jungle.

He was supposed to point just the www. A record to a new IP, pointing to our server which is hosting mysite.com - however, he changed the * A record to the new IP - meaning all subdomains are now effectively dead (mail., exchange., secure., etc). Originally the * A record pointed to another server that handled all of the subdomain requests separately.

Although I can't access the DNS controls, I do have complete access to the DigitalOcean server and control panel for where the *A record is now pointing.

Is there anything I can do from my end on the DigitalOcean server, either via the DNS control panel (although it doesn't appear so at a glance) or via the virtual.conf file (see below) to properly forward any requests (i.e. mail.mysite.com) to the correct IP that should then handle the request correctly?

For reference, the server is CentOS 6.5 x64 running nginx. The server block that's currently handling the incoming request is as follows:

server {
    listen       80;
    server_name  mysite.com www.mysite.com;
    root   /var/www/html/mysite.com/;
    error_page 403 404 500 502 503 504 = /server_error.php;
    index  index.php index.html index.htm;

    location / {
         try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

Thanks for your help. Apologies for the TL;DR.

I think you'll ultimately be be better off with a NAT-all-the-things 1:1 NAT via iptables. — user9517, Apr 19 '14 at 19:11

Shane Madden · Accepted Answer · 2014-04-19T18:42:40.647

4

For HTTP that might work, but for HTTPS the server might not have the right certificates, and for other protocols (such as for email) the HTTP service won't do the job.

Maybe stand up HAProxy in tcp mode, listening on the ports that connections come in on and proxying to the correct ports on the "real" server? This might not work quite right for some services, as the apparent source of the connection will be the HAProxy box.

A better approach might be to get access to the DNS. There must be some mechanism you can use to gain access to the account; is nobody else at the client's company set up as a contact with the DNS provider? Or can you just reset the guy's email password and then fire a password reset email?

Edit:

To get HAProxy working for this case, you'll want to install HAProxy - this requires EPEL to be enabled, if it's not already. Then yum install haproxy.

Edit /etc/haproxy/haproxy.cfg; not sure what exactly the default config looks like in there, but you'll want to clear out any listen sections first, while leaving the global and defaults sections.

Then, for each listening port that you need to send to the other server, you will want a section like this (note that if you add port 80, you'll need to stop the nginx service first):

listen port-443
    bind :443
    mode tcp
    balance roundrobin
    server realserver 192.0.2.1:443

(where 192.0.2.1 is the IP of the server that should be handling the connection).

edited Apr 19 '14 at 18:42

answered Apr 19 '14 at 18:24

Shane Madden

114,520
13
181
251

Thanks for the quick response. I had realised almost immediately that non-port-80 requests would fall down. There had been a suggestion of getting a password reset on the DNS control panel, then intercepting that email via the email server (different domain), but that has been shunned due to questionable ethics. My house currently sits between the rock and the hard place. – indextwo Apr 19 '14 at 18:28
@indextwo Heh, fair enough. HAProxy in tcp mode is probably worth a shot then, and will likely work for most of the services. Need some help with an example config for that? – Shane Madden Apr 19 '14 at 18:30
That would genuinely be amazing. I've never even heard of HAProxy before. In case it's not all that obvious, servers are not entirely my bag, however literally everybody is on holiday. Would I need to know the incoming subdomains in the first instance (as I may have to grab that list from someone else)? – indextwo Apr 19 '14 at 18:33
@ShaneMadden: "email" is not a protocol :) :) – MichelZ Apr 19 '14 at 18:42
@indextwo Those connections just need to go directly to the correct server and it should hopefully function correctly - the new server will just act as a dumb pipe to send the connections to the right place. – Shane Madden Apr 19 '14 at 18:44
1

@MichelZ Haha, yeah.. I was going for shorthand for "SMTP/IMAP/POP/MAPI/RPC-over-HTTPS-which-isn't-compliant-HTTP" :) – Shane Madden Apr 19 '14 at 18:45
@ShaneMadden That's what I was hoping for - dumb pipe! I'm currently looking to install HAProxy now and then get a list of the appropriate subdomains and connections from someone in the U.S.. Genuinely brilliant answer. Have a tick, an upvote, and my last two MySpace kudos. – indextwo Apr 19 '14 at 18:47
2

`There had been a suggestion of getting a password reset on the DNS control panel, then intercepting that email via the email server (different domain), but that has been shunned due to questionable ethics` - That makes no sense. It's not questionable from an ethics standpoint for the company that "owns" the domain name to request a password reset in order to access the DNS zone. Furthermore, a phone call to the Registrar or DNS host could probably quickly resolve this. – joeqwerty Apr 19 '14 at 19:26
The 'ethical' position was taken by someone at the company after I passed on the suggestion. Worth noting that this would have been done by an external IT company that looks after their network. Someone at the client company need to give this approval; he refused. Nothing we could do beyond that point. Re: registrar - see comment below in response to @MichelZ. – indextwo Apr 19 '14 at 19:32
@joeqwerty: In parts of Europe it is illegal to read employees emails - yeah I know ... – user9517 Apr 19 '14 at 19:38

score 3 · Answer 2 · answered Apr 19 '14 at 18:54

3

Another approach would be to just call the DNS Service provider, and explain them what happened. I guess after some "proof" that you're the owner of the domain / delegate or something, they might give you access or change it for you...

answered Apr 19 '14 at 18:54

MichelZ

11,068
4
32
59

Unfortunately this has already been attempted by myself and someone else at the company. For whatever reason, the owner of the domain is this one person, and no other party has any kind of access or recourse. Interestingly, person from the company called them up in a fluster and got nowhere; I called them up (third party, no connection) and managed to get DNS details that explained the root of the issue. +1 for politeness! – indextwo Apr 19 '14 at 19:28
You've got a load of problems then there... hope you can get them all fixed! – MichelZ Apr 19 '14 at 19:31
I ran out of fingers to count my problems on. Thanks though! – indextwo Apr 19 '14 at 19:33

Forward all TLD requests to another server

2 Answers2

Linked