-1

At the data center of the university I work, we have a DNS system, that we use for registering the names of our servers and the addresses of the services that are meant for internal use only.

Usually, we use the following pattern:

server     A        xxx.xxx.xxx.xxx
service    CNAME    server

Now we have a service that we want to resolv to the CNAME record only, when accessing via HTTP, and not to the A record.

Is that possible, using the DNS configuration only?

hiagop
  • 66
  • 1
  • 9
  • 1
    How do you mean... you want to resolve to the CNAME only? Can you give an example of what you're trying to achieve? – Tommiie Sep 04 '18 at 13:26
  • What is the purpose of this? If you don't want to publish the IP to the Internet use different DNS servers for public access and for internal use. – Daniele Santi Sep 04 '18 at 13:27
  • I want that if I try to access the service by the server name (A record), nothing happens. And it respond to the service name only (CNAME record). – hiagop Sep 04 '18 at 13:28
  • @MrShunz, we do this. The DNS I'm talking about is for internal use only, as said in the post. – hiagop Sep 04 '18 at 13:29
  • I just figured out that it is achievable by configuring a virtualhost on the server host the service. But I'm just curious if it is also possible to achieve using DNS configs alone. – hiagop Sep 04 '18 at 13:31
  • 1
    Why do you have a DNS record if you don't want it? Just get rid of it. – Michael Hampton Sep 04 '18 at 13:32
  • 1
    @hiagop well, if a client doesn't know the IP it cannot connect to the server by "name" only. That's why a CNAME query recursively resolves the IP pointed by the CNAME. – Daniele Santi Sep 04 '18 at 13:34
  • @MichaelHampton, thats now the point. We use the server names when accessing the server via SSH. – hiagop Sep 04 '18 at 13:57
  • OK, so you do want the server name, but you don't want the server name? This doesn't really make any sense! – Michael Hampton Sep 04 '18 at 13:58
  • @MichaelHampton, I just want to know if, when accessing _service_ via HTTP, it will respond just by the service name, and not by the server name. – hiagop Sep 04 '18 at 14:01
  • 3
    Oh, OK, that makes sense. Your question never mentioned HTTP though, so it was impossible for anyone to know or even guess that. You should edit your question to make it clear. – Michael Hampton Sep 04 '18 at 14:05
  • But after the edit this would probably be closed as a duplicate... – Esa Jokinen Sep 04 '18 at 15:16
  • @EsaJokinen Possibly. But there's no reason to wait. If you know of a duplicate, please suggest it. I didn't have time to go looking for one. – Michael Hampton Sep 04 '18 at 22:18
  • " we want to resolv to the CNAME" so your service does not need an IP address at all to connect somewhere? Just a name? That is strange... "We use the server names when accessing the server via SSH" you do not thing the SSH client resolves the name to some IP to connecto to? – Patrick Mevzek Sep 05 '18 at 03:30

2 Answers2

1

For some protocols (such as http) you can configure the service to only respond if the client specifies the correct name; in this scenario, you would configure the web server to only respond to http requests containing the CNAME. Based on the comments, you already know how to do this.

There are also protocols in which the server remains ignorant of the name the client is using, in which case there is no way to prevent the user from using the name in the A record.

I do not believe you can do this at the DNS layer. That is, there is no reliable way to make a CNAME that is visible to your clients, and that resolves to the desired IP address, without there being a corresponding A record that is also visible to your clients.

What you can do (depending on what DNS software you're using, I guess) is to have two A records, both pointing to the same IP address, i.e., 

server     A        xxx.xxx.xxx.xxx
service    A        xxx.xxx.xxx.xxx

and then make the server record visible only to the admin staff that need access to it. You don't have to use a CNAME for service names. The only catch is that it is then your responsibility to ensure that the IP addresses for the two names always match.

Harry Johnston
  • 6,005
  • 4
  • 35
  • 52
-2

Yes, it's possible. In fact, that's the first step in resolving it all the way anyway.

To actually do this though, you will (usually) need to bypass your operating system's local DNS resolution methods, as they (again, usually) can't be made to stop at the CNAME record and not resolve any further. I'm not aware of any DNS resolver libraries that allow you to do this, but I do know of a standard tool that does, BIND's dig command will not follow CNAME records if you explicitly ask for a CNAME query type (or an ANY query type, though that may return A or AAAA records too depending on the DNS server).

Austin Hemmelgarn
  • 2,295
  • 9
  • 15
  • 1
    Are you sure `dig` does not follow records? Try `dig www.nic.fr` and see the results and the `CNAME`. If you ask explicitely for a CNAME of course you get it but if you do a default query or an explicit `A` or `AAAA` then CNAME are certainly followed and resolved. – Patrick Mevzek Sep 05 '18 at 03:32
  • I guess I'm a bit too used to sending `ANY` queries, which, for most DNS servers, will not follow CNAME records – Austin Hemmelgarn Sep 05 '18 at 11:43
  • @PatrickMevzek Updated my answer to reflect reality. It's still possible to get `dig` to not resolve them, I'm just _way_ too used to asking for `ANY` queries. – Austin Hemmelgarn Sep 05 '18 at 11:46
  • ANY is a bad idea and will become completely deprecated "soon". It does not do what most people think it does (it just gives back the content of the cache of the recursive nameserver you query, which is not necessarily ALL the records, and most often people think that ANY = ALL), and creates load problems. – Patrick Mevzek Sep 05 '18 at 13:22