web app dns override - scala

I am not a programmer but I have an idea that I would like to see developed. I want to have a cross platform web app that is programmed to, for any DNS look-up request from any app on the device (even native apps), first look in our DNS server that will check to see if the service provider is a member of our system, and if so, a different experience will be delivered to the user, and if not, then the user's device should be forwarded to the normal DNS that is specified in system settings. Is this feasible? Are there any risks to the users or me? Can the code be safe from being tampered with?
Many thanks.

What you are doing is not easily feasible for a web application. In effect, what you are doing is running your own DNS server which the users connect to: if the website provider is a member, you already have their DNS records loaded and it provides one set of records, and if the website is not a member, then it performs a forward lookup to an upstream provider to get the global DNS records for the DNS query made. I have implemented this for a number of small and medium businesses on their local networks so that queries to certain domains from the LAN resolve to internal addresses, both for the purpose of blocking domains from being accessed from work as well as for connecting the users to local servers where the domain in question is hosted locally. However, to do this for client devices not on a single network would mean you would have to either install software to change the DNS settings on the device or have the user change their DNS settings themselves, which would not give you a unified experience as some would and some wouldn't, especially if you are talking about members of the public and their own devices. If memory serves, there are also restrictions in place on mobile devices, including Android and iOS devices, which prevent an app from altering network settings such as DNS as a security precaution, as such an app would present a huge risk to user online security. The best bet would be to simply provide DNS hosting for service providers, so they host their DNS records with you and you can present the enhanced experience to the end user.

Related

Can Let's Encrypt distribute multiple certificates for a single domain name?

Can Let's Encrypt distribute multiple certificates for a single domain name? I mean all of them being valid at the same time.
Yes. Check out the rate limit documentation:
https://letsencrypt.org/docs/rate-limits/
If you need to do so for testing, the staging API rate limit is much higher.
In fact, I’m working on a home cloud system and we’re building a kind of “inside out” cloud where the devices use Greenlock and Telebit so that they each have their own certificate and connection rather than being behind a load balancer - exactly the kind of thing we couldn’t reasonably do without Let’s Encrypt.
Also, if you've got an application where you're sharing a domain among many hosts be sure to get your shared domains listed in the Public Suffix List both for security and so you don't hit rate limits.

Authenticating lots of clients for a REST API

We have a large number of small devices deployed in the wild that communicate with a central server via a REST API. Each device will send a status update on a regular basis with some sensor data and will also ask the server if there are any software updates that need to be applied. If there are, it will download them, etc.
I'd like some way to prevent my server API from being used by unauthorised clients. Here are the solutions that I have and the issues which I anticipate. This question is somewhat open ended but it is mostly a question of best practices for, what I think is, a common situation.
1. Keep a single username/password on the server and then use basic auth over HTTPS. This is simple, but if I change it, I'd have to somehow change the credentials on all of my devices (which number in the low thousands). This is hard to do reliably. There's also a problem with how the devices are going to get the update without first changing their creds.
2. Create a username/password for every device. Then I can update individual ones and manage them, but there's a lot of state on the server and I'm worried about having this much data on the server.
3. Some kind of automatic key-based system whereby the devices can ask for an expirable key and then use that for all transactions. If the key expires or is invalidated, that device can't connect anymore. This would necessitate some kind of id for the device which I'm not sure how to handle.
So, how would I do this?
Update
In our setup, we have assigned hostnames for each of the devices we're going to deploy created beforehand. Once the devices switch on, they will contact the server with their hostnames and thereby register themselves. The MAC address and other information is passed as part of the initial registration handshake.
So, the "unique identifier" which was mentioned in the answer (and comment) by Noksi is the hostname. This can be easily spoofed (since the hostnames have a pattern). However, when the devices first come online, we can get the MAC and, after that, only refresh the token if the request comes from the same MAC. This opens up the possibility of a fake registration happening the first time though.
If there is some way to uniquely identify each device (similar to a MAC address) then that would be the key. Keep a registry of the devices and have each device register with the server. The server would provide the device with a token and associate it (the token) with the registered device. The device uses that token to make requests. Tokens can be made to expire and renewed as needed, or can be blacklisted if needed. This seems to be similar to option 3 in the proposed options.
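The register-then-token scheme described in this answer, as an added example that is not part of the original thread. It assumes a per-server secret, a hostname as the device id and the MAC as the value bound at first contact (all constructed here); tokens are HMAC-signed with an expiry and a blacklist, and the first-contact binding is the trust-on-first-use step the question's update flags as spoofable.

```python
import base64, hashlib, hmac, json, secrets, time


class DeviceAuth:
    """Server-side registry and token service for a fleet of devices.

    First registration of a hostname binds the MAC it arrived with (trust on
    first use); later registrations must present the same MAC to get a token.
    Tokens are HMAC-signed, carry an expiry, and can be blacklisted by id."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 3600):
        self.key = server_key          # secret that never leaves the server
        self.ttl = ttl_seconds
        self.registry = {}             # hostname -> MAC bound at first contact
        self.revoked = set()           # token ids (jti) that were blacklisted

    def register(self, hostname, mac, now=None):
        """Return a token for the device, or None if the MAC does not match."""
        bound = self.registry.setdefault(hostname, mac)
        if not hmac.compare_digest(bound.encode(), mac.encode()):
            return None
        return self.issue(hostname, now)

    def issue(self, hostname, now=None):
        now = int(time.time()) if now is None else now
        payload = {"dev": hostname, "exp": now + self.ttl, "jti": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig

    def verify(self, token, now=None):
        """Return the hostname if the token is genuine, unexpired and not revoked."""
        now = int(time.time()) if now is None else now
        body, _, sig = token.partition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):      # constant-time compare
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] <= now or payload["jti"] in self.revoked:
            return None
        return payload["dev"]

    def revoke(self, token):
        """Blacklist one token without touching the device's registration."""
        body = token.partition(".")[0]
        self.revoked.add(json.loads(base64.urlsafe_b64decode(body))["jti"])
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the server clock is used.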

Using the Facebook OpenGraph API without web server

I am trying to understand the OpenGraph API by downloading the SocialCafe example (based on a similar tutorial here). I am able to follow most of the steps in theory, but am unable to understand a few aspects:
The tutorial mentions that a link to the application is needed, a link such that Facebook can issue an HTTP GET request. If I do not have a web server, can I still run the application? I have seen some tutorials here on SO that specify localhost. Is that the route I must take to be able to have the sample source code reside locally on my machine and still be able to run the app on FB? If so, how do I set it up?
If I need a web server, is there a way I can turn my own machine into one? If so, how do I go about it?
I am coming from a DSP/C/C++ background and have very little web programming experience. Please do let me know in case some more details are needed.
You will need a publicly accessible web server for your development efforts. You can turn your localhost into one if you can get a static IP address from your ISP (pretty rare nowadays to get one), then buy a domain name and set DNS up to point to your IP. On your computer you will need to install and configure a web server to use that IP and domain name combination. It takes about 48 hours for DNS to propagate the interwebs.
Your best bet is to purchase some web hosting along with a domain name (you're going to need one eventually once your app is out of development). Then you can run your app under a "subdomain" on your main domain (or in a subfolder on your production domain).

Peer-to-peer chat with the iPhone

I am aware of how many times this has been asked based on searching StackOverflow, but I am still hoping someone could tell me whether I am wrong...
I am creating a peer-to-peer chat app for the iPhone. My initial idea was to avoid using a server, so Bonjour came to mind. I was happy coding for quite a while and implemented a lot of fancy features, but two days ago I started testing with two clients from different subnets and found that the clients couldn't connect to each other! I suddenly realized that Bonjour is meant for local networks and that a DNS server is necessary for wide area service broadcasting. Do I really need a server for Internet peer-to-peer chat? Are there any other options that do not involve using a server on the iOS platform?
I am wondering how you can do a chat app without using a server. There are many cheap solutions out there, Amazon has its own service, Google does as well. You can try first without even having to pay a cent.
I found the following in the Apple developer guide. This should answer your question:
Does Bonjour work between multiple subnets?
Yes. The first release of DNS Service Discovery (DNS-SD) for Mac OS X concentrated on Multicast DNS (mDNS) for single-link networks because this was the environment worst served by IP software. Starting in Mac OS X 10.4, Bonjour now uses Dynamic DNS Update (RFC 2316) and unicast DNS queries to enable wide-area service discovery.
To answer the question, the only way is for you to carry a list of all possible participants, and their current IP address, and for each possible participant to report to all others each time their IP Address changes. So, if you have 100 possible participants, then you must tell 99 others when your IP Address changes, and those 99 must tell you when their IP Address changes.
Bonjour may work on a LAN, a WAN or even a WAN, but it will never work on the internet.
The role of the server is so that each endpoint only needs to tell one endpoint (the server) when it changes. My advice is to get a cheap internet host with basic PHP/MySQL capabilities and write yourself a very simple script to post and get user identities.

How to create an SaaS Application?

I don't know how else to say it so I'm just going to explain my ideal scenario and hopefully you can explain to me how to implement it...
I'm creating an application with the Zend Framework that will be hosted with DreamHost. The application will be hosted on its own domain (i.e. example-app.com). Basically, a user should be able to sign up and get their own domain, sampleuser.example-app.com or example-app.com/sampleuser, which points to what looks like their own instance of the app, but is really a single instance serving up different content based on the URL.
Eventually, I want my users to be able to create their own domain (like foobar.com) that points to sampleuser.example-app.com, such that visitors to foobar.com don't notice that the site is really being served up from example-app.com.
I don't know how to do most of that stuff. How does this process work? Do I need to do some funky stuff with Apache or can this be done with a third party host, like DreamHost?
Update: Thanks for the advice! I've decided to bite the bullet and upgrade my hosting plan to utilize wildcard subdomains. It's cheaper than I was expecting! I also found out about domain reseller programs, like opensrs.com, that have their own API. I think using one of these APIs will be the solution to my domain registration issue.
Subdomains are easy. In hosting environments, in most cases, Apache is configured to catch all subdomain calls below the main domain. You just need to have a wildcard DNS record defined, so that *.example-app.com is pointed to the IP of your server. Then your website should catch all calls to those subdomain names.
Other domains are hard. They need to be configured as virtual hosts in Apache (see http://httpd.apache.org/docs/1.3/vhosts/name-based.html), which means it will be difficult to automate, especially in a hosting environment, unless your host gives you some API to do just that. An easier and more feasible scenario would be to have a distinct IP assigned to your website; then you can catch all with your Apache (it's probably possible to configure this using your hosting control panel, or it works out of the box) and just point the DNS servers to your IP.
Then, after you have configured your Apache to point all necessary calls to your website, you can differentiate application partitions per subdomain in this way:
1. Get the Host header from the HTTP request.
2. Have a database table containing all subdomain names you're serving.
3. Make a lookup to that database table to determine the instance, or user, id and use it later for filtering data, or for selecting a database if you'll go with a "database per application instance" schema.
Good luck :)
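The Host-header-to-tenant lookup from the steps above, as an added example that is not part of the original answer. The base domain, tenant table and custom-domain table are constructed stand-ins for the database table the answer describes; the point it adds is the normalisation and the strict matching (one label below the base domain, unknown hosts rejected) so that a forged Host header cannot select a tenant it should not.

```python
import re

# Constructed tenant data: what the answer's "database table of subdomain names" would hold.
BASE_DOMAIN = "example-app.com"
TENANTS = {"sampleuser": 1, "acme": 2}          # subdomain label -> tenant id
CUSTOM_DOMAINS = {"foobar.com": 1}             # customer-owned domain -> tenant id
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_host(host_header):
    """Lower-case, drop :port and trailing dot; None if it is not a plausible hostname."""
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):                   # IPv6 literal, never a tenant
        return None
    host = host.split(":", 1)[0].rstrip(".")
    if not host or len(host) > 253 or not all(_LABEL.match(l) for l in host.split(".")):
        return None
    return host


def tenant_for_host(host_header):
    """Tenant id for a Host header, or None for the bare or an unknown host
    (the caller should answer 404 rather than trust the header)."""
    host = normalize_host(host_header)
    if host is None:
        return None
    if host in CUSTOM_DOMAINS:                 # foobar.com -> sampleuser's tenant
        return CUSTOM_DOMAINS[host]
    suffix = "." + BASE_DOMAIN
    if host.endswith(suffix):
        sub = host[: -len(suffix)]
        if "." not in sub:                     # exactly one label below the base domain
            return TENANTS.get(sub)
    return None


def tenant_for_request(host_header, path):
    """Host-based lookup first; falls back to the example-app.com/<user> style."""
    tid = tenant_for_host(host_header)
    if tid is not None:
        return tid
    if normalize_host(host_header) == BASE_DOMAIN:
        first = path.lstrip("/").split("/", 1)[0]
        return TENANTS.get(first.lower())
    return None
```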