One place for hosting & domains

      September 2022

      Advanced Troubleshooting DNS Problems


      The most common DNS error is a simple typo, whether it’s from the client or the server. Typos and other incorrect DNS data cause many problems. Even when data is correct, DNS can still be a difficult protocol to troubleshoot.

      The DNS process starts at the client, which queries a specified upstream DNS server. The upstream DNS server could already have the answer in its cache. In which case, an IP address is answered and the query is resolved. If not, it queries further upstream until a successive answer is given, which is authoritative for the query. The Top Level Domain (TLD), such as a .com, .net, or org, may be the root authority for a query. Authoritative servers on a local network may also be the correct resolver.

      Possible causes of unsatisfied queries include:

      • No network circuit path from the client to the specified DNS server.
      • The specified DNS server might not have the query credentials needed.
      • The cached information on the specified DNS server could be out of date.
      • The specified DNS server may have no upstream path to a TLD server.

      Fortunately, there are a variety of tools available for Windows, macOS, and Linux used to troubleshoot DNS problems. Most DNS troubleshooting tools focus on tracing the circuits to a DNS resolver or querying DNS servers for a correct response.

      Tracing the Resolver Network Circuit

      Clients must be able to reach the DNS server with a query. The most common failure is an interruption in the network circuit between the client app and the desired DNS server.

      Each client declares a default DNS server for DNS queries. If the address of the default DNS server is incorrect, or points to an unavailable resource, there can be no resolution to the request. In this case, the requesting application receives an error, or simply hangs. The IP address of the default DNS server must be known to troubleshoot further.

      The IP address of the default DNS server is found in the properties of the network adapter in use. To find yours, follow the instructions below for your operating system:

      Windows

      1. Right-click the network icon in the Notification Area of the Taskbar.

      2. Choose Network and Internet Settings.

      3. Select your network adapter.

      4. Scroll down to reveal the settings for that network adapter.

      macOS

      1. Click the network icon in the Menu Bar.

      2. Click Network Preferences.

      3. Select your network adapter.

      4. Click Advanced.

      5. Click DNS to reveal the settings for that adapter.

      Linux

      In Linux, the location of the desired DNS server depends on the values set in the resolver configuration file located at /etc/resolve.conf.

      To find these values via the command line, enter:

      cat /etc/resolve.conf
      

      To find these values via the GUI in Ubuntu 22.04 LTS:

      1. Click network icon in the GNOME Panel.

      2. Select your network adapter.

      3. Click <adapter/connection/device> Settings.

      4. Click the gear icon next to your chosen adapter/connection/device

      Knowing the desired address helps trace the circuit to determine if the desired DNS server can be reached.

      Circuit Testing with Ping

      Troubleshooting the network communications circuit uses common tools like ping. Many queries fail because there is no network circuit to the desired DNS server. The ping command line tool is universal to all operating systems and does not require administrative rights.

      Open a command line and use ping to determine if the IP address responds. In this case, the public DNS server for Cloudflare (1.1.1.1) is cited:

      ping 1.1.1.1
      

      Or:

      ping cloudflare.com
      

      When a reply is returned, queries can be made to the server, in which case, skip to the next section.

      If there is no reply using ping, then the circuit is unusable and the requested resolver is not responding. This can be because it’s under attack, dead, or offline. Specify another resolver/DNS server and repeat the attempt.

      An unusable circuit, or route to a DNS server, means that an Internet connection is down for the host making queries. If the circuit is up, another DNS server can be used, and must be placed in the host’s settings. Reset the host to restart the network stack and read the new DNS server entry. Such alternate DNS Internet servers are 1.1.1.1 for Cloudflare, and 8.8.8.8 for Google.

      Note

      The traceroute command line tool is also handy in network circuit analysis. It uses either an IP address or a Fully Qualified Domain Name (FQDN) to show latencies between the host and the desired IP address/FQDN.

      Tracing Resolvers with NSLookup

      Windows, macOS, and Linux contain the command line tool, nslookup (Name Server Lookup). It performs a query on a known address, using the default DNS resolver, unless another resolver is specified.

      nslookup google.com
      

      Renders:

      nslookup google.com
          Server:  one.one.one.one
          Address:  1.1.1.1
      
          Non-authoritative answer:
          Name:	google.com
          Addresses:  2607:f8b0:4004:c19::8a
                    2607:f8b0:4004:c19::71
                    2607:f8b0:4004:c19::8b
                    2607:f8b0:4004:c19::64
                    64.233.177.138
                    64.233.177.139
                    64.233.177.102
                    64.233.177.101
                    64.233.177.100
                    64.233.177.113

      Here, the default nameserver is Cloudflare.com’s public DNS server (one.one.one.one), with an IP address of 1.1.1.1. It uses a cached (non-authoritative) answer for the queried server (google.com). It then renders three lines of IPv6 addresses and six lines of IPv4 addresses.

      When there’s a working network circuit available, nslookup permits changing the nameserver so that entries among differing nameservers can be compared. When a TLD FQDN entry is changed, it can take as long as 48 hours to be uniform among nameservers/resolvers. This is because non-authoritative servers cache entries using a Time-To-Live (TTL) variable for speedier response. The answer is delivered from cache, without looking up the answer on the next higher-level server. When the cache expires on DNS servers/resolvers/nameservers, a request from a higher authority renews the cached and delivered answer.

      Start of Authority (SOA)

      Every domain used publicly in DNS has a registrar. The registrar keeps a record of ownership, which may not be visible to the public. The entry in this record that must be made public is the IP address(es) of its nameservers. The nameservers/resolvers, in turn, are the guardians of the DNS for TLDs.

      An organization that hosts a domain generally also contains its nameserver, and is the SOA for the domain and any subdomains underneath it. TLD resolvers such as .com, .net, and .org, are highly controlled. They are only accessible through other servers using the DNS Security Extensions (DNSSEC) authentication and security protocol.

      Hosting organizations like Linode may also use other Content Distribution Networks (CDNs) who provide a presence where heavily-used sites manage IP and DNS access. CDNs are not covered by this guide, because their troubleshooting often requires tools that only the CDNs can provide. Nonetheless, these sites must respond appropriately when a host makes a query.

      Dig

      The most popular client-side DNS query tool beyond nslookup is dig (Domain Information Groper). The dig app must be downloaded to Windows as part of the
      bind package, which also includes an optional DNS server. The dig command is included with most versions of macOS and Linux.

      The dig tool allows specific DNS records to be queried. This includes MX (mail), A records (domain), TXT records (specifically recorded details), and other host records included in the SOA nameserver.

      An example of the dig output shows its command line configuration:

      dig linode.com
      

      The output looks similar to:

      ; <<>> DiG 9.16.30 <<>> linode.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54592
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
      
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ;; QUESTION SECTION:
          ;linode.com.                	IN  	A
      
          ;; ANSWER SECTION:
          linode.com.         	300 	IN  	A   	69.164.200.202
          linode.com.         	300 	IN  	A   	72.14.191.202
          linode.com.         	300 	IN  	A   	72.14.180.202
      
          ;; Query time: 62 msec
          ;; SERVER: 1.1.1.1#53(1.1.1.1)
          ;; WHEN: Thu Jul 14 17:11:03 Eastern Daylight Time 2022
          ;; MSG SIZE  rcvd: 87

      Options for the dig command include:

      • +trace, which queries DNS servers to the SOA.
      • ANY, which finds ALL records, not just the default A record.
      • +f <filename> which calls the hosts listed in the specified file.

      The SOA can be found, and the path to it queried, to see if records match. This allows DNS resolvers along the path to the SOA to be adjusted for longer/shorter TTL caching. This accommodates records that change frequently, such as DynamicDNS records in Active Directory environments.

      Domain Transfers

      When a domain transfer occurs between nameserver registrations, it takes time to propagate to the hundreds of thousands of resolvers that might be contacted. The dig command is the handiest tool to find outdated cache or incorrect entries.

      The Hosts File

      Windows, macOS, and Linux look to a hosts file before trying to resolve a DNS address. The hosts file pre-dates DNS in many ways, and takes precedence over DNS or attempts to use a resolver.

      When present and filled in, the hosts file is the first resolver in any host. In Windows, this file is located in the \system32\hosts entry. On macOS and Linux, it’s located in the /etc/host file.

      The hosts file is canonical, meaning that it overrides any resolver and cannot be violated. When tracing odd DNS access problems, look for the presence of this file, and use a text editor to examine its contents. Entries may be administratively placed to prevent access to specific sites. It is sometimes used as a “private DNS” to control system behavior and prevent typos from permitting access to typo-based malware sites. The hosts file must be altered to allow subsequent access through a resolver to such sites.

      Walled Gardens and Captive Portals

      Walled Gardens and Captive Ports are terms for the same environment. Essentially, barriers presented by network access providers, such as “Free WiFi” services deployed in public spaces, shops, schools, and government facilities. These offerings are controlled through an access control host/router to a network, whether wired or wireless. All DNS or IP address calls are intercepted, and focused to an authorization device.

      After supplying sufficient credentials, a user is provided either confined or open access. Within the Captive Portal or Walled Garden, DNS calls are often intercepted and routed through local or cloud-based DNS servers/resolvers. They resolve requests using their own entries, which may not be the public DNS entry for a user.

      The “wall” in the Walled Garden provides confined access, typically limiting access to social media, adult websites, or other sites chosen by the provider. Although browser DNS-over-HTTPS protocols can sometimes “leap” over, or bypass, these walls, some browsers do not support this protocol.

      To regain access, re-load the network stack and use a public resolver like Cloudflare’s 1.1.1.1 or Google’s 8.8.8.8.

      DNS Poisoning

      The answers provided by DNS servers are listed in the DNS server/resolver’s tables. Access to these tables is usually highly limited. When DNS is correctly configured for host security, it limits how DNS entries can be changed.

      It’s possible to poison DNS servers intentionally with spurious entries in an attempt to hijack browser activity. When performed by bad actors, these entries can focus browser requests to malware, crypto routines, or competitors.

      Administrators regularly use dig and a file of test hosts to compare changes in entries. The value of the test is to show when the list of hosts has changed, and for what reason. A changed address in a popular site may mean its entry has been hijacked upstream, locally, or even at a TLD server. It may also mean the IP address has simply been changed administratively. Poisoned entries must be deleted where possible.

      Hosting Provider Problems

      A hosting provider, or the domain registrar, can flush DNS cache, including informing upstream/downstream providers where they’re connected. Administrators making changes in DNS entries face a problem with the cache TTL/life in both up and downstream servers. Changes can be quick to propagate where CDN and other services, such as Akamai and Cloudflare, are the stored address for downstream servers.

      Records

      Each host provides a mandatory A record that points to the IP of the receiver of domain targets. The CNAME record provides an alias for queries, allowing aliases for “www” or other common domain prefixes.

      DNS MX records point to mail. Most hosting providers run mail through an application, such as cpanel. Email entries for a domain are rejected because of missing mail-focused domain keys used in:

      • Transport Layer Security (TLS)
      • DomainKeys Identified Mail (DKIM)
      • Sender Policy Framework (SPF)
      • Domain Message Authentication Reporting and Conformance (DMARC)

      These entries must be valid, and the mail engine used must comply with the DNS records for the domain.

      Host provider email records are entered in the provider’s DNS record for a domain, or maintained separately by a domain administrator.

      Alterations

      Some host providers and registrars lock DNS records so that they cannot be changed by fraudulent or unauthorized access. To prevent hijacking and fraud, the locks placed on records require obtaining a key, providing credentials, or other verification obstacles.

      The authentication credentials needed to change DNS records should be stored carefully. A re-authentication attempt usually requires time and multiple methods of authentication to obtain. Domain hijacks occur when credentials are guessed, spoofed, or heavily attacked.

      Conclusion

      Simple typos are a huge problem. So are network outages that initially appear to be DNS problems. Verifying accuracy and the network path fixes many DNS outages. User/host configuration problems, especially an incorrect default DNS/resolver, can also be quickly checked.

      When resolvers must be checked, the toolkit can be simple. Much information can be revealed about the listings inside resolvers using nslookup and dig. Data can be compared from period to period.

      Complying with a hosting provider’s documentation allows you to keep complete records that cooperate with the provider, their services, and email.

      DNS servers are not invulnerable. They can be poisoned. It’s good practice to check important records on a periodic basis to test listing integrity, especially before users fill the support email box.



      Source link

      Register Custom DNS Name Servers


      DNS name servers (also referenced as the single word nameservers) are the backbone of the Domain Name System. They are the servers that host a domain’s DNS records, which map human-readable domain names to IP addresses.

      When registering a new domain or configuring an existing domain, you must set the FQDN (fully qualified domain name) of each name server you intend to use. This is done through your domain’s registrar. You can typically chose to use your registrar’s name servers, a third party name server, or a self-hosted name server. If you decide to use your registrar’s DNS service or a third party DNS service, that service provides you with the FQDNs for its name servers. For example, the name servers for Linode’s
      DNS Manager are ns1.linode.com through ns5.linode.com.

      If you instead decide to use your own custom name servers, you first need to create glue records on your registrar for the FQDN you wish to use with each name server. In tandem with glue records, you must also set corresponding A records with your domain’s DNS records. The last step is to configure your domain to use your new custom name servers.

      1. Configure Glue Records
      2. Create A Records
      3. Change the Name Servers for Your Domains

      This guide covers how to register a custom name server and assumes you have already configured a self-hosted DNS software on each system you intend to use.

      Before You Begin

      • You must have at least one registered domain name and be able to access the domain’s registrar. Within this domain name, determine the FQDNs you’d like to use for your custom name servers. Many applications and registrars require at least two name servers and they are typically formatted as ns1.example.com, ns2.example.com, and so on, replacing example.com with the domain you’d like to use.

      • For each name server you wish to configure, deploy your preferred DNS software on a Compute Instance or any publicly accessible server. If you are using cPanel, Plesk, or other software that automatically configures your DNS software, make sure it is properly installed.

      Why Use Custom Name Servers?

      Third-party DNS services, like Linode’s DNS Manager, are very reliable, feature-rich, highly available, and protected against attacks. For most applications, these services are preferable to self-hosting custom name servers. As with many custom self-hosted solutions, the effort to build and maintain a custom DNS name server might not be worthwhile. That said, there are some compelling reasons to chose self-hosting your own custom name servers over utilizing an existing DNS service.

      • Software integration: Many popular self-hosted software solutions, including cPanel and Plesk, can deploy their own custom name servers to automatically manage DNS records. When a user makes a change in the software, the associated DNS records are automatically created or updated without a user needing to manually configure them.

      • Greater control: A primary reason for using any self-hosted solution is to gain more granular control over a system. In the case of name servers, you can use any
        name server software supported by your system and take advantage of all of its features.

      • Vanity/Branded domain: Some third-party DNS services allow you to use your own domain instead of their standard name server domains for branding purposes, but not all have this feature. When self-hosting your own name servers, you can use whichever domain name you wish.

      Configure Glue Records

      When a domain name is resolved, your system’s DNS resolvers first query the root name server. The root then provides the name servers for the domain’s top-level domain (TLD), such as .com or .net. Then, a query is sent to the TLD name servers, which returns the authoritative name servers for the domains. The DNS resolver can then finally query an authoritative name server for the DNS record it needs. This works fine for most domain queries, such as when the DNS records for example.com are hosted on the name server ns1.linode.com. But this breaks down for name server domain resolution, where the record for ns1.example.com is hosted on the ns1.example.com authoritative name server.

      To overcome this circular resolution, glue records are needed. Glue records are set within the domain’s registrar and can map the custom domain of a name server to the IP address of that name server. To configure glue records, follow the instructions below.

      1. Obtain the public IPv4 addresses for each of your custom name servers. If they are hosted on a Linode Compute Instance, see
        Managing IP Addresses on a Compute Instance.

      2. Log in to your domain’s registrar.

      3. Configure a glue record for each custom name server. This maps the full domain of a name server to the IPv4 address for that server. The name of this feature and the instructions for setting a glue record depend on the registrar you are using. Here are the instructions for a few popular registrars, though any registrar that supports glue records can be used:

        Some registrars may require you enter the entire FQDN of the custom name server (such as ns1.example.com), while others only need the subdomain (such as ns1). Additionally, registrars like Namecheap pre-populate a dropdown list with common name server hostnames. In this case, you can likely select from the predefined list or type your own.

      After this is complete, your registrar sends the glue records to the TLD name servers associated with your domain. This process can take up to 24 hours to complete, though it is generally finished within a few minutes to an hour. See
      Verify DNS Changes.

      Create A Records

      In tandem with setting up glue records at the registrar-level, you should also create A records within your custom name servers itself. Many self-hosted software applications that manage DNS records, such as cPanel and Plesk, do this automatically – provided they are configured to use a self-managed DNS service. If this is the case, you can skip this section – even if you have yet to install the software.

      1. Log in to the administration panel or terminal for your DNS software on your custom name server.

      2. Within the domain zone file, add an A record for each custom name server. This record should point the hostname of the custom name server (such as ns1.example.com) to the IPv4 address of the name server.

      Since these steps vary greatly depending on your DNS software, please reference the official documentation for that software. For instance, for users of BIND9 (the most popular DNS software), see
      Configurations and Zone Files.

      DNS records can take up to 24 hours to fully propagate, depending on several factors – including the TTL setting, the DNS service you are using, and the caching system on the DNS resolver. In general, you can expect to see the updates within 5 minutes to an hour. See
      Verify DNS Changes.

      Change the Name Servers for Your Domains

      Once the custom name servers have been successfully registered, you can begin using them to host DNS records for your domains. To do this, add the domain inside your custom name server and then update the domain’s registrar to reflect the new authoritative name servers.

      1. Log in to your domain’s registrar.

      2. Update the domain’s name servers to use your new custom name servers (such as ns1.example.com and ns2.example.com). The name for this setting various among registrars, but it is commonly called external or custom name servers.

      After configuring the new authoritative name servers for a domain, they are sent to the TLD name servers associated with that domain. This process can take up to 24 hours to complete, though it is generally finished within a few minutes to an hour. See
      Verify DNS Changes.

      Verify DNS Changes

      Once you’ve made the changes that are needed, you can verify that the records are correct and have propagated to the appropriate servers by following the instructions below.

      1. Obtain the TLD name servers by running the following dig command, replacing com with the TLD for your domain.

        dig +short com NS
        

        This returns a list of TLD name servers.

      2. View the DNS records a particular TLD name server has for your domain by using the command below. Be sure to replace a.gtld-servers.net. with whichever TLD name server you wish to query (leaving the @ and trailing .) and example.com with your domain.

        dig +norec @a.gtld-servers.net. example.com
        
      3. To verify the glue records, examine the output’s ADDITIONAL section. There should be an A record for each of the glue records you’ve configured, pointing your custom name server domain to your IP address.

        ;; ADDITIONAL SECTION:
        ns2.example.com.	3600	IN	A	192.0.2.36
        ns1.example.com.	3600	IN	A	192.0.2.37

        If you do not see a similar output, you can query other TLD name servers. It may be that the changes have not yet propagated to all of them.

      4. To verify your domain is using your new name servers, examine the AUTHORITY section of the output. This should be a list of all NS (name server) records, which map your domain to one or more name servers. All of the name servers configured for your domain should appear here, though they are typically displayed in a somewhat random order.

        ;; AUTHORITY SECTION:
        example.com.		3600	IN	NS	ns2.example.com.
        example.com.		3600	IN	NS	ns1.example.com.
      5. Both the glue records and name servers can also be verified by running a dig +trace command, as shown below. Replace example.com with your domain and ns1.example.com with your custom name server. Repeat this command as needed for each name server.

        dig example.com +trace +additional | grep ns1.example.com
        

        Within the output, you should see at least one NS record that defines your custom name sever and an A record for your name server that points to the correct IP address of your server.

      6. The A records for your custom name server’s domain can be verified by running the following dig command, which confirms the changes have propagated to the DNS resolver used by your system. Replace ns1.example.com with the domain of your name server.

        dig ns1.example.com A +short
        

        This should output the IP address configured within the A record for that domain.



      Source link

      A Beginner’s Guide to WordPress Pages


      As one of the building blocks of any website, pages are an integral part of WordPress. The platform enables you to quickly add static pages that can act as part of the site’s overall architecture. If you’re new to WordPress, however, you may be unsure how pages work.

      A WordPress page differs from a post in many ways. For instance, it can display any content you want, not just articles. Additionally, pages are designed for more permanent content, while posts are typically organized by dates and categories.

      An Introduction to WordPress Pages

      Every website requires at least one page to be visible to the public, but WordPress enables you to create as many pages as you need. Pages are distinct from posts in three main ways:

      • Pages are designed for static content. This means they’re for content that rarely changes over time, like About Us and Contact Us sections.
      • By default, pages do not allow comments. Pages are a place to share information rather than encourage social engagement.
      • You can use a page to hold and display posts. While you can display posts on a page, you can’t do the opposite.

      Understanding the difference between pages and posts in WordPress is just the beginning, of course. Let’s dive a little deeper and discuss how to manage pages.

      Get Content Delivered Straight to Your Inbox

      Subscribe to our blog and receive great content just like this delivered straight to your inbox.

      How to Manage WordPress Pages

      WordPress makes it easy to manage your web pages. Out of the box, the platform comes with all the tools you need to create, edit, organize, and remove any pages on your site. Let’s address these tasks one by one.

      Adding and Editing Pages in WordPress

      Your first step is learning how to create pages and edit them. To get started, go to your WordPress admin dashboard. From the left menu, select Pages and then click on Add New:

      add a new WordPress page

      From here, you can start creating your page. Just add whatever content you’d like by inserting blocks. For instance, you can type text into a paragraph block or add photos with an image block:

      create a new WordPress page

      You can even use the pre-designed Block Patterns to automatically create a new layout. Once you’ve made your changes, you can publish the page or save it as a draft to continue working on it later.

      Organizing Your WordPress Pages

      When you add a new page to WordPress, it becomes a part of your navigation. Depending on your default installation settings, WordPress will either arrange your pages by date published or in alphabetical order. If you want to change this, you will need to use a hierarchy to organize them.

      First, click on Pages within WordPress:

      view all WordPress pages

      Here, you will see a list of all of the pages you’ve created so far. Hover over any page you want and click on Quick Edit:

      quick edit a WordPress page

      Then, find the drop-down menu for Parent. If you want to make this page a subpage or child of one of your other pages, you can do that here.

      Otherwise, you can simply use the Order box to determine how your pages will appear in your website menu. If you leave the number at 0, for example, the selected page will be the first one in the hierarchy. If all pages are set at 0, they will be organized alphabetically.

      Once you click on Update, all your settings will be saved. You’ll want to do this for each page on your site. If you add new pages later, you can follow the same steps to organize them within your existing hierarchy.

      Removing a WordPress Page

      Deleting a page is a very straightforward process. To do this, go to the Pages screen of your dashboard. Hover over the page you want to delete, and you’ll see the word Trash in red lettering:

      edit existing WordPress pages

      Once you click on that button, the page will be moved to your trash bin. If you need to delete multiple pages, you can select the checkbox to the left of each one. Then, go to the Bulk Actions menu just above the list of pages, and select Move to Trash.

      Deleted pages can be restored by clicking on the Trash link above the page listing. Hover over the page you want and select Restore. If you’d like to remove the page for good, click on the red Delete Permanently link.

      Create Your First WordPress Page

      WordPress enables you to quickly add, edit, and organize pages on your website. These pages are primarily used for static content and can be organized hierarchically as part of your site’s overall architecture.

      To get started, you’ll need to add a new page and customize it with blocks. For example, you might add text, images, buttons, and more. When you’re ready, you can publish the page or save it as a draft.

      Do More with DreamPress

      DreamPress Plus and Pro users get access to Jetpack Professional (and 200+ premium themes) at no added cost!

      Managed WordPress Hosting - DreamPress



      Source link