kit17 Posted February 4, 2018 Just out of curiosity. After issuing the certificate, I am being redirected to `https://<some random hex characters>.unraid.net` when I browse to the web UI with the URL `http://192.168.1.199`. Did unRAID create a subdomain `<some random hex characters>.unraid.net` that pointed to my local IP address? Can someone explain this? I am a programmer but just not so advanced in networking, so technical terms should be okay.
pwm Posted February 4, 2018 There is a DNS server handling the unraid.net domain. And unRAID will report back your local IP number and this "random hex name" to this DNS server. And the DNS will append the host list for the domain unraid.net to include your unRAID system. If you change the IP of your unRAID, then your unRAID will report in the IP number change to the DNS to make sure the next DNS lookup will point to the new IP. Anyone who knows this "random hex name" and asks the DNS will manage to perform a DNS lookup and find the private IP of your unRAID. Which obviously doesn't matter because I can't from my home make use of the IP 192.168.1.199 to reach your unRAID - my machine would just try to find a machine with that IP within one of my networks.
kit17 (Author) Posted February 4, 2018 1 hour ago, pwm said: There is a DNS server handling the unraid.net domain. And unRAID will report back your local IP number and this "random hex name" to this DNS server. And the DNS will append the host list for the domain unraid.net to include your unRAID system. If you change the IP of your unRAID, then your unRAID will report in the IP number change to the DNS to make sure the next DNS lookup will point to the new IP. Anyone who knows this "random hex name" and asks the DNS will manage to perform a DNS lookup and find the private IP of your unRAID. Which obviously doesn't matter because I can't from my home make use of the IP 192.168.1.199 to reach your unRAID - my machine would just try to find a machine with that IP within one of my networks. Thanks for the answer. So I guess this is just a CNAME record on the `unraid.net` DNS, pointing to `192.168.1.199`? And since `<some random hex characters>.unraid.net` is accessible on my local network, the browser knows that it equals `192.168.1.199`, and that's why I got redirected when I access `http://192.168.1.199`? Lastly, is there never anything dealing with my public address?
pwm Posted February 4, 2018 1 minute ago, kit17 said: Lastly, is there never anything dealing with my public address? That's a question that only the company hosting the DNS can answer. But it isn't impossible that the DNS server has a log entry with your public IP number from when the unRAID system reached out to register the CNAME entry. And it isn't impossible that the DNS server has log entries with your public IP number from when you make hostname lookup requests.
kit17 (Author) Posted February 5, 2018 11 hours ago, pwm said: That's a question that only the company hosting the DNS can answer. But it isn't impossible that the DNS server has a log entry with your public IP number from when the unRAID system reached out to register the CNAME entry. And it isn't impossible that the DNS server has log entries with your public IP number from when you make hostname lookup requests. I see. Are the first 2 questions correct?
pwm Posted February 5, 2018 A CNAME is a record with an alias name mapping to the Canonical Name. So the service-oriented name www.somedomain.com might get normalized into the actual machine name rambo.somedomain.com. So you want to visit www.somedomain.com and the CNAME record translates www.somedomain.com into rambo.somedomain.com, and then an A or AAAA record translates from rambo.somedomain.com into an actual IP number. In this case, you want a translation from a name into an IP number. So the DNS would register A records for IPv4 or AAAA records for IPv6. The browser asks the DNS for help with '<some random hex characters>.unraid.net' and the DNS locates a matching A or AAAA record and returns back an IPv4 or IPv6 address. The browser in this case receives back a private IP number (like 192.168.1.199) only meaningful within your local network while inside your firewall. https://en.wikipedia.org/wiki/CNAME_record
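As an added example (not code from the thread or from unRAID), here is a small resolver that does what pwm describes: ask DNS for the A/AAAA answers of a name and classify each address as private, loopback, link-local or public. The hostname `deadbeef0123.unraid.net` is a made-up placeholder, and the fixture answers are constructed so the script runs offline; pass real hostnames on the command line to use the system resolver instead.

```python
"""Resolve a name and say where its A/AAAA answers point.

Added example, not from the original thread. The hostnames and the
FAKE_ANSWERS fixture below are constructed; 'deadbeef0123.unraid.net'
stands in for the '<random hex>.unraid.net' name in the thread.
"""
import socket
import sys
import ipaddress


def classify(addr: str) -> str:
    """Label a single address the way a firewall would see it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"      # 127/8, ::1
    if ip.is_link_local:
        return "link-local"    # 169.254/16, fe80::/10
    if ip.is_private:
        return "private"       # RFC 1918, fc00::/7: LAN-only, as in the thread
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"


def resolve(hostname: str, lookup=None) -> list[str]:
    """Return the unique IPv4/IPv6 answers for hostname.

    `lookup` has the socket.getaddrinfo signature; it defaults to the
    real resolver and can be swapped for a fixture to run offline.
    """
    if lookup is None:
        lookup = socket.getaddrinfo
    answers: list[str] = []
    for family, _stype, _proto, _canon, sockaddr in lookup(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6):
            addr = sockaddr[0]
            if addr not in answers:
                answers.append(addr)
    return answers


def report(hostname: str, lookup=None) -> dict[str, str]:
    """Map every answer for hostname to its classification."""
    return {addr: classify(addr) for addr in resolve(hostname, lookup)}


# Constructed stand-in for the resolver: a public name whose A record
# holds a LAN address (the unRAID case) next to an ordinary public name.
FAKE_ANSWERS = {
    "deadbeef0123.unraid.net": [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.168.1.199", 0)),
    ],
    "public.example.net": [
        (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("8.8.8.8", 0)),
        (socket.AF_INET6, socket.SOCK_STREAM, 6, "",
         ("2001:4860:4860::8888", 0, 0, 0)),
    ],
}


def fake_lookup(hostname, port, *args):
    """getaddrinfo look-alike backed by FAKE_ANSWERS."""
    return FAKE_ANSWERS[hostname]


if __name__ == "__main__":
    names = sys.argv[1:]
    lookup = None if names else fake_lookup
    for name in names or FAKE_ANSWERS:
        for addr, kind in report(name, lookup).items():
            print(f"{name} -> {addr} ({kind})")
```

Two caveats worth knowing. First, the "private" answer is exactly the pattern that DNS-rebinding protection filters: a resolver such as dnsmasq started with `--stop-dns-rebind` (Pi-hole and many routers expose the same switch) drops public names that resolve to RFC 1918 space, so on such a network the `https://<hex>.unraid.net` redirect fails even though the certificate is fine. Second, the same check is the core of an SSRF guard: anything fetching user-supplied URLs should classify the resolved address, not just the hostname, before connecting.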
Cameron Posted August 9, 2019 Thanks for the great explanations! During my research, I read that CAs are not allowed to issue certificates to internal names or reserved IP addresses (source). So when I ping '<some random hex characters>.unraid.net' I didn't expect to see my internal IP of 192.168.x.x. I thought this wasn't allowed, or am I missing something? On 2/4/2018 at 4:26 PM, kit17 said: And since `<some random hex characters>.unraid.net` is accessible on my local network, the browser knows that it equals `192.168.1.199`, and that's why I got redirected when I access `http://192.168.1.199`? From my understanding, when you access `http://192.168.1.199` the web browser automatically goes to port 80 and your unraid server basically tells the browser that it doesn't do insecure connections, so it redirects it to the unraid subdomain. If you manually specify the port with `https://192.168.1.199:443` the unraid server will accept the connection; however, you are not redirected to the unraid subdomain, so the SSL certificate provided by Let's Encrypt (which is assigned to your specific unraid subdomain) does not look valid.
ljm42 Posted August 9, 2019 8 hours ago, Cameron said: During my research, I read that CAs are not allowed to issue certificates to internal names or reserved IP addresses (source). So when I ping '<some random hex characters>.unraid.net' I didn't expect to see my internal IP of 192.168.x.x. I thought this wasn't allowed, or am I missing something? CAs are not allowed to generate a certificate for https://192.168.1.199 because that would work on many computers; it does not uniquely identify one machine. They can however generate certs for any Fully Qualified Domain Name (i.e. xyz.unraid.net), and there is no restriction on what IP address the DNS for that FQDN actually points to. 8 hours ago, Cameron said: From my understanding, when you access `http://192.168.1.199` the web browser automatically goes to port 80 and your unraid server basically tells the browser that it doesn't do insecure connections, so it redirects it to the unraid subdomain. If you manually specify the port with `https://192.168.1.199:443` the unraid server will accept the connection; however, you are not redirected to the unraid subdomain, so the SSL certificate provided by Let's Encrypt (which is assigned to your specific unraid subdomain) does not look valid. Your browser is able to connect to http://192.168.1.199 because it is an insecure connection, no SSL cert required. Unraid responds and redirects to the proper FQDN for the https connection. Your browser refuses to connect to https://192.168.1.199 (regardless of port) because the browser is asking for a secure connection and Unraid doesn't have a certificate that matches "192.168.1.199" (per the comment above). Since your browser refuses to make an https connection without a valid cert, it never finds out that Unraid just wants to redirect it to the proper FQDN.
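To make ljm42's two points concrete, here is an added example (not code from the thread, from unRAID or from any CA) of the name check a browser performs before it will talk HTTP over TLS, plus an approximation of the issuance rule Cameron cited. The SAN list and the hostnames are constructed; `deadbeef0123.unraid.net` is a placeholder for the real `<hex>.unraid.net` name. Matching follows the RFC 6125 rules browsers apply, simplified to one leftmost wildcard label; the `publicly_issuable` check uses a tiny hand-written list of internal top labels in place of the real Public Suffix List, which is an assumption for illustration only.

```python
"""Why https://192.168.1.199 fails verification while
https://deadbeef0123.unraid.net passes on the very same certificate.

Added example, not from the thread or unRAID. SAN lists, hostnames and
the INTERNAL_TLDS shortlist are constructed for illustration.
"""
import ipaddress

# Constructed SAN list of a Let's Encrypt-style cert for the unRAID name.
UNRAID_SAN = [("DNS", "deadbeef0123.unraid.net")]


def _as_ip(host: str):
    """Return an ip_address for an IP literal (with or without []), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; '*' only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False            # no partial-label or multi-level wildcards
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(host: str, san: list[tuple[str, str]]) -> bool:
    """The browser's reference-identifier check: does this cert cover `host`?"""
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal in the URL is compared only against iPAddress SANs.
        # dNSName entries never match it, whatever the name resolves to,
        # which is why https://192.168.1.199 fails even on the LAN.
        return any(kind == "IP" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    return any(kind == "DNS" and _dns_match(val, host) for kind, val in san)


# Assumption: a shortlist standing in for "not under a public suffix".
INTERNAL_TLDS = {"local", "localhost", "internal", "lan", "home", "corp"}


def publicly_issuable(san: list[tuple[str, str]]) -> list[str]:
    """Approximate the CA/Browser Forum rule Cameron cites: a public CA
    must refuse reserved/private IPs and internal names. Returns the
    list of offending entries (empty means a public CA could issue)."""
    problems = []
    for kind, val in san:
        if kind == "IP":
            if not ipaddress.ip_address(val).is_global:
                problems.append(f"{val}: reserved or private IP")
        elif kind == "DNS":
            labels = val.lower().rstrip(".").split(".")
            if len(labels) < 2 or labels[-1] in INTERNAL_TLDS:
                problems.append(f"{val}: internal name")
    return problems


if __name__ == "__main__":
    for host in ("deadbeef0123.unraid.net", "192.168.1.199"):
        print(f"https://{host} -> match={host_matches_cert(host, UNRAID_SAN)}")
    lan_san = [("IP", "192.168.1.199"), ("DNS", "nas")]
    print("public CA would reject:", publicly_issuable(lan_san))
```

Note that `host_matches_cert("192.168.1.199", [("IP", "192.168.1.199")])` returns True: the restriction is on what public CAs will sign, not on what TLS can express, so a private CA you install on your own devices can issue such a cert. To see what a server actually presents, `openssl s_client -connect 192.168.1.199:443 -servername deadbeef0123.unraid.net </dev/null | openssl x509 -noout -text` prints the certificate with its Subject Alternative Name section.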