Resolving DNS names dynamically - similar to NIP.IO but with personally owned domains.

[ak2766]

What is Happening

I'm about to teach a TLS course to some students I'm looking for a way to automatically issue SSL certificates using custom DNS records.

What is the actual behavior and lacks which without that feature, and what's the fallback (if there is one) while this feature is not implemented yet.

Without this feature, the students would need to pester the TA to get their custom DNS records entered into a local DNS server.

What is Expected

Before this TLS course, we've been using nip.io with docker containers. Specifically, we've been using this DNS record: <student_id>-7f000001.nip.io. This has been working well since each student desk is labelled with a range of port numbers he/she can use for services they create on docker. So, say student with ID 112244 deploys a web service and exposes port 80 on the local host at port 12345, then they can access that service as follows:

http://112244-7f000001.nip.io:12345

I'm now planning to introduce https and have created the necessary entries to haproxy so that a student can access their secure web service at the following URL:

https://112244-12345-7f000001.nip.io

Currently, I've created a self-signed certificate for *.nip.io which works but has the issue with of presenting the usual self-signed certificate browser warning.

Please describe the wanted behavior with details of how it could work.

I'm hoping that the dns-proxy-server can be enhanced to have this feature so that anyone can use a domain they own and/or control. The issue with nip.io is that we do not own this DNS domain and as such cannot make use of DNS validation when requesting for certificates. This validation method is something I'd like to cover in a future syllabus of the course.

I hope I've been concise enough with this requirement.

I suspect you'd see a huge uptake in the dns-proxy-server user base if you were to implement this feature!

[mageddo]

Hey, I will try to resume what you asked with my own words to check if I understood it well. So are you proposing DPS to register the stored hostnames by the local database and/or by the docker containers/services to a Certificate Authority like Let's Encrypt?

[ak2766]

Sorry - I wasn't clear.

Let me get some diagrams together to help illustrate what this feature request is about.

Cheers, ak.

EDIT: I'm also renaming this to remove Let's Encrypt from the name.

[ak2766]

I was busy creating a whole story line of my curriculum, but figured this is overkill. So here's a quick summary.

Currently, if I want a URL to resolve to my laptop IP address (or any IP address for that matter), I simply prefix the NIP.IO domain name with the IP as indicated in the NIP.IO documentation.

I'm looking for the same feature in DPS. Here are some examples assuming my custom DNS domain is mydomcain.com:

$ dig @dps +short mservice.127.0.0.1.mydomain.com
127.0.0.1

$ dig @dps +short mservice.172-16-24-31.mydomain.com
172.16.24.31

$ dig @dps +short mservice.0a2f250f.mydomain.com
10.47.37.15

I hope this clears up this feature request for DPS.

[mageddo]

Got this, you would want DPS to implement nip.io resolution features, right?

Sounds me like an interesting feature to be implemented, that feature doesn't look complex to me. Never thought or heard of that feature before.

A doubt, is there an use case which nip.io isn't satisfacting you, it would be the fact you can't customize the domain suffix?

[ak2766]

Yep. You got it now.

The one situation where nip.io isn't working is when trying to implement TLS for services. Bringing back Let's Encrypt into the discussion, the problem is that they severely throttle this domain (50 certificates per week) as you can imagine it is being used by loads of people world wide.

Having DPS provide this feature bypasses this throttling problem.

[ak2766]

Additional Note.

Whenever you are implementing this feature, please ensure that we can do this for any and all IP addresses - RFC1918 or otherwise - since the Let's Encrypt servers need to communicate with the certbot process.

If my external IP address is 45.46.47.48, I should be able to do the same thing - i.e.:

$ dig @dps +short mservice.45.46.47.48.mydomain.com
45.46.47.48

[mageddo]

@ak2766 for now, seems like you can use the Local Solver DB feature, I consider the only difference is that you will need to create the DNS records config file previously.

[ak2766]

Thanks @mageddo. I'm in no particular rush at the moment. Will wait for the feature to testing...