Nameservers not resolving, and whm / cpanel login not accepting SSL

SudsMixer

New Member
Hi, I'm a newbie VPS admin.
Prior to KnownHost I was on shared domains, and as such I have very little knowledge about administering a happy, secure server.

This forum, as well as the kick-ass support team here at KnownHost has been a godsend though. So, in reading about nameserver and domain resolving problems, I was able to get a report from DNSreport. I was also able to patch the remaining holes in the CSF firewall, thank you all so much!

Now to my questions.

1) I have my domains at Google. (I know some people are not fans, but I happen to love them). The one problem they DO have, is that they are trigger-happy about having their customers do everything at their locations, and provide very scant help if a person chooses otherwise. Nameservers? Glue records? GOOD LUCK. Anyway, I have set these up in both locations (KH / Google), and checked and double-checked my settings.

The report from DNSReport is attached.​

NS1.mydomain.com and NS2.mydomain.com are now at the SAME IP address. (I only have two). I moved my domain to another IP, and this is now what it shows in the KH WHM/C panels. So they DO match. I also have A records set up for the host, and the hostname resolves.​
I have mail at Google, so the failure from DNSreport here is less of an issue to me, unless we are talking security vulnerability and then I want to fix it.

DNSSEC is GREEK to me. Google provides it one-click if you use their nameservers; and if you do not--good luck, not a single help document. There are default domainkeys in the KH DNS editor, they are text form and look like public keys; starting with v=DKIM1 --> Are those it?​
  1. If not, how do I go about getting the Domain Name System Security Extensions Key Tag and Digest?
I do have dynamic DNS enabled for my subdomain, which resolves just fine. Actually, all domains resolve just fine.​
I have each nameserver and my host listed as registered hosts. No issue it appears with the host. Just the nameservers.​
For custom resource records, I have the A record for IP address 2, which is what the nameservers use also. Nameservers are at IP address 2. IP address 1 is used for the host only. Records at KH and Google match. I have the TXT spf record, FTP, Mail (@google), and www. These are all correct with the dot at the end for domain names (vs IP addresses).

I have also checked my hostname record at the KnownHost dashboard. It matches.

So what gives?

Clearly I'm doing SOMETHING wrong.
Question 2; SSL. I have SSL enabled and functioning just fine on all domains, all directories, EXCEPT the CPanel and WHM. I cannot even begin to guess what I screwed up there; so I think the question to the community is, what SHOULD the settings in CPANEL and WHM be for SSL activation for CPANEL and WHM? I could start a support ticket, and perhaps I still will, but in asking you fine folks here, I will then learn something so that next time I can do it right.


Thank you so much for any input you can give.
Please let me know if you need anything extra in terms of documents.

Nina aka Sudsmixer


 


Dan

Moderator
Hi SudsMixer and welcome to KH! :D

You say that your host name resolves yet I am unable to resolve the domain name listed in your DNS report by doing an NSlookup or even just trying to bring it up in a browser. I do see with Whois that your nameservers are listed at your registrar and they do check out in NSlookup. So it still seems like there's something going on there but without being able to do a dig on the DNS zone I cannot say what.

G Suite
You said you have your email at Google, but your DNS report shows that your MX records do not reflect this: you only have one MX record and it's pointing to the local server IP, so your email will never get to Google's servers. You need to modify your DNS zones that will be using G Suite. In your G Suite dashboard click the three dots in the upper right corner and pick Setup; that should walk you through it, but pay particular attention to the Gmail setup as that's what we're concerned with here. You should be adding MX records to your DNS zones similar to this:

[Attachment 580: image not preserved]


The first in the list is your current MX record pointing to your local host, which you will find up above with a priority of 0; change its priority to 40 (higher number = lower priority) so email will go to Google's servers first, but if they're down then your server will collect the email and when Google comes back it will forward the email on.

I would also recommend adding the following records:

[Attachment 581: image not preserved]


These will make it so you can go to email.mydomain.com to log into your email and to docs.mydomain.com to log into Google docs.

DNSSEC
DNSSEC is Greek to me too; however, it sounds like it's going to be important in the coming years so I'll be looking into this. I can say that cPanel does support it, but only if using the PowerDNS server, and this cannot be enabled with a KH standard VPS resolver file (/etc/resolv.conf) as by default KH includes a localhost IP address and PowerDNS won't allow that. As I said, I'll look into this further. I can also say that what you've seen (v=DKIM1...) is not DNSSEC, it's DKIM or domain keys, which is yet another anti-spam verification system.

Some of this you have lost me on:
"I do have dynamic DNS enabled for my subdomain, which resolves just fine. Actually, all domains resolve just fine."

"I have each nameserver and my host listed as registered hosts. No issue it appears with the host. Just the nameservers."

"For custom resource records, I have the A record for IP address 2, which is what the nameservers use also. Nameservers are at IP address 2. IP address 1 is used for the host only. Records at KH and Google match. I have the TXT spf record, FTP, Mail (@google), and www. These are all correct with the dot at the end for domain names (vs IP addresses)."

cPanel doesn't support or even have any settings for dynamic DNS and why would you need it as you have static IP addresses on your server so...?
Also it looks to me like your nameservers (NS1 & NS2) resolve but not your domain name...

Maybe this part is the key: "Records at KH and Google match." Are you saying that you are configuring the DNS at Google AND on your VPS? Because you don't need both; all you should need to configure at Google are your nameservers (both as the nameservers for your domains and to define your nameservers under your host domain, which it appears you have got correct).

SSL
Your VPS will use self-signed certificates for cPanel and WHM and they should work out of the box without any intervention from you. For example, http://host.mydomain.com:2086 will get you to WHM and https://host.mydomain.com:2087 will get you to SSL secured WHM (2082 and 2083 for cPanel). In WHM | Tweak Settings is an option, "Require SSL for cPanel Services"; if you enable this, all requests for WHM and cPanel will be redirected to the SSL ports automatically.
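
Three conditions from the posts above can be checked mechanically: which MX senders try first, whether both nameservers sit on one IP, and whether the zone carries any DNSSEC records (a v=DKIM1 TXT record is not one). This is an added example, not part of the original posts; the zone text, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
# Constructed sample zone: mydomain.com and the 192.0.2.x addresses are placeholders.
ZONE = """\
mydomain.com.      IN NS  ns1.mydomain.com.
mydomain.com.      IN NS  ns2.mydomain.com.
ns1.mydomain.com.  IN A   192.0.2.20
ns2.mydomain.com.  IN A   192.0.2.20
host.mydomain.com. IN A   192.0.2.10
mydomain.com.      IN MX  0 mydomain.com.
default._domainkey.mydomain.com. IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER"
"""

def parse(zone):
    """Split simple one-line records into (owner, type, rdata) tuples."""
    records = []
    for line in zone.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and comments
        owner, _cls, rtype, rdata = line.split(None, 3)
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records

def mx_order(records, domain):
    """Mail hosts in the order senders try them: lowest preference number first."""
    mx = [rdata.split() for owner, rtype, rdata in records
          if owner == domain and rtype == "MX"]
    return [host.lower() for _pref, host in sorted(mx, key=lambda m: int(m[0]))]

def audit(zone, domain, provider_suffix):
    """Return findings for the zone; provider_suffix is where mail should land."""
    records = parse(zone)
    addresses = {owner: rdata for owner, rtype, rdata in records if rtype == "A"}
    findings = []
    order = mx_order(records, domain)
    if not order or not order[0].endswith(provider_suffix):
        findings.append("first-choice MX is not at the mail provider")
    ns_ips = {addresses.get(rdata.lower()) for owner, rtype, rdata in records
              if owner == domain and rtype == "NS"}
    if len(ns_ips) < 2:
        findings.append("all nameservers share one IP address")
    if not any(rtype in ("DNSKEY", "DS") for _o, rtype, _d in records):
        findings.append("zone is not DNSSEC-signed (DKIM TXT records do not count)")
    return findings

if __name__ == "__main__":
    for finding in audit(ZONE, "mydomain.com.", ".google.com."):
        print("FINDING:", finding)
```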
 

Dan

Moderator
Hello again SudsMixer!

I asked the question about DNSSEC and did get confirmation that unless we're on a Cloud VPS or dedicated server we can't use PowerDNS which means we can't use DNSSEC.

Unless you want to leave your DNS hosted at Google, then of course you could!

Hope that helps!
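
On the earlier question of where the DNSSEC key tag and digest come from: both are derived from the zone's DNSKEY record, and together they form the DS record that is entered at the registrar. This is an added example, not part of the original posts, following RFC 4034; the owner name and the 4-byte key are constructed stand-ins, not a real key.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, then the key."""
    header = struct.pack("!HBB", flags, protocol, algorithm)
    return header + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 appendix B).

    Applies to every algorithm except the obsolete algorithm 1 (RSA/MD5).
    """
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, flags, protocol, algorithm, public_key_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a SHA-256 DS."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest  # digest type 2 = SHA-256

if __name__ == "__main__":
    # Constructed input: flags 257 (key-signing key), protocol 3, algorithm 13,
    # and a 4-byte placeholder where the real base64 public key would go.
    tag, alg, dtype, digest = ds_record("mydomain.com.", 257, 3, 13, "AQIDBA==")
    print(f"mydomain.com. IN DS {tag} {alg} {dtype} {digest}")
```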
 

SudsMixer

New Member
Thank you so much Dan, this helps greatly. :)

So this would mean that the WHM/Cpanel concern I have is moot.
And that my configuration at Google is wrong.
The nameservers are still listed as not resolving in the WHM firewall report, but as you pointed out, now my main domain does not resolve.

I'll go through each of the points that you so very generously listed; and see if I can resolve what ails it. Especially thanks for the MX record info, I never would have thought to check it, as my G-suite functions perfectly.

Again thank you so kindly; I'll come back and update when I've gone through all of it.:)
 

SudsMixer

New Member
"Unless you want to leave your DNS hosted at Google, then of course you could! "

I am not a reseller and am not planning to go that way, at least for the foreseeable future.​
I want to follow best practice; but have to admit I like having the DNSSEC. Is there anything wrong with leaving the DNS hosted at Google for the main domain?

Clear as the day I am at the bottom end of the learning curve here. :p Student Web Developer so I expect I will get less painful over time. They say you cannot teach an old dog new tricks, but this dog is trying.​
"cPanel doesn't support or even have any settings for dynamic DNS and why would you need it as you have static IP addresses on your server so...?"
Google enables Dynamic DNS for the synthetic records. All my domains are registered with them, and the DNS is hosted there for all, except the main domain. I moved it back to the KH nameservers after reading the use of them was mandatory for a VPS.
Here's Google's explanation about Synthetic records. (Hope Hyperlinks are ok to insert here in the forum).​
Other than that, because I'm an old lady who knows JUST enough to be really dangerous??​

"are you saying that you are configuring the DNS at Google AND on your VPS?"

Yes, Yes I did. I'm much akin to an old lady with a stick-o-dynamite and a blindfold.​
But this clears up a whole lot.​
If I then understand it correctly; pardon me; I'm no spring chicken and I'm slow... ;)
If I wanted to use the nameservers, and let's say for argument's sake that I also then wanted to host the e-mail and everything else at KnownHost; then all I needed to set up at Google, or any other Domain Registrar of my choice, are the nameservers? Then the CPANEL / WHM configuration tools at KH take care of all the rest?
EUREKA!
This should help me greatly when I get going with my Dev projects. Think I'll be heading over to LinuxAcademy to see what I can find for my poor brain.

Thank you again so so much Dan! I really appreciate the help.
 

Dan

Moderator
Hi SudsMixer!

I see that your domain now resolves to your VPS! :D

I also see that you have things configured so your DNS is at Google.

Looks like your MX records are good as well as they all point to Google servers.

So if that was your objective it would appear as though you're there! ;)

I took a look at the explanation of synthetic records:

"Dynamic DNS - directs your domain or a subdomain to a resource with a dynamically assigned IP address"

This still doesn't apply as it's talking about dynamic IP numbers which you don't have. This really should just be disabled as I don't know if it will conflict with the static IP which you have in your DNS.

Hope that helps!
 

SudsMixer

New Member
Thanks so much Dan! :) It took till 4AM and included some hair-pulling and some glassy-eyed-stares; but I got it back up and running knock on wood! At least now I can be secure while I figure out the world of private nameservers.

Thanks so much for the tip about the Dynamic IP. One thing though, I read it as it would direct you to somewhere with a dynamic IP, so that your static IP stays hidden, and is less prone to attacks. I read that as a security feature..... Remember, old lady with a blindfold and a stick-O-dynamite here. :p What do I know.
 

SudsMixer

New Member
So I stand corrected.... A non-resolving subdomain gave me the solid lesson I needed in the adventures of glue records, forwards and dynamic IP. :p

It quickly became apparent what the culprit was... YEP, dynamic IP....

Give me five minutes, and I'll break it!

Picture what damage I can do with a Developer Certification.... :oops:

Note to self: Next time, LISTEN to Dan, the FIRST time.:cool:
 