This is how I setup DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions.
Read the full article here: https://fearby.com/article/setting-up-dnssec-on-a-namecheap-domain-hosted-on-upcloud-using-cloudflare/
namecheap
Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
This is how I setup DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions
Advertisement:
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
About DNSSEC
Wikipedia has a great write-up on DNSSEC also read the ICANN page on DNSSEC.
Snip “DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.”
https://daniellbenway.net has a great video explaining DNSSEC
Handy DNSSEC Links
- NameCheap – What is DNSSEC.
- NameCheap – How can I check if DNSSEC is working?
- Namecheap – Managing DNSSEC
- dnsviz.net – View my DNSSEC Status
- Cloudflare – How does DNS Sec Work?
- IETF RTC 3685 – Delegation Signer (DS) Resource Record (RR)
- DNSSEC – Domain Name System – Security Extensions
Let’s view my DNSSEC status now
https://dnssec-analyzer.verisignlabs.com/ can help you check your sites DNSSEC status.
Prerequisites
This guide assumes you have already purchased a domain and set it up with say UpCloud hosting (read my setup guide here).
Buy a domain name from Namecheap here.
Read my old guide here that I created while setting up Cloudflare on the Vultr host to see how to setup Cloudflare.
Setting up DNSSEC
First I logged into My Namecheap account, selected my domain, selected Advanced DNS and enabled DNSSEC.
I can see a number of values for DNSSEC KeyType/Algorithm/Digest Type and Digest. Below are the options in the dropdowns for Algorithm and Digest Type.
DNSSEC Algorithms
DNSSEC Digest Types
I contacted NameCheap support and they said I needed to contact my UpCloud hosts to get relevant DNSSEC values.
My domain was purchased at NameCheap but by domain routers by Cloudflare DNS.
Advertisement:
By chance, I logged into my Cloudflare account and noticed they have a DNSSEC section under DNS. Nice.
I enabled DNSSEC
Cloudflare offers all the relevant DNSSEC values.
I entered these values into Namecheap under Advanced DNS on my domain.
After 5 mins re-ran the DNSSEC Analyzr tool.
Hmmm, Cloudflare seem to think something is wrong 🙁
I ran a DNS DS Lookup on my site. Everything appears ok.
I re-added the record in Namecheap and waited for 15 mins and this time Cloudflare was happy. Maybe I just needed to wait for DNS replication a little longer?
I tested my DNS serves with DNS Root Canary
I tested my site’s DNSSEC with https://zonemaster.iis.se/
Done
Skipping Cloudflare
I found that I can simply skip cloudflare by enabling Premium DNS at Namecheap
Then enabling DNSSEC
Easy (totally independant of Cloudflare)
I hope this guide helps someone.
Advertisement:
Please consider using my referral code and get $25 UpCloud VM credit for free.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
Revision History
V1.3 Namecheap DNSSEC
V1.2 ICANN DNSSEC link
V1.1 https://daniellbenway.net explainer video.
v1.0 Initial Post
Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
This guide will show how you can set up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
Advertisement:
I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. This post will show how to let Cloudflare handle the DNS for the domain.
Update 2018: For the best performing VM host (UpCloud) read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
Snip from here “Cloudflare’s enterprise-class web application firewall (WAF) protects your Internet property from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery requests with no changes to your existing infrastructure.”
Buy a Domain
Buy a domain name from Namecheap here.
Cloudflare Benefits (Free Plan)
- DDoS Attack Protection (Huge network to absorb attacks DDoS attacks over 600Gbps are no problem for our 15 Tbps networks)
- Global CDN
- Shared SSL certificate (I disabled this and opted to use my own)
- Access to audit logs
- 3 page rules (maximum)
View paid plan options here.
Cloudflare CDN map
Cloudflare CDN says it can load assets up to 2x faster, 60% less bandwidth from your servers by delivering assets from 127 data centres.
Setup
You will need to sign up at cloudflare.com
After you create an account you will be prompted to add a site
Cloudflare will pull your public DNS records to import.
You will be prompted to select a plan (I selected free)
Verify DNS settings to import.
You will now be asked to change your DNS nameservers with your domain reseller
TIP: If you have an SSL cert (e.g Lets Encrypt) already setup head to the crypto section and select ” Full (Strict)” to prevent ERR_TOO_MANY_REDIRECTS errors.
Cloudflare UI
I asked Twitter if they could kindly load my site so I could see if Cloudflare dashboard/stats were loading.
Could I kindly ask if you are reading this that you visit https://t.co/9x5TFARLCt, I am writing a @Cloudflare blog post and need to screenshot stats. Thanks in advance
— Simon Fearby (Developer) (@FearbySoftware) March 13, 2018
The Cloudflare CTO responded. 🙂
Sure thing 🙂
— John Graham-Cumming (@jgrahamc) March 13, 2018
Confirm Cloudflare link to a domain from the OSX Comand line
1 2 3 | host -t NS fearby.com fearby.com name server dane.ns.cloudflare.com. fearby.com name server nora.ns.cloudflare.com. |
Caching Rule
I set up the following caching rule to cache everything for 8 hours instead of WordPress pages
“fearby.com.com/wp-*” Cache level: Bypass
“fearby.com.com/wp-admin/post.php*” Cache level: Bypass
“fearby.com/*” Cache Everything, Edge Cache TTL: 8 Hours
Cache Results
Cache appears to be sitting at 50% after 12 hours. having cache os dynamic pages out there is ok unless I need to fix a typo, then I need to login to Cloudflare and clear the cache manually (or wait 8 hours)
Performance after a few hours
DNS times in gtmetrix have now fallen to a sub 200ms (Y Slow is now a respectable A, it was a C before). I just need to wait for caching and minification to kick in.
webpagetest.org results are awesome
See here: https://www.webpagetest.org/result/180314_PB_7660dfbe65d56b94a60d7a604ca250b3/
- Load Time: 1.80s
- First Byte 0.176s
- Start Render 1.200s
Google Page Speed Insights Report
Mobile: 78/100
Desktop: 87/100
Check with https://developers.google.com/speed/pagespeed/insights/
Update 24th March 2018 Attacked?
I noticed a spike in and traffic (incoming and threats) on the 24th of March 2018.
I logged into Cloudflare on my mobile device and turned on Under Attack Mode.
Cloudflare was now adding a delay screen in the middle of my initial page load. Read more here. A few hours after the Attach started it was over.
After the Attack
I looked at the bandwidth and found no increase in traffic from my initial host VM. Nice.
Thanks, Cloudflare.
Cloudflare Pros
- Enabling Attack mode was simple.
- Soaked up an attack.
- Free Tier
- Many Reports
- Option to force HTTPS over HTTP
- Option to ban/challenge suspicious IP’s and set challenge timeframes.
- Ability to setup IP firewall rules and Application Firewalls.
- User-agent blocking
- Lockdown URL’s to IP’s (pro feature)
- Option to minify Javascript, CSS and HTML
- Option to accelerate mobile links
- Brotli compression on assets served.
- Optio to enable BETA Rocket loader for Javascript performance tweaks.
- Run Javascript service workers from the 120+ CDN’s
- Page/URL rules o perform custom actions (redirects, skip cache, Encryption etc)
- HTTP/2 on, IPV6 ON
- Option to setup load balancing/failover
- CTO of Cloudflare responded in Twitter 🙂
- Option to enable rate limiting (charged at 10,000 hits for $0.05c)
- Option to block countries (pro feature)
- Option to install apps in Cloudflare like(Goole Analytics,
Cloudflare Cons
- No more logging into NameCheap to perform DNS management (I now goto Cloudflare, Namecheap are awesome).
- Cloudflare Support was slow/confusing (I ended up figuring out the redirect problem myself).
- Some sort of verify Cloudflare Setup/DNS/CDN access would be nice. After I set this up my gtmetrix load times were the same and I was not sure if DNS needs to replicate? Changing minify settings in Cloudflare did not seem to happen.
- WordPress draft posts are being cached even though page riles block wp-admin page caching.
- Would be nice to have ad automatic Under Attack mode
- Now all sub-domains were transferred in the setup ( id did not know for weeks)
Cloudflare status
Check out https://www.cloudflarestatus.com/ for status updates.
Don’t forget to install the CloudFlare Plugin for WordPress if you use WordPress.
More Reading
Check out my OWASP Zap and Kali Linux self-application Penetration testing posts.
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.8 host Command from the OSX CLI
v1.7 Subdomain error
v1.6 Cloudflare Attack
v1.5 WordPress Plugin
v1.4 More Reading
v1.3 added WAF snip
v1.2 Added Google Page Speed Insights and webpage rest results
v1.1 Added Y-Slow
v1.0 Initial post
How to buy a new domain (dedicated server from digital ocean) and add a SSL certificate from namecheap.
This guide will show you how to buy a domain and and link it to a Digital Ocean VM.
Advertisement:
Update (June 2018): I don’t use Digital Ocean anymore. I moved my domain to UpCloud (they are that awesome). Use this link to signup and get $25 free credit. Read the steps I took to move my domain to UpCloud here.
Buy a domain name from Namecheap here.
This old post is available fyi,
1. How to buy a new website domain from namecheap.com
1.1 Create an account at namecheap.com then navigate to registrations
1.2 Search for your domain (don’t forget to click show more to see other domain extension types).
1.3 Select the domain you want.
1.4 I am going to opt for a free year of Free WhoisGuard – (WhoisGuard is a service that allows customers to keep their domain contact details hidden from spammers, marketing firms and online fraudsters. When purchased, the WhoisGuard subscription is permanently assigned to a domain and stays attached to it as long as the fee is paid).
1.5 I will also opt-in into the discounted PositiveSSL for $2.74 (bargain) (fyi: name cheap ssl types).
1.6 Check the name cheap coupons page and apply this months coupon for 10% off.
1.7 Confirmed the order for $11.05 USD.
1.8 Congratulations you have just ordered a domain and SSL certificate.
More details: https://www.digitalocean.com/community/tutorials/how-to-point-to-digitalocean-nameservers-from-common-domain-registrars
2. Create a http://www.c9.io account
This will give you a nice UI to manager your unmanaged server.
2.1 Upgrade from the free account to the “Micro $9.00 / monthly” at https://c9.io/account/billing (this will allow you to use the c9.io IDE to connect to as many Ubuntu VM’s as you wish).
3. Buy the hosting (droplet) from digital ocean
3.1 Goto https://wwww.digitalocean.com and create an account and log in.
Note: If you are adding an additional server (droplet) to a digital ocean account and you want the droplets to talk to each other make sure your existing servers have a private network setup.
3.2 Click Create Droplet
3.3 Enter a server name: e.g “yourdomainserver”
3.4 Select a Server Size (this can be upgraded later), Digital Ocean recommends a server with at least 30GB for a WordPress install (but you can upgrade later).
3.5 Select an Image (you can stick with a plain ubuntu image) but it may save you time to install an image with the LAMP stack already on it.
LAMP stack is a popular open source web platform commonly used to run dynamic websites and servers. It includes Linux, Apache, MySQL, and PHP/Python/Perl and is considered by many the platform of choice for development of high-performance web applications which require a solid and reliable foundation. I will select LAMP.
3.6 Tick “private networking” if you think you may add more servers later (growing business)?
3.7 Paste in your SSH key from your c9.io account at https://c9.io/account/ssh (this is important, don’t skip this).
3.8 Click Create Droplet
3.9 Congratulations you have just created an Ubuntu VM in the cloud.
3.10 If you type your droplets IP into a web browser it should load your pages from your web server.
3.11 You can view your ubuntu droplet details in the digital ocean portal. You may need to reboot the server, make snapshots (backups) of reset passwords here.
3.12 You will need to change your droplets root password that was emailed to you from digital ocean (if you never recived one you can reset a root passowrd change in the digitalocean.com portal). You can change your password by using the VNC window in the digital ocean portal https://cloud.digitalocean.com/droplets/ -> Access -> Console Access). If you had no luck changing you password with the VNC method you may use your Mac terminal and type: ssh root@xxx.xxx.xxx.xxx (where xx is your droplets IP) – then type yes, enter your password from the digital ocean email and change the password to a new/strong password (and write it down).
3.13 Now we will need to install the distro stable nodejs (for c9.io IDE) into the droplet by typing “sudo apt-get update” then “sudo apt-get install nodejs“.
4. Now we can link the digital ocean ubuntu server to the http://www.c9.io IDE.
4.1 Login to your c9.io account.
4.2 Click Create a new wordspace.
4.3 Enter a Workspace name and description.
4.4 Click Remote SSH Workspace
4.5 Enter “root” as the username
4.6 Type in your new servers IP (obtained from viewing your droplet at digital ocean https://cloud.digitalocean.com/droplets ).
4.6 Set the initial path as: ./
4.7 Set the NodeJS path as: /user/bin/nodejs
4.7 Ensure your SSH key is the same one you entered ito the droplet.
4.8 Click Create Workspace.
Troubleshooting: If you workspace cannot login you may need to SSH back into your droplet (via Digital ocean VNC or telnet SSH and paste your c9.io SSH key into the ~/authorized_keys file and save it). I used the command “sudo nano ~/.ssh/authorized_keys”, pasted in my c9.io SSH key then pressed CTRL+0 then ENTER then CRRL+X
4.9 If all goes well you will see c9.io now has a workspace shortcut for you to launch your website.
4.10 You will be able to connect to your droplet from c9.io and edit files or upload files (without the hassle of using SFTP and CPanel).
5. No we will link the domain name to the IP based droplet.
5.1 Login to your name cheap account.
5.2 Click “Account” then “Domain List“, turn off domain parkingand thne click “Manage” (next to the new domain) then click “Advanced DNS”
5.3 Click “Edit” next to “Domain Nameserver Type” then choose “Custom“.
5.4 Add the following three name servers “ns1.digitalocean.com“, “ns2.digitalocean.com” and “ns3.digitalocean.com” and click “Save Changes“.
5.5 Login to https://cloud.digitalocean.com/domains and select your droplet and type your domain name (e.g “yourdomain.com”) into the domain box and select your droplet
5.6 Configure the following DNS A Name records “@”-“XXX.XXX.XXX.XXX” where XXX is our server name and CName Records “www”-“www.yourdomain.com.” and “*”-“www.yourdomain.com.”
It can take from 24-48 hours for DNS to replicate around the world so I would suggest you goto bed at this stage: You can use https://www.whatsmydns.net/#A/yourdomain.com to check the DNS replication progress.
5.7 But if you are impatient check out the DNS replication around the world using this link: https://www.whatsmydns.net
fyi: The full name cheap DNS guide is here.
fyi: The Digital Ocean DNS guide is located here
Setup a SSL Certificate
You can skip section 6 to 6.17 and install a free SSL certificate if you wish (read this guide on using Lets Encrypt ).
Follow the rest of this guide if you want to buy an SSL cert from Namecheap (Comodo (Lets Encrypt is easier)).
6. Login to the Namecheap server.
6.1 Open your c9.io workspace to your domain
6.2 Click the Windows then New Terminal menu
6.3 Type: cd ~/.ssh/
6.4 openssl req -newkey rsa:2048 -nodes -keyout servername.key -out servername.csr
6.2 Type the following to generate CSR files (my server is “servername.com”, replace this with your server name ).
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | # cd ~/.ssh .ssh# <strong>openssl req -newkey rsa:2048 -nodes -keyout servername.key -out servername.csr</strong> Generating a 2048 bit RSA private key .............................+++ ............+++ writing new private key to 'servername.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:New South Wales Locality Name (eg, city) []:Your City Organization Name (eg, company) [Internet Widgits Pty Ltd]:Fearby.com Organizational Unit Name (eg, section) []:Developer Common Name (e.g. server FQDN or YOUR name) []:servername.com Email Address []: your@emamil.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:**************** string is too long, it needs to be less than 20 bytes long A challenge password []:*************** An optional company name []:Your Nmae ~/.ssh# ls -al total 20 drwx------ 2 root root 4096 Oct 17 10:20 . drwx------ 7 root root 4096 Oct 17 10:17 .. -rw------- 1 root root 399 Oct 17 08:06 authorized_keys -rw-r--r-- 1 root root 1175 Oct 17 10:20 servername.csr -rw-r--r-- 1 root root 1704 Oct 17 10:20 servername.key |
6.3 Using the folder structure in c9.io browser to /root/.ssh/ and open the text file “servername.csr” and copy the file contents.
6.4 In a separate window go to https://ap.www.namecheap.com/ProductList/SslCertificates paste in the “” file contents and click Submit
6.5 Verify your details and click next
6.6 Next you will need to verify your domain by downloading and uploading a file to your server. Under “DCV Method” select “HTTP” and follow the prompts at name cheap to download the file.
6.7 Complete the Form (company contacts and click next).
6.8 Go to Certificate Details page to download the validation file. Or you can wait for the email with zip file attached.
fyi: the support forums for this certificate are https://support.comodo.com (but the site is rubbish, most pages load empty (e.g this one)).
6.9 Under “DCV Methods in Use” click ‘Edit Methods” then “Download File”
6.10 Using the c9.io interface upload the file to the /var/www/html folder (drag and drop)
6.11 Wait 1/2 hour and then go back to your name cheap dashboard and see if the certificate has been verified (it may take longer than that).
6.12 After a while a certificate will be issued, Unser See Details click Download Certificate.
6.13 Upload the certificate files (“weatherpanorama_link.ca-bundle”,”weatherpanorama_link.crt” and “servername.p7b” ) files using the c9.io IDE to /root/.ssh/
6.14 Add this “ServerName localhost” to “/etc/apache2/apache2.conf”.
6.16 In a c9.io terminal run this command “sudo nano /etc/hosts” and add this line “127.0.0.1 servername.com”
6.17 Run this command in a c9.io terminal ‘sudo a2enmod ssl”
fyi: Comodo support forums: https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/1
fyi: Comodo apache certificate installation instructions: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache–mod_ssl
Don’t forget to cache content to optimise your Web server
Security
Having a server introduces risks, do check your website often in https://www.shodan.io and see if it has open software or is known to hackers.
todo: SSL https://www.namecheap.com/support/knowledgebase/article.aspx/794/67/how-to-activate-ssl-certificate
Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds. Sign up using my link and receive $10 in credit: https://wwww.digitalocean.com
end skip —
Seriously Lets Encrypt allows you to add an SSL cert in minutes (over Comodo SSL certificates)
Donate and make this blog better
Ask a question or recommend an article
v1.7 added some more.