Expired Domains - A headache, but a learning experience!

Hey all! It's been a few months, I know. But I wanted to share an experience I had with my recent domain name headache.

So as you may or may not know, I've owned ppsstudios.com since May 2013. I purchased it via Google Apps which in turn set my registrar to eNom. Both are useful services and work reasonably well. I was attracted mostly to the (back in 2013) $10/year with free ID protection deal that Google Apps offered. Since then they've gone up to $12/year, but that's not really an issue.

The process was relatively simple. Reserve your name, run through Google's checkout system, enter your card number and registration info and within seconds you have it!

The confusing thing is realizing that Google Apps doesn't just give you the domain. It gives you a portal for your employees or professional team to collaborate, puts a huge suite of tools at your disposal including a Gmail account that ties directly into your new domain name, a Google Drive account for online storage, user permissions and a ton of other possibilities. None of which I actually needed.

However, a few months later I also purchased another domain for a MUSH game I actively host. I thought, this is going to be just as easy. I'll go to Google Apps and buy the domain from them again. Well, for some reason the process hiccuped. I was not able to get the email (mx) service working. I don't know why, and frankly I don't care. But I have a feeling it had to do with the fact that Google Apps for Business had this clause that the first account is free and any others tied to your main Google Account will cost you so much per year ($50 I think) charged on a monthly basis. Nowadays, I think it's outright $50/year which I'll explain my experiences with later.

So this last April I started getting the feeling that, you know, ppsstudios.com is not really utilizing any of my Google Apps for Business features. eNom seems to be the most useful tool, as it can tie the domain to a Google Sites account I made just for it, plus this blog on the blog.ppsstudios.com subdomain, and then my personal website I host from my computer at home. eNom is doing all the work! Why don't I just try to transfer the domain to a full-out eNom account that I create myself? Why should I be locked into Google Apps with a bunch of features I'm not using?

Not really knowing anything about the DNS system and the little marketing loopholes that registrars like eNom put you through, I decided, well I'll just create a user account on eNom, then DELETE my Google Apps for Business account (which should release the domain to the public, right), and then re-purchase it on eNom.

Wrong.

Google Apps still hung onto that domain. It would not let go! And now that my Apps account was dead, I couldn't log in to retrieve it. I started looking into my second domain and found out there was a transfer process I could go through to give eNom permission to pull the domain away from Google (which, by the way, I did and it worked for THAT one).

But I was stuck! Ppsstudios.com was just plain locked down. Sure I could still get into my eNom access control and edit the host records and point subdomains to various locations. Everything I cared about still worked, but I could not actually prove I was the owner of the domain and transfer it over.

So I made up my mind. Well, the only thing I can do is let it expire. It'll go back to unregistered and I can re-purchase it. This turned out to be the biggest headache I've had with the DNS system to date.

eNom (and all big-name registrars, I've come to realize) has this little game. When a domain expires because the user didn't pay the annual renewal fee to keep it in their account, it immediately goes into some form of public auction. eNom (or one of its partners) takes control of the domain and points it to one of those annoying advertising websites that says, "This domain up for public auction! Click here to bid on it! Or you can click here for dancing uniforms, or here for cheap airline tickets, or here for luxury backyard swimming pools!"

I followed the links through. Turns out to recover a domain that's gone from "registered to an actual person" to "public auction" you have to pay a minimum of $60, but the entire public can start bidding on it and raise the price to some crazy amount! I was not going to go through this process and give my payment information to yet another service (eNom doesn't handle the actual bidding. It passes that off to a partner company or something).

I'd wait it out. 

For 30 whole days.

Or maybe I can recover it if I re-create my Google Apps account. Oh wait. I have to pay a $50 annual fee to belong to Google Apps now? It's not a free-for-the-first-domain deal anymore? Okay... fine. Paid the $50, to be charged on a $4.17 per month basis, got a transfer code from Google, and sent the transfer request to eNom (they SAID I was in charge of ppsstudios.com again).

Your Transfer Request is Denied.

This many mixed messages tells me I need to just give up on Google Apps. This is why I'm my own web developer. So I don't have to rely on third parties to host my site and its development tools!

I'll just...delete that Google Apps account. Wait I have to pay the remaining balance of that $50, even if I've only had the account for 30 minutes and don't want it anymore? Yes, I did read the Terms of Service for both services. Yes, it was the usual legal jungle of flowery language to make sure that in no way, shape, or form would anything actually be THEIR fault. Even if their system is the most confusing thing I've ever dealt with online.

Well, granted, the domain would have sat there for 30 days anyway, being bid upon. But what I did learn (again the hard way) is that if nobody bids on it during the 30-day public auction period, it goes into something called "recovery mode" which, from what I read, allows the ORIGINAL owner to buy it back at an inflated price. And the host records are FINALLY deleted, which means visiting http://ppsstudios.com took me to the standard browser 404 page instead of the aforementioned advertising garbage. At least it's making progress!!

This is a personal domain. I don't NEED it. Yeah, I've changed all my forum signatures and online account "Website" fields to point to ppsstudios.com and all, but I am not suffering because I can't access this domain. Besides that, guess what! Recovery Mode is a moot point. I deleted that account. I can't get it back. I already tried that. There is no way for me to recover it, and I'm not going to risk paying ANOTHER $60+ to re-create the Google Apps account and attempt recovery which may or may not (probably will not) work. So I have to wait ANOTHER 30 days for it to drop out of recovery mode.

The umpteenth headache: after recovery mode it didn't get deleted. It went into Pending Delete status. Thank God this, for eNom anyway, is only five days. But I have no idea why they have Pending Delete. At the rate they originally grabbed that domain away from me after it had expired back in May and rerouted it to their advertising site during public auction, I have high doubts that they "simply didn't have enough server speed to delete it right away, and needed to put it into a five-day waiting line for the DNS guillotine."

But I had to just shrug my shoulders, say, "oh well," and wait it out.

Then last night I checked. I went to the eNom front page and typed ppsstudios.com into the "Register a New Domain" box like I'd been doing for the past three months and...

"This Domain is Available! Click here to purchase now."

FINALLY!

After a reasonably easy checkout process, I now have ppsstudios.com back in my possession, under one single account with a company that has been a leading registrar for decades. And I can even point it back to my old Google accounts like Blogger and Sites!

Welcome back PPSStudios!

Integer Math - Converting to Binary

Yes, I realize this is a beginning digital logic concept, but I need somewhere to write this so I don't forget again.

Unsigned Integer to Binary and Back

You are given a number: 25382
Take the modulo of it to test if it is even or odd: 25382 % 2 = 0 <= ???? ???? ???? ???0
Divide by two to get a new integer: 25382 / 2 = 12691
Take the modulo of the new number to test if it is even or odd: 12691 % 2 = 1 <= ???? ???? ???? ??10
Divide by two to get a new integer: 12691 / 2 = 6345
Take the modulo of the new number to test if it is even or odd: 6345 % 2 = 1 <= ???? ???? ???? ?110
Divide by two to get a new integer: 6345 / 2 = 3172
Take the modulo of the new number to test if it is even or odd: 3172 % 2 = 0 <= ???? ???? ???? 0110
Divide by two to get a new integer: 3172 / 2 = 1586
Take the modulo of the new number to test if it is even or odd: 1586 % 2 = 0 <= ???? ???? ???0 0110
Divide by two to get a new integer: 1586 / 2 = 793
Take the modulo of the new number to test if it is even or odd: 793 % 2 = 1 <= ???? ???? ??10 0110
Divide by two to get a new integer: 793 / 2 = 396
Take the modulo of the new number to test if it is even or odd: 396 % 2 = 0 <= ???? ???? ?010 0110
Divide by two to get a new integer: 396 / 2 = 198
Take the modulo of the new number to test if it is even or odd: 198 % 2 = 0 <= ???? ???? 0010 0110
Divide by two to get a new integer: 198 / 2 = 99
Take the modulo of the new number to test if it is even or odd: 99 % 2 = 1 <= ???? ???1 0010 0110
Divide by two to get a new integer: 99 / 2 = 49
Take the modulo of the new number to test if it is even or odd: 49 % 2 = 1 <= ???? ??11 0010 0110
Divide by two to get a new integer: 49 / 2 = 24
Take the modulo of the new number to test if it is even or odd: 24 % 2 = 0 <= ???? ?011 0010 0110
Divide by two to get a new integer: 24 / 2 = 12
Take the modulo of the new number to test if it is even or odd: 12 % 2 = 0 <= ???? 0011 0010 0110
Divide by two to get a new integer: 12 / 2 = 6
Take the modulo of the new number to test if it is even or odd: 6 % 2 = 0 <= ???0 0011 0010 0110
Divide by two to get a new integer: 6 / 2 = 3
Take the modulo of the new number to test if it is even or odd: 3 % 2 = 1 <= ??10 0011 0010 0110
Divide by two to get a new integer: 3 / 2 = 1
Take the modulo of the new number to test if it is even or odd: 1 % 2 = 1 <= ?110 0011 0010 0110
Divide by two to get a new integer: 1 / 2 = 0
Take the modulo of the new number to test if it is even or odd: 0 % 2 = 0 <= 0110 0011 0010 0110

25382 = 0110 0011 0010 0110

With a bit of programming, this can be highly consolidated:

#include <stdio.h>

int main(void) {
    int decVal = 25382;
    char binVal[16];                      /* binVal[0] receives the lowest-order bit */
    printf("Integer: %d = Binary: ", decVal);
    for (int i = 0; i < 16; i++) {
        binVal[i] = (char)(decVal % 2);   /* the remainder is the next bit */
        decVal /= 2;                      /* integer division drops the bit just stored */
        printf("%d", binVal[i]);          /* prints lowest-order bit first, i.e. reversed */
    }
    printf("\n");
    return 0;
}

Note however that the binary value's lowest-order bit is expressed on the right-hand side whereas an array's lowest-order element is expressed on the left-hand side. This will result in the direct output of the array being displayed as the reverse of the binary string it represents.

binInt = 0110001100100110;
       = B15 B14 B13 ... B2 B1 B0;

binVal[16] = {0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0};
           = {I0, I1, I2, ... , I13, I14, I15};

Thus, we will need to walk through the array in reverse order when using its values either to print to the standard output or to convert back into the regular integer:

// binVal is calculated from the for loop above (same main(), same array).
// binVal[16] = {0, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 0};
int result = 0;                          /* must start at zero before accumulating */
printf("Binary String: ");
for (int i = 0; i < 16; i++) {
    int bit = 16 - (i + 1);              /* index 15 down to 0: highest-order bit first */
    if (binVal[bit] == 1) {
        result += 1 << bit;              /* the bit at index 'bit' is worth 2^bit, not 2^i;
                                            1 << bit also avoids pow() and <math.h> */
    }
    printf("%d", binVal[bit]);
}
printf(" = Integer: %d\n", result);
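As an added example (not the post's own code), the same divide-by-two algorithm in POSIX shell: prepending each remainder builds the string most-significant bit first, so no reversal is needed afterwards, and reading it back left to right with n = n*2 + bit sidesteps the index mix-up discussed above. The width argument is an assumption; the reader also accepts the space-grouped form used in the post.

```shell
# Added example, not the post's own code: the divide-by-two conversion in POSIX shell.

to_binary() {
  # $1: non-negative integer, $2: width in bits (assumed; 16 as in the post).
  # Values needing more than $2 bits are silently truncated to their low $2 bits.
  n=$1; width=$2; bits=""; i=0
  while [ "$i" -lt "$width" ]; do
    bits="$((n % 2))$bits"   # remainder is the next bit; prepend it so MSB ends up on the left
    n=$((n / 2))             # integer division drops the bit just emitted
    i=$((i + 1))
  done
  printf '%s\n' "$bits"
}

from_binary() {
  # $1: string of 0/1 characters, most-significant bit first; spaces ("0110 0011") are ignored.
  n=0
  rest=$(printf '%s' "$1" | tr -d ' ')
  while [ -n "$rest" ]; do
    bit=${rest%"${rest#?}"}  # first character (POSIX parameter expansion, no cut needed)
    rest=${rest#?}           # drop it
    n=$((n * 2 + bit))       # shift the value accumulated so far one place left, add the bit
  done
  printf '%d\n' "$n"
}

# Round trip on the post's number.
echo "25382 -> $(to_binary 25382 16) -> $(from_binary "$(to_binary 25382 16)")"
```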

Finally! An internal DNS Server that works (for me)!

So it's been much too long since I wanted to do this, but thankfully, I have finally discovered a solution that lets me serve up my own DNS server for internal LAN things while still having an external host that administers my public website!

My scenario and quandary was this:

Right now, our company is having our website (and inherently our domain) maintained and hosted with an outside provider. This is fairly simple to set up, and all the back-end stuff is kept nice and tidy on some remote server that isn't likely to have any serious power outages, so our public content is pretty much guaranteed to always be live.

However, our domain and its DNS records were being handled by this service as well (company.com, www.company.com, ftp.company.com, etc). This wasn't too much of a problem, because until then we didn't care.

Then I decided, hey it would be really nice to have a server where we could host internal company things such as an internal website, network storage area, svn/git, etc. This was easy. Just get the boss to buy us a fancy new server computer from Dell, install a good, solid Linux server OS on it and get going. And it worked no problem.

And it turns out our public (internet) IP was static as well, which meant that I could get up on that public webhost DNS record and add a nice little subdomain for our public IP to let us serve up internal.company.com with a few port forwarding configurations through our NAT router and cable gateway. Awesome!

However, there was one big issue. Because we are set up with a two-step configuration to connect to the internet (router signs into cable modem as a client, and cable modem signs into Comcast), we were not able to pull up internal.company.com from INSIDE the company. Of course, what sort of issue is that, when you can just dial in the reserved IP 192.168.10.2 from inside? Well...that's confusing. Not that confusing to someone who knows what they're doing, but definitely confusing to someone who is just trying to make it work.

But how should I set it up so that if someone from outside the LAN is trying to access internal.company.com they get routed to our Comcast public IP, but if they're inside the LAN, they get routed to 192.168.10.2?

I had toyed with the idea of an in-house DNS for quite a while. Yet, everywhere I read, there was a ton of legalese mixed into the documentation: "You shouldn't have records to a name that you don't own, you shouldn't create records for a domain that already has a master record somewhere else, etc." This was annoying. How would I ever be able to even play with the idea of a DNS server if everyone kept telling me I shouldn't do it the only way I saw it could be done?

But then I had this thought: "The entire internet is not going to be able to access my DNS server as long as I don't forward the port it uses through the router. Nobody in the Internet Policing Agency is going to even KNOW that I have a DNS server that is routing domains that I don't own. And after reading all the "this is what DNS actually does" documentation with its levels of looking up names all the way from the website-level DNS servers to the root DNS servers, no actual computer out there will ever use my public IP address to look up DNS records, because I simply won't let the world know it's even possible! I'm not qualified as a valid DNS host, nor do I ever intend to be."

I found a pretty good tutorial at http://doxfer.com/Webmin/BINDDNSServer that was super descriptive in telling me just exactly what DNS did. And then I found the entire article was based around a cool browser-based interface called Webmin. Turns out I can pretty well administrate the entire server over that service. I'm definitely using it for other stuff!

But anyway, after a bit of reading, I decided to give using it a shot.
  1. I couldn't very well test out a DNS server without configuring a client to route through it for lookups, so I changed my LAN adapter settings in Windows to look at 192.168.10.2 for a primary DNS server. Since I don't care about standards with the system, I decided to leave the secondary field blank, which it took.
  2. I installed BIND9 via aptitude: sudo apt-get install bind9 bind9-host bind9-doc
  3. Next I grabbed Webmin from Sourceforge to prepare for its installation: wget http://prdownloads.sourceforge.net/webadmin/webmin_1.660_all.deb though if this article is outdated (which in a few months it probably will be) the actual page to download will be more likely at http://webmin.com/download.html.
  4. Tried installing it once and it failed due to a few missing libraries, so I grabbed those as well after reading the actual installation instructions from the Webmin wiki: sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
  5. Now, since I had attempted to install Webmin from the .deb file before, it automatically asked in no simple terms if I wanted to retry after aptitude finished installing those libraries. I apparently said yes to this (sudo apt-get -f install) and webmin was installed from some cache somewhere. However, if I had done it right, I would have next tried: sudo dpkg --install webmin_1.660_all.deb
  6. Once Webmin was installed and autoconfigured, I was then prompted to navigate to http://server:10000 in my browser.
  7. Once logged in via Webmin, I navigated to Servers > BIND DNS Server.
    However, this only let me access the internet as the internet, the internal network by their hostnames and the local computer as itself.
  8. Now all the tutorials I found said that you should only create a master zone if you own it, and if this was the primary location for its record (to avoid clashing with the actual one or something). However, again, this was all for experimentation, and I had to put rules and standards aside. So I clicked Create master zone in the zone section of the BIND DNS Server configuration window.
    After all, creating a slave zone only lets you ask an already-existing master for its records. You can't create DNS records in a slave zone.
  9. From here, I specified the Zone type as Forward, the Domain as company.com, left Records file set as automatic, put the server hostname (server) in the Master server field as the above-mentioned tutorial recommended, and for the heck of it put my email in the email field. The rest I left as default.
  10. With no problems whatsoever, I was brought to the Edit Master Zone screen. 
  11. Clicking the Address icon, I was brought to an A-NAME record entry screen, where I entered the Name internal and the address 192.168.10.2. I left Update reverse? as Yes which is its default.
  12. To test it out, I clicked the Apply Zone link at the top right of the screen. However, since I left Time-To-Live as default, I had to wait a few minutes before it actually worked. In time, I was able to open another browser window and successfully load the internal webpage at internal.company.com!!

    Sweet! So it works the way I want it. The internal subdomain successfully loads my internal webpages. But what about the external site that was hosted elsewhere, along with its domain name record which is also hosted elsewhere? Well, I've told my own internal domain name server that I'm controlling the root company.com now as the master record, when in all actuality the official root and www subdomains are being controlled offsite by some other company. I guess this is what they meant by making sure there was only one master zone. Well, thankfully BIND can take care of this issue as well!
  13. Backing out to the Master Zone Config screen by clicking the Return to record types link at the bottom of the page, I was able to click the Name Server icon. This record type allows me to enter a subdomain and pass all the DNS lookup work off on some other server...which is exactly what I needed to do.
  14. In the Zone Name field, I first entered @ which is the default root prefix for any domain name. In the Name Server field, I then entered our website hosting DNS server ns1.external.net. Of course, since public, qualified DNS servers have two to three (and in the case of root domain servers, 13) actual machines doing all the work, I created a new Name Server record for the root subdomain with our host's second DNS server name ns2.external.net. I also repeated this process for the www and ftp subdomains.
    In all reality, this seems a lot like the experience one might have with connecting through several devices to get onto the Internet, or port forwarding a port through multiple levels of network firewalls. The cable modem thinks the entire network consists of one client: the router, with an IP address of 10.1.10.48. But the ROUTER sees the rest of the computers on the LAN and serves them up with 192.168.10.xxx IPs. In the same way, the router sees 192.168.10.2 as the actual machine with the webserver that we tell it to forward through to the outside world. But to the router, the outside world is only its single wire from it to the modem on the 10.1.10.xxx network that the modem is serving. And the modem thinks that the router at 10.1.10.48 is the machine with the webserver that it needs to forward through. A lot of information passing just to get information to the outside world, and by then, who knows where it goes with all the routing and hopping?
  15. In any case, I'd gotten all of my public website subdomain requests passed to our hosting provider's name servers at ns1.external.net and ns2.external.net, applied the zone settings (and just to be safe, applied the configuration as well) in Webmin.
    After a few minutes, I was able to confirm that yes in fact company.com got me to our external website, as did www.company.com. And still internal.company.com routed me via the LAN to the server's webpage.
  16. I was basically done... except for one thing. How in the world was I going to get all the computers in the shop to look at my DNS server before they went outside to look at the real, public ones? I had set it up on my own computer to look at 192.168.10.2 as its primary DNS server via the IPv4 settings in the Ethernet driver settings, but I had no way of telling the other computers around the shop to do the same. Or did I?

    Opening up the main LAN router settings (an Apple Airport Extreme), I was pleased to find in its Internet > TCP/IP settings a little field there titled DNS Server(s):.
    Entering the LAN IP of my server (again 192.168.10.2), and saving it, I was able to log in over the Wi-Fi with my laptop, visit internal.company.com and www.company.com and re-verify that everything STILL worked. Now with every request the router received to pull information from the internet or elsewhere, it would first look at my internal server to pick apart domain names before going outside to the public servers.
    So that's that! Now I just need to do something similar at home. That, and creating internal subdomains for different sites hosted off of the same machine. THAT should prove interesting... but given that it's almost the end of the work day, that will have to wait until either next week, or when it finally proves practical.

So in short, if it's for internal use, you can use any domain name you want in your DNS records. No person or computer will know any different unless you explicitly tell it to search your own DNS server first. This method could even be used as a website filtering service. No more proxies through external services. Just create a blacklist and route all traffic via DNS records back in to a page that says, "Sorry. That website is blocked."

And because many people complain that the BIND configuration is super hard to figure out, I would highly recommend running Webmin on your server. It brings a GUI interface to so many of your tools...and eliminates a lot of the headache of typing everything in a console, or figuring out where everything is kept.
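As an added example (not the post's own configuration, and done in config files rather than Webmin), here is a narrower way to get the same split-horizon result: make BIND authoritative only for internal.company.com, so company.com, www and ftp are simply resolved recursively from the hosting provider's public servers and no Name Server records have to be re-entered. The LAN range 192.168.10.0/24, the server address 192.168.10.2, the hostname server and the serial number are assumptions; the query and recursion ACLs keep the box from ever acting as an open resolver, even if the port is forwarded later by mistake.

```shell
# Added example, not from the post: BIND authoritative for internal.company.com only,
# with recursion restricted to the LAN. Assumed: LAN 192.168.10.0/24, server 192.168.10.2.

write_split_horizon_config() {
  dir=$1   # /etc/bind on a real Debian/Ubuntu server; any scratch directory for a dry run
  mkdir -p "$dir"
  # Replaces the distribution's named.conf.options: only LAN addresses may query or recurse.
  cat > "$dir/named.conf.options" <<'EOF'
acl "lan" { 192.168.10.0/24; 127.0.0.1; };
options {
    directory "/var/cache/bind";
    listen-on { 127.0.0.1; 192.168.10.2; };
    allow-query { lan; };
    allow-recursion { lan; };
    recursion yes;
};
EOF
  # The only authoritative zone is the internal subdomain; nothing above it is claimed,
  # so company.com and www.company.com still come from the public name servers.
  cat > "$dir/named.conf.local" <<'EOF'
zone "internal.company.com" {
    type master;
    file "/etc/bind/db.internal.company.com";
};
EOF
  # Zone data with a short TTL so edits show up within minutes (the post hit the default TTL wait).
  cat > "$dir/db.internal.company.com" <<'EOF'
$TTL 300
@       IN SOA  server.internal.company.com. admin.company.com. (
                2014110101 ; serial, YYYYMMDDnn: bump it on every edit
                3600 900 604800 300 )
@       IN NS   server.internal.company.com.
@       IN A    192.168.10.2
server  IN A    192.168.10.2
EOF
}

validate_config() {
  # Syntax-check the zone with BIND's own tool when it is installed; otherwise skip.
  dir=$1
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone internal.company.com "$dir/db.internal.company.com" || return 1
  else
    echo "named-checkzone not installed; zone syntax not checked" >&2
  fi
  return 0
}

check_split_horizon() {
  # On a live setup: $1 is the LAN resolver (192.168.10.2), $2 any public resolver.
  # The two answers should differ: the LAN address inside, the public IP outside.
  name=internal.company.com
  echo "inside : $(dig +short "$name" "@$1")"
  echo "outside: $(dig +short "$name" "@$2")"
}

# Dry run into a scratch directory. On the server write to /etc/bind instead and then
# reload BIND (on Ubuntu of that era: sudo service bind9 reload).
OUT_DIR=$(mktemp -d)
write_split_horizon_config "$OUT_DIR" && validate_config "$OUT_DIR"
echo "configuration written to $OUT_DIR"
```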

OpenVPN

New project at work! Setting up OpenVPN. It's great fun...except when it doesn't work.

I love the Windows interface for setting up the Server. It's straight-forward, and following the tutorial at http://openvpn.net/index.php/open-source/documentation/howto.html works like a charm. Setting up the client is just as easy, and the connection can be made in a matter of minutes.

However, I started running into problems when I began trying to replicate the server over to Ubuntu 12.04. The tutorial once again was straightforward and everything SEEMED to work out. I could start up the server and everything. It was all good.

However, for some strange reason, I was unable to actually connect to the client. I would generate the certificate authority key, server key, and client key plus the Diffie Hellman number. Server again started up great. But after transferring the client keys to my Windows computer, and setting up the client configuration, I kept getting an odd error "Private key password verification failed."

Looking this error up, all I could find were forum entries on http://forum.openvpn.eu talking about making sure you didn't set a challenge password when generating keys and ensuring that the user/password authentication on your OpenVPN server was turned off. Both of these were true in my case, so no help.

Then I started thinking, could it be the age-old, infamous Unix vs. MS line ending problem? Let's find out! Opened each of the files, ca.crt, client.crt and client.key in a text editor in turn, made a slight change, undid it and saved the file to ensure they all had MS line endings.

Well....it was in this process that I found my big problem. Opening client.key (the private RSA key that the client would use when authenticating over SSL), I found that instead of a standard RSA hash, it read:

<html><head><title>403
Forbidden</title></head><body><h1>
Forbidden</h1>
You don't have permission to access /Lynx/dp_m14x.key
on this server.
<hr />
<address>
Apache/2.2.22 (Ubuntu) Server at 192.168.10.21 Port 80</address>
</body></html>

Oops. Turns out that Ubuntu, when generating the key/cert via easy-rsa, decided to give the private key file root-only access, which, for this type of file is a *very good thing*. Thus, when attempting to access it via the standard Apache www-data user from the browser, it gave me a 403 which I did not see as I did a right-click > Save As on my directory listing of the file.

Attempted to instead copy it to my Samba folder and transfer it over to my Windows client that way. Still no go. Now I got Windows access errors "Could not read file..."

Finally decided to get smart about it.
cp /etc/openvpn/easy-rsa/keys/client.key /home/daniel/Documents
chmod 777 /home/daniel/Documents/client.key

rm /home/daniel/Documents/client.key

Now I just need to figure out how in the world to transfer it over without being so unsecured about it. Gzip?
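As an added example (not the post's own commands), a small shell check that refuses to install a "key" that is really a saved error page like the one above, and installs a genuine one with owner-only permissions instead of chmod 777. The sample files are constructed inline and the key material is a placeholder; the scp line in the comments answers the transfer question, since SSH encrypts the copy in transit while gzip would only compress it.

```shell
# Added example, not from the post: validate a PEM private key before installing it as an
# OpenVPN client key, and keep it owner-only. Sample files below are constructed.

is_pem_private_key() {
  # $1: file path. Returns 0 only if the file looks like a PEM-encoded private key.
  f=$1
  [ -r "$f" ] || return 1
  first=$(head -n 1 "$f" | tr -d '\r')    # tolerate CRLF files copied from Windows
  case "$first" in
    "-----BEGIN "*"PRIVATE KEY-----") ;;   # RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY ...
    *) return 1 ;;
  esac
  # A 403/404 page saved through a browser (as happened above) is caught here.
  grep -q -i -e '<html' -e '<!doctype' "$f" && return 1
  grep -q -e '-----END .*PRIVATE KEY-----' "$f" || return 1
  return 0
}

install_client_key() {
  # $1: copied/downloaded file, $2: destination (e.g. the OpenVPN client config directory).
  if ! is_pem_private_key "$1"; then
    echo "refusing to install $1: not a PEM private key" >&2
    return 1
  fi
  ( umask 077 && cp "$1" "$2" ) || return 1   # created as 0600 from the start, never 777
  chmod 600 "$2"
}

# Moving the key off the server: copy it over SSH, which encrypts it in transit
# (gzip only compresses; it gives no secrecy). Example, not run here:
#   scp daniel@server:/home/daniel/client.key ./client.key

# Constructed samples: an HTML error page like the one above, and a placeholder key.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/bad.key" <<'EOF'
<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1>You don't have permission to access this file.</body></html>
EOF
cat > "$DEMO_DIR/good.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-REAL-KEY-MATERIAL
-----END RSA PRIVATE KEY-----
EOF

for k in bad good; do
  if is_pem_private_key "$DEMO_DIR/$k.key"; then echo "$k.key: looks like a private key"
  else echo "$k.key: NOT a private key"; fi
done
```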

-------------------------------
11-2014 Edit:
I recently had to rebuild my iptables rules this last week due to some unforeseen ISP issues. For future reference, here's what I had to input in order to allow OpenVPN clients full internet plus LAN access:

# --ctstate belongs to the conntrack match, so -m conntrack is required for the rule to load
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# VPN clients (tun0, 10.8.0.0/24) may reach the LAN behind eth0
iptables -I FORWARD -i tun0 -o eth0 -s 10.8.0.0/24 -d 192.168.10.0/24 -j ACCEPT
# hide VPN clients behind the server's own address when their traffic leaves via eth0
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j MASQUERADE

It's also good to note that I did have to do a full server reboot to apply this.

This Annoying Christmas Theme

Amazing. I've neglected this site so much in the past year that I forgot to take my Christmas theme down and now it's time to put it back up!

Awesome.