Using No-IP to Mask a URL

Greetings,

I am looking for advice on the following networking question. I have a Windows 2000 web server that is running a custom .NET application and a SQL server database. I have registered a domain - let's say mrchip.com for illustration purposes. I am using the service from No-IP to manage my DNS. In other words, my domain registrar (Network Solutions) points any requests for mrchip.com to No-IP's name servers which then redirects the request to the numeric IP address of my server, 65.2.105.123 for illustration.

When someone clicks on a link that says mrchip.com, they correctly see my web page. The problem is that their address bar shows http://65.2.105.123/xxxxxxx as opposed to http://mrchip.com/xxxxxx.

No-IP offers an option that would solve this by masking my URL. They say "selecting Mask URL puts the URL you are redirecting to inside a frame. This way you will always see http://mrchip.com/. "

Here are my questions:
1. Is there any risk in using this Mask feature? Can some browsers either refuse to show my site or show a security warning saying that the site is masked? If so, which ones may show problems?

2. Can any browser or security software flag my site as risky because it has frames?

3. How does the frame created for the mask impact my page content, if at all?

I tried using this feature two years ago. At that time, several visitors to my site reported problems viewing my site. These problems went away when I turned off masking. I cannot recall what browsers these visitors were
using - it may have been an old version of IE on the Mac.

I am in the middle of a study and cannot easily pull my site offline for testing. Down the road, I plan to hire someone locally to set up a DNS server. I am not technically savvy enough to try and do that on my own with a web server in production.

I would greatly appreciate any thoughts on the above, or ideas on how to easily have my domain name, as opposed to IP address, show in the header bar.

Mr. Chip

 

Masking is OK, and a cheap (in the UK anyway) way of assigning a domain name to a site. However, there are issues with it. The main one I have come across concerns IE seeing the hosting of your pages within another page as a security issue. Effectively, because the site you are viewing is not in the same name space as that being presented by the main page, IE assumes this is some sort of phishing scam.

In my experience, this means that masking works fine for viewing content (static or dynamic), but starts hitting problems when you want to assign cookies (and therefore sessions), and allow user input.

If you are using .Net this may become a problem quicker that you may think as some features may rely on background session tracking without you explicitly setting it up.

Again this view is biased from my UK point of view, but I believe your easiest option is to find an ISP who will provide you with a static IP address and assign Domain names to it for you. In the UK such ISPs can be found that are competitive with the cheapest ISP. I don't know if this is also true in your part of the states. You may find you have to pay a small premium to get this service.

The other option is to find a hosting company that will host the .Net application for you and sort out the domain naming at the same time. Setting up the remote .Net site is not a trivial matter (as the ISP needs to set up their server's to specifically host your application - it's not like PHP where you can just post scripts up to the server), but the host-site's team should be able to help with the set up, and once set up your .Net application should be fine. The advantage of this option is that you can let the hosting site worry about security - you don't have to open a part to your own server/firewall to remote access. The down side is loss of direct link for maintenence and updating.

 

Thank you ReggieB (and TonyT)

ReggieB,

Thank you for the excellent explanation of the risks associated with URL masking. You are correct that my .NET application uses a session cookie. This is probably the reason we ran into problems when we tried the URL masking some time back. You also point out that I run the risk of all kinds of problems with I.E..

Thanks to both of your comments, I can officially and permanently put to rest the idea of using URL Masking.

ReggieB, you also raised a point that I never thought of - and the obvious solution (I think). My web server already has static IP addresses through my ISP. I will contact my ISP to see what I need to do to have my domain point to my web server.

Thanks again. This is why I love this BBS!

 

Hi Tony, I do have a business account. In fact I have SDSL service with 5 fixed IP addresses. I asked my software developer about my plan and he said that I would need to set up Domain Name Service on my server. Here are the details of my current situation and my plan (with actual domains hidden for security):

Right now my domain (mrchip.com) is registered at Network Solutions. Network solutions points to No-IP name servers which then forwards the domain to my server’s router IP address of 12.3.456.789.

What I was hoping to do was:
1) First update Covad’s name servers to point to my router’s IP of 12.3.456.789. Then wait until Covad says their DNS is updated (I think this takes 24 hours).

2) Then I update my Network Solutions to point to Covad’s name servers instead of No-IP. I seem to remember that Network Solutions needs 24-48 hours for these changes to "propagate through the internet." In the meantime, mrchip.com still points to No-IP which forwards to my router.

3) Once Network Solutions is updated, when you type in mrchip.com you should go straight to my box and see mrchip.com in the header. At that point I can close my No-IP account if I like.

My .NET developer says "Covad will direct the HTTP request to your network, but I think that your server will still need to resolve mrchip.com to an IP address - which requires Domain Name Service running on your server. "

Is he correct? If so, do you know the step by step procedure for setting up and running Domain Name Service on a Windows 2000 server?

Thanks so much for your continued help!

 

I'm glad that TonyT and I were able to help.

Forgive me if I'm stating the obvious, but don't forget that if you do this, you've just shifted your security risks up a notch. Nothing unmanageble, but I would strongly recommend investing in a decent firewall. That means either software (Smoothwall, or ISA for example) or a hardware firewall that at least does stateful inspection (for example a small Cisco PIX, Watchguard soho, or Sonicwall box). Personally I believe relying just on NAT and standard OS firewall options isn't good enough if you start hosting services on the internet.

 

ReggieB - Nothing to forgive. You two have been a huge help. I already have a hardware firewall from NetScreen installed and set up.

As an update since my last post, I have updated my registrar to point my domain to my ISP's name servers. I also set up my DNS settings at my ISP, so now my domain resolves to my server and my domain name appears in the headers.

Everything is working with one minor glitch. EMail that were sent in the past few weeks contained a hyperlink that no longer works. When I click on the link I see a page that says "Directory Listing Denied ". Is there any way to change the wording of this error page?

Mr. Chip

 

Splendid news that everything is working.

Assuming that this message is coming from your webserver (IIS I presume), rather than one of your ISP's mail servers, then yes you can definitely customise it. You can over-ride any error message with your own.

I've not played with this feature myself, so I'd advise checking the IIS documentation. If nothing else this should give you the object names for the data presented in the error pages, that you may well want to use in you own error pages.

On a 2003 server, go into the IIS management screens and select the "Web Sites" object. Right click on the object and select properties. Go to the "Custom Errors" tab. That screen then shows you all the mappings of error message to error type. To put in your own error pages, create the pages and change the mapping on this screen.

You don't have to make this change at the "Web Sites" level. The daughter object of "Web Sites" also have "Customer Errors" options, including virtual sites. Therefore, you can choose customer errors for the whole site, or just sections of the site.

Oh! and the step I should have noted earlier, make a note of the error number you currently get the problem with, as you will probably at this stage only want to edit the page mapping for that error.

As I said earlier, I haven't played with this myself so don't know if there are any gotcha's to watch out for. Make a note of any current mapping before you make a change, so that you can roll it back. Also I'd suggest you start at a low level daughter object first. I'd even be tempted to create a small virtual site first and have a play with that.

In different versions of IIS, the place where these values are set may be in a different location, but you can definitely still change them. Just the process may be slightly different.

If you use Apache, you can also change you error pages. I think it requires changes to http.conf.