Custom domains - do you use internal or external domains for this?

0
In Mendix Applications you can set up a custom domain. This is done using the CNAME DNS entry. So if we use a public sub-domain for the applications like myapp1.xxx-yyy.com, the users can easily open this application in the browser and they benefit because of the following:

- The application belongs to our company – based on the domain and based on the SSL certificate (No phishing app mimicking the frontend)
- There can be an easy pattern to memorize – myapp1.xxx-yyy.com, myapp2.xxx-yyy.com, myapp3.xxx-yyy.com etc.
- Later, if needed, it's our company that can re-route the users to a new application because of the domain name managed by us.

But – for potential hackers the public domain can be visible and can enable inventorisation of the applications from outside. This may have security implications and there are concerns in this area.

Therefore the question – is it possible to use only internal domain names as a custom domain, those that are not publicly visible in the Internet and used only in INTRANET? Example: “http://myappl1.intranet”? Is there any general recommendation for this?
asked
2 answers
2

Maybe I don't get the question.

How does setting a DNS name expose your application to an attacker more? That's just the name for the (v)Host address. It doesn't make sense to me; once a service is published on the internet, a DNS record doesn't make it more or less vulnerable.

If you have an on-premise installation, you can make whatever DNS record on your local DNS server and route that traffic to the desired destination and set IIS/Apache/NGINX to serve the correct application.

If it is on cloud and you have the possibility to configure a DNS record to be processed and directed to your vHost – it should work.

answered
0

One could discover application nodes that are not intended for public access simply by enumerating and repeating the patterns used in the name of the domain, such as ap1.bla.com, ap1-t.bla.com, ap1-a.bla.com (for production node, test node and acceptance node).

Another option is to dig into the SSL – but there for security reasons I would not reveal more info.

Anyway, big brother such as Google/Microsoft etc. they know everything because the browsers and OS can reveal the information as well and pass it on as “telemetry data”.

Anyhow, all the nodes must be properly configured and security applied, but you know – during the development things may happen and I would like to take every opportunity to protect our environment and applications.

Nevertheless – let's come back to my question – do you have experience using internal DNS names and internal certificates? I consider it as a secondary measure (primary is of course encryption and proper authentication).

answered
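A defender-side check for the naming-pattern concern raised in the second answer, added here as an example and not part of the original thread: it scans an export of your own public DNS zone and lists test and acceptance names that are published there. The zone content, the target host names, the suffix-to-environment mapping and the function name are assumptions constructed for illustration.

```python
# Constructed sample: BIND-style export of the *public* zone (not real data).
PUBLIC_ZONE = """\
$ORIGIN bla.com.
$TTL 3600
@        IN SOA ns1.bla.com. hostmaster.bla.com. 1 7200 900 1209600 300
ap1      IN CNAME ap1.apps.example.net.
ap1-t    IN CNAME ap1-t.apps.example.net.   ; test node
ap1-a    300 IN CNAME ap1-a.apps.example.net.
ap2-t    IN A     192.0.2.10
         IN AAAA  2001:db8::10
www      IN A     192.0.2.20
"""

# Assumed convention, taken from the answer above: "-t" = test, "-a" = acceptance.
NON_PROD_SUFFIXES = {"-t": "test", "-a": "acceptance"}
ADDRESS_TYPES = {"A", "AAAA", "CNAME"}  # record types that make a name reachable

def public_non_prod_records(zone_text):
    """Return (fqdn, environment, rtype, target) for non-production names in the zone."""
    origin, last_owner, findings = "", "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # drop trailing comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("$"):        # directives: only $ORIGIN matters here
            if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
                origin = fields[1].rstrip(".")
            continue
        if line[0].isspace():                # leading blank: owner inherited from previous record
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
            last_owner = owner
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                  # skip optional TTL and class
        if len(rest) < 2 or rest[0].upper() not in ADDRESS_TYPES:
            continue
        label = owner.split(".")[0].lower()
        env = next((e for s, e in NON_PROD_SUFFIXES.items() if label.endswith(s)), None)
        if env:
            fqdn = owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
            findings.append((fqdn.lower(), env, rest[0].upper(), rest[1]))
    return findings

if __name__ == "__main__":
    for fqdn, env, rtype, target in public_non_prod_records(PUBLIC_ZONE):
        print(f"{fqdn}: {env} node published publicly via {rtype} -> {target}")
```

Names it reports are candidates for moving to an internal-only zone or for access restriction at the node itself.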