PHP DNS – Wildcard Certificates and Local Stuff
Whenever you work in a local environment, you have to deal with a variety of problems, from setting fixed DHCP leases to creating special name server entries. Sometimes it is helpful to have a reflecting name server.
I was confronted with a problem. A hotel has a private wireless network and runs a number of services on it. Those services change depending on events happening at the location and the hotel management doesn’t really have a geek on duty to set up the IP numbers or DHCP entries. They wanted me to set up an environment that is able to securely connect to any IP number within their realm and not display errors or warnings due to self-signed or non-matching certificates.
This is easy, I thought – not realizing that something always is much more complicated than it sounds. In my case I soon discovered that one can’t have a valid trusted SSL/TLS certificate for local domains. So simply discovering the server and connecting to it didn’t work – because certificates for “service.local” will not be trusted anymore.
I had two problems now. I had to discover a server and to securely connect to it even though the location, IP number or name was unknown.
The services in question usually run on a PC, laptop or Raspberry Pi. I changed their configurations so that the units periodically send their currently assigned local IP number and some information (“Live Video Concert Garden”) to the hotel’s main website. The guest simply connects to this main website, finds the list of services and connects to it by simply clicking the link. That solved part one. I now had a local IP number, but not a valid certificate.
I found a small little DNS server (written in PHP) on GitHub and changed it so that whatever I ask, it answers my own question. It simply reflects pretty much what I ask back. Cool. I delegated the sub-domain “local.xyhotel.com” to this little DNS server and I was almost ready to rumble.
$ ping firstname.lastname@example.org
64 bytes from 192.168.2.62 (192.168.2.62): icmp_seq=1 ttl=46 time=40 ms
64 bytes from 192.168.2.62 (192.168.2.62): icmp_seq=2 ttl=46 time=38 ms
Cool. I could now get a valid, trusted (wildcard) certificate for “local.xyhotel.com”. All that was left to do was to change the dynamically generated links on the main website from the plain IP address to my echo resolving name server.
<a href="https://192.168.2.61/listen">Click to listen to the concert</a>
<a href="https://192-168-2-61.local.xyhotel.com/listen">Click to listen to the concert</a>
The guest’s browser connected and everything worked as expected.
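The reflection step described above, as an added PHP example; it is not the code of the DNS server the post links to. The zone name is taken from the post, while `reflectName()` and the choice to answer only for RFC 1918 addresses (so that names under the hotel's domain cannot be made to resolve to arbitrary public hosts) are assumptions.

```php
<?php
// Added example; not the code of the PHP DNS server the post links to.
// ZONE is the delegated sub-domain named in the post. reflectName() and
// the private-range restriction are assumptions of this sketch.
const ZONE = 'local.xyhotel.com';

/**
 * Return the IPv4 address to put in the A record for a query name such
 * as "192-168-2-61.local.xyhotel.com", or null to answer NXDOMAIN.
 */
function reflectName(string $qname): ?string
{
    $qname  = strtolower(rtrim($qname, '.'));   // case-insensitive, drop root dot
    $suffix = '.' . ZONE;
    if (substr($qname, -strlen($suffix)) !== $suffix) {
        return null;                            // outside the delegated zone
    }
    $label = substr($qname, 0, -strlen($suffix));
    // Exactly one label: four dash-separated groups, no leading zeros.
    // A wildcard certificate covers one label only, so deeper names are refused.
    $octet   = '(0|[1-9]\d{0,2})';
    $pattern = '/^' . implode('-', array_fill(0, 4, $octet)) . '$/';
    if (!preg_match($pattern, $label, $m)) {
        return null;
    }
    $o = array_map('intval', array_slice($m, 1));
    if (max($o) > 255) {
        return null;                            // not a valid IPv4 octet
    }
    // Reflect RFC 1918 (private) addresses only.
    $private = $o[0] === 10
        || ($o[0] === 172 && $o[1] >= 16 && $o[1] <= 31)
        || ($o[0] === 192 && $o[1] === 168);
    return $private ? implode('.', $o) : null;
}

// Constructed query names, for illustration only.
$queries = [
    '192-168-2-61.local.xyhotel.com',       // reflected
    '192-168-2-61.LOCAL.xyhotel.com.',      // reflected (case, trailing dot)
    '8-8-8-8.local.xyhotel.com',            // public address: refused
    '192-168-2-999.local.xyhotel.com',      // octet out of range: refused
    'a.192-168-2-61.local.xyhotel.com',     // extra label: refused
    '192-168-2-61.other.example',           // foreign zone: refused
];
foreach ($queries as $q) {
    printf("%-36s %s\n", $q, reflectName($q) ?? 'NXDOMAIN');
}
```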
Now – before you ask: The problem as described may have easily been solved with a different approach. I know. But the devices in question are being used in a lot of the hotel (-chain) locations and are usually simply plugged in by the staff. My solution made it possible that there is no need to configure the devices and that they can be easily accessed by guests with valid SSL/TLS certificates.
And that little PHP DNS name server can be used for a variety of services and to solve problems (or inconveniences) during software development or testing. It can easily be extended to provide additional services such as forwarding but I leave this to your imagination.
You can download it here:
This version allows you to reflect IP numbers as described, but I also added a crude forwarder that resolves other domains into their respective IP numbers as well. Use at your own peril.
Original (non-reflecting) PHP DNS Server on GitHub
About the author:
Michaela Merz is an entrepreneur and first generation hacker. Her career started even before the Internet was available. She invented and developed a number of technologies now considered to be standard in modern web-environments. Among other things, she developed, founded, managed and sold Germany’s third largest Internet Online Service “germany.net”. She is very much active in the Internet business and enjoys “hacking” modern technologies like blockchain, IoT and mobile-, voice- and web-based services.