I would be interested to know if someone does this outside of Cloudron for their existing business/personal use. Seems like a lot of work (and probably just easier to switch out your NS provider if they are flaky). We use route53 for cloudron.io and AFAIK it has never gone down.

@briankb-0 said in Root Domain Hosts Shopify Site Subs Are Cloundron:

What happens if I add the domain to Cloundron so I can use it to setup sub-domains for NodeBB and Ghost?

When you add a domain:

To validate credentials, the code will add a cloudrontestdns A record and remove this immediately. To configure the server to send emails: If there is an existing SPF record, it is edited to have a:my.my.domain.com . The SPF record essentially whitelists which servers can send email on behalf of the domain. This is NOT destructive, your existing SPF record is only amended. A DKIM record is added under <random>._domainkey.domain.com. This is used to sign/verify emails by mail servers. Because of the 'random' part, it won't conflict with any of your existing DKIM keys If there is no existing DMARC record, we create one with the value "v=DMARC1; p=reject; pct=100". This essentially is a strict DMARC policy not allowing anyone outside the SPF record to send emails on behalf of the domain.

Other than that, it is what @BrutalBirdie said. The bare/root domain is untouched. Cloudron only adds entries when you install apps. Also, if you had a root domain DNS entry already, it will warn you that it's in use, if you try to install an app on the root domain (it does this check for any subdomain).

@humptydumpty yeah, and I think the vast majority of sites do not and will not get "slash dotted" or get DDoS attacked and anecdotally I've seen WAY more people (including on here) mentioning issues/ problems caused by Cloudflare than people saying "thank good I was using Cloudflare" (I don't think I've ever seen anyone say anything like that)

I think it's a bit like High Availability stuff. As @marcusquinn has I think mentioned elsewhere, most people just don't need it.

And whether or not all/ most of that article I posted is now outdated, it seems obvious to me that everyone using Cloudflare (who in the end are just another investor owned private profit seeking big corporate) contributes to the over centralisation of everything on the web.

Just for info, I also found these bits of their recent SEC return interesting:

We have a history of net losses and may not be able to achieve or sustain profitability in the future.
We have incurred net losses in all periods since we began operations and we may not achieve or maintain profitability in the future. We experienced net losses of $260.3 million, $119.4 million, and $105.8 million for the years ended December 31, 2021, 2020, and 2019, respectively, and as of December 31, 2021, we had an accumulated deficit of $680.8 million. Because the markets for our products are rapidly evolving, it is difficult for us to predict our future results of operations. We expect our operating expenses to increase over the next several years as we continue to hire additional personnel, expand our operations and infrastructure both domestically and internationally, and continue to develop our products. In addition to the expected costs to grow our business, we also are incurring significant additional legal, accounting, and other expenses as a public company, as described in greater detail in the risk factors below. If we fail to increase our revenue to offset the increases in our operating expenses, we may not achieve or sustain profitability in the future.
We have experienced rapid revenue growth, which may not be indicative of our future performance.
We have experienced rapid revenue growth in recent periods, with revenue of $656.4 million, $431.1 million, and $287.0 million for the years ended December 31, 2021, 2020, and 2019, respectively. You should not consider our recent growth in revenue as indicative of our future performance. In particular, our revenue growth rates may slow or decline in the future and may not be sufficient to achieve and sustain profitability, as we also expect our costs to increase in future periods. We believe that historical comparisons of our revenue may not be meaningful and should not be relied upon as an indication of future performance. Accordingly, you should not rely on our revenue and other growth for any prior quarter or year as an indication of our future revenue or revenue growth.

@gobenizzle see the unbound section of https://docs.cloudron.io/troubleshooting/#recovery-after-disk-full in case you hit the disk space issue.

@Mastadamus From the earlier screenshot you posted, the issue seems to be "Could not establish chain of trust". So, I would investigate that angle (which is DNSSEC related)

@nebulon Unfortunatelly not.

Just if anyone wants to contribute them self 😉

https://git.cloudron.io/cloudron/box/-/tree/master/src/dns

I figured it out. There was an issue in namecheap because after checking the ip adress in dnschecker it had two ip addresses: One was the server ip and the other from namecheap. Now there is only one available after chatting with them.

@jdaviescoates ah yes then this most likely was the issue with the unbound anchor file. See https://docs.cloudron.io/troubleshooting/#recovery-after-disk-full

@jodumont For apps that require multiple domains from the get-go i.e they require multiple domains at installations time, this is part of the next release (7.1) - https://forum.cloudron.io/topic/5982/what-s-coming-in-cloudron-7-1 .

Many (most?) apps can only handle being configured with a single domain. There is usually an APP_ORIGIN or equivalent setting that can only be set to one domain and is not an array. It is used by the app to set up CORS headers, generate static links, email links etc.

@meeksfamily06 Cloudron uses unbound and does not use systemd-resolved. You won't see any issues unless when trying to use the mail server (or maybe some apps like nextcloud might act strange when going to the apps section).

FWIW, a great DNS tool for checking on DNS propagation progress is here: https://dnschecker.org

@scooke yes, you can mix between Cloudron's automation and manual DNS changes. In fact, that's the normal and only mode of operation.

The automation is only adding and removing things that you would have to do normally outside Cloudron. For example, when you install an app, you have to setup A records. When you uninstall an app, you remove the A records. This is all the automation does. If you try to install an app in a location and there is already a DNS entry in your DNS provider, Cloudron will inform you of the same and let you 'overwrite' it or cancel the app installation.

Same goes for email stuff. It sets up things like DKIM/SPF records automatically. These are updated carefully to not collide with existing entries. The MX record is only touch if you enable incoming Cloudron Email. Even in that case, there is a checkbox to not update DNS.

@khadanja Is your idea to forward all queries ? The example config you pasted will only forward DNS queries for cloudron.lan (sic). You need the config in https://forum.cloudron.io/topic/5756/custom-dns-server-in-local-network/2 to forward all queries to your router.

@klfc556 does that domain contain any special characters? Also can you query the nameservers from your server if you are logged in via SSH?

This can be done for example with host -t NS example.com

@murgero I didn't say it wouldn't be accessible; it would, just through my proxies, that make sure to remove any information, that would help in disclosure.

You also miss an option with Intranets.

@klfc556 let's follow up at https://forum.cloudron.io/topic/5715/domain-setup-shows-queryns-eservfail

@brutalbirdie ok, thank you - I've got the idea!

If you like you can send us your domain name to support@cloudron.io and we can check if it's something on your side (i.e. some browser caching issue) or if we see it as well.

@girish Thanks, I thought maybe I set the DNS wrong but it must be the host then

Problem solved by install all three instances into one and bought a license from cloudron. Now it works 😉

@d19dotca Okay, that is a bit confusing, but I will only be able to figure it out once I try it.

I appreciate everyone's help and responses.

@girish said in DNS CNAME and Cloudron Redirect for WWW:

roundbear.org

Thanks - that'll teach me to test things simultaneously! Fixed.

Solution:

set cname on cloudflare to www / baredomain.com set redirection on the app to add www

@mastadamus right, the spamlists won't work if those lookups get blocked. Currently, if the lookups fail, the mail server will simply go ahead and try to detect spam via spamassassin. It's just one of the metrics for spam detection. I guess it's fine if it's working OK for you without it .

@girish Just when I thought I understood DNS I learn about negative caching. Not sure if this was the issue, but it is possible. Thanks.

@girish No I've not patched manually, I have assumed 😛 sorry
I assumed the latest update was with the CNAME/A-record fix was live.

The thing was that my home server has been offline for a while and when I started it up it updated to from v7.0.4 to v7.1.3 then v7.1.3 to v7.1.4.

After that the DNS propagation didnt work any longer, as it had done before.