JD Cloud has launched a DNS domain name resolution service, but has been using DNSPOD due to habit issues. Recently, I have received feedback from many friends, prompting whether the mining site is inaccessible in certain areas. After ruling out the problem of the host line, it is speculated that it may be caused by the DNS resolution. After all, there are more or less problems when the server is placed abroad.

So I thought of adding CAA records to DNS. CAA stands for DNS Certification Authority Authorization, which is a technology authorized by a DNS certificate authority. With the help of the Internet's Domain Name System (DNS), domain holders can specify a digital certificate certification authority (CA) that is allowed to issue certificates for their domain.

CAA records can prevent middlemen from forging SSL certificates to hijack URL connections to a certain extent, and can protect normal DNS resolution to the greatest extent. It is a pity that DNSPOD, the largest free DNS resolution service provider in China, does not support CAA records. So far, cloudxns and JD Cloud DNS have supported CAA record resolution.

JD Cloud DNS free domain name resolution service - supports major line partition subdivisions and can add CAA resolution records

This article will share the domain name resolution service of JD Cloud DNS. Currently, JD Cloud DNS can be upgraded to the enterprise version for free, supporting intelligent line resolution such as China Telecom, China Mobile, China Unicom, Founder, Wasu, China Railcom, and Changkuan. The minimum TTL is 60 seconds, it supports pan-resolution, the traffic protection is 2GB, and the QPS protection is 5W. Generally speaking, the enterprise version of JD Cloud DNS is better than DNSPOD.

Regarding free DNS resolution services, you can also check out these:

  1. Give up free DNS and switch to paid DNS - Google cloud DNS application usage and resolution results
  2. Summary list of free DNS domain name resolution services at home and abroad - Find more free DNS domain name resolution
  3. Comparison of foreign domain name providers Name and Namecheap - cheap .com domain names and Whois protection

PS: Updated on June 26, 2018, Thanks to my friend Diary for the enthusiastic reminder. Currently, the free DNS that supports CAA in China are as follows: DNS.com, Alibaba Cloud (Wanwang) DNS, and DNSDUN. com. Among them, DNSDUN also supports domestic partition resolution and DNSSEC (but you need to pay to use it)

PS: Updated on July 4, 2018, Although JD Cloud supports CAA, it does not support DNSSEC. If you want to experience more secure DNS resolution, you can try GCP DNS: Enable DNSSEC for DNS domain name resolution to prevent DNS hijacking -Google Cloud DNS settings DNSSEC.

1. JD Cloud DNS registration and use

website:

  1. HTTPS://wuwuwu.I feel ugly.com/

DNS domain name resolution service is a major business of JD Cloud. You only need to log in to the JD Cloud management backend to find the DNS domain name resolution page. Regarding JD Cloud VPS, you can read my previous review: Jcloud JD Cloud VPS Host Performance and Speed ​​Evaluation -The price is cheap but VPS hard disk IO reading and writing is slow.

At present, JD Cloud DNS Enterprise Edition is still free. Now add a domain name and directly upgrade to JD Cloud DNS Enterprise Edition. The following are the functional differences between JD Cloud DNS Free Edition and Enterprise Edition. (Click to enlarge)

Instructions for adding a CAA record are as follows:

If you directly fill in the top-level domain name for the host record, it will be automatically applied to the multi-level domain name.

CAA data fill in 0 issue "certificate authority domain name" .
If you use a free certificate issued by Let’s Encrypt, just fill in the CAA data section directly with 0 issue "letsencrypt.org".

You can also add a CAA record for 0 iodef mailto:iwzfou@gmail.com, indicating that if a violation of the CAA record is found, an email notification will be sent to this email address.

In addition to common DNS resolution services such as Google Cloud DNS, Route 53, DNSimple, etc., if you are using BIND, PowerDNS, dnsmasq, etc., adding domain name CAA records will be different from the above. It is recommended to use CAA records to be automatically generated online.

  1. HTTPS://SSL mate.com/CAA/

Enter the domain name directly, and the tool will automatically query what certificate your website uses, and then you can see the CAA record you want to fill in. The following is the effect of adding the CAA record to wzfou.com.

Finally, we can use the SSL certificate online testing website to check whether the CAA record of our domain name is valid: https://www.ssllabs.com/ssltest/index.html.

4. Summary

Currently, any domain name added to JD Cloud DNS can be upgraded to the enterprise version for free. The enterprise version of JD Cloud DNS has more functions and is more practical than the free version of DNS, such as line division, CAA records, regional division, etc. These are DNSPOD There is nothing left.

For DNS CAA records, it can be said that to a certain extent, it can prevent middlemen from forging SSL certificates and hijacking DNS resolution. In order to ensure that DNS is "foolproof", it is recommended to enable HSTS and join the HSTS Preload List to make HTTPS access to the website more secure. The effect can be found on the wzfou.com website.

Leave a Reply