
In this article, we’ll set up a typical DNS record for a website hosted outside its domain name registrar. As I always advocate, you should use https://www.youdomain.com as your main domain if you are a blogger or small business owner. As a good practice, we’ll use a DNS redirect to properly redirect all non-www traffic to the www subdomain. Namecheap will be the registrar in our example.

1. Our Setup

1.1 The Network Architecture

The approach could be different for a different architecture. In our discussion, we assume the architecture is like the following.

  1. You registered a domain name from one of the registrars, such as Namecheap;
  2. You will install an SSL certificate on your host, but your host is not with the registrar. For example, it could be an EC2 instance on AWS or your own desktop in your school lab.
[Figure: The Network Architecture]

1.2 Limit Configuration only within Registrar Portal

Since the redirection can happen from anywhere along the path, we’ll limit our discussion to using the DNS entry in the Registrar’s Portal only. We do not use server-side redirection by Nginx or Apache. I’ll write another article about that.

For the rest of this article, I’ll use wwwinsights.com as an example. The registrar is Namecheap. wwwinsights’ content is hosted on 52.23.210.66, which is the public IP address of the EC2 VPS (Virtual Private Server) on AWS.

2. Configuration Process

2.1 Add A Record to your Host IP

An ‘A record’ is THE first DNS entry you need to add. It maps a domain name to an IP address, which is the host of the content for the domain name. There are various ways to configure this A record, but our goal is (1) to use www.wwwinsights.com as the main domain and (2) to push the redirection burden to Namecheap. So we configure an ‘A record’ for www, not the root domain.

[Figure: steps to configure an A record]

Follow the step shown in the above diagram to find the place to add a DNS record. Then add the A record to have your www domain name pointing to the EC2’s IP address.

Wait for a while (usually a few minutes) then open any command line and try to ping www.wwwinsights.com.

If your EC2 does not respond to ICMP, you won’t be able to successfully ping it. But you should be able to see the ping resolves to the correct IP address shown in the following diagram.

[Figure: ping www.wwwinsights.com]

Open your favorite web browser and type www.wwwinsights.com in the address bar. You should be able to see the index.html in the root directory of the site, although the web browser is very likely to warn you that you are visiting an unsecured website. A small tip: modify the index.html to be site-specific, so you know for sure you are seeing this particular file.

At this point, you can also type wwwinsights.com and okay.wwwinsights.com in the web browser; neither of them will work, because apart from the exact match of www.wwwinsights.com, no one knows how to route other domain names.

2.2 Install SSL Certificate on your EC2 Host

I’ll write another detailed article on how to install SSL Certificate.

After successful installation, Certbot blocks HTTP port 80 for www.wwwinsights.com and responds to any www.wwwinsights.com HTTP traffic with a 301 permanent redirect to the corresponding HTTPS URL. At this time, if you type www.wwwinsights.com in your web browser’s address bar, your web browser follows the redirect and visits https://www.wwwinsights.com.

With Chrome, ‘https://www.’ is hidden, while Edge and Firefox show the entire address. All of them display a lock showing that the connection is HTTPS.

[Figures: Chrome Address Bar, Edge Address Bar, Firefox Address Bar]

2.3 Redirect the Root Domain to WWW

Then continue to add the following DNS record.

[Figure: Redirect @]

Host @ means the root domain itself. The record redirects traffic for wwwinsights.com to our main domain. The ‘301 permanent’ setting tells the web browser that the address has changed to the main domain permanently.

At this point, if you ping wwwinsights.com, you will get the ICMP response.

[Figure: ping wwwinsights.com]

Who is responding? It’s not your host. It’s someone else. Its IP info tells us it belongs to Namecheap. Yes, it’s Namecheap’s DNS server that is responding to the ping on your behalf, because they hold a redirect for this domain name.

Here comes the interesting part. If you type wwwinsights.com directly in the browser, it’ll be successfully redirected. However, if you type https://wwwinsights.com, it won’t be redirected. The browser will give you an unreachable message.

[Figure: the browser’s unreachable message]

Why can it not redirect the root domain with https in front of it? Because the URL Redirect Record is for HTTP, not HTTPS. When you type the root domain without anything in front, the browser treats it as HTTP. So the above DNS record is able to redirect it.

There is a trick to make this work: add the following A record.

This A record tells the browser which host serves the root domain. The web browser can use this information to do HTTPS negotiation. Along with the URL redirect, https://wwwinsights.com in the web browser can then be successfully redirected to https://www.wwwinsights.com.

As a side note, you won’t be able to use CNAME to redirect the root domain, as CNAME per definition does not work for the root domain.

2.4 Redirect any other subdomain to WWW

Similarly, use the following DNS record to redirect any other subdomain to the www subdomain.

[Figure: DNS record to redirect all undefined subdomains]

Host * stands for all undefined subdomains. With this record, yes.wwwinsights.com or http://yes.wwwinsights.com will be successfully redirected to https://www.wwwinsights.com. For the same reason as with the root domain, https://yes.wwwinsights.com won’t be redirected anywhere.

2.5 What is still not redirected?

So far, we got almost everything working besides redirection for https://yes.wwwinsights.com. You have to step back and ask yourself, do you really need that redirection? It’s very rare that users type https:// in the address bar.

Let’s check https://yes.google.com or https://yes.amazon.com. Both of them simply cannot be reached, and no redirection is implemented.

So it’s really okay that we stop here and leave them as they are. But what if you really would like them to work for some reason? There are two ways: (1) perform HTTPS redirection on the host side; (2) move your SSL certificate to Namecheap and buy DNS service so that Namecheap can properly redirect HTTPS traffic.
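
To check the redirect matrix from sections 2.1 to 2.5 against your own domain, the following Python script (an added example, not part of the original article) follows each redirect by hand and reports where every HTTP and HTTPS variant ends up. The names `fetch`, `trace` and `audit` are hypothetical helpers, and the script assumes the canonical URL is https://www.wwwinsights.com/.

```python
import http.client
import ssl
from urllib.parse import urlsplit, urljoin

CANONICAL = "https://www.wwwinsights.com/"  # main domain used in the article

def fetch(url, timeout=5):
    """Send one HEAD request without following redirects: (status, Location)."""
    u = urlsplit(url)
    if u.scheme == "https":
        conn = http.client.HTTPSConnection(
            u.hostname, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(u.hostname, timeout=timeout)
    try:
        conn.request("HEAD", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, fetch=fetch, max_hops=5):
    """Follow redirects hop by hop and classify where the URL ends up."""
    hops = []
    for _ in range(max_hops):
        try:
            status, location = fetch(url)
        except OSError as exc:  # DNS failure, refused connection, TLS error
            return "unreachable", hops + [(url, type(exc).__name__)]
        hops.append((url, status))
        if status in (301, 302, 307, 308) and location:
            url = urljoin(url, location)
            continue
        ok = url == CANONICAL and status == 200
        return ("ok" if ok else "wrong-endpoint"), hops
    return "redirect-loop", hops

def audit(urls, fetch=fetch):
    """Map each URL to a verdict; every redirect hop must be a 301."""
    report = {}
    for url in urls:
        verdict, hops = trace(url, fetch)
        if verdict == "ok" and any(status != 301 for _, status in hops[:-1]):
            verdict = "ok-but-temporary-redirect"
        report[url] = verdict
    return report

if __name__ == "__main__":
    hosts = ["wwwinsights.com", "www.wwwinsights.com", "yes.wwwinsights.com"]
    urls = [f"{s}://{h}/" for s in ("http", "https") for h in hosts]
    for url, verdict in audit(urls).items():
        print(f"{verdict:26} {url}")
```

With only the URL redirect records in place, the HTTPS variants of the root domain and of undefined subdomains are expected to come back as `unreachable`, which is the behaviour described above.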

3. Why Push Redirection to the DNS Server?

It’s always good to reflect on why we want to push redirection mostly onto Namecheap. The main reason is the potential for extension. You can always purchase the DNS service to block DNS attacks and let Namecheap be your first line of defense. Otherwise, you’ll need to deploy your defense on your host.

4. Conclusion

This is a long exercise. We need to know it’s only one of the many ways to configure your website. Your IT administrators might have better suggestions for your particular use case.

For further understanding of DNS redirect, I recommend this old blog post by Simone Carletti. You can also learn more from our blogs about Network. If you have any suggestions, please leave your comment below, and we can continue our discussion there.
