DNS based subdomain URL redirection

A tool for web admins to quickly and easily redirect subdomains to URLs based on DNS alone.

HSTS includeSubDomains setting 301 Redirect potential issue

Using a 301 redirector to take people to a secure website is a reasonable thing to do and quite useful. Recently, however, the increased use of HSTS to dynamically "force" HTTPS to be used for a domain could cause an issue with a domain and DNS based redirector.

HSTS (HTTP Strict Transport Security)

If your 301 redirected site suddenly starts failing and automatically requesting an SSL encrypted version of the site, then you could have a primary domain set with HSTS and the "includeSubDomains" option set.

Recently this occurred when a site which was utilising subdomain redirects updated the nginx server configuration to include the HSTS header:

For nginx:

The header must be set per website; the configuration file is usually found in /etc/nginx/sites-available/.

server {
    listen 443 ssl default deferred;
    ...
    # config to enable HSTS (HTTP Strict Transport Security)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
    ...
}

For Apache:

<VirtualHost *:443>
    ...
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    ...
</VirtualHost>

The use of "includeSubDomains" meant that whilst foo.com was forced into SSL (which is good), subdomain.foo.com was also forced into SSL. This is bad because serving SSL on redirected subdomains is (currently) not a feature implemented by REDIR301.

This can be configured; however, it is currently a manual process on a per domain basis, which is costly.

HSTS configurations are advised to include the subdomain setting in most instances, so as servers are upgraded, it is potentially going to become more of an issue.

The problem does not appear to be widespread, as most people don't configure their domains in this way; however, it is worth noting and being aware of.

To check your website for this setting, visit: https://geekflare.com/tools/hsts-test 

To clear dynamic browser settings in Chrome, visit chrome://net-internals/#hsts 
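The same check can be done locally. The following is an added example, not part of REDIR301 or the original page: it parses a Strict-Transport-Security header value using the RFC 6797 rules and reports whether an HTTP-only redirect on a subdomain will be affected. The function names are hypothetical; the header value and the foo.com names are the ones used above.

```python
import re

# Header value taken from the nginx/Apache examples above.
PAGE_HEADER = "max-age=63072000; includeSubDomains;"

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid (a browser ignores an invalid header entirely).
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives (trailing ';') are allowed
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if name in seen:                   # a repeated directive invalidates the header
            return None
        seen[name] = val.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                        # max-age is mandatory and numeric
    return {"max_age": int(seen["max-age"]),
            "include_subdomains": "includesubdomains" in seen}

def redirect_at_risk(apex, redirect_host, apex_header):
    """True when a browser that received apex_header from https://<apex> will
    refuse plain HTTP for redirect_host, so an HTTP-only 301 stops working."""
    policy = parse_hsts(apex_header)
    if policy is None or policy["max_age"] == 0:    # max-age=0 removes the policy
        return False
    host = redirect_host.lower().rstrip(".")
    apex = apex.lower().rstrip(".")
    if host == apex:                                # the apex itself is always covered
        return True
    # Subdomains are covered only when includeSubDomains is present.
    return policy["include_subdomains"] and host.endswith("." + apex)

if __name__ == "__main__":
    # Constructed cases using the foo.com names from the text.
    for header in (PAGE_HEADER, "max-age=63072000", "max-age=0; includeSubDomains"):
        print(header, "->", redirect_at_risk("foo.com", "subdomain.foo.com", header))
```

The header value to test is the one returned by the HTTPS site on the primary domain, for example from the response headers shown by `curl -sI https://foo.com`.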

Thanks to the following websites for ideas and solutions:

Why do this at all?

14 November 21

That's a very good question to ask.

The answer is also simple - because I needed to in order to free myself from the clutches of my existing domain name hosting provider and provide a solution which whilst functional is also elegant and quick to check and get working.

Ever since I wrote the original Domain Name management tool for Melbourne IT back in 1996, I've had a great interest in the DNS system. It runs the front facing part of the internet after all.

The original system was written in Perl (Perl3 I think back then!) and linked up to a miniSQL database. The system allowed the processing of domain name applications in the .COM.AU domain space which numbered only around 10,000 at that time. There were over 3,000,000 .AU domains in 2017, and now many more.

These days, the .AU domain space is managed by AUDA and there are many more domain name providers, but not all provide the same level of capacity.

25 years has seen a great many changes in the DNS space with many new TLDs becoming available for the public to register. Indeed the idea of a .LINK domain (which this site is set on) would not have even been thought of back then.

But what about this REDIR301.LINK site?

It's simply there to help people for now.  It starts by helping me, and if it can help others, then awesome.

What are the big plans? Well, I really don't know currently. It depends on how much traction the project is able to generate. If people want to use the redirect service, then that's great.  If they don't then the project will continue quietly to service my needs.  

In the end, it's a good, simple and easy to use DNS based subdomain URL redirection system - and that's what I needed.