Our company develops a web application that other companies can license. Typically, our application runs on:

www.company.example

And a client's version of the application is run on:

client.company.example

Usually, a client runs their own site at:

www.client.example

Sometimes, clients request to have their version of the application available from:

application.client.example

This kind of setup is often seen with blogs (WordPress, Blogger, Kickapps).

Technically, achieving this "DNS Masking" with a CNAME/A Record and some application configuration is straightforward. I've thought out some potential issues related to this, however, and wonder if you can think of any others that I've missed:

1) Traffic statistics (as measured by external providers, e.g., compete.com) will be lower since the traffic for company.example won't include that of application.client.example. (Local stats would not be affected, of course)

2) Potential cookie disclosure from application.client.example to company.example. If the client is setting cookies at .client.example, those cookies could be read by the company.example server.

3) Email Spoofing. Email could be sent from company.example with the domain application.client.example, possibly causing problems with spam blacklisting due to incompatible SPF records.

Thanks for any thoughts on this.

A: 

CNAME has been widely used for so long, especially by hosting companies. There are no major issues.

The biggest problem for us is when you have to use HTTPS. It's very difficult to support multiple CNAMEs on the same server. We use aliases in the certificate (SAN extension). We have to get a new cert every time a new CNAME is added in DNS. Other than that, everything works great for us.

As to the issues you mentioned,

  1. This should be an advantage. It's a lot easier to combine the stats than to separate them. So we prefer granular reports.
  2. Cookies are not shared between domains, even if they are on the same IP. As long as apps are properly sandboxed on the server, they can't read each other's cookies.
  3. You should rate-limit your own outgoing SMTP traffic on the server end so you don't get blacklisted.
ZZ Coder
Thanks ZZ Coder. I like the idea of using a Subject Alternative Name (SAN) SSL Certificate to handle multiple names at the SSL certificate level rather than doing individual certs and a lot of extra web server administration.

Regarding your points:

1) The thought is that external people who are looking into our company using sites like Compete.com won't see an accurate view of our traffic so we have a business concern.

2) Correct. It would only be a problem with cookies set at .client.example (not client.example), but I admit that's not too common a usage.

3) Good idea.

Thanks again.
Paul Burney
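
Point 2 of the question and the follow-up comment both turn on cookie scope, so here is a small model of the RFC 6265 domain-match rule applied to the hostnames used in this thread. It is an added example, not code from either poster; the cookie names are constructed, and Path, Secure, SameSite and expiry are ignored.

```javascript
// Added example: models only RFC 6265 domain matching for cookie delivery.

function isIpAddress(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
}

// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, ""); // leading dot is ignored
  if (h === d) return true;
  // Suffix match must fall on a label boundary and never applies to IP literals.
  return !isIpAddress(h) && h.endsWith("." + d);
}

// A cookie set without a Domain attribute is host-only: the browser returns it
// only to the exact host that set it. With a Domain attribute it is returned
// to that domain and every subdomain of it.
function isSentTo(cookie, requestHost) {
  if (cookie.domain === undefined) {
    return cookie.setBy.toLowerCase() === requestHost.toLowerCase();
  }
  return domainMatch(requestHost, cookie.domain);
}

// Names of cookies that `host` receives although a different host set them.
function cookiesFromOtherHosts(jar, host) {
  return jar
    .filter((c) => c.setBy !== host && isSentTo(c, host))
    .map((c) => c.name);
}

// Constructed browser cookie jar (names are illustrative).
const jar = [
  { name: "site_session", setBy: "www.client.example" }, // host-only
  { name: "sso_token", setBy: "www.client.example", domain: ".client.example" },
  { name: "prefs", setBy: "www.client.example", domain: "www.client.example" },
  { name: "vendor_session", setBy: "www.company.example", domain: "company.example" },
];

// Compare the two hosting options from the question.
for (const host of ["application.client.example", "client.company.example"]) {
  console.log(host, "receives:", cookiesFromOtherHosts(jar, host));
}
```

Under `application.client.example` the vendor's server receives only the client's domain-wide cookie, while under `client.company.example` it receives none of the client's cookies. A client who wants the masked hostname can keep their own cookies host-only to avoid the disclosure.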