Every Presto server component is secured using a wildcard certificate for *.collobos.net. Collobos administers the name servers for the collobos.net domain. When a Presto client connects to a Presto server, it will ultimately connect using some form of a *.collobos.net domain name. Here is where things get a bit tricky.
After a Presto client discovers a Presto server component that it wishes to connect to, the client will send the server a message asking for a secure name to use for the connection. The server component will respond with its IP address encoded with a collobos.net suffix. For example, if the server component is running on 192.168.10.2, it will respond with a DNS name that is 192-168-10-2.collobos.net. In other words, it replaces the dots (“.”) in 192.168.10.2 with dashes (“-”) and appends collobos.net to it.
Collobos DNS is programmed to return an IPv4 address of the form a.b.c.d when asked to resolve a name of the form a-b-c-d.collobos.net. For example, if asked to resolve 192-168-10-2.collobos.net, it will return 192.168.10.2. That is how Presto clients can make secure TLS connections to Presto server components, on whatever network they happen to be running on.
Note that some network routers have a feature called DNS rebinding attack protection. Part of that protection prevents a public DNS server (like Collobos DNS) from returning non-routable IP addresses.
It is very straightforward to check whether DNS rebinding attack protection is affecting Collobos DNS. To check, open up a command prompt window and type in the following:
C:\> nslookup 127-0-0-1.collobos.net
If everything is working as it should, you should see output that looks something like this:
If there is no address listed, it’s quite possible that DNS rebinding attack protection has stripped the 127.0.0.1 address from the answers supplied by Collobos name servers.
It is important to ensure that the collobos.net domain is whitelisted in any DNS rebinding attack protection, otherwise Presto client components will be unable to successfully connect to Presto server components.
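The nslookup check above can be scripted. The following is an added example, not Collobos code: it encodes an address with the dash scheme described on this page, resolves the name through the system resolver, and reports whether the expected answer came back. The function names and the three result labels are assumptions of this example.

```python
import ipaddress
import socket

SUFFIX = "collobos.net"  # domain named on the page


def ip_to_name(ip):
    """Encode an IPv4 address the way the page describes: dots become dashes."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return str(addr).replace(".", "-") + "." + SUFFIX


def name_to_ip(name):
    """Return the IPv4 address encoded in a-b-c-d.collobos.net, else None."""
    label, _, rest = name.lower().rstrip(".").partition(".")
    if rest != SUFFIX:
        return None
    parts = label.split("-")
    if len(parts) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(parts)))
    except ValueError:
        return None


def system_resolve(name):
    """Ask the local resolver path (router included) for A records."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check(ip, resolve=system_resolve):
    """Classify what the resolver returns for the encoded name of ip."""
    answers = resolve(ip_to_name(ip))
    if ip in answers:
        return "ok"
    if not answers:
        return "stripped"  # consistent with rebinding protection filtering
    return "mismatch"  # an answer came back, but not the encoded address


if __name__ == "__main__":
    # Loopback is the page's test; the private address is the page's example.
    for ip in ("127.0.0.1", "192.168.10.2"):
        print(ip_to_name(ip), "->", check(ip))
```

A "stripped" result for 127.0.0.1 matches the symptom described above; "mismatch" means the resolver path returned an address other than the one encoded in the name.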