Importance of Proper DNS Setup
For your Commerce website to operate correctly, NetSuite needs to establish and retain control over your domain's DNS.
This is especially true for domains secured with an automatic certificate. Setting the DNS verification (ACME challenge) CNAME to point to a NetSuite domain lets NetSuite prove ownership of the domain to the Certification Authority (CA) on your behalf. It also lets NetSuite obtain new domain certificates or renew the existing one.
NetSuite servers and databases hold the data and serve the web content hosted on your domain. Delegating your domain with a CNAME that points to a NetSuite hosting DNS record lets NetSuite host your domain and serve web content when accessed by your customers.
NetSuite uses its own Content Delivery Network (CDN) and, when you have a proper DNS setup, you can fully benefit from all of its features, including, but not limited to:
- Enhanced caching that improves the performance of your web store.
- Security features that protect your web store from a variety of threats.
- On-demand cache invalidation.
The risks posed by improper DNS setup, including using a third-party CDN, include:
- Reliability – NetSuite is unable to ensure reliable service delivery when DNS is incorrectly set up. Issues arising from improper DNS setup cannot be properly investigated due to limited visibility and control.
- Disaster recovery – In the event of a disaster, NetSuite would move customer accounts to unaffected regions. This also includes moving domains. If your DNS is not set up properly, or a third-party CDN is used, it is possible that your domain would not be moved in the event of a disaster. This is because the move is done on the DNS level. In general, third-party CDNs and reverse proxies usually use a hardcoded hostname or IP address and will not respect the change in the DNS setup.
- Cache control – For better performance, NetSuite uses caching. If you use a third-party CDN, NetSuite cannot control what is and what is not cached or for how long. Automated cache invalidation is an inbuilt feature for SuiteCommerce, SuiteCommerce Advanced, and SuiteCommerce MyAccount. If a third-party CDN is used, automated cache invalidation will not work properly because there will be another caching layer that cannot be controlled by NetSuite. Consequently, page load time could increase significantly and various issues with a stale cache could arise.
- Automatic SSL certificates – Improper DNS setup can interfere with NetSuite’s ability to automatically issue SSL certificates. If a domain uses the automatic SSL certificate issuance process, and NetSuite is unable to successfully complete domain-ownership checks, NetSuite will be unable to issue or renew a certificate. A domain that does not have a valid certificate will be unsecured and potentially be unable to process transactions.
  Note: You should use automatic SSL certificates to secure your domain. See Automatic and Manual Certificates.
- Security – Since a proxy or CDN terminates SSL traffic, the SSL version and cipher profile of a third-party CDN is not under the control of NetSuite, and may not be compliant with NetSuite’s security standards.
- Traffic – With improper DNS setup, such as the use of a third-party CDN, traffic to your website could be blocked, or the wrong traffic could be let through.
  - If you use a third-party CDN, the NetSuite account that hosts your website may not be able to forward traffic to another data center when load balancing is required.
  - Third-party CDNs may not use the same filtering strategies to identify and filter out malicious traffic.
Using DNS Query Tools
To check that your DNS is set up properly, you can use online dig or DNS lookup tools to query DNS servers. If you are using Windows, it includes an nslookup tool that can also be used to query DNS servers.
The following example shows the response from a dig command run on www.correct-netsuite-dns.com for web hosting. In this example, you can see the CNAME being resolved through the NetSuite hosting record to Akamai edge addresses. Therefore, we know that the CNAME for web hosting is set up correctly.
$ dig www.correct-netsuite-dns.com
; <<>> DiG 9.10.6 <<>> www.correct-netsuite-dns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42979
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.correct-netsuite-dns.com. IN A
;; ANSWER SECTION:
www.correct-netsuite-dns.com. 3600 IN CNAME www.correct-netsuite-dns.com.hosting.netsuite.com.
www.correct-netsuite-dns.com.hosting.netsuite.com. 300 IN CNAME www.correct-netsuite-dns.com.e99999.c12345567.hosting.netsuite.com.edgekey.net.
www.correct-netsuite-dns.com.e99999.c12345567.hosting.netsuite.com.edgekey.net. 10800 IN CNAME e123456.x.akamaiedge.net.
e123456.x.akamaiedge.net. 20 IN A 2.16.153.216
e123456.x.akamaiedge.net. 20 IN A 2.16.153.214
;; Query time: 70 msec
The following example shows the response from a dig command run on _acme-challenge.www.correct-netsuite-dns.com for DNS verification. In this example, you can see the _acme-challenge CNAME being resolved to the NetSuite hosting-verify domain. Therefore, we know that the CNAME for DNS verification is set up correctly. The NXDOMAIN status is reported because the query asked for an A record at the CNAME target; for verification, only the CNAME delegation matters.
$ dig _acme-challenge.www.correct-netsuite-dns.com
; <<>> DiG 9.10.6 <<>> _acme-challenge.www.correct-netsuite-dns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39090
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.www.correct-netsuite-dns.com. IN A
;; ANSWER SECTION:
_acme-challenge.www.correct-netsuite-dns.com. 3600 IN CNAME www.correct-netsuite-dns.com.hosting-verify.netsuite.com.
;; AUTHORITY SECTION:
hosting-verify.netsuite.com. 300 IN SOA a1-124.akam.net. dnsadmin.nsgbu.internal. 76 3600 1800 604800 1800
;; Query time: 72 msec
;; SERVER: 2606:b400:300:d:feed::1#53(2606:b400:300:d:feed::1)
;; WHEN: Mon Sep 30 10:44:16 CEST 2024
;; MSG SIZE rcvd: 226
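The two dig transcripts above are read by eye; the following script, added here as an illustration and not NetSuite's own code or tooling, applies the same two checks programmatically to whatever dig prints. It treats the first CNAME hop as correct for web hosting when it ends in hosting.netsuite.com and the chain ends in A records, and treats the _acme-challenge CNAME as correct when it points at hosting-verify.netsuite.com (both suffixes taken from the output on this page). The function names are my own, the sample transcripts are constructed from the page's examples plus an invented third-party CDN case, and the remark that NetSuite publishes the ACME TXT record only during a challenge is an assumption.

```python
"""Added example (not NetSuite's code): apply the page's two DNS checks to dig output."""
import re

# Suffixes of the NetSuite delegation targets, taken from the dig output on the page.
HOSTING_SUFFIX = ".hosting.netsuite.com."
VERIFY_SUFFIX = ".hosting-verify.netsuite.com."
RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def parse_dig(output):
    """Return (status, records); records are (name, type, data) tuples from the ANSWER section."""
    status, records, in_answer = None, [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False  # any other ';;' line starts another section or the trailer
        elif in_answer and not line.startswith(";"):
            m = RECORD_RE.match(line)
            if m:
                records.append((m.group("name"), m.group("type"), m.group("data").strip()))
    return status, records


def follow_cname(records, name):
    """Follow CNAMEs from name; return (chain of names, A records at the end of the chain)."""
    cnames = {n: d for n, t, d in records if t == "CNAME"}
    addresses = {}
    for n, t, d in records:
        if t == "A":
            addresses.setdefault(n, []).append(d)
    chain, seen = [name], set()
    while chain[-1] in cnames and chain[-1] not in seen:  # 'seen' guards against CNAME loops
        seen.add(chain[-1])
        chain.append(cnames[chain[-1]])
    return chain, addresses.get(chain[-1], [])


def check_web_hosting(dig_output, hostname):
    """Return (ok, reason): the first CNAME hop must be a NetSuite hosting record that resolves."""
    status, records = parse_dig(dig_output)
    chain, addrs = follow_cname(records, hostname.rstrip(".") + ".")
    if status != "NOERROR":
        return False, f"query returned {status}; the hostname does not resolve"
    if len(chain) < 2:
        return False, "no CNAME: an A record or a third-party CDN/proxy sits in front of NetSuite"
    if not chain[1].endswith(HOSTING_SUFFIX):
        return False, f"first CNAME hop {chain[1]} is not a NetSuite hosting record (third-party CDN?)"
    if not addrs:
        return False, "the CNAME chain does not end in A records"
    return True, f"delegated via {len(chain) - 1} CNAME hops to {', '.join(addrs)}"


def check_dns_verification(dig_output, hostname):
    """Return (ok, reason): the _acme-challenge CNAME must point at a NetSuite hosting-verify record."""
    status, records = parse_dig(dig_output)
    chain, _ = follow_cname(records, "_acme-challenge." + hostname.rstrip(".") + ".")
    if len(chain) < 2:
        return False, "no _acme-challenge CNAME: NetSuite cannot prove domain ownership to the CA"
    if not chain[1].endswith(VERIFY_SUFFIX):
        return False, f"_acme-challenge CNAME points to {chain[1]}, not a NetSuite hosting-verify record"
    # NXDOMAIN is expected here: dig asked for an A record at the CNAME target, whereas the CA
    # follows the CNAME looking for a TXT record (assumption: NetSuite publishes that record only
    # while a challenge is in progress). Only the delegation itself matters for this check.
    return True, f"delegated to {chain[1]} (dig status {status} is fine for an A query)"


# Constructed transcripts: the page's two correct examples (trimmed to the relevant sections)
# plus a hypothetical site whose CNAME points at a third-party CDN (names/addresses invented).
DIG_WEB_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42979
;; ANSWER SECTION:
www.correct-netsuite-dns.com. 3600 IN CNAME www.correct-netsuite-dns.com.hosting.netsuite.com.
www.correct-netsuite-dns.com.hosting.netsuite.com. 300 IN CNAME www.correct-netsuite-dns.com.e99999.c12345567.hosting.netsuite.com.edgekey.net.
www.correct-netsuite-dns.com.e99999.c12345567.hosting.netsuite.com.edgekey.net. 10800 IN CNAME e123456.x.akamaiedge.net.
e123456.x.akamaiedge.net. 20 IN A 2.16.153.216
e123456.x.akamaiedge.net. 20 IN A 2.16.153.214
;; Query time: 70 msec
"""
DIG_ACME_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39090
;; ANSWER SECTION:
_acme-challenge.www.correct-netsuite-dns.com. 3600 IN CNAME www.correct-netsuite-dns.com.hosting-verify.netsuite.com.
;; AUTHORITY SECTION:
hosting-verify.netsuite.com. 300 IN SOA a1-124.akam.net. dnsadmin.nsgbu.internal. 76 3600 1800 604800 1800
"""
DIG_WEB_THIRD_PARTY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; ANSWER SECTION:
www.misconfigured-example.com. 300 IN CNAME www.misconfigured-example.com.cdn.example-proxy.net.
www.misconfigured-example.com.cdn.example-proxy.net. 60 IN A 203.0.113.10
"""
```

To use it against a live domain, pipe the output of `dig www.example.com` and `dig _acme-challenge.www.example.com` into the two check functions; a False result with the "first CNAME hop" reason is exactly the third-party CDN situation the risk list above describes, because NetSuite's DNS-level disaster-recovery move and cache invalidation cannot take effect behind such a record.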