Filed with Developers Ability to control zone access from a DNS Only server [Case 33628]

[Doobla]

Currently any web server can pull the full list of zones from a cPanel DNS cluster by using the --full flag on /scripts/dnscluster. The following is how that script describes the --full flag.

Operation modifiers:
-F, --full
If the --full flag is specified then zones that are not
local to this server (in /etc/userdomains) will be pulled
in as well. This was the default behavior prior to 11.24.5

This is undesirable because there is not necessarily a trusted relationship between web servers and the DNS cluster for zones other than those under the control of the web server.

In the GUI, you can currently configure the web server as having a standalone relationship where zones are not synced to the web server. However, this does not seem to limit the command line script in any way and thus allows any cPanel server configured to publish to the DNS cluster to also pull all zones available on the cluster and then subsequently modify them and republish them to the cluster.

Please add some sort of ACL or some other control mechanism to allow us to define the relationship more specifically between the web server and the DNS cluster servers. Please also make sure that the command line scripts and the GUI honor the same set of permissions.

[Doobla]

A colleague of mine suggested that the --full flag be dropped from the dnscluster script altogether and that the functionality it provides only be available from the cluster server itself.

[UH-Matt]

Definitely needed. As it stands it is a security concern to anybody selling dedicated servers, providing root, and allowing the cpanel server to use a dns cluster which also serves other peoples servers...

[cPanelDavidG]

This is undesirable because there is not necessarily a trusted relationship between web servers and the DNS cluster for zones other than those under the control of the web server.

In DNS clustering, as it stands today, whenever you add a server to a DNS cluster, you are explicitly granting a root-trust relationship among all servers in the DNS cluster.

As a result of this explicit root-trust relationship, it is not advised to add any server to the cluster that is managed by an individual you do not want to have the ability to edit any zone in the cluster.

However, the addition of ACLs and such to modify how DNS clustering relationships work can be investigated if we see much support for this functionality.

[Doobla]

In DNS clustering, as it stands today, whenever you add a server to a DNS cluster, you are explicitly granting a root-trust relationship among all servers in the DNS cluster.

As a result of this explicit root-trust relationship, it is not advised to add any server to the cluster that is managed by an individual you do not want to have the ability to edit any zone in the cluster.

However, the addition of ACLs and such to modify how DNS clustering relationships work can be investigated if we see much support for this functionality.

I am curious why root trust is necessary to begin with. For DNS clustering purposes, there should not be a need for full blown root access, IMO, however I understand if this is just how it is currently implemented. I would hope that cPanel look for a better way since I hate to have a root trust between too many servers in case on becomes compromised.

At United Hosting we seek to offer value added services that are important to our dedicated client base. One of these opportunities we saw was the ability to allow our dedicated customers to offload the dns load onto a UH provided cluster which would also give them the same global redundancy that we provide to our shared accounts. It would be nice to be able to offer such a solution via cPanel without worry of a root trust relationship between their server and our own.

[Doobla]

Other discussion aside, it would really be beneficial if the dnscluster scripts honored the settings defined in the WHM GUI on the DNS server and not publish zones to web servers that are set as Standalone. That change alone would prove helpful as it would avoid the potential for mistakes by staff members, etc.

This does seem logical to me. Do you agree David?

[cPanelDavidG]

I am curious why root trust is necessary to begin with. For DNS clustering purposes, there should not be a need for full blown root access, IMO, however I understand if this is just how it is currently implemented. I would hope that cPanel look for a better way since I hate to have a root trust between too many servers in case on becomes compromised.

This is currently being investigated. For what it's worth, the root trust is currently done through the Remote Access Key, not SSH credentials.

At United Hosting we seek to offer value added services that are important to our dedicated client base. One of these opportunities we saw was the ability to allow our dedicated customers to offload the dns load onto a UH provided cluster which would also give them the same global redundancy that we provide to our shared accounts. It would be nice to be able to offer such a solution via cPanel without worry of a root trust relationship between their server and our own.

This is one of the specific scenarios we intend to address with our rewrite of DNS Clustering functionality. Part of allowing this is rearchitecting DNS Clustering to move away from assuming all servers within a DNS cluster should be trusted to edit any zone in the cluster.

[cPanelDavidG]

Other discussion aside, it would really be beneficial if the dnscluster scripts honored the settings defined in the WHM GUI on the DNS server and not publish zones to web servers that are set as Standalone. That change alone would prove helpful as it would avoid the potential for mistakes by staff members, etc.

This does seem logical to me. Do you agree David?

Standalone vs. Synchronize refer to the methods of how DNS zones are synchronized rather than if they are synchronized. I have discussed this with our UI team and lead developer for DNS clustering to try to obviate this.

In Standalone, no zones are propagated out. Instead, you rely on other servers in the DNS Cluster to pull records from the server and integrate them into the rest of the cluster. You can think of Standalone as "have other servers pull records from this server, do not push records"

Synchronize means to push zone updates out immediately to all cluster members and retrieve updates from other cluster members. This pulling of DNS records will be done regardless if the other cluster members are set to Standalone or Synchronize.

To make this much easier, rule of thumb is:
- cPanel/WHM servers create/modify DNS records, so they should be set to Synchronize so those records propagate immediately
- cPanel DNSONLY servers do not create/modify DNS records, so they should be set to Standalone so the cPanel/WHM servers push records to it and retrieve DNS records from other cluster members occasionally.

In a pair of DNS clustered servers, setting both servers to Synchronize is just a waste of network bandwidth. You essentially want to set things up so one server is Synchronize and the other server is Standalone.

Setting both servers in a pair of clustered servers to Standalone will result in no DNS records being shared, but that essentially removes all redundancy of DNS clustering and defeats the primary purpose of DNS clustering (added redundancy for DNS).

This is all very confusing to explain in words so if you're still wondering how this all works, I've attached an image that explains it visually: DNS Clustering.pdf

[jfw]

in Guide to DNS Cluster Configuration

Note: Setting a nameserver to synchronize data to a web server is not recommended, as it will create extraneous zones on the web server.

but no matter what the setting extraneous zones are always created
it should be a choice but as long as it's not the doc should be updated..

[cPanelDon]

in Guide to DNS Cluster Configuration

Note: Setting a nameserver to synchronize data to a web server is not recommended, as it will create extraneous zones on the web server.

but no matter what the setting extraneous zones are always created
it should be a choice but as long as it's not the doc should be updated..

Are the extraneous DNS zones from the cluster listed only in WebHost Manager (WHM), or are the same extraneous DNS zones also visible in the DNS/name server configuration files (e.g., added to the BIND configuration located at "/etc/named.conf")?

If the extraneous zones were already transferred to the web server while the DNS role was set to synchronize data, before the role was later changed to standalone, then you may need to remove any extraneous DNS zones that are not desired; as long as the role is standalone they should not be added into the web server's name server configuration.

[Bigwebmaster]

Just wanted to add that I hope changes are made to this as well. I really like the DNS Clustering feature and use it, however, I have to agree with Doobla and do not like how a full blown root trust relationship is shared between every server. My biggest concern is if for some reason one of the servers was compromised, then every server is now threatened.

Also I do not like how in WHM when you goto edit a DNS zone it shows every single zone in the cluster, versus just what domains belong on that server. Due to that trust relationship I do not want other servers being able to edit any zone in the cluster, only what that server should be in control of.

[eastitaly]

I hope this changes too, it's simply unpractical to bring up a dedicated DNSONLY installation for every dedicated FULL installation I sell to my customers.

[jack01]

Not sure if this is the right thread to ask, but is there a way to track progress on these DNS Clustering feature enhancements, or do we just keep checking the changelogs? Thanks.

[Snowman30]

we urgently need functionality added to WHM whereby when the DNS cluster functions are used only the domains locally hosted on a server are shown in the WHM DNS functions

if we had a remote cpanel dns only server running redundant and remote dns for a range of dedicated clients currently those clients if htye had access to their own WHM at root access would have viewing, editing and delete rights to all domains stored on the remote dns cluster.

In our scenario we could have 20,000+ domains being hosted on a dns only server and each dedicated client if they had root whm access would be have access to each of those domains dns records regardless of whether they owned them or not

to me this is a very big security rick and ive not been shown any other alternative solution to this short of not running dns clusters

[techdruid]

As with eastitaly, I would like to throw my support behind this feature request. I do not want to have to provide a DNSOnly server for every VPS/CPanel customer I sell to. The DNSOnly cluster is a great way to offer these customers a secondary DNS server. But I can't do that for every single VPS/CPanel customer without charging more than is reasonable.