  1. #1
    Member
    Join Date
    Apr 2005
    Posts
    123

    DNS clustering security flaw

    We recently enabled DNS clustering on all of our shared boxes, only to find out that you can edit any domain on any shared box, regardless of where it's located.

    Therefore, if ANYONE gets into any of our shared boxes, they could delete every single domain across my network.

    Why is this? Shouldn't syncing be one way?

  2. #2
    Member
    Join Date
    Dec 2005
    Posts
    24


    If you think you've found a security issue in cPanel, the best thing is to email security@cpanel.net

    For general feature requests or enhancements, the best route is http://bugzilla.cpanel.net

    Do keep us posted on the outcome please.

    Thanks.

  3. #3
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by optize View Post
    We recently enabled DNS clustering on all of our shared boxes, only to find out that you can edit any domain on any shared box, regardless of where it's located.

    Therefore, if ANYONE gets into any of our shared boxes, they could delete every single domain across my network.

    Why is this? Shouldn't syncing be one way?
    You can set up syncing to be one way if you desire. That's all up to how you configure the DNS cluster.

    Keep in mind, if you are root user on a server that is receiving DNS records from other servers, you can edit those other DNS records. DNS clustering is designed for owners that have multiple servers and wish to cluster their DNS.

    Reseller users and lower can only change the DNS records they own. They cannot change the DNS records from other servers.

  4. #4
    Member
    Join Date
    Apr 2005
    Posts
    123


    Quote Originally Posted by cPanelDavidG View Post
    You can set up syncing to be one way if you desire. That's all up to how you configure the DNS cluster.

    Keep in mind, if you are root user on a server that is receiving DNS records from other servers, you can edit those other DNS records. DNS clustering is designed for owners that have multiple servers and wish to cluster their DNS.

    Reseller users and lower can only change the DNS records they own. They cannot change the DNS records from other servers.
    Not exactly sure what you mean.

    I have my shared servers set for 'Sync' in clustering, they sync with ns1/ns2. NS1 and NS2 clustering is set for Standalone.

    So the question is: why would changes from, let's say, cp05 get synced to ns1, and then ns1 would re-sync to cp06?

    I'm not worried about resellers, I'm worried about someone logging in as 'root'

    Synchronize Changes: All changes made on this server will be replicated to any server linked to this server in the cluster. Synchronization is one-way: Changes made on the other server will not be replicated to this server unless Synchronize Changes is selected on that server as well.

    Standalone: All changes made on this server will not replicated to any other server(s).

  5. #5
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by optize View Post
    Not exactly sure what you mean.

    I have my shared servers set for 'Sync' in clustering, they sync with ns1/ns2. NS1 and NS2 clustering is set for Standalone.

    So the question is: why would changes from, let's say, cp05 get synced to ns1, and then ns1 would re-sync to cp06?

    I'm not worried about resellers, I'm worried about someone logging in as 'root'

    Synchronize Changes: All changes made on this server will be replicated to any server linked to this server in the cluster. Synchronization is one-way: Changes made on the other server will not be replicated to this server unless Synchronize Changes is selected on that server as well.

    Standalone: All changes made on this server will not replicated to any other server(s).
    Okay, let me understand this scenario correctly: NS1 set to synchronize to cp05 and cp06, cp05 is NOT set to synchronize yet root on cp05 is able to change a zone and have it propagate to cp06 despite the server being set to not synchronize?

  6. #6
    Registered User
    Join Date
    Apr 2004
    Posts
    69


    Same here. Why, when I click on Edit DNS, are all the domains from ns1 and ns2 loaded (no db in /var/named and no entry in named.conf)?
    If anybody logs in to one of the clustered servers, they can simply modify records in ns1 and ns2. Can cPanel load domains from that server only, based on named.conf on that particular server, not from ns1 or ns2?

  7. #7
    Member
    Join Date
    Apr 2005
    Posts
    123


    This is how it's set up:

    cp05 (shared server) is set up to do clustering with ns1/ns2. On the cp05 side, it's set for 'Sync'.

    cp06 (shared server) is set up to do clustering with ns1/ns2. On the cp06 side, it's set for 'Sync'.

    On ns1/ns2, it's set for standalone between ns1/ns2, between ns1 & ns2/cp05, and between ns1 & ns2/cp06.

    So, on cp06, I can see all the domains that are on cp05 and I can delete all of them. I see this as being a huge security flaw. If anyone gets into any of my shared servers via 'root', they could take down my entire cluster.


  8. #8
    Member
    Join Date
    Apr 2005
    Posts
    123


    Any update?

  9. #9
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by optize View Post
    This is how it's set up:

    cp05 (shared server) is set up to do clustering with ns1/ns2. On the cp05 side, it's set for 'Sync'.

    cp06 (shared server) is set up to do clustering with ns1/ns2. On the cp06 side, it's set for 'Sync'.

    On ns1/ns2, it's set for standalone between ns1/ns2, between ns1 & ns2/cp05, and between ns1 & ns2/cp06.

    So, on cp06, I can see all the domains that are on cp05 and I can delete all of them. I see this as being a huge security flaw. If anyone gets into any of my shared servers via 'root', they could take down my entire cluster.

    Something doesn't sound right. Synchronization is always one-way so cp05 should be going to ns1 and ns2 but ns1 and ns2 should NOT be sending that data to cp06 at all (as both are set as standalone to cp06, cp05 and each other) - meaning there shouldn't even be anything from cp05 on cp06 that can be viewed much less edited at all.

    Based on your description, there seems to be a malfunction somewhere. I recommend having our technical analysts look at this for you so they can determine what is causing this issue. You can reach our technical analysts at: http://tickets.cPanel.net/submit

  10. #10
    Member
    Join Date
    Apr 2005
    Posts
    123


    So cPanel says it's supposed to work that way; even though it's a huge security flaw, they won't address it.

    Please voice your concern to them.

    --

    Sorry for the confusion, this is not a security flaw but is intended behaviour.

    When you set up a DNS cluster with another server, this is set up as a "Root Trust Relationship" between the servers, and each server in the cluster will have access to all DNS Zones in the cluster.

    This is the nature of a "Trust Relationship" between the servers.

    Kevin Asklund
    Technical Analyst 3
    cPanel Advanced Support

  11. #11
    Member
    Join Date
    Jun 2002
    Posts
    51


    "When you set up a DNS cluster with another server, this is set up as a "Root Trust Relationship" between the servers, and each server in the cluster will have access to all DNS Zones in the cluster.

    This is the nature of a "Trust Relationship" between the servers."

    cPanel should clarify that root trust relationships in a cluster are transitive in their documentation then. As pointed out in the example, srv05 and srv06 do not have an explicit trust relationship established between them yet they inherit it because they both trust the ns1 and ns2 name servers. This is what allows them to edit the other server's zones.

    Hal
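
The implicit trust described in the post above can be audited from a cluster map. This is an added example, not cPanel code or part of any post: the topology dict, zone names and function names are constructed, and the model assumes only what the thread reports (a 'sync' server pushes its zones to the peers it links to, and root on a server can edit the zones held on every peer it links to).

```python
# Constructed topology matching the thread's description; zone names are made up.
CLUSTER = {
    "cp05": {"role": "sync", "links": {"ns1", "ns2"}, "zones": {"site-a.example"}},
    "cp06": {"role": "sync", "links": {"ns1", "ns2"}, "zones": {"site-b.example"}},
    "ns1": {"role": "standalone", "links": {"ns2", "cp05", "cp06"}, "zones": set()},
    "ns2": {"role": "standalone", "links": {"ns1", "cp05", "cp06"}, "zones": set()},
}


def replicate(cluster):
    """Return {server: zones stored there} after each 'sync' server pushes once."""
    held = {name: set(cfg["zones"]) for name, cfg in cluster.items()}
    for cfg in cluster.values():
        if cfg["role"] != "sync":
            continue  # model assumption: standalone servers push nothing
        for peer in cfg["links"]:
            held[peer] |= cfg["zones"]
    return held


def editable_by_root(cluster, server):
    """Zones root on `server` can edit: local copies plus every linked peer's copies."""
    held = replicate(cluster)
    zones = set(held[server])
    for peer in cluster[server]["links"]:
        zones |= held[peer]
    return zones


def implicit_trust(cluster):
    """Pairs (a, b): root on a can edit b's zones although a has no link to b."""
    pairs = []
    for a in cluster:
        reach = editable_by_root(cluster, a)
        for b, cfg in cluster.items():
            if a != b and b not in cluster[a]["links"] and reach & cfg["zones"]:
                pairs.append((a, b))
    return sorted(pairs)


if __name__ == "__main__":
    for name in CLUSTER:
        print(f"root on {name} can edit: {sorted(editable_by_root(CLUSTER, name))}")
    print("implicit trust pairs:", implicit_trust(CLUSTER))
```

In this model cp06 never stores cp05's zone locally, yet it can edit it through ns1/ns2, which is the pair the audit reports.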

  12. #12
    Member
    Join Date
    Dec 2003
    Location
    Catalonia, EU
    Posts
    50
    cPanel/Enkompass Access Level

    Root Administrator


    Hello,

    First of all, sorry if there has been any answer to this problem, which I am experiencing too. I have though browsed the whole forum and cPanel Bugzilla and have not found the solution.

    I have two clustered VPSs: vps1 with DNS role set to "Synchronize changes" to vps2, and vps2 as "Standalone". When I add, modify or change a zone on vps1, this is replicated to vps2. But when I do the same on standalone vps2, changes are also replicated to vps1 when they didn't have to.

    Moreover, exactly the same is happening when I disable clustering on vps2 and remove vps1 IP from "Servers in your DNS cluster": changes on vps2 are still being propagated to vps1 - not always, but most times.

    I don't know whether it can be related to the fact that "DNS Functions >> Synchronize DNS Records" is always showing the option "Synchronize all zones to all servers" checked by default, even after I have been performing a synchronization by any other method.

    Best regards,
    Last edited by JordiCS; 07-19-2009 at 02:21 PM.
    Jordi Casanovas - Bones Connexions
    Hostatge i cPanel en català

  13. #13
    Member
    Join Date
    Apr 2005
    Posts
    123


    There hasn't been a fix, it's still a security issue.

  14. #14
    Member
    Join Date
    May 2006
    Location
    Johannesburg, South Africa
    Posts
    944
    cPanel/Enkompass Access Level

    Root Administrator


    Just to clarify,

    You set up a DNS cluster between a few hosts, and expect it to manage the DNS on all of those hosts (if you don't know it yet, that's exactly what a cluster does, it manages everything on the hosts involved), and want it to add DNS records to all the servers that you have set up.

    BUT, when you suddenly log in to 1 machine, and see DNS records from another, you say it's a security flaw?????? I think you may need to re-think this a bit. A cluster does exactly what you are seeing right now.

    If you set up a DNS cluster between NS1 & NS2, and put them both into sync, then ALL the records from both servers WILL BE available on EITHER. That's how it works, that's what it's supposed to do. If you can't understand this concept, then rather disable it.

  15. #15
    Member
    Join Date
    Dec 2003
    Location
    Catalonia, EU
    Posts
    50
    cPanel/Enkompass Access Level

    Root Administrator


    I myself do understand perfectly clustering concept. But:

    As stated in a lot of places - cPanel instructions related to clustering, several threads on these forums, and on WHM itself - there are two different ways for clustering:

    - two-way clustering: all changes done on one server are being propagated to all clustered servers (option "synchronize changes" set on all servers).
    - one-way clustering: changes made on server1 are propagated to server2 and the rest, but changes made on a certain server2 are NOT propagated to server1 and the rest IF you set server2 as "standalone".

    See the "Notes" on WHM "Cluster management" page about this. My English is not at all excellent, but I think I am understanding them quite well:

    "Synchronize Changes: All changes made on this server will be replicated to any server linked to this server in the cluster. Synchronization is one-way: Changes made on the other server will not be replicated to this server unless Synchronize Changes is selected on that server as well.

    "Standalone: All changes made on this server will not replicated to any other server(s)."

    Well, this is what some people (me included) are finding: Clustering is always being TWO WAY, without real option of making it ONE WAY. When I set server2 as standalone, changes made on this server are also propagating to server1, and this was not expected to happen. Even if I unlink server1 on server2 clustering configurations, changes made on server2 are propagating to server 1, and this was not expected to happen.

    Regards,
    Last edited by JordiCS; 07-22-2009 at 03:45 PM.
    Jordi Casanovas - Bones Connexions
    Hostatge i cPanel en català
