
Allow Remote Domains - why is it a security problem?

Discussion in 'Bind/DNS/Nameserver' started by Gino Viroli, Oct 25, 2018.

  1. Gino Viroli

    Gino Viroli Well-Known Member

    Hello,

    I would like to let my cPanel users create parked/addon domains without being forced to use my VPS nameservers.

    I understand I can do this by turning on: "WHM > Server Configuration > Tweak Settings > Allow Remote Domains"

    But the help caption says it's not recommended: "This can be a major security problem. If you must have it enabled, be sure not to allow users to park common Internet domains."

    I don't understand, could someone please make a simple example of a potential risk?
    What's a "common internet domain"? And what happens if a user parks a "common internet domain"?

    Thanks
     
    MajorLancelot likes this.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @Gino Viroli,

    The primary risk for remote domains and common domains (e.g. gmail.com, hotmail.com) is that it can allow a malicious user to intercept emails sent from other users on your cPanel server to remote destinations.

    Exim assumes that domains existing in the /etc/localdomains file are hosted by the local cPanel server. Let's say a user adds gmail.com as an addon domain or alias in their cPanel account. If that were to happen, gmail.com would automatically be added to the /etc/localdomains file. If the person that added gmail.com creates a [email protected] email account in cPanel, and another domain hosted locally on your cPanel server sends an email to [email protected], then the email would be delivered to the person that created the gmail.com domain in cPanel as opposed to the actual Gmail servers.

    If you need to temporarily add a domain name that resolves to another server, then instead of enabling "Allow Remote Domains" in WHM >> Tweak Settings, you can instead temporarily add the IP addresses of the remote name servers utilized for that domain in the WHM >> IP Functions >> Configure Remote Service IPs >> Remote Name Server IPs interface. Users are permitted to add addon or parked domains only with nameserver IPs in this list.

    Thank you.
     
    Gino Viroli likes this.
  3. LucasRolff

    LucasRolff Well-Known Member

    It might be worth mentioning that gmail.com, hotmail.com, google.com, aol.com, yahoo.com and others cannot be added even if "Remote Domains" are allowed.

    cPanel maintains a list of "blacklisted" domains in /usr/local/cpanel/etc/commondomains and you're able to add additional domains in /var/cpanel/commondomains (you need to create the file).

    So there are a few security measures in place to prevent obvious domains from being added (such as gmail.com), but you really have to use Remote Domains with care, because it can very well result in bad things.
     
    cPanelMichael and Gino Viroli like this.
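Added example, not cPanel's own code, of the check an administrator would run against the files named in the two replies above: it parses a constructed commondomains list and a constructed /etc/localdomains, and flags any local domain whose public MX hosts are all off-server, since Exim would deliver that domain's mail locally to whoever added it. File contents, the DNS answers and the server IPs are constructed inline, and treating the commondomains check as an exact match is an assumption.

```python
"""Added example (not cPanel's code): audit /etc/localdomains for entries Exim
will deliver locally although the domain's real mail servers live elsewhere."""

# Constructed stand-in for /usr/local/cpanel/etc/commondomains and
# /var/cpanel/commondomains (one domain per line, '#' comments allowed).
COMMON_DOMAINS_TEXT = """
# refused even when Allow Remote Domains is on
gmail.com
hotmail.com
yahoo.com
"""
# Constructed stand-in for this server's /etc/localdomains.
LOCAL_DOMAINS_TEXT = """
example.net
shop.example.net
bigbank-example.com   # user-added; its MX is not this server
"""
# Constructed stand-in for DNS: domain -> IPs of its MX hosts.
MX_TABLE = {
    "example.net": ["198.51.100.10"],
    "shop.example.net": ["198.51.100.10"],
    "bigbank-example.com": ["203.0.113.25"],
}
SERVER_IPS = {"198.51.100.10"}  # constructed: IPs bound to this cPanel server


def parse_domain_list(text):
    """Parse a one-domain-per-line file, dropping blanks and '#' comments."""
    domains = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.append(line)
    return domains


def is_blocked(domain, common):
    """Assumption: the commondomains check is an exact, case-insensitive match."""
    return domain.lower() in set(common)


def audit_localdomains(local, server_ips, mx_table):
    """Return local domains whose MX hosts are all off-server: mail from other
    accounts on this box to such a domain never leaves the server, so the
    account that added the domain can read it."""
    suspect = []
    for domain in local:
        mx_ips = set(mx_table.get(domain, []))
        if mx_ips and not (mx_ips & server_ips):
            suspect.append(domain)
    return suspect
```

Run it against the real files by reading them into the two text variables and replacing MX_TABLE with live MX lookups; every entry it returns is one whose mail other accounts on the server cannot reach.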
  4. MajorLancelot

    MajorLancelot Well-Known Member

    Hello @cPanelMichael

    We do not want to enable "Allow Remote Domains" and we asked the customer to change the domain IP address and nameservers to point to our DNS cluster.

    Please, how can we get this to work for customers when they are using dynamic name-servers and without enabling Allow Remote Domains?

    And the explanatory sentence said, "Users are permitted to add addon or parked domains only with nameserver IPs in this list."

    Shouldn't this be "Users are permitted to also add addon or parked domains with the nameserver IPs in this list."?

    If the first one describes the real function of this feature, does this prevent users from adding addon or parked domains as normal when it is used?
     
    #4 MajorLancelot, Dec 19, 2018
    Last edited: Dec 19, 2018
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @MajorLancelot,

    By "dynamic", do you mean their name server IP addresses are always changing? Do the name server IP addresses share a C-Class or rotate from a fixed list of IP addresses? How often do you face this issue, and is there a common registrar or DNS service provider with this setup?

    Yes, or also stated as: Users are only permitted to add addon or alias domains that utilize nameservers registered with IPs in this list or IPs added to this cPanel & WHM server and cluster.

    Thank you.
     
  6. MajorLancelot

    MajorLancelot Well-Known Member

    Sorry for the delayed response to this.

    Not really.
    Route 53 and Google Domain often tend to change the IP addresses associated with the name-servers they give to their customers.
    It doesn't necessarily affect the "4" in one go but it might affect "2" at a time.

    This would make more sense and would be more explanatory if it is what is available.

    I have attached a screenshot of what is there now.

    Thanks for being there for us every time!
     


  7. sparek-3

    sparek-3 Well-Known Member

    And what was their response?

    I mean... this is kind of the order of things - "if you want to use addon domains... use the nameservers we designated for you" - I'm perplexed at the idea of not following that order... and still expecting things to work. Why have rules then?

    The purpose of forcing a domain name to use designated nameservers for your server is to validate that the person owning the domain name (capable of changing the nameservers for it) is the same one that is requesting hosting via an addon domain.

    Without that validation, then any low level user could create an addon domain, set up a default collection email address, and effectively steal all mail sent by users on the server to that (non-validated) domain name. Perhaps you can argue that the list of common Internet domains is sufficient... but are you really going to bank on that list (which is rather subjective) to be complete? What about amazon.com? walmart.com? usbank.com? I mean, there's a huge potential list and I don't believe it's cPanel's place to ensure that that list is kept current because it's always going to be subjective.


    If you really, really want to get around this... create a subdomain off of the main account with the DocumentRoot set to the intended addon domain's DocumentRoot.

    Then using the root's WHM's park a domain function, park the addon domain name on top of the created subdomain. The WHM's park a domain function does not have the remote domain validation check. ... Of course... there's no API call for using WHM's park a domain function... which has been begged for since the dawn of time, so it makes any sense of streamlining this process impossible.
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello Everyone,

    I believe what could help here is a feature that allows customers to validate ownership of a domain name without actually changing the name servers. For example, take this scenario:

    1. "Allow Remote Domains" is turned off.
    2. A customer owns a domain, but prefers to use a remote provider to manage the DNS for the domain.
    3. The customer wants to add the domain as an addon domain or alias.

    Currently, the hosting provider must turn on "Allow Remote Domains", add the remote name server IP addresses to WHM >> IP Functions >> Configure Remote Service IPs >> Remote Name Server IPs, or ask the customer to change their name servers. Otherwise, the third step above will fail.

    As an alternative, a new feature that allows the customer to validate ownership of the remote domain name themselves (i.e. perhaps by adding a DNS record for the domain via their DNS provider's interface to prove ownership) would make for a smoother process and avoid the need for manual intervention from the hosting provider.

    Does this sound like the right approach? Let me know of any feedback, and I'll proceed to create a feature request and check internally to see how feasible it is to implement a feature like this in the product.

    Thank you.
     
  9. InceptionHosting

    InceptionHosting Registered

    Hi Folks,

    Just wondering if you could provide a status update on this?

    I have read the thread and fully understand the reason for this existing however from an end user experience perspective it is kind of silly.

    End user signs up for a hosting account.
    In all major billing platforms they are asked if they want to register a domain or update their own nameservers etc, they choose the latter as they already have a domain.
    Everything is set up, they like the hosting provided so they go to add another domain... CLANG! This setting hits them.
    They perhaps want to use Cloudflare, which is obviously significant and increasingly common; they have to point the domain at my nameservers then back again to add a domain? Kind of silly from an end user (paying customer) perspective.

    So yes, the ability to prove ownership, probably through a TXT record, is the right way forward as a middle ground. As a side note, there should already be a second 'greylist' that contains all domains already existing on the server, to prevent anyone from adding a domain that already exists.

    my 2c, look forward to the update.
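The DNS-record proof of ownership that cPanelMichael proposes and the reply above endorses, as an added example that is not cPanel's implementation or the feature request's design: a Python sketch that issues a per-account, per-domain challenge token and accepts the domain only when that token appears in the domain's TXT records. The record prefix, the server secret and the DNS answers are constructed assumptions.

```python
"""Added example (not cPanel's code): the TXT-record proof of ownership proposed
in this thread, sketched as a server-issued challenge token."""
import hashlib
import hmac
import secrets

# Constructed: a per-server secret; in practice a random key kept out of the
# web root so only the server can mint valid tokens.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
PREFIX = "cpanel-verify="  # assumed record prefix, not a cPanel standard


def make_challenge(account, domain, nonce=None):
    """Token the customer must publish as a TXT record on the domain.

    The MAC binds account and domain, so a token issued to one account cannot
    be copied to prove ownership for a different account or domain."""
    nonce = nonce or secrets.token_hex(8)
    msg = f"{account}|{domain.lower()}|{nonce}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{PREFIX}{nonce}.{mac}"


def verify_ownership(account, domain, txt_lookup):
    """True if some TXT record on the domain is a valid token for this account.

    txt_lookup(domain) returns the TXT strings at the apex; in production it
    would query DNS (a constructed table stands in for it below)."""
    for record in txt_lookup(domain):
        if not record.startswith(PREFIX):
            continue
        nonce, _, _mac = record[len(PREFIX):].partition(".")
        expected = make_challenge(account, domain, nonce)
        if hmac.compare_digest(expected, record):
            return True
    return False


# Constructed DNS answers: account "acct1" published its token on example.org.
TXT_TABLE = {
    "example.org": [make_challenge("acct1", "example.org", "1a2b3c4d"), "v=spf1 -all"],
    "example.com": ["v=spf1 -all"],
}


def lookup_txt(domain):
    """Constructed resolver: returns the TXT strings for a domain, or none."""
    return TXT_TABLE.get(domain.lower(), [])
```

Because a TXT record can be removed after the check, a real implementation would re-verify periodically and drop the addon domain when the token disappears.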
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @InceptionHosting,

    The following feature request is now open:

    Remote domain verification

    I recommend voting and adding feedback to this feature request if you'd like to see it implemented in the future.

    Thank you.
     
  11. JoelStickney

    JoelStickney Registered

    Following up on: Remote IP

    Cloudflare doesn't disclose their IPs for their nameservers and they're constantly changing. So users have to TEMPORARILY set their nameservers to ours and then point them back. There should be other ways to verify domains, file verification would be the easiest and best.

    Features have been suggested for this (vote for it to get in core ^_-).
    Remote domain verification

    Has anyone found a temporary workaround for Cloudflare users except for the one I listed above?
     
  12. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member
