
Configuration dns cluster: many webservers and 3 dns-only servers

Discussion in 'Bind / DNS / Nameserver Issues' started by bejbi, Jul 25, 2017.

  1. bejbi

    bejbi Well-Known Member

    Joined:
    Jan 20, 2006
    Messages:
    94
    Likes Received:
    1
    Trophy Points:
    158
    Location:
    Poland
    cPanel Access Level:
    DataCenter Provider
    It is time for me to look into dns configuration.

    I have 3 webservers, i.e. s1.example.com, s2.example.com, s3.example.com

    I have 3 dns-only servers, i.e. dns.example.com, dns2.example.com, dns3.example.com

    I create accounts for customers like: customer123.example.com (they receive subdomain under my own domain).


    For now I have this configuration:

    On each webserver I have the 3 dns-only servers in the dnscluster with the role: write-only
    On each dns-only server I have the 3 webservers in the dnscluster with the role: standalone

    Such a configuration means that the webservers push their zones to the dns-only servers.
    It works, but ...

    I now see disadvantages of this (or even a high risk):

    Scenario 1:

    My main domain (example.com) is parked on server s1.example.com

    A customer on his own account (on webservers s2 and s3) can add ANY subdomain, like badword.example.com, as his ADDITIONAL domain.
    This is because webserver s2 or s3 doesn't know that this domain is owned by another user (on another webserver). But it is my domain :)

    The same applies to the domains of any customers located on other servers: any user can create a subdomain of any domain from the other webservers.

    I tried to secure it using Tweak Settings and the option "Prevent cPanel users from creating specific domains".
    But when I add my domain, example.com, it is no longer possible to create new accounts as subdomains of my domain using the API.
    And it does not secure the domains of other customers.

    Scenario 2:

    It is very interesting, because ANY user can now add my domain, "example.com", as his additional domain, and this will overwrite my original zone in the dns-only cluster (the new zone has a higher zone serial). It is very dangerous.


    ========
    The question is: how should the dns cluster (of 3 webservers and 3 dns-only servers) be configured to be safe?

    W.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,278
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The following feature request is open to help avoid this issue:

    Ownership and access control of zones in the dns server.

    If you use "Synchronize" instead of "Write-Only" as the DNS role, then it will prevent the creation of a DNS zone on a hosting server if it already exists.

    Thank you.
     
  3. bejbi

    bejbi Well-Known Member

    Joined:
    Jan 20, 2006
    Messages:
    94
    Likes Received:
    1
    Trophy Points:
    158
    Location:
    Poland
    cPanel Access Level:
    DataCenter Provider
    Thank you for the advice about changing "Write-Only" to "Synchronize". I had already done it when we were testing many configurations :)

    It resolves the problem with creating an existing domain, but creates another problem:

    When the webserver is set to Synchronize, the root user in WHM can edit all zones (even if they are not on this webserver).
    i.e.
    when the original account with the subdomain mydomain.example.com is on webserver s1.example.com
    and I edit this zone on webserver s2.example.com, then:
    Synchronize pushes my new zone from s2.example.com to the dns-only servers.

    When the dns-only servers are still "standalone", they DON'T push this new zone update to the original webserver: s1.example.com

    So we have a problem: the new version of the zone exists on the dns servers, but the original account where this zone is parked CAN'T see these changes.

    We can go further: when the customer edits his domain in his cPanel account (on webserver s1.example.com), this new update of the zone will overwrite the existing zone in the dns-only cluster ...

    So root/reseller and user can overwrite each other's zones :/

    W.
     
  5. bejbi

    bejbi Well-Known Member

    Joined:
    Jan 20, 2006
    Messages:
    94
    Likes Received:
    1
    Trophy Points:
    158
    Location:
    Poland
    cPanel Access Level:
    DataCenter Provider
    We found a solution for this. It is under our investigation now:

    If I set the role on the webservers to: Synchronize
    and on the dns-only servers to: Write only

    it looks like it works correctly:

    If I edit a zone on "any" webserver, it pushes this zone to the dns-only servers. And if the dns-only server has the other servers in its dnscluster with the role "Write only", the dns server pushes the updated zone to every webserver. After this, the zones on every webserver are still updated and current. It is also very comfortable, because I can edit a dns zone on any webserver without trouble.

    The only disadvantage of the above is: when a dns-only server pushes an updated zone, this zone (I mean: the file on disk) will appear on every webserver. But this I can accept ...

    W.
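The three situations in this thread (Scenario 2's serial-based overwrite, the lost update from post #3 when the dns-only servers stay standalone, and the Synchronize/Write-only layout from post #5) can be reproduced with a small model of the cluster. The code below is an added illustration, not cPanel's own code: the role names come from the posts, but the exact behaviour of each role, the date-style serial numbers, and the server names (dns3.example.com in particular) are constructed assumptions, so treat the results as a check of the reasoning rather than of cPanel itself.

```python
"""Toy model of cPanel DNS cluster roles as described in this thread (added example, not cPanel code)."""
from dataclasses import dataclass, field, replace

# Role a server assigns to a peer in its dnscluster configuration (assumed semantics).
STANDALONE = "standalone"    # never push our zone changes to this peer
WRITE_ONLY = "write-only"    # push our changes to the peer, never pull from it
SYNCHRONIZE = "synchronize"  # push, pull, and refuse to create a zone the peer already holds


class ZoneExists(Exception):
    """Raised when a Synchronize peer already holds the zone being created."""


@dataclass
class Zone:
    origin: str
    serial: int
    owner: str  # server whose account originally created the zone


@dataclass
class Server:
    name: str
    zones: dict = field(default_factory=dict)  # origin -> Zone
    peers: dict = field(default_factory=dict)  # peer name -> role


class Cluster:
    def __init__(self, names):
        self.servers = {n: Server(n) for n in names}

    def link(self, src, dst, role):
        """src's dnscluster entry for dst gets the given role."""
        self.servers[src].peers[dst] = role

    def zone_on_sync_peers(self, server, origin):
        """Return the copy of origin held by a Synchronize peer of server, if any."""
        for peer, role in self.servers[server].peers.items():
            if role == SYNCHRONIZE and origin in self.servers[peer].zones:
                return self.servers[peer].zones[origin]
        return None

    def create_zone(self, server, origin, serial):
        # Synchronize refuses to create a zone that already exists on the cluster.
        if self.zone_on_sync_peers(server, origin) is not None:
            raise ZoneExists(f"{origin} already exists on the cluster")
        zone = Zone(origin, serial, server)
        self.servers[server].zones[origin] = zone
        self._push(server, zone, {server})

    def edit_zone(self, server, origin):
        """Root on server edits origin: use the local copy, or pull it from a Synchronize peer."""
        current = self.servers[server].zones.get(origin) or self.zone_on_sync_peers(server, origin)
        if current is None:
            raise KeyError(f"{origin} is not reachable from {server}")
        zone = replace(current, serial=current.serial + 1)  # bump the SOA serial
        self.servers[server].zones[origin] = zone
        self._push(server, zone, {server})

    def _push(self, src, zone, visited):
        """Forward a zone along Write-Only / Synchronize links; the higher serial wins."""
        for peer, role in self.servers[src].peers.items():
            if role == STANDALONE or peer in visited:
                continue
            held = self.servers[peer].zones.get(zone.origin)
            if held is None or zone.serial > held.serial:
                self.servers[peer].zones[zone.origin] = replace(zone)
                self._push(peer, zone, visited | {peer})

    def serial(self, server, origin):
        zone = self.servers[server].zones.get(origin)
        return None if zone is None else zone.serial


# Constructed server names, mirroring the thread.
WEB = ["s1.example.com", "s2.example.com", "s3.example.com"]
DNS = ["dns.example.com", "dns2.example.com", "dns3.example.com"]


def build(web_role, dns_role):
    """Every webserver lists every dns-only server with web_role, and vice versa with dns_role."""
    cluster = Cluster(WEB + DNS)
    for w in WEB:
        for d in DNS:
            cluster.link(w, d, web_role)
            cluster.link(d, w, dns_role)
    return cluster


def scenario2_overwrite(web_role=WRITE_ONLY, dns_role=STANDALONE):
    """Scenario 2: example.com lives on s1; an account on s2 adds the same zone later.
    Returns the owner of the copy on dns.example.com, or "blocked" if creation was refused."""
    cluster = build(web_role, dns_role)
    cluster.create_zone("s1.example.com", "example.com", 2017072501)  # constructed serials
    try:
        cluster.create_zone("s2.example.com", "example.com", 2017072601)
    except ZoneExists:
        return "blocked"
    return cluster.servers["dns.example.com"].zones["example.com"].owner


def edit_propagation(dns_role):
    """Posts #3 and #5: root edits mydomain.example.com on s2. Returns (serial on s1, serial on dns)."""
    cluster = build(SYNCHRONIZE, dns_role)
    cluster.create_zone("s1.example.com", "mydomain.example.com", 2017072501)
    cluster.edit_zone("s2.example.com", "mydomain.example.com")
    return (cluster.serial("s1.example.com", "mydomain.example.com"),
            cluster.serial("dns.example.com", "mydomain.example.com"))
```

With the original layout, `scenario2_overwrite()` reports that the dns-only copy of example.com now belongs to s2, while `scenario2_overwrite(web_role=SYNCHRONIZE)` returns "blocked". `edit_propagation(STANDALONE)` leaves s1 one serial behind the dns-only servers, which is the lost update from post #3; `edit_propagation(WRITE_ONLY)` brings s1 level again, which is the post #5 layout. The model also makes the accepted side effect visible: after the Write-only push, every webserver holds a copy of every zone.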
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,037
    Likes Received:
    1,278
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm happy to see you were able to find a workaround that suits your needs. Thank you for updating us with the outcome.
     