Configuration dns cluster: many webservers and 3 dns-only servers

bejbi

Well-Known Member
PartnerNOC
Jan 20, 2006
153
27
178
Poland
cPanel Access Level
DataCenter Provider
It is time for me to look into dns configuration.

I have 3 webservers: ie. s1.example.com, s2.example.com, s3.example.com

I have 3 dns-only servers, ie. dns.example.com, dns2.example.com, dns2.example.com

I create accounts for customers like: customer123.example.com (they receive subdomain under my own domain).


For now I have configuration:

On each webserver I have the 3 dns-only servers in the dnscluster as role: write-only
On each dns-only server I have the 3 webservers in the dnscluster as role: standalone

Such a configuration means that the webservers push their zones into the dns-only servers.
It works, but ...

I see now disadvantages of this (or even high risk):

Scenario 1:

My main domain (example.com) is parked on server s1.example.com

A customer on his own account (on webservers s2 and s3) can add ANY subdomain like badword.example.com as his ADDITIONAL domain.
This is because webserver s2 or s3 doesn't know that this domain is owned by another user (on another webserver). But it is my domain :)

The same applies to the domains of any customers located on other servers - any user can create a subdomain of any domain from other webservers.

I tried to secure it using TweakSettings and the option "Prevent cPanel users from creating specific domains".
But when I add my domain example.com, it is unable to create new accounts as subdomains of my domain using the API.
And it does not secure the domains of other customers.

Scenario 2:

It is very interesting because ANY user can now add my domain "example.com" as his additional domain, and this will overwrite my original zone in the dns-only cluster (the new zone has a higher zone serial) - it is very dangerous.


========
The question is: how should a dns cluster (of 3 webservers and 3 dns-only) be configured to be safe?

W.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,218
463
Hello,

The following feature request is open to help avoid this issue:

Ownership and access control of zones in the dns server.

If you use "Synchronize" instead of "Write-Only" as the DNS role, then it will prevent the creation of a DNS zone on a hosting server if it already exists.

Thank you.
 

bejbi

Thank you for the advice about changing "Write-Only" into "Synchronize". I did it already when we were testing many configurations :)

It resolves the problem with creating an existing domain, but it makes another problem:

When the webserver is set to Synchronize, the root user in WHM can edit all zones (even if they are not on this webserver).
i.e.
when the original account with subdomain mydomain.example.com is on webserver s1.example.com
and I edit this zone on webserver s2.example.com, then:
Synchronize pushes my new zone from s2.example.com into the dns-only servers.

When the dns-only servers are still "standalone", they DON'T push this new zone update into the original webserver: s1.example.com

So we have a problem - the new version of the zone exists on the dns servers, but the original account where this zone is parked CAN'T see these changes.

We can go further: when the customer edits his domain in his cPanel account (on webserver s1.example.com), this new update of the zone will overwrite the existing zone in the dns-only cluster ...

So root/reseller and user can overwrite each other's zones :/

W.
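An added consistency audit (not from this thread or from cPanel) that flags the three conditions described above from a constructed snapshot of which zones each server holds and their SOA serials: the same zone on two webservers (scenario 2), a subdomain zone whose parent zone lives on a different webserver (scenario 1), and a dns-only server holding a newer serial than the webserver that owns the account. Server names, zones and serials are constructed sample data.

```python
"""Audit a DNS-cluster snapshot for zone-ownership conflicts and serial drift.
Added example, not cPanel code; the snapshot format is an assumption."""
from typing import Dict, List

# Constructed snapshot: server -> {zone: SOA serial}.
# s1..s3 are webservers (account hosts); dns.example.com is a dns-only server.
WEBSERVERS: Dict[str, Dict[str, int]] = {
    "s1.example.com": {"example.com": 2024010101, "customer123.example.com": 2024010105},
    "s2.example.com": {"badword.example.com": 2024010102},   # scenario 1: foreign parent
    "s3.example.com": {"example.com": 2024010199, "customer456.example.com": 2024010103},
}
DNS_ONLY: Dict[str, Dict[str, int]] = {
    "dns.example.com": {"example.com": 2024010199, "customer123.example.com": 2024010107,
                        "badword.example.com": 2024010102, "customer456.example.com": 2024010103},
}

def parent_zones(zone: str) -> List[str]:
    """Proper parent names of zone, longest first: a.b.c -> [b.c, c]."""
    labels = zone.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def audit(webservers: Dict[str, Dict[str, int]], dns_only: Dict[str, Dict[str, int]]) -> List[str]:
    findings: List[str] = []
    owners: Dict[str, List[str]] = {}          # zone -> webservers that hold it
    for server, zones in webservers.items():
        for zone in zones:
            owners.setdefault(zone, []).append(server)
    # Scenario 2: the same zone exists on two webservers; the higher serial wins in the cluster.
    for zone, servers in owners.items():
        if len(servers) > 1:
            findings.append(f"DUPLICATE {zone} on {', '.join(sorted(servers))}")
    # Scenario 1: a zone whose nearest parent zone is owned by a different webserver.
    for zone, servers in owners.items():
        for parent in parent_zones(zone):
            if parent in owners:
                if not set(owners[parent]) & set(servers):
                    findings.append(f"FOREIGN-PARENT {zone} on {servers[0]} but {parent} is on {owners[parent][0]}")
                break
    # Drift: a dns-only server holds a newer serial than the webserver owning the account.
    for dns_server, zones in dns_only.items():
        for zone, serial in zones.items():
            for owner in owners.get(zone, []):
                if webservers[owner][zone] < serial:
                    findings.append(f"STALE {zone} on {owner} serial {webservers[owner][zone]} < {dns_server} serial {serial}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(WEBSERVERS, DNS_ONLY):
        print(finding)
```

A real run would fill the two dictionaries from `dig SOA` or from each server's zone files instead of the constructed snapshot.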
 

bejbi

We found a solution for this. It is under our investigation now:

If I set the role on the webservers to Synchronize
and on the dns-only servers to Write only,

it looks like it works correctly:

If I edit a zone on "any" webserver, it pushes this zone into the dns-only servers. And if the dns-only server is set to the other servers in the dnscluster in the role "Write only", the dns server pushes the updated zone into every webserver. After this, the zones on every webserver stay updated and current. It is also very comfortable, because I can edit a dns zone on any webserver without trouble.

The only disadvantage of the above is: when the dns-only server pushes an updated zone, this zone (I mean: the file on disk) will appear on every webserver. But this I can accept ...

W.
 

cPanelMichael

Hello,

I'm happy to see you were able to find a workaround that suits your needs. Thank you for updating us with the outcome.