sparek-3

Well-Known Member
Aug 10, 2002
2,135
260
388
cPanel Access Level
Root Administrator
I thought that using a DNS cluster prevented you from having duplicate domain names in that cluster.

For example, if you have two web servers (web1, web2) and they both sync to one nameserver (ns1), then if you set up an account on web1 (for example fakedomain.com) then you would not be able to set up fakedomain.com on web2.

When fakedomain.com is set up on web1, then a DNS zone gets transferred over to ns1.

If you try to set up fakedomain.com on web2, you would get an error that the domain already exists.

At least this is how I thought DNS clustering used to work.

Is this how DNS clustering is supposed to work?
 

sparek-3

That is what I thought. I will look at it some more, it wouldn't be the first time that I've got something misconfigured.

In this scenario both web1 and web2 should have the DNS role set to Synchronize Changes and ns1 should have the DNS role set to Standalone. Is that correct?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
13
313
Houston, TX
cPanel Access Level
Root Administrator
> That is what I thought. I will look at it some more, it wouldn't be the first time that I've got something misconfigured.
>
> In this scenario both web1 and web2 should have the DNS role set to Synchronize Changes and ns1 should have the DNS role set to Standalone. Is that correct?

Here's what that setup looks like:

Web1 --> ns1
Web2 --> ns1

This means Web1 is sync'ing to ns1, but never sync'ing to Web2, hence no error on web2.

If you changed ns1 to synchronize, here's what that would look like:

Web1 <--> ns1
Web2 <--> ns1

Then records from Web1 would synchronize to ns1 and then to Web2.
 

sparek-3

> If you changed ns1 to synchronize, here's what that would look like:
>
> Web1 <--> ns1
> Web2 <--> ns1
>
> Then records from Web1 would synchronize to ns1 and then to Web2.

I thought this was the least ideal setup?

Is this how most people have DNS clusters set up?

I don't currently employ any type of DNS clustering on our servers, but I would really like to. For some reason, I'm not able to wrap my head around how to deal with domain duplicates. We don't have a lot of duplicates, but we have had times where we would set up accounts on two different servers. I am trying to figure out what the best way to handle those instances is. I would like to prevent resellers from being able to create duplicate accounts on the clusters, and thereby overwriting DNS.
 

cPanelDavidG

> I thought this was the least ideal setup?
>
> Is this how most people have DNS clusters set up?
>
> I don't currently employ any type of DNS clustering on our servers, but I would really like to. For some reason, I'm not able to wrap my head around how to deal with domain duplicates. We don't have a lot of duplicates, but we have had times where we would set up accounts on two different servers. I am trying to figure out what the best way to handle those instances is. I would like to prevent resellers from being able to create duplicate accounts on the clusters, and thereby overwriting DNS.

Usually, most people are synchronizing their records to their nameservers from their servers they're using for web content, as illustrated at:

ConfigureCluster < AllDocumentation/WHMDocs < TWiki

Is there any particular reason you want to use DNS clustering as a means to prevent duplicate domains rather than using the tweak settings in the domains section of WHM -> Server Configuration -> Tweak Settings? For example, not allowing customers to use the domains of other customers should reduce these issues.
 

sparek-3

Well, what I'm trying to prevent is an instance where a reseller on another server can disrupt DNS for an account that is hosted on another server.

Say I have web1 and web2 that are both webservers, they both sync DNS to ns1 and ns2.

example.com is an account that is resolving to web1 and is using ns1 and ns2 nameservers.

A reseller on web2 can create an example.com account, which would then overwrite the DNS for example.com. Now instead of example.com resolving to web1 it is resolving to web2. The reseller on web2 can delete the example.com account and now example.com resolves to nothing.



I guess you could write something for prewwwacct that would check the DNS clusters and see if example.com already exists on the cluster.

Are there any "prewrappers" for parked domains and addon domains? Because the resellers on web2 in my example could just as easily park example.com instead of creating a new account.
 

cPanelDavidG

> Well, what I'm trying to prevent is an instance where a reseller on another server can disrupt DNS for an account that is hosted on another server.
>
> Say I have web1 and web2 that are both webservers, they both sync DNS to ns1 and ns2.
>
> example.com is an account that is resolving to web1 and is using ns1 and ns2 nameservers.
>
> A reseller on web2 can create an example.com account, which would then overwrite the DNS for example.com. Now instead of example.com resolving to web1 it is resolving to web2. The reseller on web2 can delete the example.com account and now example.com resolves to nothing.
>
> I guess you could write something for prewwwacct that would check the DNS clusters and see if example.com already exists on the cluster.
>
> Are there any "prewrappers" for parked domains and addon domains? Because the resellers on web2 in my example could just as easily park example.com instead of creating a new account.

I'm confused. Why are you trying to build scripts and hooks for functionality that is already built into cPanel/WHM?
 

sparek-3

Maybe I am the one that is confused.

How do I prevent this from happening:

> Say I have web1 and web2 that are both webservers, they both sync DNS to ns1 and ns2.
>
> example.com is an account that is resolving to web1 and is using ns1 and ns2 nameservers.
>
> A reseller on web2 can create an example.com account, which would then overwrite the DNS for example.com. Now instead of example.com resolving to web1 it is resolving to web2. The reseller on web2 can delete the example.com account and now example.com resolves to nothing.

Is there a way to prevent that? I'm not saying that there isn't, I'm just asking if there is a way.

Is the only way to prevent this to have web1 sync to ns1, ns2, and web2?

This could become quite cumbersome if you have 10 or more web servers. There also could be potential security implications because if web1 is hacked into, then hackers would also have access to web2 due to the root hash (wouldn't they?)

Again, maybe I'm missing something.
 

sparek-3

I think I may have figured it out.

You have to Disable BIND and NSD in Nameserver Selection on both web1 and web2.

If BIND is selected, then web1 (or web2) will just check locally to see if the domain name of the account you are trying to add (or park) exists. Since it doesn't exist on that server, then this is allowed to go through.

If Nameserver Selection is set to disable, then web1 (or web2) will check the cluster to see if a DNS entry already exists. This will prevent duplicates.
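
The cluster-side lookup discussed in this thread (the check a prewwwacct-style hook would need, instead of the local-only check described in the last post), as an added example that is not part of any post and is not cPanel's code. The nameserver hostnames, the `DIG` override and the function names are assumptions; how cPanel passes arguments to prewwwacct is not shown on this page, so the script simply takes the domain as its first argument.

```shell
#!/bin/sh
# Added example (not cPanel code): refuse a domain that a cluster nameserver
# already serves. The hostnames are placeholders; DIG can be overridden so the
# check can be exercised offline with a stub.
NAMESERVERS="${NAMESERVERS:-ns1.example.net ns2.example.net}"
DIG="${DIG:-dig}"

# Lowercase the name and drop a trailing dot so comparisons are stable.
normalize_domain() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# zone_on_ns DOMAIN NS -> 0: NS holds a zone for DOMAIN, 1: it does not,
# 2: NS could not be queried (timeout, network error).
zone_on_ns() {
    zn_domain=$(normalize_domain "$1")
    # +norecurse asks only for data the server already holds; on an
    # authoritative nameserver an SOA in the answer section means the zone exists.
    zn_out=$("$DIG" +norecurse +noall +answer +time=3 +tries=1 \
        "@$2" "$zn_domain" SOA 2>/dev/null) || return 2
    printf '%s\n' "$zn_out" | awk -v d="$zn_domain." \
        'tolower($1) == d && $4 == "SOA" { found = 1 } END { exit !found }'
}

# check_domain DOMAIN -> 0: free everywhere, 1: zone already exists,
# 2: a nameserver was unreachable (fail closed: do not create the domain).
check_domain() {
    cd_unknown=0
    for cd_ns in $NAMESERVERS; do
        cd_rc=0
        zone_on_ns "$1" "$cd_ns" || cd_rc=$?
        case $cd_rc in
            0) echo "refuse: $1 already has a zone on $cd_ns" >&2; return 1 ;;
            1) ;;
            *) cd_unknown=1 ;;
        esac
    done
    [ "$cd_unknown" -eq 0 ] || { echo "refuse: could not verify $1" >&2; return 2; }
    return 0
}

# Usage: sh check_cluster_zone.sh example.com   (exit status 0 = safe to create)
if [ "$#" -gt 0 ]; then check_domain "$1"; exit $?; fi
```

The check only matches a zone whose SOA owner is exactly the requested name, which is the case where a new account, parked domain or addon domain would overwrite an existing zone on the nameservers.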