DNS clustering security flaw

optize

Well-Known Member
We recently enabled DNS clustering on all of our shared boxes, only to find out that you can edit any domain on any shared box, regardless of where it's located.

Therefore, if ANYONE gets into any of our shared boxes, they could delete every single domain across my network.

Why is this? Shouldn't syncing be one way?
 

cPanelDavidG

Technical Product Specialist
You can set up syncing to be one way if you desire. That's all up to how you configure the DNS cluster.

Keep in mind, if you are the root user on a server that is receiving DNS records from other servers, you can edit those other DNS records. DNS clustering is designed for owners that have multiple servers and wish to cluster their DNS.

Reseller users and lower can only change the DNS records they own. They cannot change the DNS records from other servers.
 

optize

Well-Known Member
Not exactly sure what you mean.

I have my shared servers set for 'Sync' in clustering, they sync with ns1/ns2. NS1 and NS2 clustering is set for Standalone.

So the question is why changes from, let's say, cp05 would get synced to ns1, and then ns1 would re-sync them to cp06.

I'm not worried about resellers; I'm worried about someone logging in as 'root'.

Synchronize Changes: All changes made on this server will be replicated to any server linked to this server in the cluster. Synchronization is one-way: Changes made on the other server will not be replicated to this server unless Synchronize Changes is selected on that server as well.

Standalone: All changes made on this server will not be replicated to any other server(s).
 

cPanelDavidG

Technical Product Specialist
Okay, let me understand this scenario correctly: NS1 set to synchronize to cp05 and cp06, cp05 is NOT set to synchronize yet root on cp05 is able to change a zone and have it propagate to cp06 despite the server being set to not synchronize?
 

neutro

Well-Known Member
Same here. Why, when I click on Edit DNS, are all the domains from ns1 and ns2 loaded (no db in /var/named and no entry in named.conf)?
If anybody logs in to one of the clustered servers, they can simply modify records on ns1 and ns2. Can cPanel load domains from that server only, based on the named.conf on that particular server, not from ns1 or ns2?
 

optize

Well-Known Member
This is how it's set up:

cp05 (shared server) is set up to do clustering with ns1/ns2. On the cp05 side, it's set for 'Sync'.

cp06 (shared server) is set up to do clustering with ns1/ns2. On the cp06 side, it's set for 'Sync'.

On ns1/ns2, it's set for standalone between ns1/ns2, between ns1 & ns2/cp05, and between ns1 & ns2/cp06.

So, on cp06, I can see all the domains that are on cp05 and I can delete all of them. I see this as being a huge security flaw. If anyone gets into any of my shared servers via 'root', they could take down my entire cluster.

:eek:
 

cPanelDavidG

Technical Product Specialist
Something doesn't sound right. Synchronization is always one-way, so cp05 should be going to ns1 and ns2, but ns1 and ns2 should NOT be sending that data to cp06 at all (as both are set as standalone to cp06, cp05 and each other), meaning there shouldn't even be anything from cp05 on cp06 that can be viewed, much less edited.

Based on your description, there seems to be a malfunction somewhere. I recommend having our technical analysts look at this for you so they can determine what is causing this issue. You can reach our technical analysts at: http://tickets.cPanel.net/submit
 

optize

Well-Known Member
So cPanel says it's supposed to work that way; even though it's a huge security flaw, they won't address it.

Please voice your concern to them.

--

Sorry for the confusion, this is not a security flaw but is intended behaviour.

When you set up a DNS cluster with another server, this is set up as a "Root Trust Relationship" between the servers, and each server in the cluster will have access to all DNS zones in the cluster.

This is the nature of a "Trust Relationship" between the servers.

Kevin Asklund
Technical Analyst 3
cPanel Advanced Support
 

hbouma

Well-Known Member
"When you set up a DNS cluster with another server, this is set up as a "Root Trust Relationship" between the servers, and each server in the cluster will have access to all DNS zones in the cluster.

This is the nature of a "Trust Relationship" between the servers."

cPanel should clarify that root trust relationships in a cluster are transitive in their documentation then. As pointed out in the example, srv05 and srv06 do not have an explicit trust relationship established between them yet they inherit it because they both trust the ns1 and ns2 name servers. This is what allows them to edit the other server's zones.

Hal
 
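The transitive reach hbouma describes, and the check neutro asks for (which zones a box can edit that its own named.conf does not declare), as an added Python model. This is not cPanel's code and is not taken from any post; the server names, roles, zones and the named.conf fragment are constructed, and the model encodes only what the thread states: "Synchronize Changes" pushes a server's zones one way to the linked peer, "Standalone" pushes nothing, and root on any server can edit every zone held by any server it is linked to, whatever role it set on that link.

```python
"""Model of zone reach in a cPanel DNS cluster, as described in this thread.

Encodes two statements from the posts:
  * "Synchronize Changes" pushes a server's zones one way to the linked peer;
    "Standalone" pushes nothing.
  * Root on any server can view/edit every zone held by any server it is
    linked to, whatever role it set toward that peer (root trust).
Server names, roles and zones below are constructed for the example.
"""
import re

# Constructed cluster: {server: {peer: role this server set toward peer}}
CLUSTER_LINKS = {
    "cp05": {"ns1": "sync", "ns2": "sync"},
    "cp06": {"ns1": "sync", "ns2": "sync"},
    "ns1": {"ns2": "standalone", "cp05": "standalone", "cp06": "standalone"},
    "ns2": {"ns1": "standalone", "cp05": "standalone", "cp06": "standalone"},
}

# Constructed zones each server actually hosts in its own named.conf
LOCAL_ZONES = {
    "cp05": {"example.com", "shop.example"},
    "cp06": {"example.net"},
    "ns1": set(),
    "ns2": set(),
}

# Constructed named.conf fragment for cp06, used by the local check below
CP06_NAMED_CONF = """
zone "example.net" {
    type master;
    file "/var/named/example.net.db";
};
"""

ZONE_STMT = re.compile(r'^\s*zone\s+"([^"]+)"', re.MULTILINE)


def zones_held(links, local_zones):
    """Zones whose records each server stores: its own plus whatever is
    pushed to it over 'sync' links. Iterates to a fixpoint so chained
    sync links carry zones onward; standalone links carry nothing."""
    held = {s: set(z) for s, z in local_zones.items()}
    changed = True
    while changed:
        changed = False
        for src, peers in links.items():
            for dst, role in peers.items():
                if role == "sync" and not held[src] <= held[dst]:
                    held[dst] |= held[src]
                    changed = True
    return held


def editable_from(server, links, held):
    """Zones root on `server` can edit: its own plus every zone held by
    each peer it is linked to, regardless of the role on that link."""
    reach = set(held[server])
    for peer in links.get(server, {}):
        reach |= held[peer]
    return reach


def implicit_trust(server, links, held, local_zones):
    """Servers whose zones `server` can edit with no direct link to them:
    the transitive trust hbouma points out (cp06 reaching cp05 via ns1/ns2)."""
    direct = set(links.get(server, {})) | {server}
    reach = editable_from(server, links, held)
    return sorted(o for o, z in local_zones.items()
                  if o not in direct and z & reach)


def zones_in_named_conf(text):
    """Zone names declared in a named.conf(-style) text."""
    return set(ZONE_STMT.findall(text))


def foreign_editable(server, named_conf_text, links, held):
    """Zones WHM on `server` would let root edit that its own named.conf
    does not declare: the list neutro asks about, i.e. the blast radius
    of a root compromise on this one box."""
    return sorted(editable_from(server, links, held)
                  - zones_in_named_conf(named_conf_text))


if __name__ == "__main__":
    held = zones_held(CLUSTER_LINKS, LOCAL_ZONES)
    for s in sorted(CLUSTER_LINKS):
        print(f"{s}: holds {sorted(held[s])}, can edit "
              f"{sorted(editable_from(s, CLUSTER_LINKS, held))}, "
              f"implicitly trusts {implicit_trust(s, CLUSTER_LINKS, held, LOCAL_ZONES)}")
    print("cp06 foreign zones:",
          foreign_editable("cp06", CP06_NAMED_CONF, CLUSTER_LINKS, held))
```

Running it on the constructed topology shows cp06 holding only example.net yet able to edit cp05's zones through ns1/ns2, with no link between cp05 and cp06 anywhere in the configuration; the same functions can be fed a real cluster's link list and a real named.conf to measure how far a single root compromise would reach.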

JordiCS

Well-Known Member
Hello,

First of all, sorry if there has already been an answer to this problem, which I am experiencing too. I have, though, browsed the whole forum and the cPanel Bugzilla and have not found the solution.

I have two clustered VPSes: vps1 with its DNS role set to "Synchronize changes" toward vps2, and vps2 set as "Standalone". When I add, modify or change a zone on vps1, this is replicated to vps2. But when I do the same on the standalone vps2, changes are also replicated to vps1, when they should not be.

Moreover, exactly the same is happening when I disable clustering on vps2 and remove vps1's IP from "Servers in your DNS cluster": changes on vps2 are still being propagated to vps1, not always, but most times.

I don't know whether it can be related to the fact that "DNS Functions >> Synchronize DNS Records" is always showing the option "Synchronize all zones to all servers" checked by default, even after I have been performing a synchronization by any other method.

Best regards,
 

SoftDux

Well-Known Member
Just to clarify,

You set up a DNS cluster between a few hosts, and expect it to manage the DNS on all of those hosts (if you don't know it yet, that's exactly what a cluster does: it manages everything on the hosts involved), and want it to add DNS records to all the servers that you have set up.

BUT, when you suddenly log in to 1 machine and see DNS records from another, you say it's a security flaw? I think you may need to re-think this a bit. A cluster does exactly what you are seeing right now.

If you set up a DNS cluster between NS1 & NS2, and put them both into sync, then ALL the records from both servers WILL BE available on EITHER. That's how it works; that's what it's supposed to do. If you can't understand this concept, then rather disable it.
 

JordiCS

Well-Known Member
I myself do understand the clustering concept perfectly. But:

As stated in a lot of places (cPanel instructions related to clustering, several threads on these forums, and WHM itself) there are two different ways of clustering:

- two-way clustering: all changes done on one server are propagated to all clustered servers (option "Synchronize changes" set on all servers).
- one-way clustering: changes made on server1 are propagated to server2 and the rest, but changes made on a certain server2 are NOT propagated to server1 and the rest IF you set server2 as "Standalone".

See the "Notes" on the WHM "Cluster management" page about this. My English is not at all excellent, but I think I am understanding them quite well:

"Synchronize Changes: All changes made on this server will be replicated to any server linked to this server in the cluster. Synchronization is one-way: Changes made on the other server will not be replicated to this server unless Synchronize Changes is selected on that server as well.

"Standalone: All changes made on this server will not be replicated to any other server(s)."

Well, this is what some people (me included) are finding: clustering is always TWO WAY, without a real option of making it ONE WAY. When I set server2 as standalone, changes made on this server are also propagating to server1, and this was not expected to happen. Even if I unlink server1 in server2's clustering configuration, changes made on server2 are propagating to server1, and this was not expected to happen.

Regards,
 

optize

Well-Known Member
I've spent too many hours going back and forth with cPanel about this. This is their response:

"It's not really clustering, as it doesn't copy the actual zone files to each server, however each cPanel server in a cluster can edit/delete the other zone files"

Huge freaking security loophole here.

:eek:
 

EWD

Well-Known Member
Been complaining about this for ages. I never understood why they do not "see" this as a security flaw.
 

optize

Well-Known Member
They have created a bug request to fix this. Hopefully it will be done soon and not in 2 years :)

If you want it fixed as well, please let them know by replying in this thread, it's attached to the bug request.
 

JamesSmith

Well-Known Member
I add my support to this.

There should be a feature at least allowing a server to be excluded from listing and modifying the zones (the cluster side, to prevent it being turned off). A good example of this is allowing a dedicated server client to use our name servers. I obviously don't want them to modify and delete all other zones on other servers also using the name servers.

It's not so much of a problem if the server is fully managed, as the client wouldn't have access as root.
 

DomineauX

Well-Known Member
It is my understanding that a revamp of the DNS clustering is planned to address these issues.
From what I heard, they will be building in granular security so that, for example, a dedicated server could use the cluster and not have access to any zones that are not from his server, and resellers only have access to zones under them.

This is something that is a big concern for me as well and so I brought it up at cPanelConf.