DNS Issues and CSF Firewall

Joe Gold

Member
Oct 31, 2018
cPanel Access Level
Root Administrator
On (1) of (4) identical WHM server configurations, I started having problems over the last few weeks with DNS issues. It started first with nightly notifications of "Failed UPCP update". Then I started getting complaints that customers were getting their IP addresses banned. Then AutoSSL stopped being able to update. I asked cPanel's amazing support team to investigate and they found that when they executed:

Code:
for i in {a..m}; do echo -n "$i.root-servers.net: "; dig -4 "$i".root-servers.net @"$i".root-servers.net +short;done
that several of the root servers were being blocked. They also found when executing:

Code:
dig @xx.x.xx.xxx version.bind txt chaos +short
that "the server's nat configuration is not properly configured for loopback (hairpin)" -- [when you run that the response is "connection timed out; no servers could be reached"]

cPanel support concluded that this was a network issue by the provider. The provider is AWS, and after some quick investigation, I was able to conclude this was not the case.

After a lot of troubleshooting, I did find out that if I disabled CSF firewall, none of these DNS issues occur any longer. However, once it's enabled, the problem occurs. I've tried comparing my CSF config with my other identical servers and it is the same. I cleared all current IP blocks from CSF and this did not help. I also whitelisted all (11) root server IPs in CSF and this cleared up that issue.

However, I still have the UPCP update issue. I also still have the NAT issue. The AutoSSL issue still also occurs with CSF on too.

I've spent hours trying to figure out why this (1) server out of (4) is the only one having these issues. I've also tried configuring NAT in CSF (something that is not configured in CSF for the other (3) servers) but that did not help either.

Does anyone have any suggestions on what I should try to resolve these problems?

NOTE: all servers are running ConfigServer Security & Firewall - csf v14.01 and WHM - v84.0.21.


Thank you very much!
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Hello,

I would strongly urge you to re-open the support ticket you had going, to allow our analysts to look further into the issue. We have also put v86 into the CURRENT tier and expect it to go to RELEASE next week. I know some of the issues you noted are marked as being resolved in v86.
 

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
If you're confident that it's CSF related, have you tried exporting the config from one server to another, rather than comparing?
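
One way to make the server-to-server comparison mechanical, as an added example that is not part of the thread or of CSF itself: parse two csf.conf files (`KEY = "value"` lines), list every setting that differs, and flag outbound port lists that do not allow DNS on port 53. The two sample configs are constructed, and the helper names are hypothetical.

```python
import re

# Constructed samples in csf.conf syntax; not taken from the poster's servers.
WORKING_CONF = '''
# Allow outgoing TCP ports
TCP_IN = "20,21,22,25,53,80,443"
TCP_OUT = "20,21,22,25,53,80,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123"
'''
BROKEN_CONF = '''
TCP_IN = "20,21,22,25,53,80,443"
TCP_OUT = "20,21,22,25,80,113,443"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,113,123,30000:35000"
'''

SETTING = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"([^"]*)"')

def parse_csf_conf(text):
    """Return {KEY: value} from csf.conf text; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def diff_settings(a, b):
    """Settings whose values differ or that exist on only one server."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

def port_allowed(port_list, port):
    """True if port appears in a CSF port list such as "22,53,30000:35000"."""
    for item in port_list.split(","):
        lo, _, hi = item.strip().partition(":")
        hi = hi or lo  # a single port is a range of one
        if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
            return True
    return False

def dns_gaps(settings):
    """Outbound port lists that do not allow port 53 (needed to query resolvers)."""
    return [k for k in ("TCP_OUT", "UDP_OUT")
            if not port_allowed(settings.get(k, ""), 53)]

if __name__ == "__main__":
    good, bad = parse_csf_conf(WORKING_CONF), parse_csf_conf(BROKEN_CONF)
    for key, (g, b) in diff_settings(good, bad).items():
        print(f"{key}: working={g!r} broken={b!r}")
    print("outbound lists missing port 53:", dns_gaps(bad))
```

To use it on real servers, read each server's `/etc/csf/csf.conf` into `parse_csf_conf` in place of the sample strings.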