kgikiji (Registered, joined Aug 25, 2021, United Kingdom; cPanel Access Level: Reseller Owner)
Hi,

Apologies if this has already been discussed or answered somewhere. I've tried to search for something similar to our situation but couldn't find it.

We host a reseller cPanel/WHM solution. As probably most in our situation, we ship DNS, web hosting, email and so on for ourselves and our customers. However, we are trying to transition to a different setup. We want to host our website externally behind a WAF and, in doing so, also provide email support under the new hosting solution for our clients still on the current cPanel server. This is to avoid clients being locked out of support if they inadvertently lock themselves out of their accounts. It's important to note we also have a clustered DNS solution, where 3 DNSOnly servers mirror the current DNS zones provided by the master server.

We've hit a snag at being able to get a WAF in front of our website. Specifically, for a WAF to work on our apex domain, it must have DNS features that cPanel does not currently support. For example, since the DNS RFC forbids CNAME records on apex domains, we either have to keep a WAF CDN IP list updated in real time in cPanel's DNS or provide an ALIAS record, neither of which is possible on cPanel. The option to redirect traffic from a standalone web server with an HTTP 301 is not really a solution, as it leaves the standalone server vulnerable.

So we've settled on the following. We move the public DNS zone from cPanel to a DNS provider with ALIAS record support at the registrar level. We then duplicate all relevant records from cPanel to the new DNS provider to make everything work. We deploy the DNS and WAF through the new DNS provider. What we are worried about is that this could break cPanel operation for our clients in unforeseen ways:
- We are not sure of the minimum set of DNS records required for cPanel operation.
- We do not know if cPanel requires root domain DNS control for normal operation. (Note: We will keep the root DNS zone on cPanel, so effectively it will get updates from cPanel, but they will not automatically be propagated publicly.)
- We are not sure the DNS cluster will continue to operate as expected.

It would be nice to know a few details. For example:
- Is this setup at all possible?
- Is it enough to set the WebHost Manager to use explicit DNS servers and replicate the current root domain zone on the external DNS provider?
- What about email routing? Is it possible/advisable to set email routing to external DNS always for every account?

It would be great to get some clarity about these points and possibly other crucial aspects of the setup we might have missed.

We really appreciate any help you can provide.

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
Hey there! I think I understand what you're trying to set up, so I'll answer things in order to make sure I don't miss anything.

We are not sure of the minimum set of DNS records required for cPanel operation.
This depends on how your users access their services. If you go to WHM >> Edit Zone Templates and check the standardvirtualftp template, you'll see all the records that are created by default on a cPanel machine. If your users use the subdomains like webmail.domain.com or cpanel.domain.com to access server resources, you'll want to make sure those are in place.

We do not know if cPanel requires root domain DNS control for normal operation
Even if the DNS isn't served from the local system, you'll want to keep the DNS zones around. They don't take up much space, and cPanel expects them to exist.

We are not sure the DNS cluster will continue to operate as expected.
This, as well as the rest of the questions in your post, comes down to "are there changes with the public IPs that could break things?" If not, I would expect everything to work normally. As long as the servers can speak to each other, and your MX records are set up to point to the correct machine, everything else should fall into place. We don't do much testing on our end with systems behind firewalls, but as long as the traffic is being routed properly to the system, you and your users shouldn't notice any difference in the server's behavior.

If you have a way to do it, I'd recommend testing this out with one system and one domain before implementing it for all users just to see how it does end up working in your particular environment.

kgikiji
Alright, all that sounds promising. We are planning on having the website and portal (WHMCS) served from a VM separate from cPanel/WHM. Then we want to control WHM from the external WHMCS. Essentially, we want the following things on the external WHMCS portal:
- website
- purchasing
- client portal
- support
- billing
and we want the following to stay cPanel/WHM:
- client DNS
- client mail
- client web hosting
Root domain mail will also be external to cPanel. Previously, we've had some issues with internal mail routing ignoring public DNS MX records, and it might be an issue for the root domain given the defunct DNS zone will remain on cPanel. I'm not sure cPanel will poll public DNS for a zone it thinks it has control over. We want to avoid the situation where we cannot answer any support tickets because mail is routed internally to the incorrect place. Not sure if there is a setting we can enforce globally to address this.

From what I've read and understood from the above, I think this is all possible. I've checked the client templates and they do indeed avoid subdomaining the root domain, so no issues there.

I did want to ask how we should go about testing this. Currently, in my head I think it's kind of impossible given we have to somehow test for the root domain, but can't move it elsewhere beforehand. Maybe I'm missing something. Any ideas?
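One concrete pre-cutover check that addresses both the moderator's point about the records the standardvirtualftp template creates and the question of how to test before moving the apex: export the zone the external provider will serve (most providers offer a BIND-format export) and diff it against the zone cPanel holds, looking only at the service hostnames (webmail, cpanel, whm, and so on) and the apex MX. The script below is an added example written for this thread, not code from cPanel or from the poster. The list of service labels is an assumption to be confirmed against WHM >> Edit Zone Templates on the actual server, and both zone texts are constructed samples.

```python
"""Pre-cutover check: do the service hostnames cPanel's default zone template
creates (webmail, cpanel, whm, ...) and the apex MX exist, with the same data,
in the zone the external DNS provider will serve?

Both zone texts below are constructed samples for this example, not real zones.
"""

# Labels the standard cPanel template is ASSUMED to create for each domain;
# confirm against WHM >> Edit Zone Templates >> standardvirtualftp on your server.
SERVICE_LABELS = ["www", "mail", "ftp", "webmail", "cpanel", "whm", "webdisk"]


def fqdn(name: str, origin: str) -> str:
    """Make a zone-file owner or target name absolute, lower-cased, trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> dict:
    """Parse BIND-style zone text into {(owner, TYPE): frozenset(rdata)}.

    Handles $ORIGIN/$TTL, '@' and relative owners, ';' comments, blank-owner
    continuation lines and a parenthesised multi-line SOA (which is skipped).
    """
    origin = origin.lower().rstrip(".") + "."
    records: dict = {}
    last_owner = origin
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_parens:                          # still inside a multi-line SOA
            if ")" in line:
                in_parens = False
            continue
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        if line.startswith("$"):               # $TTL and other directives
            continue
        tokens = line.split()
        if line[0].isspace():                  # blank owner: reuse previous one
            owner = last_owner
        else:
            owner = fqdn(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():     # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":   # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype == "SOA":
            in_parens = "(" in line and ")" not in line
            continue
        if rtype in ("CNAME", "NS"):           # normalise relative targets
            rdata = fqdn(tokens[0], origin)
        elif rtype == "MX":
            rdata = f"{int(tokens[0])} {fqdn(tokens[1], origin)}"
        else:
            rdata = " ".join(tokens)
        records.setdefault((owner, rtype), set()).add(rdata)
    return {key: frozenset(val) for key, val in records.items()}


def missing_service_records(cpanel_zone: str, external_zone: str, domain: str,
                            labels=SERVICE_LABELS) -> list:
    """Report service records in the cPanel zone that the external zone lacks
    ('missing') or answers with different data ('differs').

    Only the service hostnames and the apex MX are compared. The apex A record
    is deliberately ignored: pointing it at the WAF is the point of the move,
    and a changed apex MX is expected when root-domain mail goes external, so
    a 'differs' on MX is something to confirm rather than necessarily a fault.
    """
    apex = domain.lower().rstrip(".") + "."
    cpanel = parse_zone(cpanel_zone, apex)
    external = parse_zone(external_zone, apex)
    service_names = {fqdn(label, apex) for label in labels}
    problems = []
    for (owner, rtype), rdata in sorted(cpanel.items()):
        if owner not in service_names and not (owner == apex and rtype == "MX"):
            continue
        theirs = external.get((owner, rtype))
        if theirs is None:
            problems.append(("missing", owner, rtype))
        elif theirs != rdata:
            problems.append(("differs", owner, rtype))
    return problems


# Constructed sample: what a cPanel-generated zone for example.com looks like.
CPANEL_ZONE = """\
$TTL 14400
@       86400   IN  SOA ns1.example.net. hostmaster.example.com. (
        2021082501 ; serial
        3600       ; refresh
        1800       ; retry
        1209600    ; expire
        86400 )    ; minimum
example.com.    86400   IN  NS    ns1.example.net.
example.com.    86400   IN  NS    ns2.example.net.
example.com.    14400   IN  A     203.0.113.10
example.com.    14400   IN  MX    0 example.com.
example.com.    14400   IN  TXT   "v=spf1 +a +mx ~all"
mail            14400   IN  CNAME example.com.
www             14400   IN  CNAME example.com.
ftp             14400   IN  A     203.0.113.10
webmail         14400   IN  A     203.0.113.10
cpanel          14400   IN  A     203.0.113.10
whm             14400   IN  A     203.0.113.10
webdisk         14400   IN  A     203.0.113.10
"""

# Constructed sample: the external provider's export, with an ALIAS at the apex,
# external MX, a typo in the cpanel record, and whm/webdisk forgotten.
EXTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 300
@        IN  ALIAS waf-edge.example-cdn.net.
@        IN  MX    10 mx1.mail-provider.example.
@        IN  MX    20 mx2.mail-provider.example.
@        IN  TXT   "v=spf1 +a +mx ~all"
mail     IN  CNAME example.com.
www      IN  CNAME example.com.
ftp      IN  A     203.0.113.10
webmail  IN  A     203.0.113.10
cpanel   IN  A     203.0.113.11
"""

if __name__ == "__main__":
    for status, owner, rtype in missing_service_records(CPANEL_ZONE, EXTERNAL_ZONE, "example.com"):
        print(f"{status:8} {rtype:6} {owner}")
```

Run it against a real pair of exports before changing the delegation at the registrar; anything reported as missing is a service hostname that will silently stop resolving once the external provider is authoritative, and anything reported as differs should be either fixed or confirmed as intentional (the apex MX, for the root domain, is the one case that will legitimately differ in the described setup).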