Firewall ports on DNSONLY

Discussion in 'Bind/DNS/Nameserver' started by KrisLowet, Mar 4, 2019.

  1. KrisLowet

    KrisLowet Member

    Joined:
    Feb 15, 2018
    Messages:
    5
    Likes Received:
    2
    Trophy Points:
    3
    Location:
    Sint-Truiden, België
    cPanel Access Level:
    Root Administrator
    Hi

    3 questions about DNS clustering.

    Firewall ports
    On this page, I read that ports 53, 953, and 2087 must be open.
    Port 953: does this port have to be open to the world, or only to the other cPanel servers?
    2087: does this port have to be open to just the cPanel webservers or to all DNSONLY webservers?

    DNS cluster also between DNSONLY servers?
    I have 2 cPanel servers and 4 cPanel DNSONLY servers. Do I only link the cPanel servers with the DNSONLY servers? Or do I also link the DNSONLY servers between themselves?

    API privileges
    When setting up the API token between cPanel and DNSONLY, is it enough to enable the privilege "DNS Clustering"? Or do I have to enable other privileges too?

    Thanks
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    5,815
    Likes Received:
    443
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @KrisLowet

    This and 53 primarily need to be open to the DNS servers from the webserver and should be open on the DNS servers.

    This should be open to the DNS servers and vice versa but should also be open to anyone who is authorized to log in to the servers.


    I would suggest only linking the DNS servers with the webservers. The following documentation may be helpful for you as well: Guide to DNS Cluster Configurations - cPanel Knowledge Base - cPanel Documentation


    You should only need the DNS related permissions:

    DNS Standard Privileges
    • Add DNS Zones create-dns
    • Remove DNS Zones kill-dns
    • Park DNS Zones park-dns
    • Edit DNS Zones edit-dns
    Documentation on the API tokens can be found here and may be helpful as well: Manage API Tokens - Version 78 Documentation - cPanel Documentation



    Thanks!
     
  3. KrisLowet

    Hello Lauren

    Thanks for the comprehensive answer!

    So 53 open to the world (logical) and 953 open to the webservers. Correct?

    Strange. The last few days I set it up with just the API "DNS Clustering" enabled on the webservers and the nameservers. And that turned out to work, I could see the zone files everywhere. But ok, I'll change it to only "DNS Standard Privileges".

    In the documentation I read this note:
    So the clustering option "Synchronize changes" isn't the suggested option in my situation? On my two cPanel webservers I have DNS disabled. Which option do you suggest on the webserver side and which option on the DNSONLY side?

    Thanks
     
  4. cPanelLauren

    That will work but here's how I was intending that to be:

    953/53 on DNS only servers open
    953/53 on Webserver open only to DNSOnly servers

    Actually, that is perfect it includes all the DNS standard permissions.

    You don't want the nameservers to sync with the webservers; you want the webservers to sync with the nameservers. This is because you would be making modifications to zones on the webserver, and then the change needs to be pushed to the nameservers. If you set the nameservers up to synchronize, you could end up with stale data, which in turn can cause DNS issues for your domains.
     
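
The port layout from this exchange, written out as an added example (not from the original posts and not cPanel's own tooling): a shell function that prints, without applying, iptables rules per server role. It follows the variant Kris proposes and Lauren says will work (53 public on the DNSONLY servers, 953 limited to cluster peers, 2087 limited to peers and authorized admins); plain iptables, the function names and all addresses are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: prints (never applies) iptables rules for ports 53/953/2087.

# allow PROTO PORT SRC...  -> one ACCEPT rule per source; "any" = no -s filter
allow() {
  local proto="$1" port="$2" src
  shift 2
  for src in "$@"; do
    if [ "$src" = any ]; then
      echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    else
      echo "iptables -A INPUT -p $proto -s $src --dport $port -j ACCEPT"
    fi
  done
}

# cluster_rules ROLE "PEER_IPS" "ADMIN_IPS"
#   ROLE dnsonly:   peers are the cPanel webservers
#   ROLE webserver: peers are the DNSONLY nameservers
cluster_rules() {
  local role="$1" peers="$2" admins="$3" dns_src
  case "$role" in
    dnsonly)   dns_src=any ;;        # nameservers answer public queries
    webserver) dns_src="$peers" ;;   # 53 reachable from the nameservers only
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  # Unquoted expansions below are deliberate: split the lists into words.
  allow udp 53 $dns_src
  allow tcp 53 $dns_src
  allow tcp 953 $peers               # cluster peers only, never "any"
  allow tcp 2087 $peers $admins      # WHM: cluster peers plus authorized admins
  # Everything else aimed at these ports is dropped.
  echo "iptables -A INPUT -p udp --dport 53 -j DROP"
  echo "iptables -A INPUT -p tcp -m multiport --dports 53,953,2087 -j DROP"
}

# Constructed addresses from the RFC 5737 documentation ranges.
WEB="192.0.2.10 192.0.2.11"
NS="198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4"
ADMIN="203.0.113.5"
echo "# on each DNSONLY server:"; cluster_rules dnsonly "$WEB" "$ADMIN"
echo "# on each webserver:";      cluster_rules webserver "$NS" "$ADMIN"
```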
  5. KrisLowet

    Hi

    Good point with that sync. So it is best to set "write only" on the webservers and "standalone" on the name servers. Correct?
     
  6. cPanelLauren

    Hi @KrisLowet

    Correct! In my opinion, this is the safest configuration.
     