KrisLowet

Member
Feb 15, 2018
7
2
3
Sint-Truiden, België
cPanel Access Level
Root Administrator
Hi

3 questions about DNS clustering.

Firewall ports
On this page, I read that ports 53, 953, and 2087 must be open.
Port 953: does this port have to be open to the world, or only to the other cPanel servers?
2087: does this port have to be open to just the cPanel webservers or to all DNSONLY webservers?

DNS cluster also between DNSONLY servers?
I have 2 cPanel servers and 4 cpanel DNSONLY servers. Do I only link the cPanel with the DNSONLY servers? Or do I link the DNSONLY servers also between themselves?

API privileges
When setting up the API token between cPanel and DNSONLY, is it enough to enable the privilege "DNS Clustering"? Or do I have to enable also other privileges too?

Thanks
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
Hi @KrisLowet

Port 953: does this port have to be open to the world, or only to the other cPanel servers?
This and 53 primarily need to be open to the DNS servers from the webserver and should be open on the dns servers.

2087: does this port have to be open to just the cPanel webservers or to all DNSONLY webservers?
This should be open to the DNS servers and vice versa but should also be open to anyone who is authorized to log in to the servers.


I have 2 cPanel servers and 4 cpanel DNSONLY servers. Do I only link the cPanel with the DNSONLY servers? Or do I link the DNSONLY servers also between themselves?
I would suggest only linking the DNS servers with the webservers. The following documentation may be helpful for you as well: Guide to DNS Cluster Configurations - cPanel Knowledge Base - cPanel Documentation


When setting up the API token between cPanel and DNSONLY, is it enough to enable the privilege "DNS Clustering"? Or do I have to enable also other privileges too?
You should only need the DNS related permissions:

DNS Standard Privileges
  • Add DNS Zones create-dns
  • Remove DNS Zones kill-dns
  • Park DNS Zones park-dns
  • Edit DNS Zones edit-dns
Documentation on the API tokens can be found here and may be helpful as well: Manage API Tokens - Version 78 Documentation - cPanel Documentation



Thanks!
 

KrisLowet

Member
Feb 15, 2018
7
2
3
Sint-Truiden, België
cPanel Access Level
Root Administrator
Hello Lauren

Thanks for the comprehensive answer!

This and 53 primarily need to be open to the DNS servers from the webserver and should be open on the dns servers.
So 53 open to the world (logic) and 953 open to the webservers. Correct?

You should only need the DNS related permissions
Strange. The last few days I set it up with just the API "DNS Clustering" enabled on the webservers and the nameservers. And that turned out to work, I could see the zone files everywhere. But ok, I'll change it to only "DNS Standard Privileges".

In the documentation I read this note:
We do not recommend that you set up the nameserver to synchronize data to a web server, because this creates extraneous zones on the web server. This means that you do not need to log in to WHM on the nameserver and set the web server's DNS role to Synchronize changes.
So the clustering option "Synchronize changes" isn't the suggested option in my situation? On my two cPanel webservers I have DNS disabled. Which option do you suggest on the webserver side and which option on the DNSONLY side?

Thanks
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
So 53 open to the world (logic) and 953 open to the webservers. Correct?
That will work but here's how I was intending that to be:

953/53 on DNS only servers open
953/53 on Webserver open only to DNSOnly servers

Strange. The last few days I set it up with just the API "DNS Clustering" enabled on the webservers and the nameservers. And that turned out to work, I could see the zone files everywhere. But ok, I'll change it to only "DNS Standard Privileges".
Actually, that is perfect; it includes all the DNS standard permissions.

So the clustering option "Synchronize changes" isn't the suggested option in my situation? On my two cPanel webservers I have DNS disabled. Which option do you suggest on the webserver side and which option on the DNSONLY side?
You don't want the nameservers to sync with the webservers; you want the webservers to sync with the nameservers. This is because you would be making modifications to zones on the webserver, and then the change needs to be pushed to the nameservers. If you set the nameservers up to synchronize, you could end up with stale data, which in turn can cause DNS issues for your domains.
 

coursevector

Well-Known Member
Feb 23, 2015
162
28
78
cPanel Access Level
Root Administrator
An update to this, as I just set up a DNSOnly server and was surprised how off the documentation is. On this page it says:

  • To use cPanel DNSOnly your server must allow traffic on the following ports: 53, 953, and 2087.
    • If you wish to allow the DNSOnly server to send email notifications, you must also open port 25.
When in reality I've needed to open these ports in order not to get errors:
TCP In: 22,25,53,953,2087,2089
TCP Out: 22,25,53,80,443,873,953,2087,2089
UDP In: 53
UDP Out: 53,123,873

22 - SSH
25 - Email notifications
53 - DNS, for obvious reasons
80 out - Used for /usr/local/cpanel/scripts/rpmup , all the URLs are HTTP
123 - Network Time Protocol (NTP), used for time synchronization
443 out - Used for /usr/local/cpanel/bin/checkallsslcerts , hits cPanel Store - Cart . Also used for /usr/local/cpanel/scripts/updatenow , hits Secure Downloads | cPanel, Inc.
873 - rsync, used with /usr/local/cpanel/scripts/upcp
953 - BIND remote name daemon control (RNDC)
2087 - WHM
2089 - cPanel Licensing

Am I missing anything? Should the documentation be updated?
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
So the ports that aren't listed in the documentation are:
  • Licensing can be done over other ports but it is good to have 2089 open for this purpose
  • Port 22 is for users that log in via SSH to a standard SSH port (i.e., they've not customized it)
  • Ports 80 and 443 (in and out) should be open now as cPsrvd now listens on them on DNSOnly for hostname SSL certificates
  • Port 873 is a port we normally just recommend be open on standard cPanel servers, but that's a good point

We don't discern between UDP and TCP in that documentation, and I believe you're correct, we should. I'll notify our documentation for all of these and see about getting it updated.
 
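The port list that the two posts above arrive at is easy to get wrong by hand, so here is an added audit script (not part of this thread, and not cPanel's own tooling) that parses a CSF-style `csf.conf` fragment and checks it against that list. For a DNSONLY host it reports ports from the list that are not open; for a cPanel web server it flags 53/953 being open to every source (cPanelLauren's point that on the web server those should be open only to the DNSONLY hosts) and emits per-source allow lines. The `KEY = "p1,p2,lo:hi"` layout of `csf.conf` and the `proto|in|d=port|s=ip` syntax of `csf.allow` are assumptions of this example, as are the sample fragments and the RFC 5737 addresses used for the nameservers.

```python
import re

# Ports the thread settles on for a cPanel DNSONLY host: coursevector's list,
# plus inbound 80/443, which cPanelLauren says cpsrvd now listens on for
# hostname SSL certificates.
REQUIRED_DNSONLY = {
    "TCP_IN":  {22, 25, 53, 80, 443, 953, 2087, 2089},
    "TCP_OUT": {22, 25, 53, 80, 443, 873, 953, 2087, 2089},
    "UDP_IN":  {53},
    "UDP_OUT": {53, 123, 873},
}

# Per cPanelLauren: 53/953 are open to the world on the nameservers but should
# be open on a web server only to the DNSONLY hosts.
CLUSTER_PORTS = {53, 953}

CSF_KEYS = ("TCP_IN", "TCP_OUT", "UDP_IN", "UDP_OUT")


def parse_csf_ports(text):
    """Return {key: set(ports)} for the four csf.conf port lists.

    Assumes the csf.conf layout  KEY = "p1,p2,lo:hi"  (lo:hi is a range).
    """
    found = {}
    pattern = re.compile(r'^\s*(%s)\s*=\s*"([^"]*)"' % "|".join(CSF_KEYS), re.M)
    for m in pattern.finditer(text):
        key, value = m.group(1), m.group(2)
        ports = set()
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if ":" in item:
                lo, hi = item.split(":", 1)
                ports.update(range(int(lo), int(hi) + 1))
            else:
                ports.add(int(item))
        found[key] = ports
    return found


def audit(text, role, nameserver_ips=()):
    """Audit a csf.conf fragment for a 'dnsonly' or 'webserver' cluster member.

    Returns a dict with:
      missing     - DNSONLY only: ports the thread lists that are not open
      overbroad   - webserver only: cluster ports open to every source
      allow_rules - webserver only: per-source lines in csf.allow syntax
                    (assumed format proto|in|d=port|s=ip)
    """
    present = parse_csf_ports(text)
    report = {"missing": {}, "overbroad": [], "allow_rules": []}
    if role == "dnsonly":
        for key, needed in REQUIRED_DNSONLY.items():
            gap = sorted(needed - present.get(key, set()))
            if gap:
                report["missing"][key] = gap
    elif role == "webserver":
        for proto, key in (("tcp", "TCP_IN"), ("udp", "UDP_IN")):
            for port in sorted(CLUSTER_PORTS & present.get(key, set())):
                report["overbroad"].append(f"{port}/{proto}")
                for ip in nameserver_ips:
                    report["allow_rules"].append(f"{proto}|in|d={port}|s={ip}")
    else:
        raise ValueError("role must be 'dnsonly' or 'webserver'")
    return report


# Constructed csf.conf fragments (not taken from any real server).
SAMPLE_DNSONLY = '''
TCP_IN = "22,25,53,80,443,953,2087,2089"
TCP_OUT = "22,25,53,80,443,953,2087,2089"
UDP_IN = "53"
UDP_OUT = "53,123"
'''

SAMPLE_WEBSERVER = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,953,993,995,2077:2096"
TCP_OUT = "20,21,22,25,53,80,113,443,587,873,953,2087,2089"
UDP_IN = "20,21,53"
UDP_OUT = "20,21,53,113,123,873"
'''

# RFC 5737 documentation addresses standing in for the DNSONLY hosts.
SAMPLE_NAMESERVERS = ("192.0.2.10", "192.0.2.11")

if __name__ == "__main__":
    print(audit(SAMPLE_DNSONLY, "dnsonly"))
    print(audit(SAMPLE_WEBSERVER, "webserver", SAMPLE_NAMESERVERS))
```

On the constructed DNSONLY fragment the audit reports 873 missing from both TCP_OUT and UDP_OUT (the rsync port coursevector found `upcp` needs); on the web server fragment it flags 53/tcp, 953/tcp and 53/udp as open to everyone and prints the per-nameserver allow lines that would replace the global entries.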

mmwai

Registered
Jun 8, 2020
2
0
1
Nairobi
cPanel Access Level
Root Administrator
I am receiving an error in the email deliverability area in WHM ("Home » Email » Email Deliverability") when I enable the firewall.

"DNS ERRORS OCCURRED"
The system failed to complete validation of “myservername”’s “DKIM” because of an error: (XID tqf3jt) DNS query (default._domainkey."myservername"/TXT) timeout!


Although all emails, both incoming and outgoing, are working fine, when I disable the firewall the email deliverability error disappears. What port do I need to open, or does the DNS client use a random port above 1023?

I have opened these ports on the firewall (below)

TCP In: 22,25,53,953,2087,2089
TCP Out: 22,25,53,80,443,873,953,2087,2089
UDP In: 53
UDP Out: 53,123,873