Problem with domains in cluster

bejbi

Well-Known Member
PartnerNOC
Jan 20, 2006
Poland
cPanel Access Level
DataCenter Provider
There is a security problem with adding domains:

dns cluster settings:

hostingserver1 (cpanel) - write only (only sends zones)
hostingserver2 (cpanel) - write only (only sends zones)
dnsserver (dnsonly) - standalone (only receives zones)

When I have a domain parked (for example: mydomain.com) on hostingserver1, this domain is propagated to dnsserver.

When ANOTHER user creates an account on hostingserver2, he can add an additional domain, i.e.: subdomain.mydomain.com (!!!)

So he steals a subdomain of a domain not owned by himself!

This new (stolen) subdomain will work correctly on the internet, because both hosting servers are in the same DNS cluster and have the same DNS servers.

The protection in cPanel works only when someone is trying to create a subdomain on the same hosting server (the creation script checks if the DNS zone exists in /var/named/, and the user receives an error that the domain is owned by another user). But when the subdomain is created on another hosting server, the protection is not working.

How to protect a subdomain from being stolen by someone?

=======
The second thing (a little similar):

How to protect a user from adding a domain which already exists as an additional domain on another hosting server under another user.

When both hosting servers are in a cluster, when one user has the domain mydomain.com and another user on another hosting server adds the same domain mydomain.com, the first domain will be overwritten, because the new one has a higher TTL serial.

So any user could steal any domain not owned by himself?

There is a protection in WHM/Tweak Settings: "Allow Remote Domains: On/Off", but when I click "Off", no one can transfer his domain to my server (he cannot change the DNS server of his domain, because my DNS servers have no entry. My DNS entry cannot be created, because the domain is not added on my hosting server ... infinite loop)

=======
Feature request:

It is needed to add a Tweak Settings option:

When creating an additional domain: check if the domain exists in the DNS cluster and prevent creating this domain, or a subdomain of this domain, as an "additional domain". Default: ON.

WB
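The check the feature request asks for, written out as an added example (not cPanel code, and not the poster's): before an addon domain or subdomain is accepted, walk up its parent names and refuse if the cluster already holds the zone for a different account, whatever server it lives on. The zone inventory `CLUSTER_ZONES` and the server/account names are constructed for illustration; a real deployment would build that inventory from the zones the whole cluster holds, not from the local /var/named/ alone.

```python
from collections import defaultdict

# Constructed inventory of zones already in the cluster:
# zone name -> (hosting server that pushes it, owning account).
CLUSTER_ZONES = {
    "mydomain.com": ("hostingserver1", "alice"),
    "shop.example.net": ("hostingserver2", "bob"),
}


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so lookups are comparable."""
    return name.strip().rstrip(".").lower()


def parent_chain(name: str):
    """Yield the name and every parent: a.b.c -> a.b.c, b.c, c."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def check_addon_domain(requested, server, owner, zones=CLUSTER_ZONES):
    """Return (allowed, reason) for a proposed addon domain/subdomain.

    Rejects when the requested name, or any parent of it, is already held
    in the cluster by a different account. A same-named account on another
    server is treated as a different account, so it is rejected as well.
    """
    for candidate in parent_chain(requested):
        held = zones.get(candidate)
        if held is None:
            continue
        held_server, held_owner = held
        if (held_server, held_owner) != (server, owner):
            return False, f"{candidate} is owned by {held_owner} on {held_server}"
    return True, "no conflicting zone in the cluster"


def find_duplicate_zones(records):
    """Audit existing state: zones pushed by more than one (server, owner)
    pair are the ones whose serials will fight on the DNS-only server."""
    seen = defaultdict(set)
    for zone, server, owner in records:
        seen[normalize(zone)].add((server, owner))
    return {z: sorted(s) for z, s in seen.items() if len(s) > 1}
```

`find_duplicate_zones` covers the second problem in the post: run it over every zone each hosting server pushes to find domains that already exist on two servers.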
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

The downside to using write-only mode is that WHM will not check whether a DNS zone exists before you create an account. Because of this, it is possible to create the same domain name on two or more of these servers. If this occurs, the servers compete for updates to that domain. Setting the role to Synchronize will prevent this from happening. Here's a description of each role from our DNS Cluster documentation:
The server's DNS role. You can choose from the following options:
  • Standalone — This method fetches DNS records from the remote server, but does not write records from the local server to the remote server.
  • Synchronize — This method synchronizes records between the local server and the remote server.
  • Write-only — This method pushes the local server's records to write to the remote server, but does not query records from the remote server to write to the local server.
The following feature request would address your concern:

Ownership and access control of zones in the dns server.

I encourage you to vote and add feedback to this feature request.

Thank you.
 

bejbi

Well-Known Member
PartnerNOC
Jan 20, 2006
Poland
cPanel Access Level
DataCenter Provider
Hello,

The downside to using write-only mode is that WHM will not check whether a DNS zone exists before you create an account. Because of this, it is possible to create the same domain name on two or more of these servers. If this occurs, the servers compete for updates to that domain. Setting the role to Synchronize will prevent this from happening. Here's a description of each role from our DNS
Synchronize changes is OK when you have 3 DNS servers and <10 servers in a cluster.

What about performance when many servers synchronize all new zones between the DNS servers and each other?

WB