Problem with domains in cluster

Discussion in 'Bind / DNS / Nameserver Issues' started by bejbi, Oct 28, 2016.

  1. bejbi

    There is a security problem with adding domains:

    dns cluster settings:

    hostingserver1 (cpanel) - write only (only sends zones)
    hostingserver2 (cpanel) - write only (only sends zones)
    dnsserver (dnsonly) - standalone (only receives zones)

    When I have a domain parked (for example: mydomain.com) on hostingserver1, this domain is propagated to dnsserver.

    When ANOTHER user creates an account on hostingserver2, he can add an additional domain, i.e.: subdomain.mydomain.com (!!!)

    So, he steals a subdomain of a domain not owned by himself!

    This new (stolen) subdomain will work correctly on the internet, because both hostingservers are in the same dnscluster and have the same dns-servers.

    The protection in cPanel works only when someone tries to create the subdomain on the same hostingserver (the creation script checks whether the dns zone exists in /var/named/ and the user receives an error that the domain is owned by another user). But when the subdomain is created on another hostingserver, the protection does not work.

    How to protect a subdomain from being stolen by someone?

    =======
    The second thing (a little similar):

    How to protect against a user adding a domain which already exists as an additional domain on another hostingserver under another user?

    When both hostingservers are in a cluster, one user has the domain mydomain.com, and another user on another hostingserver adds the same domain mydomain.com, the first domain will be overwritten, because the new one has a higher TTL serial.

    So any user could steal any domain not owned by himself?

    There is a protection in WHM/Tweak settings: "Allow Remote Domains: On/Off", but when I click "Off", no one can transfer his domain to my server (he cannot change the dns-server of his domain, because my dns servers have no entry. My dns entry cannot be made, because the domain is not added on my hostingserver ... infinite loop).

    =======
    Feature request:

    A Tweak settings option needs to be added:

    When creating an additional domain: check if the domain exists in the dns-cluster and prevent creating this domain, or a subdomain of this domain, as an "additional domain". Default: ON.

    WB
     
  2. cPanelMichael

    Hello,

    The downside to using write-only mode is that WHM will not check whether a DNS zone exists before you create an account. Because of this, it is possible to create the same domain name on two or more of these servers. If this occurs, the servers compete for updates to that domain. Setting the role to Synchronize will prevent this from happening. Here's a description of each role from our DNS Cluster documentation:
    The following feature request would address your concern:

    Ownership and access control of zones in the dns server.

    I encourage you to vote and add feedback to this feature request.

    Thank you.
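
An audit for the conflict discussed in this thread, as an added example that is not part of the original posts and is not cPanel code. It assumes `domain: user` lines have been collected from each write-only hosting server (an assumed export format; the user names and function names are constructed) and reports zones claimed on more than one server as well as zones created beneath a zone held by a different account.

```python
# Constructed sample: "domain: user" lines exported from each hosting server.
SAMPLE = {
    "hostingserver1": "mydomain.com: alice\nshop.example.net: carol\n",
    "hostingserver2": "subdomain.mydomain.com: bob\nmydomain.com: dave\n",
}


def parse_inventory(raw):
    """Return {domain: [(server, user), ...]} from per-server text."""
    owners = {}
    for server, text in raw.items():
        for line in text.splitlines():
            if ":" not in line:
                continue  # skip blank or malformed lines
            domain, user = (part.strip() for part in line.split(":", 1))
            domain = domain.lower().rstrip(".")
            if domain and user:
                owners.setdefault(domain, []).append((server, user))
    return owners


def parent_zones(domain):
    """Yield every ancestor name: a.b.c -> b.c, c."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def find_conflicts(raw):
    """Return (kind, domain, claimant, other_domain, holder) tuples."""
    owners = parse_inventory(raw)
    conflicts = []
    for domain, claims in sorted(owners.items()):
        # Same zone claimed by different (server, user) pairs.
        for other in claims[1:]:
            if other != claims[0]:
                conflicts.append(("duplicate", domain, other, domain, claims[0]))
        # Zone created beneath a zone held by a different (server, user).
        for parent in parent_zones(domain):
            for holder in owners.get(parent, []):
                for claimant in claims:
                    if claimant != holder:
                        conflicts.append(
                            ("subdomain", domain, claimant, parent, holder))
    return conflicts


if __name__ == "__main__":
    for row in find_conflicts(SAMPLE):
        print(row)
```

A domain and its subdomain held by the same user on the same server are not reported, since that is the case the local check already allows.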
     
  3. bejbi

    Synchronize changes is OK when you have 3 dns servers and <10 servers in the cluster.

    What about performance when many servers synchronize all new zones between the dns servers and each other?

    WB
     