remote dns restrictions details

[gogocode]

It used to be, that regardless of the config, in WHM you could always park a domain which had not (yet) had it's nameservers changed or added to ips.remotedns (the old "Sorry, the domain is already pointed to an IP address that does not appear to use DNS servers associated with this server." error).

That does not appear to be the case so much any more, and it really is a pain for resellers who want to get a zone setup and ready before changing the NS.

Anyway I have two questions which the cPanel/WHM team might be able to answer, and a suggestion.

1. What is the rationale? We know that you can create an arbitrary DNS zone anyway simply by creating a new account in WHM before the NS is changed (or domain even exists). So what is the extra security problem in allowing creation of arbitrary parked domains in WHM over arbitrary account primary domains in WHM? I'm just curious to know.

2. What is the actual criteria for "passing the test", do all the NS of the domain have to be known to the server, does just one have to be known, does it have to be the NS recorded in the whois data, or just what dig returns...?

3. Wouldn't it be nice if you could add a special TXT record to the zone to allow this, in the same manner as various other services authenticate domain ownership.
_cpanel_authentication TXT "[some server specified unique code]"
then when parking the server could just check for this specific DNS record rather than necessitating screwing up the important stuff.

 

[cPanelMichael]

Hello,

The purpose of this restriction is to prevent users from adding domain names that do not belong to them to their account. The name server IP addresses must match IP addresses added in the /etc/ips files on the cPanel server. As for why it's a potential security issue, let's say a user adds xyz.tld to their account. That domain name is then automatically added to the /etc/localdomains file and thus Exim views it as a local domain name. This could allow the account to intercept emails intended for a remote mail server. The following options are available under the "Domains" tab in "WHM >> Tweak Settings" if you want to disable this security feature:

"Allow Remote Domains"
"Allow unregistered domains"

Thank you.

 

[gogocode]

> This could allow the account to intercept emails intended for a remote mail server.

Yes, but as already stated, this restriction is being applied in WHM (Allow Remote Domains = false did not previously prohibit the action in WHM).

In cPanel yes it is an understandable and necessary restriction, but not in WHM.

And it is perplexing especially as if you have access to WHM you can achieve the same (adding a domain to localdomains) by simply creating a new account with that domain name, an action which is not (so far as I recall) limited by this restriction.

 

[cPanelMichael]

Could you verify which version of cPanel is installed on your system? EX:

cat /usr/local/cpanel/version

I see that internal case number 95493 addresses this issue for cPanel version 11.42, and I can't reproduce this on cPanel version 11.48.

Thank you.

 

[gogocode]

Could you verify which version of cPanel is installed on your system?

WHM says: 11.46.2 (build 4)

So maybe this was fixed in .47 or .48?

 

[cPanelMichael]

Hello,

The change log shows the resolution was introduced in cPanel version 11.42.1.5. Is there anything in particular that is preventing you from upgrading to cPanel version 11.48 that we can help with?

Thank you.