Stop domain hijacking

Discussion in 'Bind/DNS/Nameserver' started by Haym, Aug 26, 2017.

  1. Haym

    Haym Active Member

    Joined:
    May 12, 2017
    Messages:
    39
    Likes Received:
    5
    Trophy Points:
    8
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hello,

    Consider the following scenario:

    Server A hosts the domain "mydomain.com"

    Server B hosts the domain "anotherdomain.org"

    Server A and B both push their DNS records to ns1.dnsdomain.com and ns2.dnsdomain.com

    How do we stop the user on Server B creating an alias or addon domain for "test.mydomain.com"? In such a case, the domain is created successfully and because mydomain.com is using the common nameservers, the test.mydomain.com hostname resolves to the hijacker's account.

    This doesn't work if both users are on the same server because cPanel rightfully blocks the behaviour.

    Thanks
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,827
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  3. Haym

    Hi

    Sorry to bring up an old thread, however I would like to make sure I understand correctly.

    The only supported way to prevent DNS/domain hijacking currently is to sync all DNS zones, from all servers, to each other. Is that correct? For example Server1, Server2, Server3 and Server4 all have a copy of the DNS zones stored on the other servers?

    Does this not begin to affect performance at some point?

    Thank you
     
  4. cPanelMichael

    Hello,

    You can use "Synchronize" instead of "Write-Only" as the DNS role when configuring clustering on the hosting servers. This will prevent the creation of a DNS zone on your other web servers if the zone already exists (e.g. Customer on Web Server 1 can't create addondomain123.tld if a customer on Web Server 2 has already created addondomain123.tld). Is that the behavior you are looking for?

    Thank you.
     
  5. Haym

    Yes but does this not result in all zones in the DNSOnly cluster being replicated to each of the cPanel servers? (i.e. every server has a copy of every zone) - or have I misunderstood this mode?

    Thank you!
     
  6. cPanelMichael

    No, that won't happen as long as the DNS role configured in WHM of the DNS-Only server is set as "Standalone" for the hosting servers.

    Thank you.
     
  7. Haym

    Hi,

    Thanks for your help. I followed these steps but as thought, all DNS zones in the cluster are now in the hosting server's DNS Zone Editor page. The zones aren't actually present at /var/named but if you edit one of them (as it's not clear which belong to the current server or not), the zone file appears in the /var/named directory and is then replicated to the cluster. So I really have no clue what's going on, I really can't understand why the cPanel DNS cluster system works like this.

    I just would like the following setup:

    NS1 & NS2 Cluster
    Web1, Web2, Web3, Web4, etc normal hosting servers

    Zones from Web1 - Web4 are replicated to the cluster.
    Customers on Web1 - Web4 cannot create new accounts or domains for zones which already exist in the cluster.
    The only zones which appear on Web1 - Web4 in WHM, or are stored locally, are those which belong to that server.

    Right now, the last point isn't happening. I've set up as advised ("Standalone" on cluster WHM, "Synchronize" on hosting WHM) but all zones from the cluster are ending up on the hosting server.
     
  8. cPanelMichael

    Hello,

    That's correct. The current DNS cluster functionality is not designed to be shared between different customers, but is intended for systems where only a single admin (or trusted group of admins) is managing the entire cluster. Thus, the particular functionality you are seeking isn't offered at this time. It's part of the feature request that's open at:

    Ownership and access control of zones in the dns server.

    I encourage you to vote for this request and subscribe for updates to be notified upon updates to its status. In the meantime, using Synchronize as the DNS role for each hosting server will ensure the system checks whether a DNS zone exists in the cluster before it's created. Though, as you noted, it does result in the domain name appearing in the list of zones on all other servers in the cluster.

    Note: Our feature request website is currently undergoing maintenance. It should resume functioning soon.

    Thank you.
     
    Haym likes this.
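
Added example (not from the thread and not cPanel code): an audit an administrator could run over a per-server zone inventory to find the overlap described in the first post, where a zone such as test.mydomain.com sits on a different hosting server from its parent mydomain.com. How the inventory is exported from each server is left as an assumption; the server names and zone lists are constructed sample data.

```python
# Added example: audit a per-server zone inventory for cross-server overlap.
# Server names and zone lists below are constructed sample data.

def normalise(zone):
    """Lower-case a zone name and drop the trailing root dot."""
    return zone.strip().rstrip(".").lower()

def ancestors(zone):
    """Every proper parent name: a.b.tld -> ['b.tld', 'tld']."""
    labels = zone.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]

def find_overlaps(inventory):
    """Return (kind, zone, holders, parent, parent_holders) tuples.

    'duplicate': the same zone exists on more than one hosting server.
    'shadow':    a zone is held by a server that does not hold its parent
                 zone, so it can answer for names inside another domain.
    """
    owners = {}
    for server, zones in inventory.items():
        for zone in zones:
            owners.setdefault(normalise(zone), set()).add(server)

    findings = []
    for zone, holders in sorted(owners.items()):
        if len(holders) > 1:
            findings.append(("duplicate", zone, tuple(sorted(holders)), None, ()))
        for parent in ancestors(zone):
            parent_holders = owners.get(parent, set())
            foreign = holders - parent_holders
            if parent_holders and foreign:
                findings.append(("shadow", zone, tuple(sorted(foreign)),
                                 parent, tuple(sorted(parent_holders))))
    return findings

SAMPLE_INVENTORY = {
    "web1": ["mydomain.com", "shop.mydomain.com"],
    "web2": ["anotherdomain.org", "test.mydomain.com."],
    "web3": ["Example.NET", "anotherdomain.org"],
}

if __name__ == "__main__":
    for finding in find_overlaps(SAMPLE_INVENTORY):
        print(finding)
```

Parents are matched only against zones present in the inventory, so a bare TLD such as "com" never counts as a parent unless a server actually hosts it.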