Firewall ports on DNSONLY

Comments

9 comments

  • cPanelLauren
    Hi @KrisLowet
    Port 953: does this port have to be open to the world, or only to the other cPanel servers?

    This and 53 primarily need to be open to the DNS servers from the webserver and should be open on the DNS servers.
    : does this port have to be open to just the cPanel webservers or to all DNSONLY webservers?

    This should be open to the DNS servers and vice versa but should also be open to anyone who is authorized to log in to the servers.
    I have 2 cPanel servers and 4 cpanel DNSONLY servers. Do I only link the cPanel with the DNSONLY servers? Or do I link the DNSONLY servers also between themselves?

    I would suggest only linking the DNS servers with the webservers; the following documentation may be helpful for you as well: Guide to DNS Cluster Configurations - cPanel Knowledge Base - cPanel Documentation
    When setting up the API token between cPanel and DNSONLY, is it enough to enable the privilege "DNS Clustering"? Or do I have to enable also other privileges too?

    You should only need the DNS related permissions: DNS Standard Privileges
    • Add DNS Zones create-dns
    • Remove DNS Zones kill-dns
    • Park DNS Zones park-dns
    • Edit DNS Zones edit-dns
    Documentation on the API tokens can be found here and may be helpful as well: Manage API Tokens - Version 78 Documentation - cPanel Documentation
    Thanks!
  • KrisLowet
    Hello Lauren, thanks for the comprehensive answer!
    [quote]This and 53 primarily need to be open to the DNS servers from the webserver and should be open on the dns servers.
    So 53 open to the world (logic) and 953 open to the webservers. Correct?
    [quote]You should only need the DNS related permissions
    Strange. The last few days I set it up with just the API "DNS Clustering" enabled on the webservers and the nameservers. And that turned out to work, I could see the zone files everywhere. But ok, I'll change it to only "DNS Standard Privileges". In the
  • cPanelLauren
    So 53 open to the world (logic) and 953 open to the webservers. Correct?

    That will work, but here's how I was intending that to be:
    • 953/53 on DNSOnly servers: open
    • 953/53 on Webserver: open only to DNSOnly servers
    Strange. The last few days I set it up with just the API "DNS Clustering" enabled on the webservers and the nameservers. And that turned out to work, I could see the zone files everywhere. But ok, I'll change it to only "DNS Standard Privileges".

    Actually, that is perfect; it includes all the DNS standard permissions.
    So the clustering option "Synchronize changes" isn't the suggested option in my situation? On my two cPanel webservers I have DNS disabled. Which option do you suggest on the webserver side and which option on the DNSONLY side?

    You don't want the nameservers to sync with the webservers; you want the webservers to sync with the nameservers. This is because you would be making modifications to zones on the webserver, and then the change needs to be pushed to the nameservers. If you set the nameservers up to synchronize, you could end up with stale data, which in turn can cause DNS issues for your domains.
  • KrisLowet
    Hi, good point with that sync. So it is best to set "write only" on the webservers and "standalone" on the name servers. Correct?
  • cPanelLauren
    Hi @KrisLowet Correct! In my opinion, this is the safest configuration.
  • coursevector
    An update to this as I just set up a DNSOnly server and was surprised how off the documentation is. On this cPanel Store - Cart . Also used for /usr/local/cpanel/scripts/updatenow, hits Secure Downloads | cPanel, Inc.
    • 873 - rsync, used with /usr/local/cpanel/scripts/upcp
    • 953 - BIND remote name daemon control (RNDC)
    • 2087 - WHM
    • 2089 - cPanel Licensing
    Am I missing anything? Should the documentation be updated?
  • cPanelLauren
    So the ports that aren't listed in the documentation are:
    • Licensing can be done over other ports but it is good to have 2089 open for this purpose
    • Port 22 is for users that log in via SSH to a standard SSH port (i.e., they've not customized it)
    • Ports 80 and 443 (in and out) should be open now as cPsrvd now listens on them on DNSOnly for hostname SSL certificates
    • Port 873 is a port we normally just recommend be open on standard cPanel servers, but that's a good point
    We don't discern between UDP and TCP in that documentation, and I believe you're correct, we should. I'll notify our documentation team for all of these and see about getting it updated.
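To make the port policy worked out in this thread concrete, here is an added example (not from the thread or from cPanel) that renders an nftables ruleset for one host, either a DNSOnly nameserver or a cPanel webserver. The peer addresses and the role names are assumptions; the addresses shown in the usage are constructed sample values.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for a host in a cPanel + DNSOnly cluster.
# Policy, as discussed in the thread:
#   - DNSOnly hosts answer DNS (53 tcp/udp) for everyone; 953 (rndc) and 2087 (WHM)
#     only from the cPanel webservers (plus whatever admin addresses you add).
#   - Webservers accept 53/953/2087 only from the DNSOnly hosts.
#   - Outbound is left open so 873 (rsync for upcp), 2089 (licensing) and
#     80/443 (updates, hostname certificates) keep working.
#   - The stateful rule admits replies to the host's own outbound DNS queries,
#     which arrive on ephemeral source ports rather than on port 53.
# Usage: render_ruleset <dnsonly|webserver> "<comma-separated peer addresses>"
render_ruleset() {
  role="$1"
  peers="$2"   # addresses of the *other* tier (assumed; constructed values in tests)
  case "$role" in
    dnsonly)   dns53='accept' ;;                          # authoritative for the world
    webserver) dns53="ip saddr { $peers } accept" ;;      # only the nameservers
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  cat <<EOF
table inet cpanel_cluster {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    tcp dport 22 accept
    tcp dport { 80, 443 } accept
    tcp dport 53 $dns53
    udp dport 53 $dns53
    tcp dport 953 ip saddr { $peers } accept
    tcp dport 2087 ip saddr { $peers } accept
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Constructed sample run for a DNSOnly host with two webserver peers.
render_ruleset dnsonly "203.0.113.10, 203.0.113.11"
```

Pipe the output into `nft -f -` (or save it and load it with `nft -f`) after reviewing it; add your own admin addresses to the 22 and 2087 rules if you restrict those further.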
  • mmwai
    An update to this as I just setup a DNSOnly server and was surprised how off the documentation is. On this cPanel Store - Cart . Also used for /usr/local/cpanel/scripts/updatenow, hits
  • mmwai
    I am receiving an error in the email deliverability area in WHM (Home » Email » Email Deliverability) when I enable the firewall:
    DNS ERRORS OCCURRED
    The system failed to complete validation of "myservername"'s "DKIM" because of an error: (XID tqf3jt) DNS query (default._domainkey."myservername"/TXT) timeout!
    Although all emails, both incoming and outgoing, are working fine, when I disable the firewall the email deliverability error disappears. What port do I need to open, or does the DNS client use a random port above 1023? I have opened these ports on the firewall (below):
    TCP In: 22,25,53,953,2087,2089
    TCP Out: 22,25,53,80,443,873,953,2087,2089
    UDP In: 53
    UDP Out: 53,123,873