PDNS Received NOTIFY but slave support is disabled in the configuration

  • cPRex Jurassic Moderator
    Hey there! It looks like there are two separate issues - the account cruft, and the DNS notification.

    If you do a "whois" check on the domain, is it possible they still have your nameservers listed? This would generate a DNS query to your machine even though the record doesn't exist.

    The first 8 files in your "locate" command seem normal to me, as those are backups or cached data that doesn't often get regenerated. certificates.cached and combined.cached also seem normal as well.

    As far as the actual /var/cpanel/ssl/domain_tls/mail.example.com/ data, we don't immediately remove these in order to keep the Dovecot mail server happy and reduce the number of restarts on that service. However, you may see additional data in the /var/cpanel/ssl/domain_tls/.pending_delete directory depending how long it's been since the domains are removed.

    The main thing that cPanel cares about in regards to if a domain "exists" on the system or not would be entries in /var/cpanel/userdata. If there aren't entries there, it's likely safe to manually remove any cruft you find.

    If you can reliably reproduce this problem on your machine when you remove a domain, it would be worth submitting a ticket to our support team so we can check this out, and get a case filed with the developers if necessary.
    0
  • Metro2
    @cPRex - Thank you so much for taking the time to give your detailed response and explaining why some data is retained even after an account is deleted, I very much appreciate it. You really do an awesome job at handling forum responses here and you're always very helpful!

    Quick note before I go in and try to do some cleanup - the account (and its Addon) were deleted long ago, last year in fact, and the nameservers for both domains were changed to their new hosting provider last year. I always check Whois / IntoDNS / MXtoolbox in strange scenarios.

    I'll SSH in now to take a closer look based on the info you provided. Will update this with any findings of note.
    0
  • Metro2
    Nothing at all in /var/cpanel/ssl/domain_tls/.pending_delete (aside from usual empty ./ and ../)

    Nothing in /var/cpanel/userdata referencing the domains / account in question

    In /var/cpanel/ssl/domain_tls there are quite a few directories of subdomains that were terminated long ago, including mail.example.ca and mail.example.com in this case. I've removed the ones pertaining to this case / domain, and restarted dovecot and pdns.

    Waiting for the other shoe to drop ;)
    0
  • cPRex Jurassic Moderator
    Let us know how it goes! I do feel like we shouldn't be leaving cruft though, so it still might be worth a ticket.
    0
  • Metro2
    Unfortunately this is still occurring, and only with the one domain / account that is long gone:

    /var/log/messages:

    May 24 00:36:28 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:54136 but slave support is disabled in the configuration
    May 24 00:36:38 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:37082 but slave support is disabled in the configuration
    May 24 00:36:39 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:37082 but slave support is disabled in the configuration
    May 24 00:37:26 hostname pdns[4049562]: Received NOTIFY for example.com from xx.xx.xx.xx:45579 but slave support is disabled in the configuration
    0
  • cPRex Jurassic Moderator
    At this point we'll need a ticket to do some more investigation - can you get one submitted to our team?
    0
  • Metro2

    I'm revisiting this since the issue still exists on some of my servers, and the ticket ID is no longer relevant since cPanel removed our ability as admins to submit / update tickets, and this new forum jumbles / bunches-up the old post info into something rather hard to read.

    Synopsis - I'm still receiving these alerts / notices regarding a domain and cPanel account that I terminated from my servers and WHM DNS Cluster over 2 years ago. Just a note - the master domain was the .ca domain, but all of them were cleanly transferred away to a Canadian provider (my servers are in the US, and the customer migrated away to a Canadian provider). In the 20 years I've been using cPanel / doing shared hosting, this has never occurred. Except for just this one account.

    pdns[2569215]: Received NOTIFY for example.com from 54.39.100.xxx but slave support is disabled in the configuration

    pdns[4049562]: Received NOTIFY for example.com from 54.39.100.xxx:40275 but slave support is disabled in the configuration

    /opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
    /root/saved.vfilters/example.ca
    /root/saved.vfilters/example.com
    /root/saved.vfilters/example.net
    /root/saved.vfilters/example.org
    /usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
    /usr/share/cagefs-skeleton/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
    /usr/share/cagefs-skeleton/usr/local/apache/domlogs/ftp.example.ca-ftp_log.offsetftpbytes
    /var/cpanel/getmx/cache/example.com
    /var/cpanel/getmx/cache/example.net
    /var/cpanel/ssl/installed/certs/example_ca_a3fe5_176dd_1488412799_58927ab096b6e3fc62281745d9377448.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_a7532_26951_1494979199_18dc17fafac297626503184c5b582109.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_b01ca_a86ed_1514764799_f638b4498412c977eaa7bc41af35efba.crt
    /var/cpanel/ssl/installed/certs/example_ca_b01ca_a86ed_1514764799_f638b4498412c977eaa7bc41af35efba.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_be28b_51a71_1501631999_85d12e6674a4e0d7c6c0c9411a5fccaf.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_c1d05_d2129_1508198399_a4b8c6dfc277b2b359b840020e41e329.crt.cache
    /var/log/apache2/domlogs/ftp.example.ca-ftp_log.offsetftpbytes

    /var/cpanel/notificationsdb/example
    /var/cpanel/users.cache/examplE

    Again, the master cPanel account was the .CA domain, but now I'm still getting these notices from the server yakking about their .COM domain, and I have not hosted them in years.

    Since my data center doesn't have a clue, do you?

    Thanks for ANY help!

    0
  • Metro2

    PS - I don't even have PHP 7.2 installed or running.

    0
  • cPRex Jurassic Moderator

    Since the list of files mentioned cagefs, have you tried forcing a rebuild of CageFS to see if that removes the old user data?

    https://support.cpanel.net/hc/en-us/articles/1500009718162-How-to-rebuild-Cagefs

    0
  • rbairwell

    At a guess, you need to reach out to the server maintainer of 54.39.100.xxx as they have the domain name example.com setup on their DNS server with your server being listed as a secondary/slave server. As your server isn't configured this way, it is disregarding the NOTIFY messages.

    If you ARE the server maintainer of 54.39.100.xxx, and it is a cPanel based server - run

    /scripts/whoowns example.com

    on that server to see if "example.com" is known to the system. If it does come back with a username, you'll need to remove that domain from that user account. If it doesn't, (and

    grep example.com /var/cpanel/user* -r

    comes back with no results), you may need to manually edit /etc/named.conf and then remove /var/named/example.com.db if it exists - and then restart named on that server.

    If it isn't a cPanel server and you are an admin of 54.39.100.xxx, you'll need to look at the DNS configuration on it (usually /etc/named.conf ) and see if example.com is mentioned - and remove it if appropriate.

    0
  • Metro2

    cPRex - yes, CageFS had been rebuilt at least once after that account was terminated, but per your advice I ran the forced rebuild this morning and then ran updatedb on the server to make sure I wouldn't turn up stale results when using commands like "locate example". Still, the files referencing the (terminated in late 2021) account remain:

    /opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
    /root/saved.vfilters/example.ca
    /root/saved.vfilters/example.com
    /root/saved.vfilters/example.net
    /root/saved.vfilters/example.org
    /usr/share/cagefs/.cpanel.multiphp/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
    /usr/share/cagefs-skeleton/opt/cpanel/ea-php72/root/etc/php-fpm.d/example.ca.conf.save
    /usr/share/cagefs-skeleton/usr/local/apache/domlogs/ftp.example.ca-ftp_log.offsetftpbytes
    /var/cpanel/getmx/cache/example.com
    /var/cpanel/getmx/cache/example.net
    /var/cpanel/ssl/installed/certs/example_ca_a3fe5_176dd_1488412799_58927ab096b6e3fc62281745d9377448.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_a7532_26951_1494979199_18dc17fafac297626503184c5b582109.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_b01ca_a86ed_1514764799_f638b4498412c977eaa7bc41af35efba.crt
    /var/cpanel/ssl/installed/certs/example_ca_b01ca_a86ed_1514764799_f638b4498412c977eaa7bc41af35efba.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_be28b_51a71_1501631999_85d12e6674a4e0d7c6c0c9411a5fccaf.crt.cache
    /var/cpanel/ssl/installed/certs/example_ca_c1d05_d2129_1508198399_a4b8c6dfc277b2b359b840020e41e329.crt.cache
    /var/log/apache2/domlogs/ftp.example.ca-ftp_log.offsetftpbytes

    /var/cpanel/notificationsdb/example
    /var/cpanel/users.cache/examplE

    Also, despite having blocked the aforementioned Canadian host's IP 54.39.100.xxx a week ago in my CSF, it happened again 3 days ago from a different Canadian IP:

    Feb  5 18:02:24 pdns[2569215]: Received NOTIFY for example.com from 68.168.126.x but slave support is disabled in the configuration

    All IPs that I've seen this from are from ISP Web Hosting Canada and have hostnames such as rev4.web-dns1.com and rev1.web-dns1.com etc...

    It also does not occur regularly. It is random, sometimes in waves of once per day for a few days straight, and sometimes doesn't even occur for 2 to 3 months, but then returns.

    It has occurred approximately 125 times in over 600 days since May of 2022 when I first opened this thread and a ticket, so clearly it's random.

    I've done a lot of checking around on other hosting forums and other control panel forums as well, and after sifting through a LOT of threads related to PDNS NOTIFY, have not found this exact issue ever reported on any of them. It appears that either nobody else has ever encountered it, or maybe someone has and simply didn't notice it or post about it.

    0
  • Metro2

    rbairwell - Thank you for taking the time to add your input and advice as well, I really appreciate it.

    Following up to your post and suggestions:

    I am not the maintainer of any of the IPs that are triggering this. They're all owned by "Web Hosting Canada", more specifically gtcomm(dot)net which redirects to globo.tech. I put the . for gtcomm(dot)net in parentheses because it's a non-secured redirect. I run a small hosting service in the USA, and the customer moved their hosting to the Canadian provider in late 2021 because they are a company in Quebec and wanted to handle things with a local provider and IT team so that they could speak in French. (I unfortunately do not speak Français, and so it was an amicable / understandable split).

    But even though I'm not the host / server / DNS provider in any way for that former customer, I still tried your suggestion and investigated.

    Results from my server:

    /scripts/whoowns example.ca  returns nothing

    grep example /etc/named.conf  returns nothing

    grep example.com /etc/named.conf  returns nothing

    /var/named/example.com.db  does not exist

    I also checked /etc/apache2/conf/httpd.conf and /usr/local/apache/conf/httpd.conf and /usr/local/apache.ea4/conf/httpd.conf all again just in case, and there are no references to that former user or any of their domains.

    However - grep example.com /var/cpanel/user* -r returns:

    /var/cpanel/users.cache/exampleE:{"DEADDOMAINS":[],"DOMAINS":["example.com","example.net","example.org"],"BWLIMIT":"47185920000","MAXPOP":"20","notify_password_change_notification_disabled":"","notify_bandwidth_limit":"1","PLAN":"EXAMPLEPlan1","notify_account_authn_link_notification_disabled":"","PUSHBULLET_ACCESS_TOKEN":"","USER":"exampleE","RS":"paper_lantern","notify_email_quota_limit":"1","MXCHECK-example.org":"0","MAX_EMAIL_PER_HOUR":"600","MAILBOX_FORMAT":"maildir","MAXADDON":"2","HASSPF":"1","MAXSUB":"10","MAXSQL":"2","DBOWNER":"exampleE","BACKUP":"1","STARTDATE":"1134129476","notify_contact_address_change_notification_disabled":"","HASDKIM":"1","MAX_EMAILACCT_QUOTA":"unlimited","FEATURELIST":"default","CONTACTEMAIL":"exmaple@gmail.com","DOMAIN":"example.ca","OWNER":"root","MAXLST":"0","DEMO":"0","MAXPARK":"3","CONTACTEMAIL2":"example@hotmail.com","notify_account_authn_link":"","LANG":"english","LEGACY_BACKUP":"0","notify_disk_limit":"1","MAXFTP":"unlimited","LOCALE":"en","__CACHE_DATA_VERSION":"0.81","MTIME":"1479802895","HASCGI":"1","notify_contact_address_change":"","MAX_DEFER_FAIL_PERCENTAGE":"70","MXCHECK-example.ca":"0","HOMEDIRLINKS":[],"IP":"209.xx.xx.xx","notify_password_change":""}

    (the 209 ip is the main shared ip of one of my servers)

    I'm not exactly sure what to do with that info grep example.com /var/cpanel/user* -r , but it did at least turn-up info from the dead domain.

    I will check to see if it's possible for me to reach someone at the Canadian host who can maybe address some of the issue on their end, but we all know how difficult it can be to reach a tier 3 admin at a big company. Will take some time for sure.

    I welcome any further suggestions. Thanks!

    0
  • rbairwell

    Yep, running those commands on your server wouldn't have given any useful data - and so can be ignored.

    Technically, making unwanted requests to a third party server is network abuse - and so you should be able to contact their abuse department to take action (Abuse.net says that abuse@globo.tech is the best contact - and this is reflected on https://globo.tech/contact-us ). Just say you are receiving a high number of unwanted and potentially malicious NOTIFY requests to your server (include the IP address) from a customer of theirs from the IP address 54.39.100.xxx (include date/timestamps as examples) and if they could please take action under their acceptable use policy in particular "access or use data, systems or networks... without express authorization of the owner of the system or network;" to stop this unwanted and unauthorized traffic.

    (Potentially malicious? Well, the notify command is instructing your server to unnecessarily force a refetch and reload of a domain name and this increases your network traffic, may be an attempt to cause your server to participate in a DoS [how do you know that that domain actually exists on the server that is being called from] etc. Yes, it's a little bit petty, but can be enough to help "encourage" system administrators to take action).

    1
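
The reply above recommends sending the sender's network the source IP with date/timestamps as examples. One way to pull that evidence out of /var/log/messages, as an added example that is not part of the original thread: the log lines are constructed in the format quoted here, the addresses are documentation ranges, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in this thread; addresses are
# RFC 5737 documentation ranges, not the hosts discussed above.
SAMPLE_LOG = """\
May 24 00:36:28 hostname pdns[4049562]: Received NOTIFY for example.com from 192.0.2.10:54136 but slave support is disabled in the configuration
May 24 00:36:38 hostname pdns[4049562]: Received NOTIFY for example.com from 192.0.2.10:37082 but slave support is disabled in the configuration
May 24 00:37:26 hostname pdns[4049562]: Received NOTIFY for example.com from 192.0.2.10:45579 but slave support is disabled in the configuration
Feb  5 18:02:24 pdns[2569215]: Received NOTIFY for example.com from 198.51.100.7 but slave support is disabled in the configuration
Feb  5 18:03:00 hostname sshd[100]: Accepted publickey for root from 203.0.113.5 port 2222
"""

NOTIFY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s.*?pdns\[\d+\]:\s"
    r"Received NOTIFY for (?P<zone>\S+) from (?P<src>\S+) "
    r"but slave support is disabled"
)

def split_source(src):
    """Strip the port: handles '1.2.3.4', '1.2.3.4:53' and '[2001:db8::1]:53'."""
    if src.startswith("["):
        return src[1:src.index("]")]
    if src.count(":") == 1:
        return src.rsplit(":", 1)[0]
    return src  # bare IPv4 or bare IPv6

def summarize(log_text):
    """Group rejected NOTIFYs by (zone, source address), in file order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = NOTIFY_RE.match(line)
        if m:
            ts = " ".join(m["ts"].split())  # collapse syslog's day padding
            hits[(m["zone"].lower(), split_source(m["src"]))].append(ts)
    return {k: {"count": len(v), "first": v[0], "last": v[-1]}
            for k, v in hits.items()}

def abuse_report(summary):
    """One line per source, ready to paste into a report to the sender's network."""
    return [f"{addr}: {s['count']} NOTIFY for {zone}, first {s['first']}, last {s['last']}"
            for (zone, addr), s in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(abuse_report(summarize(SAMPLE_LOG))))
```

Syslog timestamps carry no year, so "first" and "last" follow file order; run it per rotated log file when the history spans more than one year.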
  • Metro2

    Thank you for the very useful info and advice. I guess I thought it seemed harmless since it's not crazy-frequent and I knew that they did move to the provider in Quebec, but now that you mention it - yes it's possible that they could have changed and/or something unfriendly is underfoot that they might not even be aware of. Thanks very much for taking your valuable time to provide guidance!

    0