Configuration dns cluster: many webservers and 3 dns-only servers

bejbi

• July 25, 2017 04:11

It is time for me to look into dns configuration. I have 3 webservers: ie. s1.example.com, s2.example.com, s3.example.com I have 3 dns-only servers, ie. dns.example.com, dns2.example.com, dns2.example.com I create accounts for customers like: customer123.example.com (they receive subdomain under my own domain). For now I have configuration: On each webserver I have 3 dns-only servers in dnscluster as role: write-only On each dns-only server I have 3 webserwer in dnscluster as role: standalone Such configuration means, that webservers push their zones into dns-only servers. It works, but ... I see now disadvantages of this (or even high risk): Scenario 1: My main domain (example.com) is parked on server s1.example.com Customer on his own account (on webservers: s2 and s3) can add ANY subdomain like: badword.example.com as his ADDITIONAL domain. It is so, becouse webserver s2 or s3 doesn't know, that this domain is owned by other user (on other webserver). But it is my domain :-) The same is with domains of any customers located on other servers - any user can create subdomain of any domain from other webservers. I tried secure it using TweakSettings and option: "Prevent cPanel users from creating specific domains" But when I add my domain: example.com it is unable to create new accounts as subdomains of my domain using API. And it is not securing domains of other customers. Scenario 2: It is very interresting becouse ANY user can now add my domain: "example.com" as his additional domain and this will overwrite my original zone in dns-only cluster (new zone have higher zone serial) - it is very dangerous. ======== The question is: how should be configured dns cluster (of 3 webserwers and 3 dns-only) to be safe ? W.

• 

  cPanelMichael

  • July 25, 2017 16:06

  Hello, The following feature request is open to help avoid this issue: Ownership and access control of zones in the dns server. If you use "Synchronize" instead of "Write-Only" as the DNS role, then it will prevent the creation of a DNS zone on a hosting server if it already exists. Thank you.

  0
• 

  bejbi

  • July 25, 2017 17:22

  Thank You for advice about changeing "Write-Only" into "Synchronize". I did it already when we were tested many configurations :-) It resovles problem with creating existing domain, but make another problem: When the webserver is set to Synchronize, root user in WHM can edit all zones (even is they are not on this webserver). i.e when original account with subdomain: mydomain.example.com is on webserver s1.example.com and I edit this zone on webserver s2.example.com then: Synchronize push my new zone form s2.example.com into dns-only servers. When the dns-only servers are still "standalone" they DON'T push this new zone update into original webserver: s1.example.com So we have problem - new version of zone exists on dns-servers, but original account where this zone is parked CAN'T see this changes. We can go further: When customer is editing his domain in his cPanel account (on webserver s1.example.com) this new update of zone, will overwrite existing zone in dns-only cluster ... So root/reseller and user can overwrite zones each other :/ W.

  0
• 

  cPanelMichael

  • July 25, 2017 18:13

  So root/reseller and user can overwrite zones each other :/

  
  There's no workaround to that issue at this time. It would require new functionality, as described at: Ownership and access control of zones in the dns server. Thank you.

  0
• 

  bejbi

  • July 25, 2017 19:31

  We find solution for this. It is under our investigation now: If I set on webservers role: Synchronize and on dns-only set Write only it look like works correcty: If I edit zone on "any" webserver - it push this zone into dns-only servers. And if dns-only is set to other servers in dnscluster in role "Write only" - so dnsserver pushes the updated zone into every webservers. After this, zones on every webservers still updated, and current. It is also very comfortable, becouse I can edit dns-zone on any webserver without trouble. Only disadvantage of this above is: when dns-only push updated zone, this zone (I mean: file on disk) will appear on every webservers. But this can I accept ... W.

  0
• 

  cPanelMichael

  • July 26, 2017 16:32

  Hello, I'm happy to see you were able to find a workaround that suits your needs. Thank you for updating us with the outcome.

  0

Please sign in to leave a comment.