Stop domain hijacking

Comments

7 comments

  • cPanelMichael
    Hello, This is discussed on the following thread: Configuration dns cluster: many webservers and 3 dns-only servers Thank you.
    0
  • Haym
    Hi, sorry to bring up an old thread, however I would like to make sure I understand correctly. The only supported way to prevent DNS/domain hijacking currently is to sync all DNS zones, from all servers, to each other. Is that correct? For example, Server1, Server2, Server3 and Server4 all have a copy of the DNS zones stored on the other servers? Does this not begin to affect performance at some point? Thank you
    0
  • cPanelMichael
    Sorry to bring up an old thread, however I would like to make sure I understand correctly. The only supported way to prevent DNS/domain hijacking currently is to sync all DNS zones, from all servers, to each other. Is that correct? For example, Server1, Server2, Server3 and Server4 all have a copy of the DNS zones stored on the other servers? Does this not begin to affect performance at some point?

    Hello, You can use "Synchronize" instead of "Write-Only" as the DNS role when configuring clustering on the hosting servers. This will prevent the creation of a DNS zone on your other web servers if the zone already exists (e.g. Customer on Web Server 1 can't create addondomain123.tld if a customer on Web Server 2 has already created addondomain123.tld). Is that the behavior you are looking for? Thank you.
    0
  • Haym
    You can use "Synchronize" instead of "Write-Only" as the DNS role when configuring clustering on the hosting servers. This will prevent the creation of a DNS zone on your other web servers if the zone already exists (e.g. Customer on Web Server 1 can't create addondomain123.tld if a customer on Web Server 2 has already created addondomain123.tld). Is that the behavior you are looking for?

    Yes but does this not result in all zones in the DNSOnly cluster being replicated to each of the cPanel servers? (i.e. every server has a copy of every zone) - or have I misunderstood this mode? Thank you!
    0
  • cPanelMichael
    Yes but does this not result in all zones in the DNSOnly cluster being replicated to each of the cPanel servers? (i.e. every server has a copy of every zone) - or have I misunderstood this mode?

    No, that won't happen as long as the DNS role configured in WHM of the DNS-Only server is set as "Standalone" for the hosting servers. Thank you.
    0
  • Haym
    No, that won't happen as long as the DNS role configured in WHM of the DNS-Only server is set as "Standalone" for the hosting servers. Thank you.

    Hi, thanks for your help. I followed these steps but, as thought, all DNS zones in the cluster are now in the hosting server's DNS Zone Editor page. The zones aren't actually present at /var/named, but if you edit one of them (as it's not clear which belong to the current server or not), the zone file appears in the /var/named directory and is then replicated to the cluster. So I really have no clue what's going on; I really can't understand why the cPanel DNS cluster system works like this. I just would like the following setup:

    NS1 & NS2: cluster
    Web1, Web2, Web3, Web4, etc.: normal hosting servers

    Zones from Web1 - Web4 are replicated to the cluster. Customers on Web1 - Web4 cannot create new accounts or domains for zones which already exist in the cluster. The only zones which appear on Web1 - Web4 in WHM, or are stored locally, are those which belong to that server.

    Right now, the last point isn't happening. I've set up as advised ("Standalone" on cluster WHM, "Synchronize" on hosting WHM) but all zones from the cluster are ending up on the hosting server.
    0
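    The leak described above (cluster zones ending up in a hosting server's /var/named once touched in the Zone Editor) can be audited per server. This is an added example, not cPanel's own code or the poster's: it assumes /var/named holds one `<zone>.db` file per zone and that /etc/userdomains lists `domain: user` for every local account; the sample file contents are constructed.

    ```python
    """Audit a cPanel hosting server for locally stored DNS zones that none of its accounts own.

    Added example, not cPanel's code. Assumes /var/named holds one <zone>.db file per zone
    and /etc/userdomains maps "domain: user" for accounts hosted on this server.
    """
    import os
    from typing import List, Set

    # Constructed sample data standing in for the two files on a hosting server.
    SAMPLE_USERDOMAINS = """\
    *: nobody
    example.com: alice
    shop.example.com: alice
    customer.tld: bob
    """

    # Constructed listing of /var/named; named.ca is a root hints file, not a zone.
    SAMPLE_NAMED_DIR = ["example.com.db", "customer.tld.db", "addondomain123.tld.db",
                        "named.ca", "other.tld.db"]


    def parse_userdomains(text: str) -> Set[str]:
        """Return the domains owned by local accounts, skipping the '*: nobody' wildcard line."""
        domains = set()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("*"):
                continue
            domain, _, _user = line.partition(":")
            domains.add(domain.strip().lower())
        return domains


    def zones_in_named(filenames: List[str]) -> Set[str]:
        """Map <zone>.db file names to zone names; ignore anything that is not a zone file."""
        return {name[:-3].lower() for name in filenames if name.endswith(".db")}


    def foreign_zones(named_files: List[str], userdomains_text: str) -> List[str]:
        """Zones stored locally that no local account owns: candidates that leaked in from the cluster."""
        return sorted(zones_in_named(named_files) - parse_userdomains(userdomains_text))


    def audit_server(named_dir: str = "/var/named", userdomains_path: str = "/etc/userdomains") -> List[str]:
        """Run the audit against the real files on a cPanel hosting server (assumed paths)."""
        with open(userdomains_path) as fh:
            return foreign_zones(os.listdir(named_dir), fh.read())


    if __name__ == "__main__":
        for zone in foreign_zones(SAMPLE_NAMED_DIR, SAMPLE_USERDOMAINS):
            print(f"{zone}: stored in /var/named but owned by no local account")
    ```

    Any zone it reports is one that would be re-replicated to the cluster from this server if edited here, so it is worth confirming which server actually owns it before touching it.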
  • cPanelMichael
    The only zones which appear on Web1 - Web4 in WHM, or are stored locally, are those which belong to that server. Right now, the last point isn't happening. I've set up as advised ("Standalone" on cluster WHM, "Synchronize" on hosting WHM) but all zones from the cluster are ending up on the hosting server

    Hello, That's correct. The current DNS cluster functionality is not designed to be shared between different customers, but is intended for systems where only a single admin (or trusted group of admins) is managing the entire cluster. Thus, the particular functionality you are seeking isn't offered at this time. It's part of the feature request that's open at: Ownership and access control of zones in the dns server. I encourage you to vote for this request and subscribe for updates to be notified upon updates to its status. In the meantime, using Synchronize as the DNS role for each hosting server will ensure the system checks whether a DNS zone exists in the cluster before it's created. Though, as you noted, it does result in the domain name appearing in the list of zones on all other servers in the cluster. Note: Our feature request website is currently undergoing maintenance. It should resume functioning soon. Thank you.
    0