Nameserver Paradox
Feb 29, 2008
I have my own private nameservers configured at Godaddy (Host and IPs configuration) and this same domain is hosted alongside another 30 of my clients' sites, which also use the very same nameservers.
I'd like to move my domain (myserver.com) to a different server (i.e. point at ns1/ns2.otherserver.com instead of the current config: ns1/ns2.myserver.com) whilst retaining the private nameserver configuration (Host and IPs configuration) so that my client sites continue to function.
Nov 5, 2009
We have several VPSs reselling shared hosting, and as we grow our shared hosting operations, I've realized how it's almost impossible to have every user, developer or whoever is accessing our shared accounts properly lock down their scripts, e.g. set proper permissions... But what I don't get is how larger shared hosting providers (which we plan on becoming) fully lock out homedir/User A from being able to access, view or write to homedir/User B's files, no matter if User A's executed scripts, processes or protocols are requesting User B's files...
In a shared environment you can't rely on your customers to lock down their stuff, and they are trusting you to take reasonable precautions to protect their stuff at the same time... This should be basic security, but it's almost impossible, it seems, to achieve in a shared env.
Obviously there are VPSs with completely isolated layers, but in a shared env it shouldn't be too big of a request to have one person's stuff not easily visible by another person, no matter if SSH is being used or a script of any kind. Bottom line: think of a hotel, a "shared environment". One guest can't just go in someone else's room easily. The hotel owner ensures that guests' rooms are not available for other guests to access. This is a reasonable policy, and the hotel owner would be in deep s**t if other guests had access to other guests' rooms....
Here are the reasons why I think "secure shared hosting" is essentially a paradox...
1. False sense of security - SuPHP, Suexec, open_basedir..
Problem is, even if you're using SuPHP or open_basedir or other security practices, someone on that server could still possibly "view" other users' files, which could include database config files and other files that you wouldn't want someone to read/access. These files could include xml, dat, txt, etc., any other file that a user might not want another user in another homedir to access that isn't protected by SuPHP or SuExec...
2. People often say... well, it's your users' responsibility: "Rely on your end users to choose proper permissions for their files"... This is like relying on your hotel guests to deadbolt their door instead of having an autolock on their door when they close it.
I'm sure your clients would expect you to "section off" their account reasonably from another user; however, this doesn't seem possible, at least with Apache, which requires "nobody" to have access to files... And the problem is you can't rely on your users. Besides, most open source scripts (WP, Joomla, Magento) and people here in this forum recommend 644/755 permissions as being the ideal permissions for most files/folders; however, if a user makes all of their files 644/755, other users can still possibly access those files. You would still be giving world-readable access... Many people still use PHP as an Apache DSO, so under normal circumstances where scripts are installed in pub_html a user is FORCED to use world-readable permissions on their config files for their apps to run. For instance, with our cPanel install, when we provision accounts in WHM, it creates .htaccess files with 644 permissions... well, why would it do this if .htaccess shouldn't be read by other users? The same goes for xml files, or other non-php/cgi files outside or inside the pub_html directories of a user's homedir/ that shouldn't be viewable by world users...
Bottom line: until "world" readable/writable/executable permissions are completely ignored in a user's homedir/, for not just PHP/CGI but for any file, I think shared hosting security, no matter what patches you have added to Apache or your system (Suhosin, SuPHP, etc.), is a paradox... It shouldn't even be possible in any home dir, no matter how responsible/irresponsible a user is, for one user to be able to view another user's stuff. The whole point and reason panels such as WHM or any panel use the /home dir is to separate that user's files/mail/etc. from another user's. So, logically, there's no reason why a script would need access to another's home dir/ knowing it's a shared environment, and on a shared hosting env it shouldn't be allowed to go outside of that user's /home/ dir...
POSSIBLE SOLUTION:
So I think a server admin should be able to enable a "mod_shared host", let's say in WHM or something, that will get rid of global permissions, e.g. there will only be 64, not 644, for any file in /home/<user>/... If someone chmods something to anything in Y ... XXY ... Y is completely ignored and set to 0...
If the server admin wants to override such settings, there could be an override feature, but by default, just as PHP open_basedir restriction settings in WHM work for PHP, the same should go for all files/scripts that are part of a home dir (any extension); under normal shared hosting they shouldn't be accessible by any method (FTP, SSH, any Apache module/process - CGI, Java, etc.) regardless of DSO, SuPHP...
Until then... How could large shared hosting providers sleep at night knowing that they are not protecting everything in their users' home directories? This should be a simple and reasonable request that a user would expect when signing up for shared hosting... Obviously there are other possible security leaks, and breaches can occur, but this should be basic security...
Shared hosting shouldn't be like open kindergarten cubbies with a curtain protecting the contents; instead, anyone signing up for shared hosting would expect their host to at least have a high school locker with a padlock....
Or am I missing something? Is there a solution already for this reasonable security practice of protecting users from each other without referring them to a VPS or a dedicated server? How do the big shared hosting operations have large shared environments with hundreds of users on a box NOT allowing others to view/access other people's stuff?
I've asked people on cPanel forums as well as our hosting provider, everyone has mixed responses and no real "answer" so I wanted to get your thoughts...
Apr 4, 2008
1) I use DNSMadeEasy for a couple of my important domains so I can utilize their failover service.
2) I use my own nameservers for everyone else.
At my registrar (GoDaddy) I've added host entries to my domain (let's call it host.com) for ALL of my nameservers: DNSMadeEasy and mine. For example, here are my host entries:
1) nsdme0.host.com = 55.55.55.55 (DNSMadeEasy)
2) nsdme1.host.com = 56.55.55.55 (DNSMadeEasy)
3) nsdme2.host.com = 57.55.55.55 (DNSMadeEasy)
4) nsdme3.host.com = 58.55.55.55 (DNSMadeEasy)
5) nsdme4.host.com = 59.55.55.55 (DNSMadeEasy)
6) ns1.host.com = 60.55.55.55 (mine)
7) ns2.host.com = 61.55.55.55 (mine)
At the registrar I've then configured host.com to use the first five nameservers for itself, the DNSMadeEasy nameservers.
For less critical sites that I host I simply point them to ns1.host.com and ns2.host.com, my nameservers.
Now, here's the twist. If I use dig to look up www.host.com I get:
[root@lax1 ~]# dig +trace www.host.com
; <<>> DiG 9.3.3rc2 <<>> +trace www.host.com
;; global options: printcmd
. 220048 IN NS D.ROOT-SERVERS.NET.
...........................................
. 220048 IN NS K.ROOT-SERVERS.NET.
;; Received 228 bytes from 66.63.160.2#53(66.63.160.2) in 1 ms
net. 172800 IN NS J.GTLD-SERVERS.net.
...........................................
net. 172800 IN NS G.GTLD-SERVERS.net.
;; Received 497 bytes from 128.8.10.90#53(D.ROOT-SERVERS.NET) in 74 ms
host.com. 172800 IN NS nsdme0.host.com.
host.com. 172800 IN NS nsdme1.host.com.
host.com. 172800 IN NS nsdme2.host.com.
host.com. 172800 IN NS nsdme3.host.com.
host.com. 172800 IN NS nsdme4.host.com.
;; Received 225 bytes from 192.48.79.30#53(J.GTLD-SERVERS.net) in 125 ms
www.host.com. 1800 IN CNAME host.com.
host.com. 75 IN A 60.55.55.55
host.com. 86400 IN NS nsdme2.host.com.
host.com. 86400 IN NS nsdme1.host.com.
host.com. 86400 IN NS nsdme5.host.com.
host.com. 86400 IN NS nsdme0.host.com.
host.com. 86400 IN NS nsdme4.host.com.
host.com. 86400 IN NS nsdme3.host.com.
;; Received 276 bytes from 123.123.123.123#53(nsdme0.host.com) in 68 ms
BUT, if I look up the nameserver (ns1.host.com) I get:
Code:
[root@lax1 ~]# dig +trace ns1.host.com
; <<>> DiG 9.3.3rc2 <<>> +trace ns1.host.com
;; global options: printcmd
. 218964 IN NS M.ROOT-SERVERS.NET.
...........................................
. 218964 IN NS K.ROOT-SERVERS.NET.
;; Received 228 bytes from 66.63.160.2#53(66.63.160.2) in 1 ms
net. 172800 IN NS H.GTLD-SERVERS.net.
...........................................
net. 172800 IN NS G.GTLD-SERVERS.net.
;; Received 497 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 115 ms
ns1.host.com. 172800 IN A 60.55.55.55
host.com. 172800 IN NS nsdme0.host.com.
host.com. 172800 IN NS nsdme1.host.com.
host.com. 172800 IN NS nsdme2.host.com.
host.com. 172800 IN NS nsdme3.host.com.
host.com. 172800 IN NS nsdme4.host.com.
;; Received 241 bytes from 192.54.112.30#53(H.GTLD-SERVERS.net) in 151 ms
What I've realized is that the actual IP addresses for nameserver host entries come from a higher level server than my own, in this case H.GTLD-SERVERS.net. I guess this makes sense but I just hadn't realized it before. It looks like I don't even need to have record entries in my DNS records for the host nameservers.
Now for the question. Can I:
1) Remove my custom host nameserver entries from my registrar.
2) Add entries in my DNSMadeEasy records to specify the location of ns1.host.com and ns2.host.com.
3) Use the failover provided by DNSMadeEasy to also fail-over my DNS entries for my nameservers?
I know this would require one more hop if it works but it would allow me to provide failover ability to fifty domains without having to purchase the extra domains at DNSMadeEasy.
Jun 30, 2009
I have a domain hosted at godaddy.com and I decided to go with VPS hosting elsewhere. I have changed the nameservers to [url] and [url] at godaddy. I set up the reseller account in WHM but the nameservers point to something other than [url]. I am trying to change them to the correct nameservers by using the "Nameserver IP Assignment" tool but it is taking literally forever. Is this normal?
Should I have to wait until it assigns an IP address to use the correct nameserver?
Aug 20, 2009
I just moved my site from a shared host to a VPS with PhotonVPS.
I forwarded the name servers at my registrar, GoDaddy.
However, when I look at my INTODNS report, I am getting all sorts of nameserver errors:
[url]
Is this normal while the changes propagate? Or did I mess something up, because I also cannot access my VPS cPanel now.
Jun 20, 2009
For some reason in WHM (root) (fresh install) I'm trying to add a name server in the ":2086/scripts2/listassignednsips" area and it just loads.... It never errors or anything, just loads and loads for 30 minutes and never adds it. I have already added the IPs to the server. (6 IPs)
May 22, 2009
Have you come across this problem where you change the nameserver IP in '/etc/nameserverips' but the change is not reflected, and instead it reverts to the old IP?
Doing the following fixed the issue for me.
Disable whois lookups for the nameserver IP manager via WHM > Tweak Settings.
Jul 21, 2008
When I set this nameserver on another domain, this message was shown:
NameServer ns1.gempakbox.net is not a valid Nameserver
NameServer ns2.gempakbox.net is not a valid Nameserver
May 19, 2008
on setting up DNS server with my server. I don't know what to set up in the DNS zone files for my new server.
I have registered xyz.com with godaddy.
I have 2 IP addresses (1.3.5.7 and 2.4.6.8).
My server hostname is server.xyz.com
and I am running BIND.
I want to run my own name servers ns1.xyz.com and ns2.xyz.com.
What do I do next?
Jun 15, 2008
Say a person has a domain called mydomain.com,
and this domain mydomain.com is hosted from nameservers called ns1.mydomain.com and ns2.mydomain.com.
Will this mean that
the person who owns mydomain.com owns his/her own webhost server?
And is that what is being called a dedicated server? I already did some research suggesting that would mean the whole server is owned by the 1 person/domain only?
I have been asking myself this question for quite some time now, and I'm hoping that this forum can help me understand this matter.
Oct 6, 2007
I just took out a VPS hosting plan with Hostican, but I'm a bit confused about whether I followed their instructions properly... please be patient
Their instructions said this:
Quote:
Please note that on our network a VPS is like your own private space on the network to work from. This is why we provide your account with two dedicated IP addresses that you will need to use to register your name servers with. Please view the below name servers and IP addresses that you should use to register them.
ns1.mydomain.com <==> xx.xx.xx.xx
ns2.mydomain.com <==> xx.xx.xx.xx
Now all my domains are registered with 1&1, who don't provide an option for creating private nameservers in their control panel. So, I created two subdomains (ns1 and ns2.mydomain.com) and then created A records for ns1 and ns2, pointing to the IPs supplied by Hostican. Then I changed the nameserver for my domains to ns1 and ns2.mydomain.com
After a couple of days, this seems to have worked - domains point to new VPS webspace and emails working. I'm worried whether I did this properly though, or whether I'm going to get problems in future with reverse dns and stuff?
Mar 25, 2007
My dating site sends an email notification to the user when they receive a message on the site. Many of the notify emails aren't going to their destination.
In exim, I keep seeing this message:
failed for
550-unrouteable
mail domain "ns1.mydomain.com"
550 Sender verify failed
Jan 3, 2007
I did ping the nameservers,
ns1.mydomain.com [130.74.135.102]
ns2.mydomain.com [66.21.114.11]
And this is when I added a new domain in Cpanel.
Using nameservers with the following IPs: 66.21.113.11,66.21.114.11 Bind reconfiguring on serverprovider using rndc
Created DNS entry for mydomain.com
Should it really be 2 different nameserver IPs?
Nov 4, 2007
I just got a VPS, (unmanaged...eh), and I seem to be having a problem with nameservers.
The current IP for the VPS is: [url]
It's set as the shared IP in WHM, so everything is pointing to that. I asked my host if the nameservers ns1.thehobbylounge.com and ns2.thehobbylounge.com should work (that is the domain for the account I am running under WHM/cPanel), and I was told that this was correct.
However, my registrar gives me a validation error when I put in those nameservers for my domain.
I tried to follow these steps: [url]
But they seem to be already done... I think that's if your server isn't set up at all.
Aug 9, 2007
I'm setting up a dedicated server at a co-location and they keep asking me to provide 2 nameservers, such as:
ns1.yourdomain.com
ns2.yourdomain.com
But they won't explain any further than that. Do I make names up or are these the nameservers associated with my domain name at godaddy.com?
Jul 17, 2007
I installed DA, and set up my IPs: 11.22.33.44 = ns1.mydomain.com, 11.22.33.45 = ns2.mydomain.com and mydomain.com (host) = 11.22.33.46.
I went to the registrar and created NS entries: ns1.mydomain.com points to 11.22.33.44 and ns2.mydomain.com points to 11.22.33.45.
What else do I have to do here to get my NS working properly?
Apr 10, 2007
Is it possible to have 2 name servers on one IP?
For example:
ns1.xxx.com = 216.246.56.150
ns2.xxx.com = 216.246.56.150
Is it possible?
Also, I cannot send to or receive from Hotmail,
but with Yahoo and Gmail it is fine; I can send and receive.
Also, how can I be sure the RDNS is set up?
Oct 20, 2007
can't seem to figure out how the whole nameserver/DNS thing works.
My VPS is registered under a domain, say mydomain.com. So my nameservers on the VPS are registered under ns1.mydomain.com and ns2.mydomain.com, both assigned to the two IP addresses for my VPS.
The problem is, I'm trying to figure out how to get mydomain.com to actually point to my VPS from my registrar. If I type in ns1.mydomain.com and ns2.mydomain.com, it's just pointing to itself so it doesn't work.
Oct 30, 2007
I had a reseller plan and I was using one of my domains as nameserver. I mean ziafat.com was my nameserver and one of my sites.
Now I have transferred to a VPS plan. I want to use my domain as nameserver and one of my sites. I changed the domain manage page like this:
ns1.ziafat.com
ns2.ziafat.com
At the bottom of the page I clicked this:
If you want to create or modify a nameserver which is based on ziafat.com click here.
and entered ns1.ziafat.com and ns2.ziafat.com and the two IPs of my VPS plan.
Now all sites hosted on my new VPS are opening correctly; just the ziafat.com (primary and nameserver) domain is opening as a blank site!
I saw the server technician created a reseller account with the ziafatco username and all of my accounts are under ownership of that.
Aug 11, 2007
I'm uploading my files to this new server and will switch over to it later. I already know how to change the nameserver at the registrar...
My question is: how should I name the nameserver on this new server?
Because my old server has the following nameserver names:
---------------------
NS1.MYSITE.COM
NS2.MYSITE.COM
---------------------
And my new server has exactly the same names as these!!
I went through WHM and I need to assign an IP address to this nameserver on the new server, and what will happen if I assign this IP address to the same nameserver as on the old server?
In this case,
1) Should I change the name of the nameserver to something else, such as the following?
---------------------
NS3.MYSITE.COM
NS4.MYSITE.COM
---------------------
2) Or should I use the IP address instead of using this English name?
3) Or should I wait until all the files are uploaded and assign this IP address to this nameserver on the new box? I wonder what will happen if I do this, because there would be 2 different IP addresses for the same nameserver on this earth!
Nov 8, 2007
I have just gotten a dedicated server this month.
CentOS with DirectAdmin (thanks to WHT for recommending this).
My problem is, I can't seem to "make" a nameserver and get it to work?
I have attached some .jpg screenprints which I hope will help resolve my problem.
I hope you will look at the pictures and tell me what I am doing wrong.
I have followed the guide in the DirectAdmin forum for creating a nameserver, but I still have a problem. (I have not been able to post in their forum, because I have not gotten an activation mail yet, so while I wait for that, I hope you will help me.)
I have waited a couple of days for the DNS nameserver to update, but it is still not working.
Sep 23, 2007
I was with VPS Host A. When I wanted to have my domain name on the VPS from Host A, I simply entered the primary & secondary nameserver names at my registrar's site and it was done.
Host A's service was poor, so I've started with VPS Host B. They created nameserver names for me at Host B's DNS for my VPS.
When I went to my registrar's site to enter these nameserver names, I was instructed to create an A record and a subdomain for each nameserver name.
I don't understand why it was simple with the first set of nameserver settings but not the 2nd ones.
The domain name for my first VPS is different than for my second VPS.
The nameserver names from Host A didn't include the domain name; for example, Host A's were ns1.computer.com and ns2.computer.com and the nameserver names from Host B were ns1.mydomain.com and ns2.mydomain.com.
Could it be that it wasn't easy the second time because the nameserver names included my domain name?
Mar 19, 2007
check that my nameserver settings are correct for the following (some registrars do not allow me to change the DNS on some domains as it reports an error):
NS1.ZAGGS.COM
NS2.ZAGGS.COM
NS3.ZAGGS.COM
Jul 26, 2007
I'm trying to add a new nameserver in WHM. But it won't let me choose the IP it will use. It just assigns some IP.
What should I do to change the IP to the one I want to use?
Aug 29, 2007
My new host gives me 1 IP to register for both (ns1 & ns2) nameservers. Is that correct?
My ex-host always gave me 2 IPs.
Apr 1, 2009
I have received this mail every day saying that my named has stopped:
nameserver failed @ Wed Apr 1 22:10:21 2009. A restart was attempted automagically.
Service Check Method: [check command]
Cmd Service Check Raw Output: Fixed ownership on /etc/named.conf
Fixed ownership on /etc/rndc.key
Fixed ownership on /etc/rndc.conf
Apr 4, 2009
My provider just gave me 1 IP, to be used as the shared IP for every account created on the server. I also assigned that IP to my nameserver ns1.domain.com at my registrar.
I was also instructed by my provider to use the next IP for the second nameserver, which I also created at my registrar, and I created a DNS zone in WHM. All of the domains using those two IPs are working, but I don't know why, when I ping the second DNS, it's not working. Intodns.com is also showing nameserver 2 as an error.
My question is, do I need to add the second IP on the server/WHM? You see, when I go to WHM and click Show IP Address Usage I only see the first IP, shared with all other domains. Somehow I'm expecting to see the second IP on the screen.
Can anyone enlighten me? The server I got should have been fully managed, but my provider is somehow responding so slowly.
Oct 2, 2008
I have a dedicated server with WHM 11.23.2. I am in the process of "attempting" to change the hostname for a group of websites and also the nameservers.
Let's say for practical senses that these were the old details:
Hostname: abc.example.com
Nameservers: ns1.example.com and ns2.example.com
I changed in the following sections of WHM..
Server Configuration -> Basic cPanel/WHM Setup -> Hostname to
123.newsite.com
and then...
Networking Setup -> Hostname to 123.newsite.com
and then...
Server Configuration -> Basic cPanel/WHM Setup -> Primary Nameserver to ns1.newsite.com and then...
Server Configuration -> Basic cPanel/WHM Setup -> Secondary Nameserver to ns2.newsite.com.
Then...
Networking Setup -> Nameserver IPs. I deleted the old ones and created the two new ones: ns1.newsite.com and ns2.newsite.com.
I have double checked that this information is still there. Obviously newsite.com is listed as a domain/account. However, example.com was naturally the first one associated with this server.
I performed a server reboot, apache reset etc.
This was three days ago. I assumed it had all changed over. Until I (stupidly) remembered that I hadn't changed the goDaddy information to point to these new nameservers. I panicked thinking all the sites (six of them) would be down. However, they weren't. When I tried to change the nameserver information for a domain in goDaddy it came back with errors... it would only accept ns1.example.com and ns2.example.com.
So, I did a tracert to the IP address of the server and indeed it comes back as abc.example.com. Every domain is associated with that static IP.
I can't even find anywhere where abc.example.com is listed within the WHM. All the new values are listed... so, where is it pulling this from? I thought the reset of the server (as a graceful reboot) would resolve this issue.. it hasn't. I've rebooted twice and awaited the thirty minutes for everything to get back online. No success.
Aug 11, 2008
Quote:
The zone for the root domain splinteredmedia.net is missing, or could not be read. The ip address will be read from the webserver configuration and a new zone will be created for this subdomain. Bind reconfiguring on smpl using rndc Error reconfiguring bind on smpl: rndc: connect failed: 127.0.0.1#953: connection refused
Created DNS entry for ns1.splinteredmedia.net
is the error I get when I try to add an entry for one of my nameservers.
I have cPanel on a CentOS 5.1 VPS.
I am still pretty new to CentOS.
How would I go about adding a zone? If somebody could point me to a place where I can read exactly what it is and how to set it up, I would be very grateful.
Oct 22, 2008
My server is with cheapvps.
I have just purchased a .info domain just to use for playing about on. I purchased it from 123-reg.co.uk. I have 3 other domains with them, but these are .com, .co.uk and .org.uk domains, all pointing to my VPS nameservers.
For some reason when I go to add my nameservers to the .info domain it says
Error text: Nameserver ns1.playcontrol.co.uk doesn't exists in the registry
Error text: Nameserver ns2.playcontrol.co.uk doesn't exists in the registry
I've not encountered this before. My friend purchased a .co.uk domain last night and when I added the nameservers to his it worked fine.
Jan 12, 2008
I have a VPS on which I installed cPanel with two IPs, and I have a domain on another server for which I want to create two name servers for this new VPS.
I created two name server records in the domain panel like this:
linux1.mydomain.com [my first IP]
linux2.mydomain.com [my second IP]
Then I assigned the nameservers to IPs in cPanel, but my name servers cannot be pinged yet and my sites on this VPS cannot open!
What should I do to join the nameservers of my domains and my VPS?