HowtoForge Forums > ISPConfig 2 > General

#1 18th August 2007, 05:40
Tommahawk (Member)
Delete Site + DNS

I find that deleting a site does not delete the DNS entry associated with the site.

Is this a bug:
Duplicate zone name. If two zones have the same name (named.conf) it causes DNS restart to fail and creates downtime.
#2 18th August 2007, 10:06
till (Super Moderator)

Quote:
I find that deleting a site does not delete the DNS entry associated with the site.
That's the intended behaviour. If you delete a website, you do not necessarily want to delete a DNS zone, as this DNS zone might be used for email on other servers, subdomains on other servers, etc.

Quote:
Is this a bug:
Duplicate zone name. If two zones have the same name (named.conf) it causes DNS restart to fail and creates downtime.
Did you add the zones via the ISPConfig interface or remoting?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3 20th August 2007, 02:27
Tommahawk (Member)

Possibly the issues are like this.

1) If manual entries exist in named.conf they can be duplicated and cause the named server to fail to restart due to the duplication. (I suggest you analyze these for yourself.)

2) A reseller is created; he is then able to create websites with the same zone name as manually added zones in named.conf, via the ISPConfig UI and as a Remoting User.

3) A public remoting web script that allows users to add websites if the domain matches a manually added zone name in named.conf.

4) If the zone is manually added and a new site subdomain with the same zone name is created via a remoting script.

The question I see is whether the function that checks for duplicate sites in named.conf should be extended to include manually added entries, and possibly whether subdomain zone names should have the subdomain appended to them. If a server has manual entries and allows resellers, I can DoS (denial of service) that server.

ISPConfig does check for duplication with entries it creates. In which file is the code that does the checking situated? Possibly the easiest solution is to grep named.conf for the domain name before adding, or better, a regular expression.

#4 20th August 2007, 11:47
till (Super Moderator)

There should be no manually created zones. This is a prerequisite for ISPConfig.

If you want to change the ISPConfig libraries, have a look at the directory /root/ispconfig/scripts/lib/classes/, there you will find the bind configuration class.
#5 21st August 2007, 01:34
Tommahawk (Member)

Possible Files:

/home/admispconfig/ispconfig/lib/classes
ispconfig_isp_web.lib.php
Line Approx: 239 Function: web_insert()
Line Approx: 545 Function: web_update() //protects against resellers

ispconfig_web.lib.php
Line Approx: 185 Function: web_insert()


==========================
For ispconfig_isp_web.lib.php - web_insert() & web_update()

////////////////////////////// Named.conf check for manual entries ////////////////////////

// Count 'zone "<web_domain>"' stanzas that appear after the manual-entries marker in named.conf
if (shell_exec('grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c "zone \"'.$web["web_domain"].'\""') > 0) {
    if($die_on_error){
        $go_api->errorMessage($go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt").$go_api->lng("weiter_link"));
    } else {
        return $go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt");
    }
}

//////////////////////////////////////////////////////////////////////

Only greps after //// MAKE MANUAL ENTRIES BELOW THIS LINE! ////. A custom error message should be created warning the user that a DNS entry has not been made due to a zone match with the same name created manually, instead of DoSing named. 10000 should be an EOF equivalent.


For ispconfig_web.lib.php

if (shell_exec('grep -c "zone \"'.$params["web_domain"].'\"" /etc/named.conf') == 1) $this->errorMessage .= "Parameter: web_domain is required.\r\n";

#6 21st August 2007, 03:02
Tommahawk (Member)

The above will grep named.conf ->
1) when creating a new site
2) with remoting framework.

It will not guard against resellers and admins changing a site because it must differentiate between ISPConfig created entries and manually created entries. Perhaps a unix guru could formulate a command to cat lines past "Add manual entries" then pipe the output to grep or similar.

You ought to think about creating a custom error against this potential security hole. Even just to safeguard against possible DNS dos.


Worked it out: returns a positive non-zero or 0, true or false. Except it needs EOF instead of 10000.

grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c "zone \"'.$params["web_domain"].'\""

You should then be able to notify the user of a possible vulnerability or even tag entries in ISPConfig that do not have a DNS record due to this case.

#7 21st August 2007, 06:14
mlz (Senior Member)
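The check that posts #5 and #6 sketch (scan only the manual-entries region of named.conf for a zone with the requested name), as an added shell example that is not ISPConfig's code: it reads from the marker to end of file instead of relying on "grep -A 10000", and matches the zone name as a fixed whole string. The marker comment is the one quoted in the thread; the named.conf content is constructed for the example.

```shell
#!/bin/sh
# Added example, not ISPConfig's code: scan the manual-entries region of a
# named.conf (marker line to end of file) for a zone stanza with a given name.
# The marker comment is the one quoted in the thread; the sample named.conf
# below is constructed for this example.
MARKER='//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////'

# manual_zone_count CONF DOMAIN
# Prints how many 'zone "DOMAIN"' stanzas appear after the marker line.
manual_zone_count() {
    conf=$1
    domain=$2
    # awk prints every line once the marker has been seen; index() is a plain
    # substring test, so the slashes in the marker need no regex escaping.
    # grep -F treats DOMAIN as a fixed string ('.' cannot match any character)
    # and the surrounding quotes force a whole-name match, not a suffix match.
    awk -v marker="$MARKER" 'seen { print } index($0, marker) { seen = 1 }' "$conf" \
        | grep -Fc "zone \"$domain\"" || true
}

# zone_is_free CONF DOMAIN
# Exit status 0 when no manual zone with that name exists, 1 otherwise, so it
# can guard the point where the generated zone is written and named restarted.
zone_is_free() {
    [ "$(manual_zone_count "$1" "$2")" -eq 0 ]
}

# Constructed sample: one ISPConfig-generated zone above the marker and one
# manually added zone below it.
write_sample_conf() {
    cat > "$1" <<'EOF'
zone "managed.example" {
        type master;
        file "/var/named/managed.example";
};
//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////
zone "manual.example" {
        type master;
        file "/var/named/manual.example";
};
EOF
}

SAMPLE_CONF=$(mktemp)
write_sample_conf "$SAMPLE_CONF"
if zone_is_free "$SAMPLE_CONF" manual.example; then
    echo "manual.example: no manual zone found, safe to create the site"
else
    echo "manual.example: manual zone exists, refuse the site (named would fail to restart)"
fi
rm -f "$SAMPLE_CONF"
```

If this is wrapped in PHP via shell_exec() as the thread's snippets do, the domain comes from user input and must go through escapeshellarg() before it is placed in the command line.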

In my mind, you should not be manually adding DNS, but should be doing so in the DNS manager. If there is a shortcoming in using the manager (other than its reliance on Bind) then perhaps we should bring it to the light of day and get it resolved.

I've never needed to do any manual editing of DNS, and I have a rather diverse group of clients using the server. My one fear is rather close to being realized, in that I'm about due for a second server, so I'm trying to grok a way to make things seamless and keep using ISPConfig.
#8 22nd August 2007, 04:34
Tommahawk (Member)

Either way the potential for the vulnerability exists, and the fix I will post does not impact adversely; it just warns the user with an error, something like "you should not create manual zone entries in named.conf", or creates the site but tags the site if no DNS entry is created. This is better than blindly restarting bind without a return value: DNS fails to restart and your hosting server goes offline. Think about it, the patch is an improvement.

Quote:
Originally Posted by mlz
In my mind, you should not be manually adding DNS, but should be doing so in the DNS manager. If there is a shortcoming in using the manager (other than its reliance on Bind) then perhaps we should bring it to the light of day and get it resolved.

I've never needed to do any manual editing of DNS, and I have a rather diverse group of clients using the server. My one fear is rather close to being realized, in that I'm about due for a second server, so I'm trying to grok a way to make things seamless and keep using ISPConfig.
-----------------------------------------------------------------------------------------
/home/admispconfig/ispconfig/lib/classes
ispconfig_isp_web.lib.php
Line Approx: 240 Function: web_insert()
Line Approx: 545 Function: web_update() //protects against resellers changing domains

////////////////////////////// Named.conf check for manual entries ////////////////////////

// Count 'zone "<web_domain>"' stanzas that appear after the manual-entries marker in named.conf
if (shell_exec('grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c "zone \"'.$web["web_domain"].'\""') > 0) {
    if($die_on_error){
        $go_api->errorMessage($go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt").$go_api->lng("weiter_link"));
    } else {
        return $go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt");
    }
}

//////////////////////////////////////////////////////////////////////

ispconfig_web.lib.php
Line Approx: 185 Function: web_add()
Line Approx: ### Function: web_update()

if (shell_exec('grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c "zone \"'.$web["web_domain"].'\""') > 0) $this->errorMessage .= "Parameter: web_domain is required.\r\n";


Only greps after //// MAKE MANUAL ENTRIES BELOW THIS LINE! ////.
Protects against 2 zones with the same name (1 manual / 1 ISPConfig generated), which causes bind to fail to restart.
The 10000 should be EOF. This may also be useful elsewhere in ISPConfig, such as two virtual hosts with the same name etc. Probably more effective in the insert DNS functions in both files.

#9 22nd August 2007, 10:06
till (Super Moderator)

I added this to the bugtracker as a possible todo list item. But your scripts do not prevent the addition of duplicate DNS records; you just prevent that someone adds a website where a DNS record already exists, as the functions you used are not called when you create a DNS record in the DNS manager.

Additionally, I manage many servers and never had to add a DNS zone manually, as the ISPConfig DNS Manager has everything you need in the daily work, as mlz pointed out. It seems as if you do not use the DNS manager and just use the DNS auto-create function of the website management part, which of course did not allow much fine tuning of the records.
#10 23rd August 2007, 07:30
Tommahawk (Member)

One would have manual entries if one did not or could not import websites when installing ISPConfig or has websites not required to be administered through ISPConfig.

The action I desire is to not have the website created if there is an identical zone name existing in named.conf, since the restart causes bind to fail. Where should my code be added so I can return false on such an incident?

I thought
ISPConfig_isp_web.php ->
function web_insert
function web_update

but the site seems to be still created? Any ideas? Thanks in advance.