A customer uses the following setup:
3 external dns servers setup to slave domains from a single unmanaged directadmin server.
In his /etc/resolv.conf he specifies the 3 his own external dns servers.
He uses his server to sell hostingaccounts to his own customers. His customers have hosting packages where they can add a number of domeins.
When a customer adds a domein, the zone will propagate to his dns servers.
Now user A has a website 'websiteA.com' doing curl call's to 'websiteB.com' which is hosted somewhere else.
Then there is user B who adds 'websiteB.com' to his account. The zone is created and propagates to the dns slaves. This only makes this websiteB.com resolvable by using his DNS slaves. This is no problem for external user because the fake 'websiteB.com' can not change name servers. But... as his own server does reference his own dns slaves, all calls to websiteB.com originating from his own server will end up at the fake website.
This could be solved by having the real websiteB.com only using SSL but websiteB.com is not managed by this customer. Another solution, though a little less secure is NOT using his own dns slaves in his /etc/resolv.conf. But this again is only part of the solution because it slows things down a lot when registering or transferring websites (you'll have to wait for a nameserver change before you can test the site using your own dns) and a dns call to the local nameserver for websiteB.com might cache the dns response anyway.
Any ideas on how to prevent these issues?
3 external dns servers setup to slave domains from a single unmanaged directadmin server.
In his /etc/resolv.conf he specifies the 3 his own external dns servers.
He uses his server to sell hostingaccounts to his own customers. His customers have hosting packages where they can add a number of domeins.
When a customer adds a domein, the zone will propagate to his dns servers.
Now user A has a website 'websiteA.com' doing curl call's to 'websiteB.com' which is hosted somewhere else.
Then there is user B who adds 'websiteB.com' to his account. The zone is created and propagates to the dns slaves. This only makes this websiteB.com resolvable by using his DNS slaves. This is no problem for external user because the fake 'websiteB.com' can not change name servers. But... as his own server does reference his own dns slaves, all calls to websiteB.com originating from his own server will end up at the fake website.
This could be solved by having the real websiteB.com only using SSL but websiteB.com is not managed by this customer. Another solution, though a little less secure is NOT using his own dns slaves in his /etc/resolv.conf. But this again is only part of the solution because it slows things down a lot when registering or transferring websites (you'll have to wait for a nameserver change before you can test the site using your own dns) and a dns call to the local nameserver for websiteB.com might cache the dns response anyway.
Any ideas on how to prevent these issues?
