Summary: use BIND views to run a caching-only (recursive) nameserver and an authoritative-only nameserver inside one named instance. The local host only ever talks to the caching-only nameserver.
These are the problems I'm trying to solve:
A: Your customer wants to host his main website with you, but does email hosting and DNS hosting himself (or outsourced to someone else).
Now what happens when you send mail to this customer, using the smtp server running on the same DA box?
Of course you're smart enough to untick the box "Use this server to handle my emails." under MX records in DA, because if you didn't, mail would be delivered locally and probably bounce.
The problem here is that you need to enter the value of the current MX record. What if your customer changes his MX records? Next time you send him an email (and you send your email through your own DA box), exim will try to deliver to the wrong IP! (and it'll probably bounce).
You might say: ask the customer to notify you when he changes DNS, so you can copy the records over. (doesn't that sound silly?). In any case, this doesn't work when he has both DNS and Email outsourced to another company.
B: There's also a security issue here. Suppose an evil customer adds a domain called gmail.com. DA writes that zone into the very same BIND your /etc/resolv.conf points at, so the next time you send a love letter to someone @gmail.com, Exim asks the local nameserver for the MX of gmail.com, gets the evil customer's records back, and delivers the mail to him.
Solution:
Some control panels ignore problem A (they assume if you host the website, you also host DNS), and for problem B, they just put a list of popular domains in the control panel against which they check when adding a new domain. Sure that works for yahoo, gmail and others, but not if someone selectively wants to play man-in-the-middle for a specific not-as-big-as-google customer.
The real solution(tm) is to make sure that /etc/resolv.conf points to a caching-only nameserver. A customer who adds a domain in the control panel should have no effect at all on this caching-only nameserver.
Luckily that's quite easy to achieve. Modify your /etc/bind/named.conf to reflect these changes (keep the "resolver" view first: BIND hands a query to the first view whose match-* clauses accept it):
Code:
// Queries that arrive on loopback *and* ask for recursion (RD bit set) land here.
// This view has no zones at all, so nothing a customer adds in DA can show up in it.
view "resolver" {
    match-clients { 127.0.0.0/8; };
    match-destinations { 127.0.0.0/8; };
    match-recursive-only yes;          // non-recursive queries fall through to "auth"
    recursion yes;                     // the default, stated explicitly
    allow-recursion { 127.0.0.0/8; };
};
// Everything else (the public IPs, and any query without RD) is served from the
// zones DA writes to named-da.conf, with recursion switched off.
view "auth" {
    recursion no;
    additional-from-auth no;           // both obsolete from BIND 9.12 on; drop them there
    additional-from-cache no;
    include "/etc/bind/named-da.conf";
};
Now change /usr/local/directadmin/conf/directadmin.conf:
Code:
namedconfig=/etc/bind/named-da.conf
(If you already have domains hosted, move their zone statements from named.conf into named-da.conf by hand. Once views are in use, every zone statement has to sit inside a view, so any default zones your distribution includes at the top level of named.conf, such as the root hints and the localhost zones, have to move into the "resolver" view as well, or named will refuse to start.)
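Once named is reloaded, it's worth proving that the split really routes queries the way the views intend: a recursive query to 127.0.0.1 for a hosted domain must come back from the resolver view (RA set, AA clear), the same query with the RD bit cleared must fall through to the auth view (AA set, RA clear), and a recursive query to the public IP must not be recursed at all. The probe below is an added example and not part of the original post or of DirectAdmin; it builds the DNS packets by hand with the standard library, and PUBLIC_IP, HOSTED and OUTSIDE are placeholders you replace with your box's public address, one zone from named-da.conf, and any domain you don't host.

```python
"""Probe a split-view BIND (recursive "resolver" view vs. authoritative "auth"
view) with hand-built DNS packets, so no extra library is needed.

Added example, not part of the original post.  Assumptions: named answers on
127.0.0.1 and on PUBLIC_IP, HOSTED is a zone listed in named-da.conf and
OUTSIDE is a name the box is not authoritative for (all three are placeholders).
"""
import random
import socket
import struct

PUBLIC_IP = "192.0.2.10"       # placeholder: the box's public address
HOSTED = "customer.example"    # placeholder: a zone DA wrote to named-da.conf
OUTSIDE = "example.com"        # placeholder: any zone not hosted here

QTYPE_MX = 15
QCLASS_IN = 1


def build_query(name, qtype=QTYPE_MX, rd=True, txid=None):
    """Serialise a one-question DNS query.  The RD bit decides which view
    answers: match-recursive-only only accepts queries that set it."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000          # RD = bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp):
    """Decode the header bits that reveal which view produced a response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "txid": txid,
        "aa": bool(flags & 0x0400),   # authoritative answer: came from a zone
        "ra": bool(flags & 0x0080),   # recursion available in the answering view
        "rcode": flags & 0x000F,      # 5 = REFUSED is what the auth view returns
        "answers": an,
    }


def which_view(hdr):
    """Classify a response by its AA/RA bits.  "mixed" is the bad case the
    split exists to prevent: a recursive view that also loads customer zones."""
    if hdr["ra"] and not hdr["aa"]:
        return "resolver"
    if hdr["aa"] and not hdr["ra"]:
        return "auth"
    if not hdr["aa"] and not hdr["ra"]:
        return "auth-no-data"   # REFUSED or a bare referral: no zone, no recursion
    return "mixed"


def probe(server, name, rd=True, timeout=2.0):
    """Send one UDP query to server:53 and return the parsed response header."""
    query = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("response txid does not match query")
    return hdr


# What a correctly split server should return for each probe.
EXPECTED = {
    ("127.0.0.1", HOSTED, True): "resolver",      # the resolv.conf path: no zone data
    ("127.0.0.1", HOSTED, False): "auth",         # RD clear: falls through to "auth"
    (PUBLIC_IP, OUTSIDE, True): "auth-no-data",   # the public side must not recurse
}


def check_split(expected=EXPECTED):
    """Run every probe in `expected`; return {probe: (observed view, passed)}."""
    report = {}
    for (server, name, rd), want in expected.items():
        try:
            got = which_view(probe(server, name, rd=rd))
        except (OSError, ValueError) as exc:     # timeouts are OSError too
            got = "error: %s" % exc
        report[(server, name, rd)] = (got, got == want)
    return report


if __name__ == "__main__":
    for (server, name, rd), (got, passed) in check_split().items():
        print("%-4s %-11s %-18s RD=%d -> %s" % (
            "ok" if passed else "FAIL", server, name, rd, got))
```

If the first probe reports "mixed" (AA and RA both set), the resolver view is still loading customer zones, which is exactly the gmail.com scenario from problem B; if it reports "auth", the query never reached the resolver view, usually because the view order is wrong or /etc/resolv.conf is not pointing at 127.0.0.1.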