Enable/disable services for specific users

ostendo (Verified User; joined Dec 6, 2006; 67 messages)
Hi all,

Could it be possible to enable/disable certain services for certain users? You can now allow/disallow FTP and SSH access for example, but one of my clients does not want to use my DNS-service, but prefers to use an external one.
That's fine of course, but I'd prefer that my named doesn't include that zone at all. (I now commented out the specific zone in /etc/named.conf)
Is it possible to integrate this into DirectAdmin? So that I can say "I want to have http and ftp for this domain, but don't configure named for this domain and don't configure Exim/Dovecot for this domain.."?

Bart
 
You shouldn't attempt to remove DNS for a domain from the server; DirectAdmin uses the presence of DNS for a domain to test whether or not the domain is hosted on the server.

You can remove access to services by creating your own skin, but in the case of DNS you can just remove DNS management at the admin level (for the reseller) or at the reseller level (for the user).

It shouldn't make any difference at all if zone files are on your server because you should NOT be using your local (on the same server) nameserver to host resolving DNS for the server. If you are, then you should probably get the IP#s of resolving DNS servers from your upstream and use them.

Jeff
 
You shouldn't attempt to remove DNS for a domain from the server; DirectAdmin uses the presence of DNS for a domain to test whether or not the domain is hosted on the server.

That sounds to me a little bit like it's the wrong way around. DA should use a smart way to test the presence of a domain on my server. If I, as a client of DA, want to not use DNS for a domain, that should be possible, right? And the most simple way at the moment is by commenting out the zone file in /etc/named.conf. The only problem is, at a full rewrite of the config files, it probably gets overwritten..

You can remove access to services by creating your own skin, but in the case of DNS you can just remove DNS management at the admin level (for the reseller) or at the reseller level (for the user).
If I want to disable it for all my users, yes, but I just want it deleted for one user and it doesn't have to be done by them, so creating (and updating time after time) a skin isn't worth the effort imo.. By the way: it doesn't solve my problem.

It shouldn't make any difference at all if zone files are on your server because you should NOT be using your local (on the same server) nameserver to host resolving DNS for the server. If you are, then you should probably get the IP#s of resolving DNS servers from your upstream and use them.

Jeff

Is that true? I should not have 127.0.0.1 in my /etc/resolv.conf? Why not? That is way faster than using an external DNS server for every DNS request I have to make.. (My /etc/resolv.conf consists of 2 upstream DNS servers and 127.0.0.1)
 
You should not use 127.0.0.1 in your /etc/resolv.conf file because you shouldn't be using your local server for both authoritative and caching DNS. Why not? Because it's dangerous.

While this post is about the djbdns nameserver, the points are quite valid for BIND as well.

Jeff
 
Hi all,

Could it be possible to enable/disable certain services for certain users? You can now allow/disallow FTP and SSH access for example, but one of my clients does not want to use my DNS-service, but prefers to use an external one.
That's fine of course, but I'd prefer that my named doesn't include that zone at all. (I now commented out the specific zone in /etc/named.conf)
Is it possible to integrate this into DirectAdmin? So that I can say "I want to have http and ftp for this domain, but don't configure named for this domain and don't configure Exim/Dovecot for this domain.."?

Bart

I've been asking for this feature for quite some time to no avail:
http://www.directadmin.com/forum/showthread.php?t=19907
http://www.directadmin.com/forum/showthread.php?t=16598

For us, managing hundreds of domains without being able to keep track of which domains actually use our DNS service has been a nightmare.
I guess there are not enough people feeling our pain just yet :)
 
You should not use 127.0.0.1 in your /etc/resolv.conf file because you shouldn't be using your local server for both authoritative and caching DNS. Why not? Because it's dangerous.

While this post is about the djbdns nameserver, the points are quite valid for BIND as well.
Actually, if you allow recursive DNS queries for the localhost only, it should be OK. I mean, it doesn't create any additional vulnerability: if the server is compromised, it doesn't matter, and if the server is not yet compromised, the attacker doesn't have access to the traffic on the localhost interface.

"Security and Reliability" concerns in the article you provided consider a different case where DNS cache service is offered to external users.
 
Well, yes and no.

For example, if your nameserver is ns1.example.net, and you allow recursive lookups ONLY for localhost (127.0.0.1), then as soon as you look up (again for example) www.earthlink.net from your own server, the IP# for www.earthlink.net will be in your DNS cache, and then any other server can get it from your nameserver. Try it.

Of course whether or not this is an issue will depend on how much you believe in security by obscurity.

I stand by my original point.

Jeff
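Jeff's cache-snooping point and the two ways out of it, shown as BIND named.conf fragments added here (not from the thread and not DirectAdmin's generated config). These are three alternative `options` stanzas to compare, not one file; ns1.example.net and www.earthlink.net are the thread's own example names.

```conf
// --- WEAK: what "recursion for localhost only" looked like on the BIND of the day ---
// Recursion is limited to 127.0.0.1, but the cache is not: once this host
// resolves www.earthlink.net, any client that passes allow-query can read
// the cached answer back with a non-recursive query.
options {
    recursion yes;
    allow-query     { any; };        // required: the public zones must answer everyone
    allow-recursion { 127.0.0.1; };
    // no allow-query-cache: before BIND 9.4 the directive did not exist and cached
    // data was served to anyone allowed by allow-query; from 9.4 on it defaults to
    // the allow-recursion list, so only an explicit "any" reopens the hole.
};

// --- FIX A: keep the local cache, but lock it to the loopback ---
options {
    recursion yes;
    allow-query       { any; };
    allow-recursion   { localhost; };
    allow-query-cache { localhost; };  // cached answers readable only from 127.0.0.1
};

// --- FIX B (Jeff's recommendation): authoritative only, no cache at all ---
// /etc/resolv.conf then lists the upstream resolvers and not 127.0.0.1.
options {
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };       // nothing is cached, so nothing can leak
};
```

To check your own server from an outside host, `dig +norecurse @ns1.example.net www.earthlink.net` returns the cached A record under the weak stanza and no cached answer under either fix.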
 