How do I set up proper NS & DNS construction and settings?

ContextGeek

Currently running a VPS with AlmaLinux + DirectAdmin. I want to know the following:

Can I install the DA on a domain (server.domain1.com) that serves as the foundation for all the domain services like wp install, ssl config, whmcs, etc. but use domain2.com as the public front from where I will sell services (using whmcs) and allow people access to DA as user on server.domain1.com, but send e-mails and other stuff from domain2.com or theirdomain.com?

How would this be configured in my NS, DNS info and SSH settings?

I have 4 IP addresses at my disposal and thought about creating ns1.domain2.com + ns2.domain2.com for my own products (hosted on several domains) and have ns11.domain2.com + ns22.domain2.com for the domains of clients.

Would this work in combination with the above server/DA setup idea? And how/where do I configure this in DA?

Any suggestions to create a similar setup that is better in regards to security and workflow are welcome.
 
Short answer. No. Or at least I most certainly wouldn't do it like that.

You have to use proper naming and examples when using examples.
Because server.domain1.com is not a domain, it's a FQDN hostname, you don't use hostnames for users, that's not a good practice.

If you mean that you can use server.domain1.com as hostname and for nameservers either ns1.server.domain1.com or (maybe better/easier) ns1.domain1.com then yes you can.

You can also use domain1.com to have WHMCS running and users can visit WHMCS and order their stuff and use theirdomain.com or whatever domain is wanted, for the customers.

A panel like DA (and others) is made so users can have their own domain like theirdomain.com and send e-mail and present their website from there.

> I have 4 IP addresses at my disposal and thought about creating ns1.domain2.com + ns2.domain2.com for my own products (hosted on several domains)
Yes, although domain1.com is already your admin domain, I would use ns1.domain1.com and ns2.domain1.com as nameservers but that's your own choice.
It's possible to create other nameservers for your clients, you just add the nameservers to your domain1.com or domain2.com and then set up ns11.domainX.com and ns12.domainX.com as nameservers in reseller level and all clients will get those nameservers when created.

If you post messages, take care you don't create such odd Facebook URL links.
 
Thanks Richard for explaining in depth and apologies for the odd fb links.
Not used to proper terminology as I am learning to DIY, but I see why it is good practice using them.

I was inspired by a web hoster company that has the following setup:

company.com = general website with info
my.company.com = order system and customer account + billing (here I want to use whmcs)
server.uniquename.com = where they host the DA with customer access
ns1.company.com + ns2.company.com = this is used as company.com domain hostname and for all e-mails of customers
ns1.uniquename.com + ns2.uniquename.com = the domain nameserver for all hosted domains of customers

Now if I understand your explanation correctly and using the above info:
- I could use server.uniquename.com to host DA
- have ns1.uniquename.com + ns2.uniquename.com as the domain nameservers for my clients that I can setup in the reseller area (using 2 unique ip addresses)
- have ns1.company.com + ns2.company.com as my company domain nameservers (using 2 other unique ip addresses)
- have company.com as main domain and my.company.com as whmcs customer area

I think this setup is not necessarily easy but I have the idea that it is beneficial security-wise and keeping a clear separation between company and customer.

Did I miss anything in regards to what you explained?
 
> my.company.com = order system and customer account + billing (here I want to use whmcs)
This is a subdomain; it is possible to do that.

> server.uniquename.com = where they host the DA with customer access
That is also possible if only used to access the DA interface. I was under the impression that you wanted users to be able to do all kind of stuff here. But just to be sure, this would be the main hostname. Normally you access this via https://server.uniquename.com:2222 but every client can also use his own domain for that like https://userdomain.com:2222 because that is default.
You can change it in the config so they will always get to https://server.uniquename.com:2222 for DA panel access.
There is also a way to proxy the :2222 behind the name, but that would need custom adjustments, which I don't know out of my head. I never use those.

> Did I miss anything in regards to what you explained?
I don't think so. Seems you got it correct.

As for security, in DirectAdmin an account has permission over all domains and subdomains present.
So domain.com and my.domain.com wouldn't make any difference security-wise.
However, you can also use domain.com and create my.domain.com (as domain name) under another reseller name. Then you would really have some permissions differences. But I don't know if that is really better or wise to do with WHMCS.

Maybe some other people here can tell you a bit more about how they use WHMCS with DA.
 
> I was under the impression that you wanted users to be able to do all kind of stuff here.
Honestly I want a setup where customers have little to no access to the DA. Due to our conversation and the idea I have for my service (managed WP), I am wondering if they even need access to DA. They would only need to access their website (WP). All other things like SSL certificates, DNS settings and other technical aspects will be arranged by me if not automated or serviced by a third party.

On the other hand I can imagine some customers wanting to have the ability to arrange these things themselves:

> but every client can also use his own domain for that like https://userdomain.com:2222 because that is default.
I didn't know this. That would also be a great alternative to giving clients access to the DA without giving them the main hostname. I'll ponder this option as well.

> There is also a way to proxy the :2222 behind the name, but that would need custom adjustments, which I don't know out of my head. I never use those.
The fact that I don't understand what this even means is a clear sign I shouldn't use it either and have some more homework to do.

> However, you can also use domain.com and create my.domain.com (as domain name) under another reseller name. Then you would really have some permissions differences. But I don't know if that is really better or wise to do with WHMCS.
I think that in my situation another reseller account wouldn't be useful, maybe if I had a support team and need better control over the permission settings per company user group, but for the WHMCS administration I'm not sure if it would bring any benefit. I will check the forum to see if there are any posts on DA + WHMCS.

> As for security, in Directadmin an account has permission over all domains and subdomains present.
With "an account" you mean the admin/reseller account(s)? A user (customer account) doesn't have access to all domains and subdomains that they haven't registered themselves, I hope?

Thanks for the help Richard!
 
> With "an account" you mean the admin/reseller account(s)?
With "an account" I mean any account. So yes. Also a user account. But no, they only have access to domains present in their own account.
However, always be sure that Default Open BaseDir for new domains as well as Default Safe Mode for new domains is set to on. It's in the php settings under Administrator somewhere in DA.
I think they are on by default, but it's best to always double-check.

They can't access domains which are not in their accounts.

> All other things like SSL certificates, DNS settings and other technical aspects will be arranged by me if not automated or serviced by a third party.
Yes well.. if you want to do it like this you just don't give them their passwords. :)
However, they might need access to DA to set up e-mail addresses and passwords or certain FTP access accounts for if they want webdevs to do work on their website or install custom themes or whatever.

You can just disable DNS access via the package and some other things can also be set so they can't access them. Most customers I have don't even bother using DA, only if they want a new mail address. As for the rest they know they can write me and I fix it for them.
As far as DA goes... not websites, I don't do design. ;)
 
> However, always be sure that Default Open BaseDir for new domains as well as Default Safe Mode for new domains is set to on. It's in the php settings under Administrator somewhere in DA.
Thanks for the heads up and I will make sure to check these settings.

> They can't access domains which are not in their accounts.
Needed this clarification. Thnx.

> Yes well.. if you want to do it like this you just don't give them their passwords. :)
Not sure if this would work in the reality of doing business.

> However, they might need access to DA to setup e-mail addresses and passwords or certain FTP access accounts for if they want webdevs to do work on their website or install custom themes or whatever.
I completely forgot about these basic needs of any website owner. I am thinking about managed WP as full service product where I do all these things for my customer, but even then a customer might need/want to be able to set up all things you point out.

> You can just disable DNS access via the package and some other things can also set so they can't access them.
I will check these settings per package to have a good balance in wants and needs, so they can have their password ;)

> As far as DA goes... not websites, I don't do design.
I have been creating wp websites for ages (not sure if I dare to call it designing), but setting up and managing DA as an admin is new for me. I just feel it is the next logical step in the service I want to offer.

Priority is laying a great foundation on which to grow.
 
> Not sure if this would work in the reality of doing business.
Most likely not, unless you give totally managed accounts. :D

> but even then a customer might need/want to be able to setup all things you point out.
Yes correct. And don't forget the fact that if they have access to wp-admin, they are always able to mess things up too. So it might be a good idea to provide them with a managed WP with some kind of maintenance subscription which they can take if they want your help if they mess things up. Or if they want you to make changes. Just an idea.

> I will check these settings per package to have a good balance
Not all things can be managed in a package. But if you encounter things you want to disable, there are other ways to do that. And now my memory leak is coming up again, and I forgot what it's called. Some kind of "never" or "no" options somewhere.... pfff.. memory error. Sorry... but we will find that back in the future if you need such option.

There are always several people here on the forum who can help with questions.
 
> So it might be a good idea to provide them with a managed WP with some kind of maintenance subscription which they can take if they want your help if they mess things up. Or if they want you to make changes. Just an idea.
That's a great idea that is in line with what I have in mind!

> But if you encounter things you want to disable, there are other ways to do that.
If things turn up that I need to have disabled I will check the forum and find a way.

> There are always several people here on the forum who can help with questions.
That's wonderful and I appreciate your help already!

Going to re-install the AlmaLinux + DA on my VPS with the previously mentioned setup. Looking forward to getting it up and running as desired.
 
> company.com = general website with info
> my.company.com = order system and customer account + billing (here I want to use whmcs)
> server.uniquename.com = where they host the DA with customer access
> ns1.company.com + ns2.company.com = this is used as company.com domain hostname and for all e-mails of customers
> ns1.uniquename.com + ns2.uniquename.com = the domain nameserver for all hosted domains of customers
Well, this setup didn't work as planned :(. I get a "DNS_PROBE_FINISHED_NXDOMAIN" error message on companyname.nl
and the server.uniquename.nl is still referring to the ip:2222 and browsing to the uniquename.com I get the landing page where I bought the vps.

I feel I have set everything correctly in the DNS of DirectAdmin and on the DNS of the VPS client area. Although I set the TTL to 1 minute, I probably need to wait 24 hours. DNS checker tools are showing 3 DNS servers that propagated globally, but the rest is not.

Is it really going to take 24 hours before I can figure out if something went wrong?
 
Nameservers always take around 4 hours to resolve here in the Netherlands and can take a bit longer worldwide.

Did you create a separate DNS entry in DNS administration being server.uniquename.nl too? I presume your uniquename.com domain itself is also residing on the server.
Or write me a PM in Dutch; since you're Dutch that may be easier, and then you can give real names so I can do better checks.
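
The question in the reply above (is there a DNS entry for the server hostname?) can be checked offline against a zone export before waiting on propagation. This is an added example, not part of the original thread: it parses a BIND-style zone and lists in-zone nameserver targets and required hostnames that have no address record. The zone contents, the 192.0.2.x addresses and the function names are constructed assumptions, and registrar-side delegation is not covered.

```python
# Constructed sample zone for the thread's placeholder name uniquename.nl
# (addresses are from the 192.0.2.0/24 documentation range).
SAMPLE_ZONE = """\
$ORIGIN uniquename.nl.
$TTL 3600
@    IN NS ns1.uniquename.nl.
@    IN NS ns2
@    IN A  192.0.2.10
ns1  IN A  192.0.2.11
www  IN A  192.0.2.10
"""


def absolute(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse one-line records that each carry an explicit owner name."""
    origin, records = "", []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()      # strip comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower()
        elif not fields[0].startswith("$"):         # skip $TTL and similar
            # Drop the optional TTL and class so rtype/rdata line up.
            rest = [f for f in fields[1:] if f.upper() != "IN" and not f.isdigit()]
            records.append((absolute(fields[0], origin), rest[0].upper(), rest[1]))
    return origin, records


def missing_addresses(zone_text, required_hosts=()):
    """Names that need an A/AAAA record in this zone but have none."""
    origin, records = parse_zone(zone_text)
    have = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    ns_targets = {absolute(rdata, origin) for _, rtype, rdata in records if rtype == "NS"}
    in_zone = {t for t in ns_targets if t == origin or t.endswith("." + origin)}
    needed = in_zone | {absolute(h, origin) for h in required_hosts}
    return sorted(needed - have)


if __name__ == "__main__":
    for name in missing_addresses(SAMPLE_ZONE, ["server"]):
        print("no address record for", name)
```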
 
I'll send you a PM.
 