Users create "not-their" subdomains - how to prevent it?

eSiK

There is one annoying thing in DA....

Users are able to create any subdomain they want (even if the main domain is not theirs)...

For example, my main domain is nuh.pl and one client has adresik.net.
When those domains are parked in DA, every DA user of my server is able to create subdomains of those domains! It is a bit silly in my opinion... What if someone doesn't want to share his subdomains with others? If he wants them only for himself?!?

Do you know maybe how to change it (fix it)? So all subdomains can be used only by their domain owners?!

I am looking forward to your responses :)

Best greetings,
eSiK
 
Bottom line is I don't think there's a way of preventing this.

It's a 'bug' in BIND rather than Direct Admin - BIND says it's a 'feature'

We run 'logwatch' that notifies us daily of any amendments to the zonefiles - and we check them on a daily basis.

Rob
 
I don't think so - it's been covered on the forums in a few threads over the last 18 months or so.

Rob
 
Yeah we had a long discussion about it but no input from the JBMC guys.

My opinion is that it should be stopped. I know it can be done as other panels do it. However some admins do not want to change it.
 
The way to stop it is to enforce rules as to who can create domains.

Some have suggested disallowing the creation of subdomains except by the user who owns the domain.

The problem is that one user may have several accounts on the server, for example, for multiple IP#s (or actually many other reasons, including sign-up software limitations). And of course then as soon as one user on your server created, for example, example.co.uk on your server no one else could create any domain ending in co.uk.

But I've already published my feelings on this problem on these forums, and the reasons why I believe there's no solution that will work.

I've also asked anyone else with an idea that would work to present the idea. I'm still waiting for a reply to that.

The right way to solve the problem is to enforce ns records as a requirement for DNS domain authority inheritance. That's the way DNS is supposed to work, that's the way BIND documentation says BIND works. However, it's NOT the way BIND works, and that's the problem.

Jeff
 
Thanks for your replies... I just thought that maybe in the near future this problem will be solved ;)

DA uses MySQL, right? In my opinion it should keep in its database (or even in a separate txt file) details about whose domain is whose and who has rights to them.

Or going even further... there should be a new option (control panel), which would allow/disallow specified users to use certain domains ;)

Don't you think so guys? :)

Kind regards.
 
jlasman said:
The problem is that one user may have several accounts on the server, for example, for multiple IP#s

[RANT]
I should not say it again but I am because this is a silly one to me. An account should be able to have as many IPs as I (as the admin) want to give it. I do not understand the one IP per account thing since an account can have more than one domain. [/RANT]
 
eSiK said:
Thanks for your replies... I just thought that maybe in the near future this problem will be solved ;)

DA uses MySQL, right? In my opinion it should keep in its database (or even in a separate txt file) details about whose domain is whose and who has rights to them.

One of the beautiful things about DA is it's not dependent on databases, which can become corrupt or which can go down.

Sure, but I've explained many times why it can't be done. If you know how it can be done while still giving each user the ability to do what he is rightfully allowed to do, please write it up. But don't just ask us to limit our customers so they can't (for example) create any example.co.uk type domains because it looks like a subdomain.

eSiK said:
Or going even further... there should be a new option (control panel), which would allow/disallow specified users to use certain domains

I look forward to your complete analysis of what should and shouldn't be allowed. I've tried and cannot. Lots of other admins through the years have tried and cannot.

And don't just say that CPanel does it right. Explain exactly what CPanel does, and how it works to limit what needs to be limited but no more.

Jeff
 
DamnSkippy said:
I should not say it again but I am because this is a silly one to me. An account should be able to have as many IPs as I (as the admin) want to give it. I do not understand the one IP per account thing since an account can have more than one domain.

You can say it all you want. And DA can add it for you, for everyone. But it doesn't change my original point; there are many other reasons why you might want to have different accounts for different subdomains. Requiring a user to put all subdomains of a main domain in the same account is an unreasonable limit. If you disagree explain how you can tell if example.co.uk is a subdomain or not (and not just for that example; while you're at it how can you tell if jeff.abandoned.us is a subdomain or not [it's not... abandoned.us sells domains under it]).

Jeff
 
The difficult part for me is that DA isn't in charge of what a domain extension is, e.g. .com, .net, or .co.uk. Many extensions have 2 parts, e.g. .co.uk. This is a problem because DA will have no way of knowing if domain.co.uk is a subdomain or not. Ignore the fact that it's obviously not a subdomain, but point being DA does not (and will not) keep a huge list of all possible domain extensions. So domain.co.uk is not a subdomain, but sub.domain.com is... what's the difference? They both have 2 dots; to DA, they're the same.

So, the problem is if DA prevents subdomain domain creation, then domain.co.uk will have zero way of being added... it's considered a subdomain to DA (if such a feature existed).

There is a file called /etc/virtual/domainowners that has a list of all domains and each domain's owner.
It is in theory possible to go through all domains in that file, and do a string comparison on the end of the attempted new domain.
E.g., domain.com is in /etc/virtual/domainowners.
domain.com is a substring of sub.domain.com. OK, fine, red flag there... However, say a smart user decided to add a domain called "co.uk"... yes, it's a valid domain under the usual checks. So now co.uk exists in /etc/virtual/domainowners BUT co.uk is a substring of domain.co.uk so it will not work.

As Jeff mentioned, there is no easy solution.

The only way is to create a huge listing of all possible domain extensions... but new ones get added so often it would become a very huge mess very quickly.

John
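
The ownership check discussed in this post, as an added example that is not part of the original thread and is not DirectAdmin code. It assumes `/etc/virtual/domainowners` holds `domain: owner` lines, uses constructed sample data, and a small constructed `PUBLIC_SUFFIXES` set stands in for a maintained suffix list; the function names are hypothetical. It compares whole labels, so `co.uk` appearing in the file does not block `domain.co.uk`, and it enforces the "same owner only" policy that some posters here consider too strict.

```python
# Constructed sample; the "domain: owner" line format of
# /etc/virtual/domainowners is assumed here.
SAMPLE_DOMAINOWNERS = """\
nuh.pl: esik
adresik.net: client1
co.uk: smartuser
abandoned.us: reseller
shop.adresik.net: mallory
example.co.uk: alice
"""

# Constructed, tiny stand-in for a maintained suffix list. "abandoned.us" is
# an admin-added entry for a parent that sells names beneath it.
PUBLIC_SUFFIXES = {"pl", "net", "com", "uk", "us", "co.uk", "abandoned.us"}


def parse_domainowners(text):
    """Map each domain to its owning account."""
    owners = {}
    for line in text.splitlines():
        domain, sep, user = line.partition(":")
        if sep and domain.strip():
            owners[domain.strip().lower().rstrip(".")] = user.strip()
    return owners


def owned_ancestor(domain, owners, suffixes=PUBLIC_SUFFIXES):
    """Return (parent, owner) of the closest registered parent zone, or None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # compare whole labels, never raw substrings
        parent = ".".join(labels[i:])
        if parent not in suffixes and parent in owners:
            return parent, owners[parent]
    return None


def may_create(domain, user, owners, suffixes=PUBLIC_SUFFIXES):
    """Allow a new domain unless it is a suffix or sits under another account's zone."""
    if domain.lower().rstrip(".") in suffixes:
        return False
    hit = owned_ancestor(domain, owners, suffixes)
    return hit is None or hit[1] == user


def audit(owners, suffixes=PUBLIC_SUFFIXES):
    """List existing (domain, user, parent, parent_owner) cross-account entries."""
    return [(d, u, *hit) for d, u in owners.items()
            if (hit := owned_ancestor(d, owners, suffixes)) and hit[1] != u]
```

Running `audit` over the real file gives the same kind of daily review as checking zone-file changes by hand, limited to entries whose parent zone belongs to a different account.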
 
jlasman said:
You can say it all you want. And DA can add it for you, for everyone. But it doesn't change my original point; there are many other reasons why you might want to have different accounts for different subdomains. Requiring a user to put all subdomains of a main domain in the same account is an unreasonable limit. If you disagree explain how you can tell if example.co.uk is a subdomain or not (and not just for that example; while you're at it how can you tell if jeff.abandoned.us is a subdomain or not [it's not... abandoned.us sells domains under it]).

Jeff

Sorry Jeff I must not have been clear. I was only addressing the one IP per account in what I said. I stated my opinion on the domains thing before. I think our opinion differs some on that but I agree that it is a hard one to "fix".
 
Hmm, since y'all keep a list of who owns a domain... Would it be possible to add a drop-down list of that account's domains when they go to add a subdomain?

But then again that would not work for everyone for reasons that have been pointed out. That means that it would have to be an option on the admin side to allow sub domains that are not in the current account. That would give the admin the ability to have it one way or the other.

As for some domains appearing to be a sub domain such as .co.uk. They would not be added as a sub domain so that check would not happen. That of course could get around the other check I guess.

Dang, don't you hate it when you type a bunch and it seems for naught ;)

I will go ahead and post, maybe it will spark an idea.
 
Hmm... so there is no possibility to add some kind of new DA option, where one will be able to decide which domain/subdomain will be shared and which not?
For example, when I change domain.net to "not-shared", then nobody (except the owner, where domain.net is parked) will have rights to create *.domain.net domains on their accounts?

I really do not know how it works on other administrator tools and if there even is that kind of option... so I can not say if it works or not...

What do you think about it?
 
If any other control panel has it then they have to limit subdomains to the same user who has the original domain. Not good for me; ymmv.

Jeff
 