DNS Cluster on individual VPS host

[MoreDakka]

Hello,

This pertains to the security of the DNS cluster.
Here is how we have our current hosting setup, it's pretty basic.

WHMCS controlling the creation and deletion of domains
3 cPanel/WHM webhosting servers
5 cPanel DNSOnly Cluster servers

When a client buys web hosting service all works prefect, WHMCS tells WHM to create the account, client accesses the account, the domain they have selected/created is added to our DNSOnly Cluster. All is well with that.

However, we are starting to get into the VPS hosting side with cPanel/WHM. The clients would have root access to the system so they can install their custom software. I've been asked to see if we can have our VPS clients access the DNSOnly cluster with their WHM so they don't have to access two different systems. Is there a safe way to allow the VPS hosted cPanel/WHM to access out 5 DNSOnly servers? My worry is accidental or not creating a domain on their server that already exists on our cluster, overwriting the DNS records, or even something worse.

Is this a safe play or should we just create a DNS plan for our VPS clients and they need to access through our WHMCS/cPanel/WHM ?

THanks!

 

[ResellerWiz]

Your best bet would be to create new DNSOnly servers specifically for those clients.

 

[cPRex]

Hey there! This is a great question, and a unique scenario.

If the domain already existed in the cluster I wouldn't expect the account creation to work at all since that would cause a conflict cPanel can detect. There is a key setup between the web server and cluster, and the server owner would also have the option to disconnect from the cluster at any time. That would be the most dangerous scenario in my mind, since they could accidentally kill the entire cluster setup if they aren't aware how that is configured.

I would think the safest option would be to create a DNS cluster just for those users, and then make them aware they should not disable it.

 

[MoreDakka]

Is there a suggested method if we want to only use our 5 NS servers?
We have resellers that we want to upgrade to VPS hosting who have 30-50 domains which would be a very large pain to migrate all of the NS records to new NS servers. We've run into that before migrating between platforms and sometimes that can take years to get some clients to make such a simple change.
So, give root access without giving root access to WHM. Or password protect the DNS Clustering area or something like that?

 

[cPRex]

There really isn't a way to do that. You'd just have to instruct them not to change anything in the WHM >> DNS Cluster area.

 

[cPRex]

I suppose you could technically create a reseller account that has nearly all privileges on the server except the cluster functions - they would then access WHM as that user instead of root, and they'd still be able to do everything else on the machine.

 

[MoreDakka]

Thanks Rex, we'll try that route as it seems to be the safest pass.