Delete Site + DNS

Discussion in 'General' started by Tommahawk, Aug 18, 2007.

  1. Tommahawk

    Tommahawk New Member

    I find that deleting a site does not delete the DNS entry associated with the site.

    Is this a bug:
    Duplicate zone name. If two zones have the same name (named.conf) it causes DNS restart to fail and creates downtime.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the intended behaviour. If you delete a website, you do not necessarily want to delete a DNS zone, as this DNS zone might be used for email on other servers, subdomains on other servers, etc.

    Did you add the zones via the ISPConfig interface or remoting?
     
  3. Tommahawk

    Tommahawk New Member

    Possibly the issues are like this.

    1) If manual entries exist in named.conf they can be duplicated and cause the named server to fail to restart due to the duplication. (I suggest you analyze these for yourself)

    2) A reseller is created; he is then able to create websites with the same zone name as manually added zones in named.conf, via the ISPConfig UI and as a remoting user.

    3) A public remoting web script that allows users to add websites if the domain matches a manually added zone name in named.conf.

    4) If the zone is manually added and a new site subdomain with the same zone name is created via a remoting script.

    The question I see is: should the function that checks for duplicate sites in named.conf be extended to include manually added entries, and possibly should subdomain zone names have the subdomain appended to them? If a server has manual entries and allows resellers, I can DoS (denial of service) that server.

    ISPConfig does check for duplication with entries it creates. In what file is the code that does the checking situated? Possibly the easiest solution is to grep named.conf for the domain name before adding, or better, a regular expression.
     
    Last edited: Aug 20, 2007
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No manually created zones should exist. This is a prerequisite for ISPConfig.

    If you want to change the ISPConfig libraries, have a look at the directory /root/ispconfig/scripts/lib/classes/, there you will find the bind configuration class.
     
  5. Tommahawk

    Tommahawk New Member

    Possible Files:

    /home/admispconfig/ispconfig/lib/classes
    ispconfig_isp_web.lib.php
    Line Approx: 239 Function: web_insert()
    Line Approx: 545 Function: web_update() //protects against resellers

    ispconfig_web.lib.php
    Line Approx: 185 Function: web_insert()


    ==========================
    For ispconfig_isp_web.lib.php - web_insert() & web_update()

    ////////////////////////////// Named.conf check for manual entries ////////////////////////

    // Count 'zone "<domain>"' lines that appear after the manual-entries marker in named.conf.
    // The domain is passed through escapeshellarg() so it cannot break out of the shell command.
    $zone_pattern = escapeshellarg('zone "'.$web["web_domain"].'"');
    if (shell_exec('grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c '.$zone_pattern) > 0) {
        if ($die_on_error) {
            $go_api->errorMessage($go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt").$go_api->lng("weiter_link"));
        } else {
            return $go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt");
        }
    }

    //////////////////////////////////////////////////////////////////////

    Only greps after //// MAKE MANUAL ENTRIES BELOW THIS LINE! ////. A custom error message should be created warning the user that a DNS entry has not been made due to a zone match with the same name created manually, instead of DoSing named. The 10000 should be an EOF equivalent.


    For ispconfig_web.lib.php

    // Count matching zone lines in the whole named.conf; the domain is shell-escaped,
    // and any count above zero (not only exactly 1) means the zone already exists.
    $zone_pattern = escapeshellarg('zone "'.$params["web_domain"].'"');
    if (shell_exec('grep -c '.$zone_pattern.' /etc/named.conf') > 0) $this->errorMessage .= "Parameter: web_domain is required.\r\n";
     
    Last edited: Aug 22, 2007
  6. Tommahawk

    Tommahawk New Member

    The above will grep named.conf ->
    1) when creating a new site
    2) with remoting framework.

    It will not guard against resellers and admins changing a site because it must differentiate between ISPConfig created entries and manually created entries. Perhaps a unix guru could formulate a command to cat lines past "Add manual entries" then pipe the output to grep or similar.

    You ought to think about creating a custom error against this potential security hole. Even just to safeguard against a possible DNS DoS.


    Worked it out: returns a positive non-zero count or 0 (true or false). Except it needs EOF instead of 10000.

    grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c "zone \"'.$params["web_domain"].'\""

    You should then be able to notify the user of a possible vulnerability or even tag entries in ISPConfig that do not have a DNS record due to this case.
     
    Last edited: Aug 22, 2007
  7. mlz

    mlz Member

    In my mind, you should not be manually adding DNS, but should be doing so in the DNS manager. If there is a shortcoming in using the manager (other than its reliance on Bind) then perhaps we should bring it to the light of day and get it resolved.

    I've never needed to do any manual editing of DNS, and I have a rather diverse group of clients using the server. My one fear is rather close to being realized, in that I'm about due for a second server, so I'm trying to grok a way to make things seamless and keep using ISPConfig.
     
  8. Tommahawk

    Tommahawk New Member

    Either way, the potential for the vulnerability exists, and the fix I will post does not impact adversely; it just warns the user with an error, something like "you should not create manual zone entries in named.conf", or creates the site but tags the site if no DNS entry is created. This is better than blindly restarting bind without a return value: DNS fails to restart and your hosting server goes offline. Think about it, the patch is an improvement.

    -----------------------------------------------------------------------------------------
    /home/admispconfig/ispconfig/lib/classes
    ispconfig_isp_web.lib.php
    Line Approx: 240 Function: web_insert()
    Line Approx: 545 Function: web_update() //protects against resellers changing domains

    ////////////////////////////// Named.conf check for manual entries ////////////////////////

    // Count 'zone "<domain>"' lines that appear after the manual-entries marker in named.conf.
    // The domain is passed through escapeshellarg() so it cannot break out of the shell command.
    $zone_pattern = escapeshellarg('zone "'.$web["web_domain"].'"');
    if (shell_exec('grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c '.$zone_pattern) > 0) {
        if ($die_on_error) {
            $go_api->errorMessage($go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt").$go_api->lng("weiter_link"));
        } else {
            return $go_api->lng("error_web_doppelt")." ".$web["web_domain"]." ".$go_api->lng("angelegt");
        }
    }

    //////////////////////////////////////////////////////////////////////

    ispconfig_web.lib.php
    Line Approx: 185 Function: web_add()
    Line Approx: ### Function: web_update()

    // Same check for the remoting library; the domain is shell-escaped before it reaches grep.
    $zone_pattern = escapeshellarg('zone "'.$web["web_domain"].'"');
    if (shell_exec('grep -A 10000 "//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////" /etc/named.conf | grep -c '.$zone_pattern) > 0) $this->errorMessage .= "Parameter: web_domain is required.\r\n";


    Only greps after //// MAKE MANUAL ENTRIES BELOW THIS LINE! ////.
    Protects against 2 zones with the same name (1 manual / 1 ISPConfig generated), which causes bind to fail to restart.
    The 10000 should be EOF. This may also be useful elsewhere in ISPConfig, such as two virtual hosts with the same name etc. Probably more effective in the insert DNS functions in both files.
     
    Last edited: Aug 22, 2007
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    I added this to the bugtracker as a possible todo list item. But your scripts do not prevent the addition of duplicate DNS records; you just prevent someone from adding a website where a DNS record already exists, as the functions you used are not called when you create a DNS record in the DNS manager.

    Additionally, I manage many servers and never had to add a DNS zone manually, as the ISPConfig DNS-Manager has everything you need in the daily work, as mlz pointed out. It seems that you do not use the DNS manager and just use the DNS auto-create function of the website management part, which of course does not allow much fine tuning of the records.
     
  10. Tommahawk

    Tommahawk New Member

    One would have manual entries if one did not or could not import websites when installing ISPConfig, or has websites not required to be administered through ISPConfig.

    The action I desire is to not have the website created if there is an identical zone name existing in named.conf, as the restart causes bind to fail. Where should my code be added so I can return false on such an incident?

    I thought
    ISPConfig_isp_web.php ->
    function web_insert
    function web_update

    but the site seems to be still created? Any ideas? Thanks in advance.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    It seems that you mix up the DNS Manager and ISP Manager parts. Both parts are independent.

    You can easily have the DNS records in ISPConfig for websites that are not created or managed in ISPConfig.

    Maybe you should have a look first at the existing functions, as they offer everything that is needed, before you want to change them.

    You mix up websites and dns. Websites are created in apache and only in apache and dns records are created only in bind.

    The library of the dns manager is named isp_isp_dns.
     
  12. Tommahawk

    Tommahawk New Member

    What does

    //// MAKE MANUAL ENTRIES BELOW THIS LINE! ////

    in named.conf mean?
    It means create manually added zones after this line. I don't want ISPConfig sending my production server offline, which is what happened last week. I want ISPConfig to check named.conf for an existing zone name before restarting. Some servers have a mock start to check if the config files are OK. Don't act like I do not know what I am doing; I have a Ph.D. in Information Technology, and at least I try to solve the issue. You can't assume the success of a function in programming; you need return values.

    I hope someone will know where I can place my code and return false and abort creation of the website to the user if an identical zone name is found in named.conf, that is all I need to know then I can move on.
     
    Last edited: Aug 24, 2007
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You can do this, but you should not do this! It looks as if you have not read my post above. But you can also unplug the power cable of your server even if you should not do this while the server is running.

    It is not recommended to have any manual entries in the named.conf, even if you might be able to create some. I told you this already twice.

    Solution:

    Delete all the manual entries you made in named.conf and recreate them in the ISPConfig DNS manager. As you should have read during the ISPConfig install, ISPConfig should always be installed on an empty system. If you don't follow the warnings and refuse to read what is posted here in the thread, I can not help you.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_web.lib.php

    in the insert and update functions. Be aware that the record in the database is already created when the functions are called, so you will have to delete the record and the corresponding isp_nodes record if you want to prevent the creation of the site.

    /home/admispconfig/ispconfig/lib/classes/ispconfig_isp_dns.lib.php

    In the insert and update functions, to prevent the creation of DNS records through the DNS manager.
     