Is it possible to restrict direct access to a Secondary DNS server?

SYSTEM INFORMATION
OS type and version AlmaLinux 9.3
Webmin version 2.105
Virtualmin version 7.10.0

I would like to offer slave secondary DNS servers for my VPS clients. I understand there is no reason why multiple masters can’t access the same slaves as long as there are no zone conflicts. However, how can I restrict direct access to the Webmin panel by the VPS clients. By default they can log into the associated servers via Webmin > Webmin Servers Index.

I understand I could put the access to Port 10000 in a trusted zone on the slaves. I was just wondering if there’s a better or more elegant way.

I don’t think there’s a safe way to do that with Webmin, unfortunately. Because the master has to be managed by the user, and the master has to be able to log in to the slaves to create new zones automatically, and Webmin doesn’t have ACL support in the remote APIs, I think the masters will have root support on the slave, which isn’t reasonable for an untrusted user, like a hosting customer.

But, it’s a very reasonable thing to do. I think the lack of ACLs in APIs is one of the bigger pain points for larger scale hosting with Virtualmin. If I ever have more free time, I’d like to address some of that, somehow, at least for the most common things one would want to safely delegate via the API.

That said, Cloudmin Pro can currently solve this problem (in a different way, by not hosting the master on the Virtualmin servers, as with cloud DNS providers). Cloudmin Pro can provide DNS services to Virtualmin, and in that case DNS wouldn’t be hosted on the Virtualmin server but the user could manage the records on the remote DNS servers via the Cloudmin Services connection. (But, Cloudmin is also pretty neglected at the moment, I’m in the middle of updating the installer to support newer distros and simplify things.)

Hi Joe. This is very interesting. Setting aside the security issues, one of the things that seems to be missing from Webmin is the ability to automatically setup/register servers via script during installation, then set them up as Cluster Slave Servers. Can this be accomplished in conjunction with Cloudmin Pro?

Kind of, but it’s done differently with Cloudmin Pro. Virtualmin doesn’t have admin access to any DNS server when using Cloudmin Services (a feature of Cloudmin Pro). There is no master DNS server on the Virtualmin server, it outsources all DNS to Cloudmin. The user can still manage their records (as with Virtualmin), but the connection is not a Webmin root connection as happens when setup in Webmin Servers Index.

What I mean is, you can accomplish your goal, but the way you describe it isn’t what happens with Cloudmin Services; it isn’t setting up Cluster Slave Servers in Webmin. It just manages all zones and Virtualmin can ask for new zones and records to be created (again, in a similar manner to cloud name servers, where you obviously don’t have root access to the Google or Amazon or whatever DNS servers).

Well, I assume you still have to configure the external cloud dns servers somehow, right? How else would Virtualmin ask for new zone and records to be created? it would be nice if that connection could be setup for the client automatically during the install/setup process.

You do that on the Cloudmin server.

I just explained it. Virtualmin makes API requests (via Cloudmin’s API, which is not a root-level API) to create zones and records.

As I said, it is not the same as Webmin’s slave DNS feature when seen from the perspective of Virtualmin. It is the same from the perspective of the Cloudmin server, but your Virtualmin users do not have root access on the Cloudmin server.

The Cloudmin docs seem to have gone missing during the new website migration Ilia just did, but the old ones for the Services feature are here: Cloudmin Services | Virtualmin

Joe, thank you for the additional info and link.

Maybe I just need to see it in action and it will all make sense. I guess I’m confused about the part where you said that Virtualmin makes the API requests. I assume this is Virtualmin on the Client System (the client’s VPS).

My understanding from what I read, is that the Cloudmin server (ie. Master System) sits between the Client System and the Host System, and the Client System still needs to be “setup to connect to the services API with the login and password of a Cloudmin system owner.”

I assume there will be some setting where you put the URL of the Cloudmin server, and the credentials to make the connection. Is my assumption incorrect? Again, I haven’t seen the interface.

I decided to purchase a license for Cloudmin Pro so I could see what this in action but I forgot you mentioned you were working on updating the installer to support new distros. Hopefully you’ll be supporting AlmaLinux 9 soon. In the meantime I’ll check it out with a Centos 7 installation.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.