Safe way to safely host someone's DNS using Webmin

I was looking at the interface. To me the logical path seemed to add a server and add a user with access to the DNS module. The problem is they get full access to the module. So, what would be the best way to do this?

I do it via webmin clustering but this may not suit all. The people I help with webmin (dns and other things) are happy to add their servers to my cluster, which makes dns easy along with some maintenance tasks that they don’t understand or don’t want to understand.

I want to allow zone transfers, period. Either in or out.

You can’t do that. Webmin clustering always grants a dangerous amount of access in one direction or the other.

You can create a secondary (slave) zone manually, and as long as the primary (master) has granted transfer privileges and is notifying the secondary, the secondary will stay in sync.

There probably are tools for managing that kind of relationship with a lower level of trust, but I don’t know what they are.

Also, beware that this is a pretty big security risk, even without granting the user any Webmin access. There is no requirement that a secondary remain a secondary, and with DNS, all sorts of MITM attacks become trivial. Also, spam. SPF, DMARC, and DKIM rely on DNS and can be compromised by control of DNS.

I like the community spirit behind the “let’s share DNS” idea, but I can’t recommend it. It’s very dangerous. You have to protect your DNS as though all other services depend on it, because they do.
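As an added example, not from anyone in this thread, the following BIND 9 `named.conf` fragments show what the manual primary/secondary arrangement described above looks like when transfers are limited to one trusted secondary and signed with a TSIG key. The zone name, addresses, key name and secret are constructed placeholders; the weak `allow-transfer { any; }` setting is shown commented out beside the restricted form.

```conf
# Added example, not from the thread. BIND 9.16+ syntax (older releases use
# "type master", "type slave" and "masters" instead of the names below).
# All names, addresses and the key secret are constructed placeholders.

# ---------- Primary (master) server ----------

# Weak setting: any host on the Internet can pull the whole zone.
# zone "example.test" {
#     type primary;
#     file "/var/named/example.test.zone";
#     allow-transfer { any; };
# };

# Restricted setting: transfers only for requests signed with the shared key,
# and NOTIFY sent explicitly to the one secondary we chose.
key "xfer-example-test" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";   # placeholder
};

zone "example.test" {
    type primary;
    file "/var/named/example.test.zone";
    allow-transfer { key "xfer-example-test"; };   # key-based, not IP-based
    also-notify { 192.0.2.53; };                   # the secondary (constructed)
    notify explicit;                               # notify only the also-notify list
};

# ---------- Secondary (slave) server ----------

key "xfer-example-test" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-tsig-keygen";   # same secret as above
};

# Sign every request sent to the primary with the shared key.
server 198.51.100.1 {                              # the primary (constructed)
    keys { "xfer-example-test"; };
};

zone "example.test" {
    type secondary;
    file "/var/named/secondaries/example.test.zone";
    primaries { 198.51.100.1 key "xfer-example-test"; };
    allow-transfer { none; };                      # do not re-serve the zone data onward
};
```

Generate the secret with `tsig-keygen xfer-example-test` and check both files with `named-checkconf` before reloading. Note what this does and does not buy you: it stops third parties from pulling the zone and lets the primary refuse anything but the one signed secondary, but it does nothing about the risk raised in the post above, since the operator of the secondary can still edit the copy they serve or turn it into a primary of their own.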

This is something the company I was originally with did. I guess those were simpler times. So, rent a $3.50 per month instance from Amazon and sleep well? :wink:

Or pay $1/month per zone for Route 53 and manage it in Amazon’s cloud DNS infrastructure. It’s impossible to beat for performance and distribution, and Virtualmin can manage zones in Route 53 (I’m pretty sure Route 53 is the only cloud DNS option in GPL, Pro also has Google Cloud DNS and…maybe a couple others?).

But, yeah, you shouldn’t really trust DNS to randos, even randos we like here on the forum. We considered launching a DNS hosting service (to be automatically managed by Virtualmin) a decade or more back, but then all the cloud providers were doing it, and registrars started adding APIs, and we just went that direction. We can’t offer the kind of service Route 53 offers for $1/month per zone. You have to implement anycast to do it well, and we don’t have that kind of capital or infrastructure. We could maybe make it simpler for Virtualmin users, but not a lot simpler.

