Paper Lantern for cPanel accounts is being retired this year. Find out more »
cPanel & WHM Version 102 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

DNS Cluster: setup reverse trust from CLI or API

5GN Support shared this idea 10 months ago
Not Planned

As a System Administrator, I would like to have the ability to enable DNS reverse trust from CLI or API, so that allows me to fully automate cPanel servers deployments without any manual steps.

In our setup, this is the only outstanding manual step we have to perform on each newly deployed cPanel server.

Replies (4)


This was also an issue for me.

With many WHM servers and DNSONLY servers inside a VPC upgrading the fleet is very tedious b/c Reverse Trust cannot be established with the DNSONLY machines.

This is b/c when WHM requests the reverse relationship, it sends its private IP address to the DNSONLY machine - which will not work b/c the DNSONLY machine cannot communicate with the WHM server over private IP.

This is an oversight in cPanel functionality as it should not be using private IP addresses to establish this connection. It should always use Public IP addresses to allow NAT setups to work.

I spent a while on this and here's what I found.

There is an official cPanel Case (CPANEL-36284) and article for a manual fix. However this is not ideal and I needed to automate and rely on a solution going forward.

I ended up using a iptables rule that would let you direct the traffic from private to public:

iptables -t nat -A OUTPUT -p tcp -d $private --dport 2087 -j DNAT --to-destination $public
You would replace $private with the private IP and $public with the Public IP address.



Going to mark this not planned as it's not on our current roadmap. We will update this in the future when we have more information on when it will be roadmapped.

Dustin Scherer (he/him) | Product Owner | @dustinscherer


As of now, creating the DNS cluster connection will not work without this step. I wouldn't say this is a feature... more like a regression.


Yep, it also appears that we aren't able to edit the failure threshold settings or I presume re-enable the nameservers without logging into WHM on each server.

Leave a Comment
Attach a file