Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
Is it possible to create a subdomain with a different system user than the subscription?
By default, all subdomains and domains under the same subscription share the same system user and main directory.
Answer
Yes, it's possible. Instead of creating the subdomain under an existing domain in Plesk, create a new, separate subscription that uses the subdomain name:
- Go to Subscriptions > Create New Subscription.
- Specify a subdomain name as the name of the new subscription. For example:
- Click OK.
Note: after creating the subdomain as a subscription, the name one.example.com must be registered on the registrar side.
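A quick way to confirm the result on a Plesk for Linux server, as an added example that is not part of the original article: the script compares the owning system user of two site directories and also flags directories that grant permissions to other users. The function names are illustrative, and the paths in the usage comment assume Plesk's default vhosts root, /var/www/vhosts.

```shell
#!/bin/sh
# Added example: confirm two site directories are isolated by system user.
# The directories are passed as arguments; the usage line below assumes
# Plesk's default Linux vhosts root (an assumption, not stated on the page).

# Print the owning user name of a path (GNU stat, as shipped on Linux).
owner_of() { stat -c '%U' "$1"; }

# Succeed if "other" users hold any permission bit on the path,
# i.e. the last octal digit of the mode is not 0.
other_can_access() {
    case $(stat -c '%a' "$1") in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# check_isolation DIR_A DIR_B
# returns 0 = isolated, 1 = shared owner, 2 = open to others, 3 = missing dir
check_isolation() {
    a=$1; b=$2
    for d in "$a" "$b"; do
        [ -d "$d" ] || { echo "missing: $d" >&2; return 3; }
    done
    ua=$(owner_of "$a"); ub=$(owner_of "$b")
    if [ "$ua" = "$ub" ]; then
        echo "SHARED: $a and $b are both owned by $ua"
        return 1
    fi
    for d in "$a" "$b"; do
        if other_can_access "$d"; then
            echo "OPEN: $d grants permissions to other users"
            return 2
        fi
    done
    echo "ISOLATED: $a ($ua) / $b ($ub)"
    return 0
}

# Usage when run directly with two arguments:
#   sh check_isolation.sh /var/www/vhosts/example.com /var/www/vhosts/one.example.com
if [ "$#" -eq 2 ]; then
    check_isolation "$1" "$2"
fi
```

A subdomain created inside the same subscription is expected to report SHARED; one created as its own subscription should report ISOLATED.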
Comments
Hi Julian,
Is there any benefit in terms of security to have a subdomain in a different subscription?
I am asking this because I was wondering: if a website gets hacked, would the hacker be able to access the subdomain if it is created inside the same subscription rather than in a different one?
Regards,
Jorge
Hello @Jorge,
In case of using separate subscriptions, each domain will have its own system user. In one subscription there's the same system user for all subdomains.
As a result, if all subdomains are in the same subscription, gaining access to the subscription user will provide access to all subdomains, which may be considered less secure.
However, the common practice is to have subdomains in the same subscription.
The following steps are usually sufficient:
https://support.plesk.com/hc/en-us/articles/115000626925-How-to-secure-a-Plesk-server
Well, this article is lacking two pieces of information:
- This way of adding a subdomain counts as a domain addition regarding your Plesk license.
- You need to manually disable the subdomain's DNS zone, then add the subdomain to your domain's DNS zone.
@Robin Labadie I agree with the first point, it should be noted. Regarding the second one: it is not required, the separate zone file will be created in BIND. Just check it, it is fully resolvable.
Lev Iurev
I've just tested again and I think I've found the reason why it doesn't work in some cases. Upon testing, DNS resolution was working from a server but not another.
It's because my domain has DNSSEC enabled (classic method, within Plesk and my registrar), and this method breaks DNSSEC for the said subdomain. Therefore, client DNS servers (the ones used to query) that verify DNSSEC keys will show a failure, and others will just work normally.
So it could be noted that if this method is applied on a domain that uses DNSSEC, it is still required to disable the newly created (sub)domain's DNS zone and manually add the corresponding to the main DNS zone. :)