11

I've never understood what happens behind the scenes when I go to my registrar and enter in my name server's information.

Can someone elaborate on what happens when an update is made, and how it is consistently applied to the Whois result?

  • How secure is this process?
  • Can any registrar update my name server's root?
  • What security provisions are in place?
AviD
  • 72,138
  • 22
  • 136
  • 218
makerofthings7
  • 50,090
  • 54
  • 250
  • 536

2 Answers2

8

Your registrar has the right to manage a subzone of the DNS namespace. For ccTLDs (country-code top level domain, for example .us) this is mostly one, for gTLDS (global TLDs like .com) there are multiple.

If you tell your registrar your own DNS, the registrar will define a new subzone for the domain, and delegate the DNS resolution. Everytime the information in the DNS is updated, it polls the DNS above it that the information has changed. This will mostly be the registrars DNS. The registrar in turn will forward this information to the different root DNSs.

Now to your questions:

  • How secure is this process?

This process isn't very secure, since the system wasn't designed with security in mind. It basically trusts that whatever information it is given is correct. So if a rogue registrar wants to take over a domain, it just has to make sure the root servers have the bogus information and not the correct one. This information can easily be spoofed. Normally a registrar should check for this, and only update records for their own subzone.

Even worse are the responses, since, when the root server receives information, every DNS accepts every answer they get. Which means it isn't that hard to redirect, for example, Google to a bogus IP. This is why DNSSEC was invented, so responses can be cryptographically signed.

  • Can any registrar update my name server's root?

Do you mean that any registrar can pretend to be your DNSs master server? Every DNS should be able to poll data from your DNS, but that shouldn't be a problem (minus the spoofing mentioned above).

  • What security provisions are in place?

Trust, if you can call that a security provision. :) If you don't believe in trust, the rollout of DNSSEC is currently underway. It doesn't solve all problems DNS has, but at least a few. It mainly allows DNS responses to be signed, so it isn't that easy anymore to spoof the corresponding IP. It is, as far as I'm aware, still possible to poison the cache of the individual DNSs.

Andreas Arnold
  • 2,353
  • 19
  • 19
  • 2
    Lots of points plainly wrong here (both-answer and the question itself). Rogue registrar can NOT take over domain. Root servers have nothing to do with registrars at all. Whois have nothing to do with DNS servers at all. With DNSSEC it's not possible to poison cache. – Sandman4 Jun 24 '12 at 12:07
1

It depends on the registrar. Each offers a custom API, and the documentation for it is usually behind a login page for resellers.

So really the answer to how secure it is and what provisions are in place is "It depends". However only the registrar that controls the domain can update the root name servers.

blowdart
  • 859
  • 4
  • 5