
I'm trying to understand how DNS works and there is something I cannot understand. Let's say I buy the domain example.com and want to use amazingdns as my name server. So in the name registrar I configure the corresponding name servers, let's say ns1.amazingdns.com and ns2.amazingdns.com. Then I configure in amazingdns the A record for example.com, and everything is working.

So, I don't understand why another person couldn't enter amazingdns and create another A record also for example.com. I don't understand why it wouldn't work. Where is the "connection" that says that example.com is my domain?

Pedro Brost
  • "So, I don't understand why another person couldn't enter in amazingdns and create another record A also for example.com" If your DNS provider does not do proper user management and authentication and authorization checks, then, yes, technically, as it controls the content of your zone it can put whatever it wants here. There is nothing specific to DNS here: you offload some management to a third party and hence you are at its mercy for correct management. Bad things can happen as well because of bugs, incompetence, social engineering attacks, etc. – Patrick Mevzek Jun 04 '20 at 17:07

2 Answers


Your DNS provider (amazingdns.com) should not, ever, allow two users to create the same zone in their system.

Go ahead and try it, I guarantee it will tell you that the zone name is already in use.

If you find a DNS provider that does allow you to create a zone that someone else has already created, find a new DNS provider for yourself.

Mark Henderson
  • Are you saying that amazingdns.com will allow you to create records for domains owned by other amazingdns clients and enter them in the same nameservers handling your zone? If so, don't use them. Only people related to/authorised by the domain owner should be able to modify a zone. – davidgo Jun 04 '20 at 02:58
  • Ok nice, I now understand how the DNS provider cannot allow defining two equal zones, but I still don't know how they check that the first person who configured the zone is the owner of the domain – Pedro Brost Jun 04 '20 at 13:52
  • @PedroBrost "how they check that the first person who configured the zone is the owner of the domain" It does not matter which zone you install on which nameserver... until the parent is updated to point to those nameservers with the proper delegation. Anyone can go to any DNS provider and set up any zone here. It will have no effect, no one will use this until the parent is configured with `NS` records pointing to this provider. So only the owner of the domain for this zone, through the sponsoring registrar, can make the change happen at the registry. – Patrick Mevzek Jun 04 '20 at 17:10

Your domain registrar has access to the DNS database of the domain registry (in the case of a .com domain, that’s Verisign), and when you register the domain they create authoritative name server (NS) records in the database for that domain listing the authoritative DNS servers that you have asked for.

People doing DNS lookups for your domain will query the NS records with the registry and then go to your DNS servers.

It’s up to you to ensure that you use a DNS provider who won’t let someone else create records for your domain on their DNS servers.

Mike Scott
  • Thank you! But how does the DNS provider know if the record created belongs to that person? If there is no way, I could for example check what the name servers for example.com are, enter there, create a new record for example.com, and there would be two in the same name server – Pedro Brost Jun 03 '20 at 20:50
  • Yes, but who would CARE? See, example.com is delegated to a specific set of name servers as per the entries in the central registry for .com - so whatever you enter on your DNS server is something no one cares about. That really is similar to phone numbers - there is a central database and you can whine about having a different number as much as you want, the phone system does not care. – TomTom Jun 03 '20 at 21:53
  • @PedroBrost You can’t just create a DNS record of your own on someone else’s name servers (except by hacking them if there’s a problem with their security). – Mike Scott Jun 04 '20 at 05:11
  • Your first paragraph is wrong. The registrar sends the nameserver list to the registry, typically using EPP. The registry publishes in its zonefile `NS` records for those; there is no `SOA` record at that level. The `SOA` record exists only in the child zone. As such the second paragraph is also wrong. In day-to-day operations the `SOA` record is almost never requested because it is not needed. What is needed, to find out delegations, are `NS` records. – Patrick Mevzek Jun 04 '20 at 17:06
  • @PatrickMevzek Thanks for the correction; I have edited the answer. – Mike Scott Jun 04 '20 at 18:44
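An added example, not from the question or either answer: a toy iterative resolver over constructed zone data that walks the delegation the way both answers describe (root, then the .com registry's `NS` records, then the delegated provider). It shows that a second "example.com" zone hosted at a provider the registry never delegated to is simply never consulted. All server names, addresses and the "otherdns.example" provider are assumptions made up for the illustration.

```python
# Constructed data: what each authoritative server would answer for a name.
# Delegation is whatever the parent says, not which providers host a zone.
ROOT_HINT = "a.root-servers.net"  # constructed root hint

SERVERS = {
    "a.root-servers.net": {"com.": {"NS": ["a.gtld-servers.net"]}},
    # The .com registry zone: only the NS records set via the registrar live here.
    "a.gtld-servers.net": {
        "example.com.": {"NS": ["ns1.amazingdns.com", "ns2.amazingdns.com"]}
    },
    # The provider the registrant delegated to.
    "ns1.amazingdns.com": {"example.com.": {"A": ["192.0.2.10"]}},
    "ns2.amazingdns.com": {"example.com.": {"A": ["192.0.2.10"]}},
    # Another provider also hosting an "example.com." zone: never delegated.
    "ns1.otherdns.example": {"example.com.": {"A": ["198.51.100.99"]}},
}


def resolve(name, rtype, server=ROOT_HINT, max_hops=8):
    """Follow NS referrals from the root hint; return (rrset, answering server).

    Address lookups for nameserver names (glue) are skipped: the toy data is
    keyed by server name directly.
    """
    labels = name.rstrip(".").split(".")
    for _ in range(max_hops):
        zone = SERVERS[server]
        rrset = zone.get(name, {}).get(rtype)
        if rrset:
            return list(rrset), server
        # No answer here: find the longest name with NS records (a delegation).
        referral = None
        for i in range(len(labels)):
            ns = zone.get(".".join(labels[i:]) + ".", {}).get("NS")
            if ns:
                referral = ns[0]  # real resolvers may pick any listed server
                break
        if referral is None or referral == server:
            raise LookupError(f"{server} has no answer or referral for {name}")
        server = referral
    raise LookupError("too many referrals")


def zone_hosts(name):
    """Every server holding a copy of this zone, delegated or not."""
    return sorted(s for s, z in SERVERS.items() if "A" in z.get(name, {}))


if __name__ == "__main__":
    print(resolve("example.com.", "A"))   # answered by ns1.amazingdns.com
    print(zone_hosts("example.com."))      # includes the never-delegated host
```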