I'm trying to understand how DNS works in a shared hosting environment. I went to my registrar and set my name servers to my host's ns1.foo.com and ns2.foo.com. I'm using a cloud hosting provider who has a web portal where I can set my DNS entries. However, I am confused by the lack of security. When I entered the entries for my domain there was never any step to prove that I actually own that domain. What is to stop somebody else on the same hosting service (a nasty neighbor) from writing over my DNS entries and pointing my traffic to their server instead?
- You ought to take this up with your provider. You're unlikely to get any solid answer from SF. – ThatGraemeGuy May 18 '10 at 10:34
- Surely you had to login to your provider's portal before you could change those entries? – Alnitak May 18 '10 at 10:50
4 Answers
There's never any "proof" that you own a particular domain at a DNS level; the idea is that you need to point your registrar's nameservers to servers that you trust, and that DNS server is trusted because you've said it can be trusted by pointing your DNS entries at it.
As a test, I have two separate accounts with DNS Made Easy. I took a domain from one account, and tried to add it to my other account to see what happens. The management tool stopped me in my tracks, saying that the domain was already hosted in another account.
So, the only way someone could hijack my DNS, would be to have created records for my domain before I did. Seeing as you (should always) create your DNS records before updating your nameservers, you'll be able to tell if someone is trying to hijack your DNS records before pointing your nameservers to the service.
So, in theory, if someone knew you were planning to move your DNS to a shared host, and they got there before you did, then yes, they could create records on your behalf. But then YOU wouldn't be able to create the records, and you'd have to be pretty dense to point your NS to your DNS provider a) before setting up your DNS records, and b) after you've received a message saying someone else already has.
- Thank you for the detailed description and for running that test. That made it very clear. – bluehex May 18 '10 at 15:59
- "There's never any "proof" that you own a particular domain at a DNS level," And yet CAs do DNS-01 validation for DV certificate issuance nowadays exactly to make you prove you own a particular domain, just by inserting a specific record in the DNS. – Patrick Mevzek Aug 22 '19 at 14:52
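The DNS-01 validation mentioned in the comment above is worth seeing concretely, because it is the one place where "proof of control" does get layered on top of plain delegation: the CA derives a value from a one-time token and the ACME account key, and only someone who can publish that value in the zone the delegated nameservers actually serve can pass. The following is an added example (not code from the question, the answers, or any CA); it implements the RFC 8555 key-authorization and RFC 7638 JWK-thumbprint derivation with the standard library, using a constructed placeholder JWK and token rather than real key material, and models the CA's final comparison step as `ca_validates`.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample ACME account key (public part only), shaped like an
# EC P-256 JWK. The coordinates are placeholders, not a real key pair.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
    "kid": "ignored-by-thumbprint",  # extra members are not part of the thumbprint
}

# RFC 7638: the thumbprint covers only these required members, serialised
# in lexicographic order with no whitespace.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON form of the JWK used for the thumbprint."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {k: jwk[k] for k in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) per RFC 7638."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_name(domain: str) -> str:
    """Owner name the CA queries for the challenge TXT record."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def ca_validates(token: str, jwk: dict, observed_txt_values: list) -> bool:
    """Model of the CA's check: it resolves the TXT record via the publicly
    delegated nameservers (a network step left out here) and accepts only if
    one of the observed values equals the expected digest."""
    expected = dns01_record_value(token, jwk)
    return any(value == expected for value in observed_txt_values)


if __name__ == "__main__":
    # Constructed token; real ACME tokens are random base64url strings from the CA.
    token = "constructed-challenge-token"
    print(dns01_name("example.com"), "TXT", dns01_record_value(token, SAMPLE_JWK))
```

The point for the question asked here: the CA resolves `_acme-challenge.example.com` through the nameservers the parent zone delegates to, so a record published in a zone copy that nothing delegates to is never seen, while a correct record can only be planted by someone who can write to the delegated zone.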
Surely, the registrar requires you to login before allowing you to change DNS entries. Since they are the ones who leased you the name in the first place, they know that you have authority to set the name servers.
Your hosting provider, who runs ns*.foo.com, really doesn't care if you have authority for that domain or not. If you don't have authority, then they won't actually be the name server of record - so no harm done. I can set up google.com on my own name server, but if no one queries my name server for it, it doesn't matter.
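The "if no one queries my name server for it, it doesn't matter" point is really a statement about how iterative resolution follows referrals, and it is easy to see with a small in-memory model. This is an added example, not code from the answer above or from any hosting provider: `SERVERS` is a constructed picture of the DNS tree (root, `.com`, the provider's `ns1.foo.com`/`ns2.foo.com` from the question, and a made-up second tenant's server `ns1.other-tenant.example.`), and `resolve` walks the delegation chain the way a resolver would. The second tenant's server holds a zone file for `example.com.` with a different address, but because nothing delegates to it, the resolver never consults it.

```python
# Constructed, in-memory model of DNS delegation. Each server name maps to
# the zone data it serves: "NS" entries are referrals, "A" entries are answers.
SERVERS = {
    "root-server.": {"com.": {"NS": ["com-server."]}},
    "com-server.": {"example.com.": {"NS": ["ns1.foo.com.", "ns2.foo.com."]}},
    # The provider's nameservers, which the registrar delegation points at.
    "ns1.foo.com.": {"example.com.": {"A": ["203.0.113.10"]}},
    "ns2.foo.com.": {"example.com.": {"A": ["203.0.113.10"]}},
    # A zone copy on a server nothing delegates to (constructed name).
    "ns1.other-tenant.example.": {"example.com.": {"A": ["198.51.100.99"]}},
}

MAX_REFERRALS = 10  # bound on the chain so a misconfigured loop cannot spin forever


def resolve(name, rrtype, servers=SERVERS, root="root-server."):
    """Iterative resolution: start at the root and follow the NS referral for
    the closest enclosing zone until some server returns the requested record.
    Returns (answer_records, servers_consulted_in_order)."""
    name = name.rstrip(".") + "."
    labels = name.split(".")  # "example.com." -> ["example", "com", ""]
    consulted = []
    server = root
    for _ in range(MAX_REFERRALS):
        consulted.append(server)
        zones = servers.get(server, {})
        answer = zones.get(name, {}).get(rrtype)
        if answer:
            return answer, consulted
        # Look for a referral, longest matching suffix first ("example.com." before "com.").
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            referral = zones.get(candidate, {}).get("NS")
            if referral:
                server = referral[0]
                break
        else:
            return [], consulted  # no answer and no referral: nothing to follow
    return [], consulted


def delegated_nameservers(name, servers=SERVERS, root="root-server."):
    """The NS set the parent zone publishes for `name`: this, not any server's
    local zone file, decides who is authoritative. Useful as a sanity check
    before and after moving DNS to a hosting provider."""
    _, path = resolve(name, "A", servers, root)
    parent = path[-2] if len(path) >= 2 else root
    return sorted(servers.get(parent, {}).get(name.rstrip(".") + ".", {}).get("NS", []))


if __name__ == "__main__":
    records, path = resolve("example.com", "A")
    print("answer:", records)
    print("servers consulted:", " -> ".join(path))
    print("delegated NS:", delegated_nameservers("example.com"))
```

Run it and the path printed is root, then the `.com` server, then `ns1.foo.com.`; the other tenant's server never appears, which is the whole of the "no harm done" argument. The practical check for a tenant is the one `delegated_nameservers` models: confirm that the NS records the parent zone publishes for your domain are the provider's servers you expect, because that delegation, not a zone file in anyone's portal, is what resolvers follow.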
It depends; normally they use an API to control each domain's info. Here in Portugal it is called the EPP protocol.
The security of the site can be high or low, it depends how the web site programmer writes the code.
There is an alternate way: you can use the domain registrar's nameservers instead of setting the shared server's NS. The only thing you need to change at the domain registrar's end is the A record. The A record is the IP address of the shared server where your domain is actually hosted. Your hosting company will take care of the DNS configuration at their end. Just change the A record, that's it.