
I'm trying to understand how (or if) a DNS server differentiates between a sub-domain set up as a zone and one set up as a record within a domain zone on the same server.

Say I were to create a DNS zone on a DNS server for a domain e.g. example.com.

What is to stop someone from creating another zone, test.example.com, on the same server and 'hijacking' that sub-domain of the domain?

When a DNS request is made to the name server for test.example.com, will the DNS server return:

  • The main A record of the test.example.com zone or
  • The test.example.com A record in the example.com zone

(and if the A record for test.example.com doesn't exist in example.com will it return no such record or continue onto the zone of test.example.com)

Is there any way of preventing the sub-domain zone from responding without moving the domains to their own unique name server? How do the likes of ZoneEdit and Amazon's Route53 handle this?

(If a sub-domain was hosted on a separate server the master zone for example.com would have to delegate the sub-domain to that separate server, correct? (as per this Technet article).)

Skyrail
  • All DNS wants is the response to its request. It will follow the chain of delegation on down until it reaches the A record. – NickW Jan 07 '14 at 17:19
  • @NickW If the request reaches the example.com zone first, and that zone doesn't delegate the test.example.com sub-domain, will it return a 'No record found' (as per TomTom's answer) or search for the zone on the server? – Skyrail Jan 07 '14 at 17:33
  • It's the server's decision, if it doesn't know where to go (as per your non-delegation example) then it will return "no record found". I really cannot think of any examples where you could do that sort of thing (as a DNS admin), unless you're talking about restricted views. – NickW Jan 07 '14 at 17:58
  • I'm not sure why you've tagged this powerdns. Can you elaborate? – ZaphodB Feb 21 '14 at 22:54
  • @ZaphodB Because although I was interested in the general concept answer, PowerDNS and bind are the servers I'm working with so if anyone had any specific knowledge on them it'd be more than welcome. – Skyrail Feb 23 '14 at 08:14

3 Answers


Not sure about BIND, but Windows DNS goes up down (example.com is evaluated first) and as the zone does not redelegate test.example.com - that is the end (i.e. test.example.com never gets asked).

TomTom
  • Thanks, that's how I anticipated it working but it'd be interesting to know how other servers handle it, and whether it's noted in an RFC somewhere. – Skyrail Jan 07 '14 at 17:43

"What is to stop someone from creating another zone, test.example.com, on the same server and 'hijacking' that sub-domain of the domain?"

Well, if they can do that, they can also just alter the original zone file; in general if someone has access to your DNS server they can change the DNS to be whatever they want.

"When a DNS request is made to the name server for test.example.com, will the DNS server return:

The main A record of the test.example.com zone or
The test.example.com A record in the example.com zone"

As always, the answer is "It Depends On How You've Set It Up". If the server is authoritative for example.com, and hasn't delegated test.example.com, it will respond however it's configured to respond; from the protocol's standpoint there's not a difference in the zone test.example.com having an @ A record and the zone example.com having a test A record. If you're asking what happens if there are collisions (e.g., you've defined test.example.com in the example.com zone file and your nefarious interloper has defined a test.example.com zone file, well, again, he'd have to be able to write named.conf to get BIND to read it to begin with, at which point he could just do whatever he wanted to anyways). IIRC Windows DNS will refuse to load collisions, and BIND will run with whatever it loaded last (I may have that backwards, though). But in either case, for someone to get his zone definition into a running nameserver, he has to have enough access that he can do whatever he wants to your DNS anyways.

Bandrami
  • "Well, if they can do that, they can also just alter the original zone file" - but what about in the case of ZoneEdit, if I get allocated the same nameserver as someone else, what's to stop me adding a zone record for a sub-domain on their domain? Or is that for ZoneEdit to handle in their interface (if their DNS server handles it like BIND does?) – Skyrail Jan 07 '14 at 17:41
  • Last time I used zoneedit they verified domain ownership as part of the signup process. Not sure what they do now, but yes, notionally that's ZoneEdit's responsibility. – Bandrami Jan 07 '14 at 17:50
  • They check for the uniqueness of domains, but not sub-domains (so I can create a zone from the sub-domain test.zoneedit.com for example.) As BIND will (supposedly) use the sub-domain zone over the sub-domain record the only way to stop another user hijacking a sub-domain is to control at time of editing, right? – Skyrail Jan 08 '14 at 10:21
  • That's a good question, and I don't know zoneedit well enough to answer... I'll see if I can dig anything up. – Bandrami Jan 08 '14 at 11:13

Such control would need to be external to BIND as BIND itself does not have such access controls.

I'm looking for the official docs, but I believe BIND matches the most specific zone as defined in named.conf.

So zones will be processed in the most to least specific order. If you had unique zones for each of:

host.sub.domain.com
sub.domain.com
domain.com

Then a lookup for a.host.sub.domain.com would be used preferentially over the other zones.

So to answer your question, you would need to build such security into a zone editor or restrict access so that users can only edit their own zone files.

I work on cPanel/WHM systems and they use zone files for each sub-domain. The WHM panel enforces the security required to prevent a user from hi-jacking another user's zone.

jeffatrackaid
  • It was more of a general question but getting an insight into how each of the different DNS servers works is good knowledge. Although I'm still looking for an authoritative source for any of them. Windows DNS seems to work the other way according to TomTom. And even if the users have separate zone files, if they're all on the same nameserver the 'hole' still exists right as the server will parse all of them on the same level, right? – Skyrail Jan 08 '14 at 10:15
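A small model of the zone selection the last two answers describe, added here as an example; it is not code from the question, the answers, or BIND itself. Loaded zones are matched by longest suffix, so a loaded test.example.com zone shadows the test record inside example.com, and the example.com zone is never consulted for that name; the `can_create_zone` check shows the kind of ownership control that a zone editor (not the nameserver) has to enforce. Zone names, account names and addresses are constructed sample data.

```python
def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def is_subdomain(name, zone):
    """True if name equals zone or sits anywhere below it."""
    nl, zl = labels(name), labels(zone)
    return len(nl) >= len(zl) and nl[-len(zl):] == zl

def select_zone(loaded_zones, qname):
    """Most specific loaded zone enclosing qname (longest suffix), or None."""
    candidates = [z for z in loaded_zones if is_subdomain(qname, z)]
    return max(candidates, key=lambda z: len(labels(z)), default=None)

def lookup_a(zones, qname):
    """zones: {zone_name: {owner_name: ipv4}}. Returns (zone_used, ip_or_None).

    Only the selected zone is searched; a missing record there is a negative
    answer, the parent zone's data for the same name is never consulted.
    """
    zone = select_zone(zones, qname)
    if zone is None:
        return None, None
    return zone, zones[zone].get(".".join(labels(qname)))

def can_create_zone(existing, new_zone, requester):
    """Provider-side check (external to the nameserver): refuse a new zone that
    lies under, or above, a zone owned by a different account.
    existing: {zone_name: owner_account}.
    """
    for zone, owner in existing.items():
        overlaps = is_subdomain(new_zone, zone) or is_subdomain(zone, new_zone)
        if owner != requester and overlaps:
            return False
    return True

# Constructed sample data: example.com carries a 'test' A record, and a
# separate test.example.com zone has also been loaded on the same server.
SAMPLE_ZONES = {
    "example.com": {"example.com": "192.0.2.1", "test.example.com": "192.0.2.2"},
    "test.example.com": {"test.example.com": "198.51.100.9"},
}
SAMPLE_OWNERS = {"example.com": "alice"}

if __name__ == "__main__":
    for q in ("test.example.com", "www.example.com", "a.test.example.com"):
        print(q, "->", lookup_a(SAMPLE_ZONES, q))
    print("bob may create test.example.com:",
          can_create_zone(SAMPLE_OWNERS, "test.example.com", "bob"))
```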