49

When I register a new domain, I send it to my hosting provider by assigning it its domain name servers in the registrar's settings. For example, with Digital Ocean, I input the following:

ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

I then add the domain settings in the A record of my server. It just occurred to me that anyone else on the same hosting provider can add an A record with a domain I own.

Is there anything preventing this from occurring? If 2 different servers that use the same domain name server try to assign a domain to themselves through the A records, where would the domain actually resolve when you enter it in the browser? What prevents domain name collisions on the same DNS server?

Wesley
Eran Galperin
  • 7
    Digital Ocean prevents it, for one thing. Just _try_ entering an A record for a domain _you_ don't own. – Michael Hampton Dec 19 '15 at 06:32
  • 4
    The question is, how do they know who owns the domain? is it first come, first serve? so whoever adds the A record first, can use the domain? – Eran Galperin Dec 19 '15 at 06:38
  • 16
    @EranGalperin Hello! I'm a DigitalOcean employee. The first person to add a domain to their account can set records for it, but we do have a procedure to establish ownership in case of conflicts. – Jacob Dec 20 '15 at 02:37
  • 1
    Issues like this are why the bigger DNS providers (like Network Solutions) are also DNS registrars. They can handle both steps at once, and ensure that things are in sync. – Barmar Dec 23 '15 at 05:03
  • As @Barmar said above most registrars also provide DNS hosting, which avoids the problem you described, even though the scenario seems unlikely and trivial to resolve. – Fred Thomsen Dec 28 '15 at 02:02

4 Answers

62

Never you mind the comments section below, and never you mind the previous answers in the edit history. After about an hour of some conversation with friends (thank you @joeQwerty, @Iain, and @JourneymanGeek), and some jovial hacking around we got to the bottom of both your question and the situation on the whole. Sorry for brusqueness and misunderstanding the situation completely at first.

Let's step through the process:

  1. You buy wesleyisaderp.com at, let's say, NameCheap.com.
  2. Namecheap as your registrar will be where you populate your NS records. Let's say you actually want to host the DNS zone on Digital Ocean.
  3. You point your shiny new domain's NS records to ns1.digitalocean.com and ns2.digitalocean.com.
  4. However, let's say I was able to determine that you had registered that domain, and furthermore that you had changed your NS records to Digital Ocean's. Then I beat you to a Digital Ocean account and added the zone wesleyisaderp.com to my own.
  5. You try to add the zone in *your* account but Digital Ocean says that the zone already exists in their system! Oh noes!
  6. I CNAME wesleyisaderp.com to wesleyisbetterthanyou.com.
  7. Hilarity ensues.

Some friends and I just played this exact scenario out, and yes it works. If @JoeQwerty buys a domain and points it to the Digital Ocean nameservers, but I already had that zone added to my account, then I am the zone master and can do with it what I want.

However consider that someone would have to first add the zone to their DNS account, and then you'd have to point your NS records to the name servers of that same host for anything nefarious to happen. Furthermore, as the domain owner, you can switch NS records any time you want and move the resolution away from the bad zone host.

The likelihood of this happening is a bit low to say the least. It is said that, statistically, you can shuffle a deck of 52 playing cards and get an ordering that no other human has ever gotten, and no other human ever will. I think the same reasoning exists here. The likelihood of someone exploiting this is so very low, and there are better shortcuts in existence, that it probably won't happen in the wild by accident.

Furthermore, if you own a domain at a registrar and someone happens to have made a zone on a provider like Digital Ocean that you collide with, I'm sure if you provide proof of ownership, they'd ask the person who made the zone in their account to remove it since there's no reason for it to exist as they're not the domain name owner.

But what about A records

The first person to have a zone on, for instance Digital Ocean, will be the one that controls it. You cannot have multiple identical zones on the same DNS infrastructure. So for example, using the silly names above, if I have wesleyisaderp.com as a zone on Digital Ocean, no one else on Digital Ocean's DNS infrastructure can add it to their account.

Here's the fun part: I actually really have added wesleyisaderp.com to my Digital Ocean account! Go ahead and try to add it into yours. It won't hurt anything.

So as a result, you can't add an A record to wesleyisaderp.com. It's all mine.

But what about...

As @Iain pointed out below, my point #4 above is actually too verbose. I don't have to wait or plot or scheme at all. I can just make thousands of zones in an account and then sit back and wait. Technically. If I make thousands of domains, and then wait for them to get registered, and then hope they use the DNS hosts that I've set my zones on... maybe I can do something kinda bad? Maybe? But probably not?

Apologies to Digital Ocean & NameCheap

Note that Digital Ocean and NameCheap are not unique, and have nothing to do with this scenario. This is normal behavior. They are blameless on all fronts. I just used them since that was the example given, and they're very well known brands.

Wesley
  • If the attacker has DNS control, and you made the admin contact email on the domain itself, couldn't they immediately execute a domain transfer and approve it via email, depending on the registrar enabling this kind of feature? – Andrew Domaszek Dec 19 '15 at 08:26
  • @AndrewDomaszek A zone transfer would be pointless since the "attacker" already has the zone on one particular DNS infrastructure, but perhaps if the registrar had an email address on that domain as a primary contact then the registrar could be social engineered to transfer ownership, but there's a lot of variables and what-ifs that would make it improbable. – Wesley Dec 19 '15 at 08:30
  • In this scenario, namecheap is at fault if they allow you to point the NS records at digitalocean's name servers before DO is serving the SOA and NS records for the domain. In order for the change to be made at namecheap, the user (or someone) should have already set up the account at DO, and if it's someone else, the user should discover it when they go to do this. If they don't know this, there could be a problem. – mc0e Dec 19 '15 at 10:22
  • @Wesley I was really dissapointed when I found that [there's nothing at wesleyisaderp.com](http://wesleyisaderp.com). – cat Dec 19 '15 at 12:32
  • @mc0e I don't know of any registrar that looks for an SOA record before allowing you to use name servers. – Wesley Dec 19 '15 at 18:24
  • 2
    I suppose if you really want to mess with somebody, you could set up e.g. an `A` and a `MX` RR with really long TTLs, pointing to a host you control, and hammer common public DNS servers (like Google's, maybe?). A variant of cache poisoning... – user Dec 19 '15 at 19:48
  • 4
    It's also trivial to show domain ownership by being able to change which ns servers are pointed to so even if someone did it, could be cleared up relatively quickly if their customer service is good. – JamesRyan Dec 19 '15 at 23:30
  • 3
    @JamesRyan TXT records are used to prove ownership in cases like this. – user9517 Dec 19 '15 at 23:40
  • 2
    @Iain no they can't be. If someone else has control of the NS, they would have control of the TXT records! – JamesRyan Dec 19 '15 at 23:47
  • 4
    @Wesley This is correct. We have a procedure in place to handle cases of zone conflicts with our DNS service. – Jacob Dec 20 '15 at 02:41
  • 7
    A weird situation where this might be more likely is where the domain was _previously_ registered and in use at Digital Ocean, and then lapsed/wasn't renewed but the zone not deleted from digitalocean. Someone later snaps it up as a 'new' domain (unaware that it was previously owned), then tries to create the zone at Digital Ocean. This could only be prevented if the DNS host periodically purges zones for which it is no longer the nameserver. (without the aforementioned conflict resolution methods) – Ashley Dec 22 '15 at 23:54
32

In addition to Wesley's excellent answer, I'd like to add that there is already a solution to prevent this. It's called DNSSEC.

The basics are this:

  • You register your domain (I'll go with the eminent name wesleyisaderp.com here, just because.)
  • You register your name servers with your registrar, usually via a web interface that you authenticate to with a username/password combo.
  • You also create a public/private key pair, and you upload your public key to your registrar in the form of a DNSKEY record. (That is how the registrar can set up the chain of trust to the root servers for the top level domain - in this case, the root servers for .com.) Again, you upload this when you're logged in with your own username/password combo, so it is connected to your domain(s) and not to someone else's.
  • You go to the nameserver, you enter your records and you sign the resulting zone file with your private key. Or, if you've got a web interface to your DNS hosting service, you upload the private key to them so they can sign the zone file.
  • When Wesley so rudely tries to hijack your domain and CNAME it to wesleyisbetterthanyou.com, his records won't be accepted by the .com root domain servers because they aren't signed with the right key. If your DNS hosting provider is clever, they will check that right off the bat and won't even allow him to try to add records to that domain unless he's got the right private key.
  • When you enter your own records, they will be signed by the right key, so they will work.
  • You can now sit back and laugh at Wesley.

(In the original case, the one that Wesley describes, the main error would be that Digital Ocean did not verify ownership of a domain before allowing someone to set up DNS records for it. Unfortunately, they're not alone in this; I know of at least one Swedish registrar with the same issues.)

Jenny D
  • 1
    Curious, how would any non-DNSSEC DNS zone hosting provider verify ownership before allowing a zone to be created? I also tried this using Amazon Route53 and I can create any zone I want. – Wesley Dec 19 '15 at 18:26
  • They probably won't, it would require deferred trial and error checking. Just guessing, delete-on-error could still be possible with some (smoke-screen) UX tricks. – Sampo Sarrala - codidact.org Dec 19 '15 at 22:56
  • @Wesley I haven't considered the mechanics. But at the least, some kind of check on the whois record, or the same kind of checks that the cheap SSL certificate sellers have would work. If they can do it, why can't hosting companies? – Jenny D Dec 20 '15 at 07:59
  • 1
    @JennyD Convenience, mostly! This type of domain hijacking is rare enough and detectable enough that it's easier to fix it when it happens than to make every legitimate user jump through hoops to prevent it. –  Dec 20 '15 at 22:20
  • @duskwuff When convenience and security conflict, convenience usually wins... I agree that domain hijacking is likely to be rare - but what about simple mistakes, without evil intent? IMAO, it is reckless of DNS hosters to not do any form of checks. – Jenny D Dec 21 '15 at 06:02
6

You'll be fine so long as you claim ownership of the domain at DigitalOcean (i.e. associate it with your account) before you tell the registrar to use their name servers.

If someone has associated your domain with their account already you'll find out before the DigitalOcean nameservers become authoritative. And if that happens, talk to DigitalOcean about getting that person booted out of their account.

In line with best practice, {ns1,ns2,ns3}.DigitalOcean.com do not act as recursive resolvers for domains hosted elsewhere. If they did, and if servers hosted by DigitalOcean used those servers as general purpose resolvers, then there would be a much bigger problem. For all that this is well known to be bad practice, it's probably not that hard to find hosting providers who get it wrong, which opens up possibilities for abuse.

mc0e
  • So if DigitalOcean is not yet authoritative for the domain and multiple potential customers both claim to own the domain, how would DigitalOcean know which of the potential customers is telling the truth? Are they going to give the first one access to create records and a deadline to update NS records in order to prove control over the domain? Or are they going to give each of the potential customers a different subset of authoritative servers to put in the NS records? – kasperd Dec 21 '15 at 11:42
  • 2
    @kasperd the legitimate owners can point the NS records wherever they want and then configure for example a TXT record that proves they are the owners because it contains unique information that the service provider gives them. Admittedly a bit of a palaver but for the rare occasions that this might happen it's somewhat easier than having everyone prove ownership before bringing them onboard. – user9517 Dec 21 '15 at 12:47
  • @kasperd Often the whois record identifies the legitimate owner, though people sometimes do have reason to obscure that information. In any case, if you tell DO to associate the domain with your account so you can make it authoritative, DO presumably give the impostor a timeline to either update the registrar, or relinquish the domain association at DO. The legitimate owner might have to wait a little, that's all. – mc0e Dec 21 '15 at 13:22
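A defender-side check that follows from Wesley's walk-through and from mc0e's advice to claim the zone before changing NS records: ask the hosting provider's nameserver directly whether it already answers authoritatively for your domain, and if so, read the SOA's MNAME/RNAME/serial to tell whether it is your own lapsed zone (Ashley's scenario) or someone else's. This is an added example, not code from the thread or from DigitalOcean; the stdlib-only query builder and reply parser and their function names are my own, and the reply used in the test is constructed around the thread's example names (wesleyisaderp.com, ns1.digitalocean.com).

```python
import random, socket, struct
def encode_name(name):  # wire format: length-prefixed labels, zero terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_soa_query(domain):  # RD=0: an authoritative-only server must answer from its own zones
    txid = random.randrange(65536)
    return txid, struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(domain) + struct.pack("!HH", 6, 1)

def read_name(data, pos, end=None):  # decode a possibly compressed name -> (name, next offset)
    labels = []
    while True:
        n = data[pos]
        if n >= 0xC0:  # compression pointer: remember where we were, then jump
            end = pos + 2 if end is None else end
            pos = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels), (pos + 1 if end is None else end)
        else:
            labels.append(data[pos + 1:pos + 1 + n].decode())
            pos += 1 + n

def classify_response(txid, data):  # -> hosted_here (someone already serves it) / not_hosted / error
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return {"status": "error", "reason": "transaction id mismatch"}
    aa, rcode = bool(flags & 0x0400), flags & 0xF
    if rcode == 5 or (rcode == 0 and not aa):  # REFUSED, or non-authoritative: no zone held here
        return {"status": "not_hosted"}
    if rcode != 0:
        return {"status": "error", "reason": "rcode %d" % rcode}
    pos = 12
    for _ in range(qd):  # skip the echoed question section
        pos = read_name(data, pos)[1] + 4
    for _ in range(an):
        _, pos = read_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 6:  # SOA: MNAME/RNAME/SERIAL show whose zone this is (e.g. your own lapsed one)
            mname, p = read_name(data, pos + 10)
            rname, p = read_name(data, p)
            return {"status": "hosted_here", "mname": mname, "rname": rname,
                    "serial": struct.unpack("!I", data[p:p + 4])[0]}
        pos += 10 + rdlen
    return {"status": "hosted_here", "note": "authoritative reply without SOA"}

def check_zone_at(ns_host, domain, timeout=3.0):  # live check against one nameserver; needs network
    txid, pkt = build_soa_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (ns_host, 53))
        return classify_response(txid, s.recv(4096))
```

Run `check_zone_at("ns1.digitalocean.com", "yourdomain.example")` for each nameserver you intend to delegate to; a `hosted_here` result before you have added the zone yourself means another account already holds it, which is the case to raise with the provider before touching NS records.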
0

I think this issue means that no one should use such nameservers (such as Digital Ocean's) as their resolvers, since anyone can make a nameserver for an existing domain on them. The battle for control of the domain is irrelevant as domain ownership can be proved easily, but the fact that someone can for example direct any existing domain that is NOT hosted on Digital Ocean already, to anywhere they want.

Bottom line: do not trust the DNS servers of any hosting service that does not require a proof of domain ownership (easily and quickly done for instance by the method that was suggested above: by adding a TXT record with a certain value on the domain first, this is what Microsoft O365 and Google do for instance).