1

I am developing a free DNS service and I can't totally solve the situation when two or more customers try to add the same domain (nearly at the same time).

Here are a few solutions to handle this situation, but none of them seems to be good or viable.


Solution 1:

Use different pairs of name server for each customer

Creating multiple and distinct ns's (like ns1, ns2.. ns49, ns50, ns51..) allows me to use different pairs of servers with different customers trying to add same domain.

The real owner will use only his pair in domain registrar (ie: ns8 and ns9) so only his records will be accepted and propagated to the whole internet.

The problem with Solution 1:

It is vulnerable to a mass attack

If a malicious person create a really big number of accounts, it would be impossible to have an equivalent number of pairs, if all of these accounts try to add the same domain.


Solution 2:

Only allow one user account to use a domain

If one user already added a specific domain and correctly configured it in his domain registrar, no other account will be able to add the same domain.

The problem with Solution 2:

Grace time

It can take hours to validate an added domain (please, correct me If I am wrong). It would require me to give a "grace time" to allow each recently added domain to stay "unverified" until we can validate it through the respective domain registrar.

Also, during this grace time, no other account would be able to add the same domain unless we use solution 1 ( but remember #1 has a vulnerability ).


How free (or paid) DSN services solve this problem? What are their approaches (since any user apparently can add whatever domain it wants without restrictions) ?

Edit: about the duplicate

There is a slight difference between my question and Era's one. I am the provider and not the customer. And Era's question only points to the problem from the customer's eyes.

Also, even @Jacob from DigitalOcean stated that they do a "first come, first serve" approach which I am trying to avoid and is the reason for my question to exist.

Paulo Coghi
  • 588
  • 1
  • 11
  • 22
  • Possible duplicate of [Can someone using the same DNS server as me hijack my domains?](http://serverfault.com/questions/744147/can-someone-using-the-same-dns-server-as-me-hijack-my-domains) – user9517 Jan 14 '16 at 22:33
  • Thanks for the note, @lain . But it seems that the answers to that question is the motivation to mine. I am the provider and, as such, I want to avoid approaches like the mentioned by Jacob and Wesley – Paulo Coghi Jan 15 '16 at 00:25

1 Answers1

1

Solution 1 can work for authentication a users control of a domain. In your question, you seem to have imposed some restrictions on yourself, maybe due to some misunderstandings or maybe because you want it to work without authenticating the users control of the domain.

  • You shouldn't use just two DNS servers. Two is the minimum, but I would go higher than that. The exact number of DNS servers to use is a matter of opinion. I feel four is a good choice. With a larger number of DNS servers used by each domain, you will have more possible combinations.
  • The NS records are as you already observed pointing to names. It is possible to have multiple of those names pointing to the same IP addresses, which means you have no shortage of names.
  • Your service need both IPv4 and IPv6. With IPv6 you have no shortage of IP addresses either. It is entirely possible to have each server listen on enough IPv6 addresses that you can have a unique IP address for each of your users.

Any of the three observations above should fill in the gaps in your proposed solution 1 to make it work, assuming that you do authenticate the user's control of the domain.

If you want a solution that works without the user first authenticating their control of the domain, I can only suggest that you rely on IPv6.

A hybrid solution could likely provide a smooth flow for the users. I would design it as follows:

  • Assign a /64 address space to each of your DNS servers.
  • Assign a 64 bit interface identifier to each user.
  • Assign 3 hostnames to each DNS sever plus user combination (one v4-only, one v6-only, and one dual-stack). The hostname could for example look like kasperd-ns1-ds.example.com.

A user can create any zone name they like. It will immediately be made available on that user's IPv6 addresses.

Serving a specific zone on the IPv4 addresses (which are necessarily shared among users) will work on a first-come basis. But any later user can authenticate control over the domain by pointing the NS records of the domain to any of the hostnames you assigned to that user. Authenticated control of the domain beats the first-come principle.

kasperd
  • 29,894
  • 16
  • 72
  • 122
  • The problem that solution 1 tries to solve is to avoid DNS conflict between legitimate users and the others. If I use the same group of DNS servers (2, 4 or any number) with different users using the same domain, a non-legitimate user would be allowed to create DNS zones for domains he/she hasn't. – Paulo Coghi Jan 15 '16 at 18:28
  • @PauloCoghi In that case I did not completely understand the question, and you did not completely understand my answer. I'll improve my answer to make it more clear how it could work. – kasperd Jan 15 '16 at 18:30
  • I think I understand better you answer now. – Paulo Coghi Jan 15 '16 at 18:44
  • Your suggestion is brilliant, because I can create multiple groups of nameservers based on the same initial four servers (for example) and authenticate the legitimate user by the group used in domain registrar! – Paulo Coghi Jan 15 '16 at 18:49
  • And, yes, with this method there is no shortage. Now I get your idea. – Paulo Coghi Jan 15 '16 at 18:51