13

In a domain name registrar you have the option to set name servers as such: ns1.example.com, etc. and you don't have to specify the IP address of the name servers.

Well, what if I create a set of name servers and have them set as someone else's domain?

What is stopping the domain name from resolving to the lookalike DNS servers I just created?

example:

Say you have a domain, peanuthead.com. You go to DigitalOcean and create two name servers with BIND9: ns1.peanuthead.com and ns2.peanuthead.com. You go back to your registrar and set your name servers to ns1.peanuthead.com and ns2.peanuthead.com. This means when you go to peanuthead.com it will query those DNS servers.

What if someone randomly creates two name servers that you created, ns1.peanuthead.com and ns2.peanuthead.com? What stops the domain peanuthead.com from querying those name servers created by someone else?

Michael
  • Definitely a good addition to the reading killmark array: An oldish (2000?) page by the author of tinydns, [Daniel J. Bernstein](https://en.wikipedia.org/wiki/Daniel_J._Bernstein): "[Notes on the Domain Name System: Trusted Servers](https://cr.yp.to/djbdns/notes.html)". The author explains a problem with out-of-bailiwick nameservers, which are used quite often nowadays: _"Are the www.w3.org administrators aware that their DNS service relies on beer.pilsnet.sunet.se and 200 other obscure computers around the world?"_. (Does DNSSec solve this? Not sure, probably not) – David Tonhofer May 23 '17 at 21:01
  • Please see my edit which addresses your additional questions. – EEAA May 24 '17 at 01:03
  • Someone *does* have to specify the IP address of the name servers though. They get resolved just like every other server. Probably your registrar puts its own servers' IP addresses there. – user253751 May 24 '17 at 02:19

2 Answers

24

> Well, what if I create a set of name servers and have them set as someone else's domain?

You can stand up a DNS server and have it serve requests for whatever domain you'd like. That would be a completely pointless exercise, though, because requests for those domains would never hit your server.

> What is stopping the domain name from resolving to the lookalike DNS servers I just created?

Well, as you pointed out, nameserver records are set at the domain registrar. If they're set properly, requests for your domain will only ever be referred to those servers.

> What if someone randomly creates two name servers that you created, ns1.peanuthead.com and ns2.peanuthead.com?

You seem to be quite confused. If you are in control of example.com, only you and you alone can create DNS records in that domain. Sure, anyone else can configure their DNS server to be authoritative for that domain, but again, that's pointless as queries for example.com will only ever be directed to the specified nameservers.

> What stops the domain peanuthead.com from querying those name servers created by someone else?

This question is nonsensical, as no one else can create records in your domain, and no one but you can edit the nameserver records at your registrar.

EEAA
  • Well if you can get into another nameserver that people use, let's say `ns1.google.com` and you put an A record there for `ns1.competitor.com => ` wouldn't that basically.. be a successful hijack? – Gizmo May 23 '17 at 18:50
  • @Gizmo Not sure what you're suggesting. Anyone who owns a domain can create a nameserver under that domain referencing (almost) any IP they want, but that won't affect the behavior of that IP. –  May 23 '17 at 18:52
  • I was suggesting that a malicious or hacked registrar would announce existing domains (e.g. the nameservers) as if it were their own, telling all the users that trust them that the location of ns1.competitor.com is 2.2.2.2 (of which real ip is 1.1.1.1). – Gizmo May 23 '17 at 18:55
  • 3
    @Gizmo When a resolver wants to look up something in `competitor.com`, it starts from the root servers and works its way down the hierarchy. It will never go to `ns1.google.com` if the delegations don't point there. – Barmar May 23 '17 at 19:43
  • 2
    @Gizmo If you've hacked into a company's name servers, then you've already won. Having them point to _another_ nameserver you control is pointless indirection. – gardenhead May 23 '17 at 22:16
  • @Gizmo: This is commonly done by sleazy ISPs. If you mistype a URL, e.g. `ogogle.com` they will claim the site exists, and redirect to some ad-filled page. Since they claim this is "helpful" they get away with it. Falsifying real URLs would be viewed as _really_ sleazy. – MSalters May 23 '17 at 22:49
  • 5
    @MSalters NXDOMAIN hijacking, while annoying, is a completely different topic than what's being discussed here. – EEAA May 24 '17 at 01:08
0

I think this is the main cause of confusion:

> In a domain name registrar you have the option to set name servers as such: ns1.example.com, etc. and you don't have to specify the IP address of the name servers.

That is only true if you have already specified the IP address of the name server somewhere else (perhaps with another registrar). Setting your DNS server to a domain name instead of an IP address makes the assumption that you've set up the domain name of your server correctly.

Some registrars even disallow recursive DNS references where the DNS server is a subdomain of the domain the DNS server is managing. Some allow it but also allow you to register the IP address of the DNS servers so that their root servers can know where to start the DNS lookup. Then there are some who can't be bothered to validate your settings and allow you to create broken and non-working domain setups.

slebetman
  • To be more precise you need (and must) specify IP addresses of hosts only if they are in-bailiwick which means in the zone and used by the domain name on which they reside themselves. This is needed to create proper glue records at the registry to enable resolution for this very specific domain (and in turn for all other domains in the zone using the same nameservers). In all other cases IP addresses are not needed, and are either just dropped or refused. Nameservers like that are registered only once by the registrar sponsoring the underlying domain name. – Patrick Mevzek May 25 '17 at 16:22
  • And outside (of the zone) nameservers are registered only once and without IP addresses, by the first registrar needing them. The registration is either done specifically for registries managing nameservers as objects (like in gTLDs) and through operations on the underlying domain names if they are attributes. – Patrick Mevzek May 25 '17 at 16:22
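An added example, not code from the question or either answer: a toy iterative resolver over a constructed delegation tree that shows both points made above. It follows Barmar's description (start at the root, walk down the delegations, so a rogue server that merely claims to be authoritative for peanuthead.com is never consulted) and Patrick Mevzek's point about in-bailiwick nameservers (ns1/ns2.peanuthead.com are inside the zone they serve, so without glue A records at the registry the resolver has nowhere to start and resolution fails). All server names, IP addresses and records here are constructed for illustration.

```python
# Toy iterative resolver over a constructed delegation tree: root -> .com -> peanuthead.com.
ROOT = "192.0.2.1"        # constructed root server IP
COM_TLD = "192.0.2.2"     # constructed .com registry server IP
NS1 = "203.0.113.10"      # ns1.peanuthead.com, the owner's BIND9 box (constructed IP)
NS2 = "203.0.113.11"      # ns2.peanuthead.com (constructed IP)
ROGUE = "198.51.100.99"   # someone else's server configured as "authoritative" for the zone

def build_servers(with_glue):
    """Records each constructed server holds, keyed by server IP: name -> [(type, value)]."""
    registry = {"peanuthead.com.": [("NS", "ns1.peanuthead.com."),
                                    ("NS", "ns2.peanuthead.com.")]}
    if with_glue:  # in-bailiwick nameservers need glue A records at the registry
        registry["ns1.peanuthead.com."] = [("A", NS1)]
        registry["ns2.peanuthead.com."] = [("A", NS2)]
    zone = {"peanuthead.com.": [("A", "203.0.113.50")],
            "ns1.peanuthead.com.": [("A", NS1)],
            "ns2.peanuthead.com.": [("A", NS2)]}
    return {
        ROOT: {"com.": [("NS", "ns.com-registry.example.")],
               "ns.com-registry.example.": [("A", COM_TLD)]},
        COM_TLD: registry,
        NS1: zone, NS2: zone,
        ROGUE: {"peanuthead.com.": [("A", "198.51.100.1")]},  # nothing delegates here
    }

def resolve(name, rtype, servers, server_ip=ROOT, visited=None, hops=0):
    """Start at the root and follow delegations; returns (records or None, servers consulted)."""
    visited = [] if visited is None else visited
    visited.append(server_ip)
    if hops > 8:  # delegation loop: in-zone NS names with no glue to bootstrap from
        return None, visited
    zone = servers[server_ip]
    answer = [v for t, v in zone.get(name, []) if t == rtype]
    if answer:
        return answer, visited
    labels = name.split(".")  # climb the name until this server has a delegation for it
    for i in range(len(labels)):
        nslist = [v for t, v in zone.get(".".join(labels[i:]), []) if t == "NS"]
        if nslist:
            break
    else:
        return None, visited
    for ns in nslist:
        glue = [v for t, v in zone.get(ns, []) if t == "A"]
        # No glue: the NS name itself must be resolved from the root first.
        ips = glue or resolve(ns, "A", servers, ROOT, visited, hops + 1)[0] or []
        if ips and ips[0] in servers:
            return resolve(name, rtype, servers, ips[0], visited, hops + 1)
    return None, visited
```

With glue the lookup goes root, registry, ns1 and never touches ROGUE; without glue the same lookup fails, which is the "broken and non-working domain setup" slebetman mentions.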