
Is it bad practice to register a domain for future use and not associate any DNS records with it?

For example, say I purchase hello.com and goodbye.com and set the nameservers to my AWS R53 nameservers in my registrar. But then in Route53 I do not have any DNS records set. Do you always need to have at least some kind of placeholder DNS records?

  • I don't see a problem there. Since the domain name is registered by you, it's your choice if you wish to associate any DNS records with it. It's perfectly fine if you wish to keep it for the future without any DNS records. – Harijith R Aug 29 '19 at 09:27
  • You always have an SOA (Start of Authority) record, so basically it can be your placeholder if you want. – vx3r Aug 29 '19 at 09:42
  • It should also be possible NOT to define nameservers at all at the registrar (this may be subject to registrar and domain registry policies). In this case you "own" the domain but it is completely invisible on the Internet. – Tomek Aug 29 '19 at 11:47

1 Answer


No, it isn't bad practice not to have any records, but there is a big difference between an empty hosted zone and not having a hosted zone configured at all in Route 53 but pretending that you do, by assigning Route 53 nameservers to a domain without a matching hosted zone in Route 53.

Route 53 has 2,048 nameservers. (Technically more than that, due to anycast, but there are 2048 unique nameserver names associated with Route 53.) Each time you create a hosted zone, it is assigned to 4 of these servers, which must be configured with your registrar so that queries are delivered to the correct 4 servers -- the other 2,044 Route 53 servers will reject queries for your domain, if they arrive, but they won't unless you misconfigure the authoritative servers with your registrar.

If you delete that hosted zone and leave the registrar pointing to those 4 servers, then your domain can theoretically be hijacked. Someone would only need to create, delete, create, delete... a hosted zone for your domain not more than 512 (2048 ÷ 4) times in Route 53 before they would end up with a hosted zone on at least one of your originally-assigned nameservers -- which you abandoned.

If you do not delete the hosted zone, this is impossible, because the nameservers will not be assigned to a new hosted zone for the same domain if you still have yours.

This is not a security vulnerability in Route 53. It's a malicious user taking advantage of a misconfiguration created by the domain owner, pointing their authoritative nameserver settings to machines that aren't in fact authoritative. It wouldn't work very reliably, but it would definitely be bad practice to set yourself up for such a scenario. A malicious user could easily identify a domain with such a misconfiguration because Route 53 will actively refuse to handle DNS queries it receives for unexpected domains, returning a reply message to that effect, rather than returning an error like NXDOMAIN as it would for a valid configuration without any actual records in the hosted zone.
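The answer's closing point gives the domain owner a concrete self-check: a nameserver that actually hosts the zone answers an SOA query with NOERROR (or NXDOMAIN for a name that does not exist), while a Route 53 server that has no hosted zone for the domain answers REFUSED. The script below is an added example, not code from the answer or from AWS: it hand-builds a non-recursive SOA query with only the Python standard library, parses the RCODE from the reply, and classifies the set of answers from the nameservers configured at the registrar. The sample reply bytes are constructed for the offline test; the hostnames in the usage comment are placeholders.

```python
"""Audit a domain's delegation for the dangling-nameserver case described above.

Added example. Assumptions: the caller passes the nameserver hostnames (or IPs)
exactly as configured at the registrar; UDP/53 is reachable; a 512-byte reply
buffer is enough because only the 12-byte header is inspected.
"""
from __future__ import annotations

import socket
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_SOA = 6
CLASS_IN = 1


def build_soa_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build an SOA query with RD=0 so the server must answer from its own data."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: recursion not requested
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in domain.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def parse_rcode(response: bytes) -> str:
    """Return the RCODE name from the DNS header; the QR bit must be set."""
    if len(response) < 12:
        raise ValueError("short DNS response")
    _txid, flags = struct.unpack("!HH", response[:4])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def classify_delegation(rcodes: dict[str, str]) -> str:
    """Turn per-nameserver RCODEs into a verdict.

    consistent  : every delegated server answers NOERROR/NXDOMAIN (an empty
                  hosted zone still yields NOERROR for the SOA itself)
    dangling    : at least one delegated server answers REFUSED, i.e. it has
                  no hosted zone for this domain and could be claimed by a
                  newly created zone elsewhere
    """
    if not rcodes:
        return "no-nameservers"
    refused = [ns for ns, rc in rcodes.items() if rc == "REFUSED"]
    if refused:
        return "dangling: " + ", ".join(sorted(refused))
    if all(rc in ("NOERROR", "NXDOMAIN") for rc in rcodes.values()):
        return "consistent"
    return "inconclusive"


def probe(domain: str, ns_host: str, timeout: float = 3.0) -> str:
    """Send the SOA query over UDP to one nameserver and return its RCODE (uses the network)."""
    query = build_soa_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (ns_host, 53))
        data, _ = sock.recvfrom(512)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_rcode(data)


def check_domain(domain: str, nameservers: list[str]) -> str:
    """Probe every nameserver configured at the registrar and classify the delegation."""
    results: dict[str, str] = {}
    for ns in nameservers:
        try:
            results[ns] = probe(domain, ns)
        except (OSError, ValueError) as exc:
            results[ns] = f"ERROR:{exc}"
    return classify_delegation(results)


# Constructed reply headers (QR set, zero question/answer counts) for offline use.
SAMPLE_REPLIES = {
    "noerror": b"\x12\x34\x80\x00" + b"\x00" * 8,
    "nxdomain": b"\x12\x34\x80\x03" + b"\x00" * 8,
    "refused": b"\x12\x34\x80\x05" + b"\x00" * 8,
}

if __name__ == "__main__":
    import sys
    # usage: python check_delegation.py example.com NS1.PLACEHOLDER NS2.PLACEHOLDER ...
    print(check_domain(sys.argv[1], sys.argv[2:]))
```

Run it against your own domain with the exact nameserver set entered at the registrar. A "consistent" verdict with an empty hosted zone is the situation the question asks about and is fine; a "dangling" verdict means the registrar points at servers that are not authoritative for the zone, and the fix is either to keep (or recreate) the hosted zone and copy its delegation set back to the registrar, or to remove the stale nameserver entries at the registrar.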

Michael - sqlbot