4

I am hosting my website on Linode and am also using their DNS/naming servers. (ns1.linode.com etc.)

It occurred to me that I never have had to authenticate that the domain is mine when I added the domain to the DNS manager, or at any other point. I now wonder whether it would be possible for other Linode users to 'hijack' my domain by simply adding the same domain zone and pointing it to their own server. I wouldn't know how Linode could determine which are the real/authentic records.

How can I be sure this doesn't happen?

John Gardeniers
Jongsma
  • 1
    You'd have to ask Linode, but I'd bet they do a check to see if the domain already exists in their DNS infrastructure when you create a zone in their manager. – ceejayoz Dec 12 '12 at 21:07
  • 1
    This is no different to someone setting up a DNS server with any domain they wish. – John Gardeniers Dec 12 '12 at 22:28

2 Answers

2

In most scenarios the DNS host and the web hosting provider are not the same thing. However, as you point out it is possible for them to provide both services. I'll cover both scenarios for future readers:

Separate Host and Registrar/DNS Host

In this scenario it's not possible for the domain to be hijacked, as the user would have to be able to make changes to the name server that hosts the DNS to point it to a different IP address. With this in mind no verification is needed. If a user uses your domain name when signing up for a shared hosting service, the host could care less because the domain will never be routed but the credit card hosting the server will most certainly be billed!

Combined Host

This is a little trickier as you have to rely on the hosting provider to sort it all out. Most of the web-based control panel systems will compare the domain name entered when you sign up; if the domain is already hosted it will not let you continue. But as ceejayoz points out above, this really comes down to a per-provider question. The chances are relatively small that this could happen though, given the basic security use case.

Brent Pabst
  • 2
    The technical term for this is delegation. You control who your zone is delegated to from your registrar. Or through the use of glue records. Any nameserver can technically have a zone in its configuration. However a resolver will ultimately get the answer from the delegated nameservers. You can bypass this normal behavior using dig with the @ option. DNSSEC is optional but does provide validation that the answers came from the delegated nameservers for a zone. – 3dinfluence Dec 12 '12 at 22:17
  • Addition: Look at the output of `dig yourdomain +trace` to get an overview of the "delegation chain" down to your domain's authoritative nameserver. It should become obvious why it doesn't matter at all if someone else registers your domain on those lower levels. – Karma Fusebox Dec 12 '12 at 22:24
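
The delegation point made in the comments above, shown as an added example that is not part of the original answers: a toy Python model of iterative resolution in which a second server carries the same zone but is never asked, because no parent delegates to it. The server names (`tld-ns`, `ns1.dnshost`, `rogue-ns`), the zone `mysite.example.` and all addresses are assumptions constructed for illustration.

```python
# Toy model of iterative DNS resolution. Every server name, zone and address
# here is constructed sample data (reserved .example names, RFC 5737 addresses).
SERVERS = {
    "root": {"referrals": {"example.": ["tld-ns"]}},
    "tld-ns": {"referrals": {"mysite.example.": ["ns1.dnshost", "ns2.dnshost"]}},
    "ns1.dnshost": {"records": {"www.mysite.example.": "192.0.2.10"}},
    "ns2.dnshost": {"records": {"www.mysite.example.": "192.0.2.10"}},
    # Same zone configured on a server that no parent delegates to.
    "rogue-ns": {"records": {"www.mysite.example.": "203.0.113.66"}},
}

def in_zone(name, zone):
    """True if name is the zone apex or below it (label-boundary match)."""
    return name == zone or name.endswith("." + zone)

def query(server, name):
    """Ask one server directly, as `dig @server name` would."""
    data = SERVERS[server]
    if name in data.get("records", {}):
        return "answer", data["records"][name]
    zones = [z for z in data.get("referrals", {}) if in_zone(name, z)]
    if zones:  # most specific delegation wins
        return "referral", data["referrals"][max(zones, key=len)]
    return "refused", None

def resolve(name, start="root", max_hops=10):
    """Follow referrals down from the root; return (address, servers asked)."""
    asked, server = [], start
    for _ in range(max_hops):
        asked.append(server)
        kind, value = query(server, name)
        if kind == "answer":
            return value, asked
        if kind != "referral":
            break
        server = value[0]  # a real resolver chooses among the whole NS set
    return None, asked

def delegation_drift(zone, parent, expected_ns):
    """NS names that differ between the parent's delegation and the owner's list."""
    actual = set(SERVERS[parent]["referrals"].get(zone, []))
    return sorted(actual ^ set(expected_ns))

if __name__ == "__main__":
    print(resolve("www.mysite.example."))            # delegated path only
    print(query("rogue-ns", "www.mysite.example."))  # direct query bypasses it
    print(delegation_drift("mysite.example.", "tld-ns", ["ns1.dnshost", "ns2.dnshost"]))
```

Against real data, the drift check corresponds to comparing the NS set shown in `dig yourdomain +trace` with the nameservers configured at the registrar.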
2

I have two Linode accounts. I just tried out your theory. Turns out that Linode is smart enough that it doesn't let you add a domain name in their DNS Manager if they already have that domain in their database. So, no two accounts can add the same domain name in their DNS Manager.


Idlecool