0

I am new to the Google Cloud DNS service. While still trying to understand the features of this service, a question popped up: though Google doesn't allow a user to create duplicate DNS A records, how does it ensure that any other user, or the same user in another project, is also not able to create a duplicate record?

For example. My DNS record

mywebsite.example.com may point to IP 192.168.0.1

What will happen if another user who is also using the Google Cloud DNS service creates a similar record for his project, with either a different IP address or a different domain name?

For example:

mywebsite.example.com --> 192.168.0.2

or

diffwebsite.example.com --> 192.168.0.1

How will a DNS lookup resolve in either case, since the domain (example.com) is registered with a common registrar? Please help.

ABJ
  • 91
  • 5

2 Answers

0

There is always one entity (person, organization, something like that) that controls a zone in DNS. If Google has control of example.org (do not use mydomain.org as your example, it is a perfectly valid existing domain that belongs to someone else), Google can fill it with whatever information they want. If they want to let their customers add exactly one A record per name in it, that's a choice they can make. It's up to Google to make sure that they don't allow creation of records that cause problems for their customers.

If you own example.org, you can put whatever you feel like in it. If you choose to have 42 A records for a name, you can. Someone looking up that name will pick one of the records more or less at random. Nobody will police what IP addresses you put in your A records. You can have records containing absolutely any IP address at all. Nobody will police what names in the zone you create (within technical constraints). You can have an entire dictionary of foul language, if you want.

If someone you have no relationship with owns example.org, you have no influence on what names and records exist in that zone. It would not be a very good idea to rely on anything in it.

Possibly something here answers your question. Possibly not. Your question is a bit confused, to be honest.

Calle Dybedahl
  • 5,228
  • 2
  • 18
  • 22
  • Hi Calle, thanks for answering my query. I didn't check earlier whether mydomain.com was a valid domain and so quoted it unknowingly. I have updated my query now with example.com. Thanks for informing me about that. To elaborate further, I am worried about this: if someone with malicious intent to hack my site uses the Google DNS service and creates his own DNS config where mywebsite.example.com --> 192.168.0.2, how will Google ensure that the DNS lookup for mywebsite.example.com still resolves to 192.168.0.1 (the one which I have set up, being the owner of the domain example.com) and not to 192.168.0.2? – ABJ Jan 10 '17 at 09:57
  • If you are the owner of `example.com` it's not possible for anyone else to create or modify `mywebsite.example.com` without your consent. If you're letting Google handle the domain for you, it's up to Google's access control systems to prevent their other customers from modifying your data. – Calle Dybedahl Jan 10 '17 at 10:46
  • Yes Calle, no one will be able to create mywebsite.example.com without my consent, but someone can set up a DNS A record to point mywebsite.example.com to a different IP address and re-route the traffic to steal the user information. I am looking for an answer to how Google or my domain registrar will be able to avoid this and ensure that the users are directed to the IP address configured by the domain owner and not by any impersonator? – ABJ Jan 11 '17 at 03:16
  • Create _or modify_. I'm sorry, I have no idea how to put this more simply. Whoever controls the zone can add, change or remove records. Nobody else can. If you want to know exactly why, read up on how DNS works. – Calle Dybedahl Jan 11 '17 at 06:13
  • Not sure why you have voted down my question. But it seems I can create 2 A records for a host URL, pointing to 2 different IP addresses, under two different zones. And Google doesn't put any restriction on it. – ABJ Jan 19 '17 at 03:18
0

I believe the key here is the difference between a 'Registrar' and a DNS. At the Registrar you set the DNS to be publicly used on the rest of the internet for your domain. You can do this only when you are the owner of that domain. DNS is the translator from a domain name to an IP.

Taking these concepts into account, you can have two situations:

1) You are a domain owner: You will have your domain set up at the 'Registrar' and your site will be accessible from the internet. If you use it on a Cloud DNS zone you will also be able to use all the provided features. No one but the owner itself will be able to modify that information to redirect traffic to another IP.

2) You are not the domain owner: You can configure zones using domains that might be owned by another person, but they will not be publicly accessible by domain name; these zones will only work on an internal basis.

Every Cloud DNS resource lives within a Google Cloud Platform project; therefore the possible overlapping of domains is controlled internally by Google Cloud on a project-permission basis, meaning that even if someone has a zone using a domain exactly like yours, they won't be able to modify it as they don't have access to your project, and if you are the domain owner the traffic will only go to the name servers (not Cloud DNS) defined at the Registrar, which will redirect the requests to the right IP.

Watacroft
  • 322
  • 2
  • 11
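Both answers come down to the same mechanism: a public resolver never "searches" for a zone called example.com, it follows the NS delegation published by the parent zone (.com), and that delegation is what the domain owner sets at the registrar. A second zone with the same name in another project simply has nothing pointing at it. The toy resolver below, an added example rather than code from the question or either answer, models exactly that: two zones both named example.com., one delegated and one not, and an iterative lookup from the root that only ever reaches the delegated one. All zone contents, name-server names and addresses are constructed for illustration (192.0.2.0/24 is a documentation range, and the googledomains.com server names are placeholders); the helper names `query`, `resolve` and `delegation_matches` are this example's own.

```python
"""Toy model of DNS delegation: same zone name in two projects, only one reachable.

Added example, not from the original post.  Zone data, server names and
addresses are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Zone:
    apex: str        # zone name, e.g. "example.com."
    records: dict    # (owner name, type) -> [rdata, ...]


# Delegation chain a public resolver follows: root -> .com -> example.com.
ROOT = Zone(".", {
    ("com.", "NS"): ["a.gtld-servers.net."],
    ("a.gtld-servers.net.", "A"): ["192.0.2.2"],                 # glue
})
COM = Zone("com.", {
    # What the registrar published for example.com: the owner's name servers.
    ("example.com.", "NS"): ["ns-cloud-a1.googledomains.com."],
    ("ns-cloud-a1.googledomains.com.", "A"): ["192.0.2.10"],    # glue
})
# The owner's Cloud DNS zone (project A): the one .com delegates to.
OWNER_ZONE = Zone("example.com.", {
    ("example.com.", "NS"): ["ns-cloud-a1.googledomains.com."],
    ("mywebsite.example.com.", "A"): ["192.168.0.1"],
})
# A zone with the same name in someone else's project (project B).  It gets
# different name servers, and nothing in .com points at them.
OTHER_ZONE = Zone("example.com.", {
    ("example.com.", "NS"): ["ns-cloud-b1.googledomains.com."],
    ("mywebsite.example.com.", "A"): ["192.168.0.2"],
})

# Which authoritative server (by constructed IP) serves which zone.
SERVERS = {
    "192.0.2.1": ROOT,
    "192.0.2.2": COM,
    "192.0.2.10": OWNER_ZONE,
    "192.0.2.20": OTHER_ZONE,
}
ROOT_HINT = "192.0.2.1"


def query(server_ip, name, rtype):
    """One authoritative query: ('answer', rdata, None), ('referral', ns_names, glue)
    or ('nxdomain', [], None)."""
    zone = SERVERS[server_ip]
    if (name, rtype) in zone.records:
        return "answer", zone.records[(name, rtype)], None
    # Closest delegation below the apex that encloses the queried name.
    best = None
    for (owner, t), ns in zone.records.items():
        if t == "NS" and owner != zone.apex and name.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, ns)
    if best is None:
        return "nxdomain", [], None
    ns_names = best[1]
    glue = {n: zone.records.get((n, "A"), []) for n in ns_names}
    return "referral", ns_names, glue


def resolve(name, rtype, start_ip=ROOT_HINT, max_hops=10):
    """Iterative resolution from the root.  Returns (rdata, [servers visited])."""
    path, server = [], start_ip
    for _ in range(max_hops):
        path.append(server)
        kind, data, glue = query(server, name, rtype)
        if kind == "answer":
            return data, path
        if kind == "nxdomain":
            return [], path
        # Follow the first delegated name server we have glue for; without glue,
        # resolve the server's own address first.
        next_ip = next((glue[n][0] for n in data if glue.get(n)), None)
        if next_ip is None:
            addrs, _ = resolve(data[0], "A")
            if not addrs:
                return [], path
            next_ip = addrs[0]
        server = next_ip
    raise RuntimeError("too many referrals")


def delegation_matches(parent_ip, zone):
    """Practitioner's check: does the parent zone delegate to THIS zone's servers?"""
    kind, ns, _ = query(parent_ip, zone.apex, "NS")
    return kind == "answer" and set(ns) == set(zone.records[(zone.apex, "NS")])


if __name__ == "__main__":
    addrs, path = resolve("mywebsite.example.com.", "A")
    print("public lookup:", addrs, "via", " -> ".join(path))
    print("project B's server, asked directly:",
          query("192.0.2.20", "mywebsite.example.com.", "A")[1])
    print("owner zone delegated:", delegation_matches("192.0.2.2", OWNER_ZONE))
    print("other zone delegated:", delegation_matches("192.0.2.2", OTHER_ZONE))
```

The public lookup returns 192.168.0.1 and never touches 192.0.2.20, even though that server would happily answer 192.168.0.2 if asked directly; the other project's zone only matters to clients explicitly pointed at it. `delegation_matches` is the check worth running against a real zone too: compare the NS set the parent actually publishes for your domain with the name servers assigned to the zone you manage, and if they differ, the zone you are editing is not the one the internet sees.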