Can someone using the same DNS server as me hijack my domains?

Solution 1:

Never you mind the comments section below, and never you mind the previous answers in the edit history. After about an hour of some conversation with friends (thank you @joeQwerty, @Iain, and @JourneymanGeek), and some jovial hacking around we got to the bottom of both your question and the situation on the whole. Sorry for brusqueness and misunderstanding the situation completely at first.

Let's step through the process:

  1. You buy wesleyisaderp.com at, let's say, NameCheap.com.
  2. Namecheap as your registrar will be where you populate your NS records. Let's say you actually want to host the DNS zone on Digital Ocean.
  3. You point your shiny new domain's NS records to ns1.digitalocean.com and ns2.digitalocean.com.
  4. However, let's say I was able to determine that you had registered that domain, and furthermore that you had changed your NS records to Digital Ocean's. Then I beat you to a Digital Ocean account and added the zone wesleyisaderp.com to my own.
  5. You try to add the zone in *your* account but Digital Ocean says that the zone already exists in their system! Oh noes!
  6. I CNAME wesleyisaderp.com to wesleyisbetterthanyou.com.
  7. Hilarity ensues.

Some friends and I just played this exact scenario out, and yes it works. If @JoeQwerty buys a domain and points it to the Digital Ocean nameservers, but I already had that zone added to my account, then I am the zone master and can do with it what I want.

However, consider that someone would have to first add the zone to their DNS account, and then you'd have to point your NS records to the name servers of that same host for anything nefarious to happen. Furthermore, as the domain owner, you can switch NS records any time you want and move the resolution away from the bad zone host.

The likelihood of this happening is a bit low to say the least. It is said that, statistically, you can shuffle a deck of 52 playing cards and get an ordering that no other human has ever gotten, and no other human ever will. I think the same reasoning exists here. The likelihood of someone exploiting this is so very low, and there are better shortcuts in existence, that it probably won't happen in the wild by accident.

Furthermore, if you own a domain at a registrar and someone happens to have made a zone on a provider like Digital Ocean that you collide with, I'm sure if you provide proof of ownership, they'd ask the person who made the zone in their account to remove it since there's no reason for it to exist as they're not the domain name owner.

But what about A records?

The first person to have a zone on, for instance, Digital Ocean will be the one that controls it. You cannot have multiple identical zones on the same DNS infrastructure. So for example, using the silly names above, if I have wesleyisaderp.com as a zone on Digital Ocean, no one else on Digital Ocean's DNS infrastructure can add it to their account.

Here's the fun part: I actually really have added wesleyisaderp.com to my Digital Ocean account! Go ahead and try to add it into yours. It won't hurt anything.

So as a result, you can't add an A record to wesleyisaderp.com. It's all mine.

But what about...

As @Iain pointed out below, my point #4 above is actually too verbose. I don't have to wait or plot or scheme at all. I can just make thousands of zones in an account and then sit back and wait. Technically. If I make thousands of domains, and then wait for them to get registered, and then hope they use the DNS hosts that I've set my zones on... maybe I can do something kinda bad? Maybe? But probably not?

Apologies to Digital Ocean & NameCheap

Note that Digital Ocean and NameCheap are not unique, and have nothing to do with this scenario. This is normal behavior. They are blameless on all fronts. I just used them since that was the example given, and they're very well known brands.

Solution 2:

In addition to Wesley's excellent answer, I'd like to add that there is already a solution to prevent this. It's called DNSSEC.

The basics are this:

  • You register your domain (I'll go with the eminent name wesleyisaderp.com here, just because.)
  • You register your name servers with your registrar, usually via a web interface that you authenticate to with a username/password combo.
  • You also create a public/private key pair, and you upload your public key to your registrar in the form of a DNSKEY record. (That is how the registrar can set up the chain of trust to the root servers for the top level domain - in this case, the root servers for .com.) Again, you upload this when you're logged in with your own username/password combo, so it is connected to your domain(s) and not to someone else's.
  • You go to the nameserver, you enter your records and you sign the resulting zone file with your private key. Or, if you've got a web interface to your DNS hosting service, you upload the private key to them so they can sign the zone file for you.
  • When Wesley so rudely tries to hijack your domain and CNAME it to wesleyisbetterthanyou.com, his records won't be accepted by the .com root domain servers because they aren't signed with the right key. If your DNS hosting provider is clever, they will check that right off the bat and won't even allow him to try to add records to that domain unless he's got the right private key.
  • When you enter your own records, they will be signed by the right key, so they will work.
  • You can now sit back and laugh at Wesley.

(In the original case, the one that Wesley describes, the main error would be that Digital Ocean did not verify ownership of a domain before allowing someone to set up DNS records for it. Unfortunately, they're not alone in this; I know of at least one Swedish registrar with the same issues.)


Solution 3:

You'll be fine so long as you claim ownership of the domain at DigitalOcean (i.e. associate it with your account) before you tell the registrar to use their name servers.

If someone has associated your domain with their account already you'll find out before the DigitalOcean nameservers become authoritative. And if that happens, talk to DigitalOcean about getting that person booted out of their account.

In line with best practice, {ns1,ns2,ns3}.DigitalOcean.com do not act as recursive resolvers for domains hosted elsewhere. If they did, and if servers hosted by DigitalOcean used those servers as general purpose resolvers, then there would be a much bigger problem. For all that this is well known to be bad practice, it's probably not that hard to find hosting providers who get it wrong, which opens up possibilities for abuse.
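A pre-flight check a domain owner can run before switching NS records, covering the collision scenario in Solution 1 and the "claim it at the provider first" advice in Solution 3. This is an added example, not code from any of the answers or from DigitalOcean: it asks each of the provider's nameservers directly for the domain's SOA and inspects the AA flag. The classification rules (AA set with NOERROR means someone already holds the zone there; REFUSED or SERVFAIL with AA clear means nobody has configured it) are assumptions about typical authoritative-server behaviour, and the replies asserted on in the test are constructed bytes.

```python
import secrets, socket, struct, sys

# Assumption: an authoritative server that does not host the zone answers
# REFUSED (5) or SERVFAIL (2) with the AA bit clear; one that does host it
# answers NOERROR (0) with AA set.
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(name: str, txid: int) -> bytes:
    """Encode a one-question DNS query for <name> SOA IN with RD=0, so the
    nameserver is asked as an authority, not as a recursive resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(resp: bytes, txid: int) -> str:
    """Classify a raw reply by its header bits:
    HELD        - AA=1, NOERROR: the zone already exists on that server
    PARENT_HELD - AA=1, NXDOMAIN: an enclosing zone exists there (subdomain case)
    FREE        - AA=0 with REFUSED/SERVFAIL/NXDOMAIN: nobody has configured it"""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch, ignoring reply")
    aa = bool(flags & 0x0400)
    rcode = flags & 0x000F
    if aa and rcode == 0:
        return "HELD"
    if aa and rcode == 3:
        return "PARENT_HELD"
    if not aa and rcode in (2, 3, 5):
        return "FREE"
    return "UNKNOWN(" + RCODE_NAMES.get(rcode, str(rcode)) + ", aa=" + str(int(aa)) + ")"

def check_zone_on_server(server: str, name: str, timeout: float = 3.0) -> str:
    """Send the SOA query to <server>:53 over UDP and classify the answer."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_soa_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(512)
    return classify_response(reply, txid)

if __name__ == "__main__":
    # usage: python zonecheck.py wesleyisaderp.com ns1.digitalocean.com ns2.digitalocean.com
    domain, servers = sys.argv[1], sys.argv[2:]
    for ns in servers:
        print(f"{ns}: {check_zone_on_server(ns, domain)}")
```

Run it against every nameserver the provider lists; if any reports HELD before you have added the zone to your own account, the zone is already claimed there and the NS change should wait until the provider has resolved it.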