Whats to stop someone from setting an A record for my domain?

security domain-name-system

I am probably completely wrong but what seems as the standard way to point a domain to a site is very insecure.

Say your domain is regestered with Company A and your site is hosted through Company B.

The steps to set it all up are usually:

  • Login to Company A and set the DNS record for my-domain.com to point to ns1.company-b.com and ns2.company-b.com
  • Login to Company B and add my-domain.com to your account and set up an A record.

But how does Company B know that you are authorized to set up an A record? Just because the domain is using their DNS server? Isn't it possible that someone else who is a customer of Company B is really the owner of the domain and they are the ones that pointed it to Company B's DNS servers -- And since you are also a customer of Company B you can just hijack the domain?

This may not be possible, if so, what is preventing something like this from happening?


Solution 1:

In theory, you are correct. In practice, this isn't really a security issue because you have control over what the domain uses as authoritative name servers. So, say I have set up records for your domain at Company B. You go to set up records and their interface won't allow you to (because a DNS server can't have multiple zone files active for the same domain), or you notice records are already set up. You immediately go to company A again and set your authoritative name servers to point somewhere else, then you talk to company B. Company B knows you are the one who owns the domain, not the other customer, because A) your information is in the WHOIS database associated with the domain and B) you can demonstrate control over the domain via setting the authoritative name servers. Likely, they then proceed to suspend the other customer for their nefarious deeds.

This isn't something you should spend a lot of time worrying about.

Solution 2:

You should do the steps in the other order. Set things up at company B and confirm that you have added the domain to your account before you point the nameservers over. That way, the attack window is zero. But even if you don't do that, it's still a very narrow window and easily solved by calling company B (or just pointing the nameservers away).

Related

Is there a way to completely disable outbound opportunistic TLS support in SendMail?
How to configure bind9 to be a local DNS only with no internet access?
File Permissions created by Apache
Purpose of the x509 certificate in metadata files on the IdP side (SSO structure)
If account is disabled while logged in can it remain logged in?
ssmtp - Mail command not found
Does adding more drives to a RAID 10 Array increase performance?
Could SpinRite possibly be messing up my laptop hard drives?
Mount shared folder (vbox) as another user
Sorting large binary files
Rsync Remote to Remote [duplicate]
Storage Architecture