What's to stop someone from setting an A record for my domain?

I am probably completely wrong, but what seems to be the standard way to point a domain to a site is very insecure.

Say your domain is registered with Company A and your site is hosted through Company B.

The steps to set it all up are usually:

  • Login to Company A and set the DNS record for my-domain.com to point to ns1.company-b.com and ns2.company-b.com
  • Login to Company B and add my-domain.com to your account and set up an A record.

But how does Company B know that you are authorized to set up an A record? Just because the domain is using their DNS server? Isn't it possible that someone else who is a customer of Company B is really the owner of the domain and they are the ones that pointed it to Company B's DNS servers -- And since you are also a customer of Company B you can just hijack the domain?

This may not be possible; if so, what is preventing something like this from happening?


Solution 1:

In theory, you are correct. In practice, this isn't really a security issue because you have control over what the domain uses as authoritative name servers. So, say I have set up records for your domain at Company B. You go to set up records and their interface won't allow you to (because a DNS server can't have multiple zone files active for the same domain), or you notice records are already set up. You immediately go to Company A again and set your authoritative name servers to point somewhere else, then you talk to Company B. Company B knows you are the one who owns the domain, not the other customer, because A) your information is in the WHOIS database associated with the domain and B) you can demonstrate control over the domain via setting the authoritative name servers. Likely, they then proceed to suspend the other customer for their nefarious deeds.

This isn't something you should spend a lot of time worrying about.

Solution 2:

You should do the steps in the other order. Set things up at Company B and confirm that you have added the domain to your account before you point the nameservers over. That way, the attack window is zero. But even if you don't do that, it's still a very narrow window and easily solved by calling Company B (or just pointing the nameservers away).
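
The "confirm before you point the nameservers over" step from Solution 2 can be turned into a pre-delegation check. The following is an added example, not code from any of the posters: it decides whether it is safe to switch delegation based on what each of Company B's nameservers returns when queried directly with recursion disabled (for instance with `dig +norecurse @ns1.company-b.com my-domain.com A`). The function names, the response tuples and the IP addresses are assumptions constructed for illustration.

```python
# Constructed sample data: the answer each Company B nameserver gave when asked
# directly (no recursion) for the A record of my-domain.com.
# Each value is (rcode, authoritative_answer_flag, set_of_A_records).
SAMPLE_READY = {
    "ns1.company-b.com": ("NOERROR", True, {"203.0.113.10"}),
    "ns2.company-b.com": ("NOERROR", True, {"203.0.113.10"}),
}
SAMPLE_FOREIGN_ZONE = {  # a zone for the domain exists, but not with our data
    "ns1.company-b.com": ("NOERROR", True, {"198.51.100.77"}),
    "ns2.company-b.com": ("NOERROR", True, {"198.51.100.77"}),
}
SAMPLE_NOT_LOADED = {    # the zone has not reached every server yet
    "ns1.company-b.com": ("REFUSED", False, set()),
    "ns2.company-b.com": ("NOERROR", True, {"203.0.113.10"}),
}


def classify(response, expected):
    """Compare one nameserver's direct answer with the records we configured."""
    rcode, authoritative, records = response
    if rcode != "NOERROR" or not authoritative:
        return "not_served"   # this server does not host the zone (yet)
    if records == expected:
        return "match"        # serves exactly what we set up in our account
    return "mismatch"         # zone is served, but its data differs from ours


def safe_to_delegate(responses, expected):
    """Return (ok, per-server states); ok only if every server serves our records."""
    states = {ns: classify(resp, expected) for ns, resp in responses.items()}
    ok = bool(states) and all(state == "match" for state in states.values())
    return ok, states


if __name__ == "__main__":
    expected = {"203.0.113.10"}  # constructed: the A record added at Company B
    for label, sample in [("ready", SAMPLE_READY),
                          ("foreign zone", SAMPLE_FOREIGN_ZONE),
                          ("not loaded", SAMPLE_NOT_LOADED)]:
        ok, states = safe_to_delegate(sample, expected)
        print(f"{label}: change nameservers at Company A = {ok} {states}")
```

A `mismatch` result before you have delegated is the situation the question describes: a zone for the domain is already being served from an account whose data is not yours, which is the point to contact Company B rather than switch the nameservers.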