Using Linode's DNS Manager

I'm using Linode's DNS manager, mainly because I think it's cool how it's integrated into the Linode iPhone app. After I set the authoritative name servers from my registrar to Linode's DNS servers, and logged into the Linode DNS manager, I noticed there was no prompt of any sort to ensure that the domain I was listing with Linode's DNS servers was actually mine.

So in other words, after I pointed mydomain.com to Linode's DNS servers, Linode's DNS manager just let me point mydomain.com to my Linode server ip.

What would prevent a person from taking control of someone else's domain whose NS is set to linode? In other words, couldn't some person set notmydomain.com, if the NS was set to Linode's DNS servers, to point to their own ip?

Thanks.

7 Replies

@changstrom:

> In other words, couldn't some person set notmydomain.com, if the NS was set to Linode's DNS servers, to point to their own ip?

Yes. But only if the owner of notmydomain.com hadn't already created a zone in the Linode DNS Manager, which would be fairly silly. You can create any domain you want in the Linode DNS Manager as long as it isn't already in there. I'm not encouraging you to, just pointing out that you can. We can't verify ownership of a domain in any consistent way, as that doesn't scale and there's a billion cases where it wouldn't work.

If someone were to add jedsmith.org to, say, ZoneEdit or some other DNS provider, they could certainly add it and populate it with records – however, when someone types "jedsmith.org" in their browser, the domain name system (and my registrar) says who is really the guy to ask about jedsmith.org. You could still get the bad records if you used dig to ask directly, but not in the general case. Were I ever to sign up with ZoneEdit, I would have to file a ticket with them and prove ownership before I could use their service, I guess.

So, ns1.linode.com is probably authoritative for all kinds of domains that aren't pointed at it, either through the passage of time (and people forgetting to delete zones when they move the domain) or genuine malice, which would be pretty pointless in the grand scheme.

If a domain is pointed at ns1.linode.com and friends, a responsible domain operator should have the zone populated beforehand. If someone has created your domain in our system already, before you point the domain at our nameservers file a ticket and we'll look into it. It's all in where the domain is pointed, and you cannot create duplicate zones in the Linode Manager (which is what I think you might be getting at).
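A way to check the point made in the reply above, that the zone should already exist on every nameserver a domain is delegated to. This is an added example, not part of the thread and not Linode's tooling; the `provider.example` nameserver names and the sample response headers are constructed, and it assumes a server holding no zone for the name answers without the AA bit (typically REFUSED or SERVFAIL).

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_soa_query(domain, txid=0x1234):
    """Encode a non-recursive SOA query (RD=0) for domain."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify_response(packet):
    """Return (status, rcode_name) from the header of a DNS response."""
    if len(packet) < 12:
        return "lame", "TRUNCATED"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    rcode = RCODES.get(flags & 0x000F, "OTHER")
    authoritative = bool(flags & 0x0400)  # AA bit: server holds the zone
    if rcode == "NOERROR" and authoritative and ancount > 0:
        return "serving", rcode
    return "lame", rcode

def probe(nameserver_ip, domain, timeout=3.0):
    """Live check: ask one delegated nameserver directly over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(domain), (nameserver_ip, 53))
        return classify_response(s.recvfrom(512)[0])

def audit(results):
    """results: {nameserver: (status, rcode)} -> nameservers not serving the zone."""
    return sorted(ns for ns, (status, _) in results.items() if status != "serving")

# Constructed sample response headers (not captured traffic):
# QR=1, AA=1, RCODE=0, one answer -> the zone exists on this server.
SERVING = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
# QR=1, AA=0, RCODE=5 (REFUSED) -> delegated here, but no zone was created.
NO_ZONE = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)

if __name__ == "__main__":
    sample = {"ns1.provider.example": classify_response(SERVING),
              "ns2.provider.example": classify_response(NO_ZONE)}
    print(audit(sample))  # nameservers to fix before or after changing NS
```

Run `probe()` against each nameserver listed at your registrar for your own domain; any server reported as lame is one where the zone still has to be created.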

I had prepared a post about how I wasn't really sure what your reply meant, and then I noticed you had edited it, haha. Makes perfect sense now that you mention that a duplicate entry cannot be made. Thanks for the quick response.

Pretty much I can see two problem cases:

1) A client points their resolv.conf directly to ns#.linode.com. As I understand it, this is a misconfiguration (the linode nameservers aren't recursive so anyone doing this won't get good information!) so isn't worth considering.

2) Someone adds myowndomain.com before I add it myself, thus preventing me from using linode DNS manager. In this case, as Jed says, it can be worked out by raising a trouble ticket and chatting with linode staff.

So, in practical day-to-day usage of DNS there's no real problem. #2 may be a problem, but until linode staff get enough tickets that it becomes worth their while (or until someone gets bored enough to work out a better implementation… never deny the power of a bored geek ;-)) the "raise a ticket" solution works.

Yes, situation 2 was what I was concerned about, but Jed's post clears that up. :)

@changstrom:

> I had prepared a post about how I wasn't really sure what your reply meant, and then I noticed you had edited it, haha. Makes perfect sense now that you mention that a duplicate entry cannot be made. Thanks for the quick response.

Yeah, I answered from a different vein initially because I read your question differently. Sorry about that.

@sweh:

> 1) A client points their resolv.conf directly to ns#.linode.com. As I understand it, this is a misconfiguration (the linode nameservers aren't recursive so anyone doing this won't get good information!) so isn't worth considering.

Hey, you could resolve anything Linode is authoritative for. The ultimate Linode walled garden?

@jed:

> Hey, you could resolve anything Linode is authoritative for. The ultimate Linode walled garden?

Hush now; you'll give Apple ideas… iPhoneOS 4 only using Apple DNS servers and proxies…

@sweh:

> @jed:
>
> > Hey, you could resolve anything Linode is authoritative for. The ultimate Linode walled garden?
>
> Hush now; you'll give Apple ideas… iPhoneOS 4 only using Apple DNS servers and proxies…

$formerdayjob did that when I worked there, except they did it to prevent you from browsing when you hadn't paid (everything resolved to "lol you're overdue!"). That didn't last as a viable solution, partly due to my incredible talent at changing the resolver in Windows for a stunned management.
