How do name servers ensure that the server claiming to host a domain is actually operated by that domain?

Question

I recently started using linode to host my site. Prior to using linode, I normally used hosting offered by my domain registrar. In those cases, i thought I understood how DNS worked, because the registrar automatically updated your DNS records to point to the server hosing the site.

When following linodes guide, to setting up a website: https://www.linode.com/docs/websites/hosting-a-website

Their instructions tell you to set the DNS servers as:

ns1.linode.com ns2.linode.com ns3.linode.com ...

But the point I am making is, that ANYONE can open an account on linode, and fill in the same DNS settings! So now anyone trying to access your website, could be directed to someone else who wants to pretend to be your site!

Am I correct in understanding how DNS works ? I know that the only way to ensure (from a visitors perspective) that a site being visited is actually the domain intended is to install a certificate (https) etc. But based on the above instructions, it seems almost trivial to pretend to be someone else, if they also use linode.

Answer 1

So what? Someone may use the same DNS servers. But they can't register for the same domain. Once you have registered for example.org, you own that domain and nobody else will be able to register for it.

---

You have registered for example.org and use the following DNS configuration at Linode:

Domain             | Nameserver
-------------------+---------------------
example.org        | ns1.linode.com
example.org        | ns2.linode.com
...                | ...

An "evil hacker" may have registered evil-hacker.com and uses this configuration:

Domain             | Nameserver
-------------------+----------------------
evil-hacker.com    | ns1.linode.com
evil-hacker.com    | ns2.linode.com
...                | ...
example.org        | ns1.linode.com  << Those are the lines that bug you, right?
example.org        | ns2.linode.com

For simplicity's sake let's say that the IP of your site is 1.1.1.1 and the IP of the evil hacker's site is 2.2.2.2. You are worried that because the "hacker" used the same DNS configuration, your site example.org might resolve to 2.2.2.2, right?

This is what happens, when I try to resolve example.org:

1. I connect to the DNS root servers to find out which nameserver is responsible for the org top-level domain.
2. I connect to the nameserver of the org top-level domain and ask it for the IP address of example.org. The org nameserver is managed by your domain registrar. It will look up the information you entered and tells me look at one of the linode nameservers.
3. I connect to ns1.linode.com and ask it for the IP address of example.org. Linode knows which IP your site has and answers me with 1.1.1.1.

In the above process, I will never see evil-hacker.com or 2.2.2.2. Since our evil hacker (hopefully) can't control the DNS root servers, the nameserver of the org top-level domain or the Linode nameservers, all DNS requests for your site will be answered by "trusted" name servers.

However, a hacker might intercept DNS traffic from my particular machine. He might install malware that always resolves example.org to his IP address 2.2.2.2 (e.g. /etc/hosts) or compromise my network router. So using an SSL certificate for your site is still a good idea :).

Answer 2

I am not an expert on DNS so my answer may be mistaken, but I had the same question so looked into this.

I think your understanding is correct, and this seems to be a problem but apparently it happens rarely in practice so hosting providers (including Linode) aren't doing anything about it.

Here is Ryan Quinn from DigitalOcean (another hosting company that has this problem) answering a similar question:

A domain can only exist on one account so any user attempting to add it would not be able to. Cases where a domain already exists or is hijacked are extremely rare (I've seen 3 cases in 2+ years and in each case it was a former owner of the domain who still had records in place). In these rare cases the user can open a support ticket where we will verify the domain whois information against their billing details to verify ownership.

Here is a question on Information Security Stack Exchange that asks the same thing.

In the case of DigitalOcean, I found a post (HackerNews discussion) of someone describing how they took over around 20,000 inactive domain names that pointed to DigitalOcean's nameservers. I haven't found anything similar for Linode, although I imagine basically the same attack is possible (2020 Update: This actually recently happened to someone I know, where their website got taken over by a spammer after they took down their Linode without changing the DNS settings to stop pointing to Linode).

Amazon Route 53 seems to use randomly generated nameservers (rather than Linode/DigitalOcean's constant ns1.linode.com etc.) to make this attack highly unlikely to succeed.

Apparently some other services (Google Apps?) "verify domain ownership by requiring the domain owner to add a TXT record to their domain with a special code."