Linode Forum
https://forum.linode.com/

Using Linode's DNS Manager
https://forum.linode.com/viewtopic.php?f=19&t=5571

Author:  changstrom [ Tue May 11, 2010 6:55 pm ]
Post subject:  Using Linode's DNS Manager

I'm using Linode's DNS manager, mainly because I think it's cool how it's integrated into the Linode iPhone app. After I set the authoritative name servers from my registrar to Linode's DNS servers, and logged into the Linode DNS manager, I noticed there was no prompt of any sort to ensure that the domain I was listing with Linode's DNS servers was actually mine.

So in other words, after I pointed mydomain.com to Linode's DNS servers, Linode's DNS manager just let me point mydomain.com to my Linode server IP.

What would prevent a person from taking control of someone else's domain whose NS is set to Linode? In other words, couldn't some person set notmydomain.com, if the NS was set to Linode's DNS servers, to point to their own IP?

Thanks.

Author:  jed [ Tue May 11, 2010 7:10 pm ]
Post subject: 

changstrom wrote:
In other words, couldn't some person set notmydomain.com, if the NS was set to Linode's DNS servers, to point to their own ip?

Yes. But only if the owner of notmydomain.com hadn't already created a zone in the Linode DNS Manager, which would be fairly silly. You can create any domain you want in the Linode DNS Manager as long as it isn't already in there. I'm not encouraging you to, just pointing out that you can. We can't verify ownership of a domain in any consistent way, as that doesn't scale and there are a billion cases where it wouldn't work.

If someone were to add jedsmith.org to, say, ZoneEdit or some other DNS provider, they could certainly add it and populate it with records -- however, when someone types "jedsmith.org" in their browser, the domain name system (and my registrar) says who is really the guy to ask about jedsmith.org. You could still get the bad records if you used dig to ask directly, but not in the general case. Were I ever to sign up with ZoneEdit, I would have to file a ticket with them and prove ownership before I could use their service, I guess.

So, ns1.linode.com is probably authoritative for all kinds of domains that aren't pointed at it, either through the passage of time (and people forgetting to delete zones when they move the domain) or genuine malice, which would be pretty pointless in the grand scheme.

If a domain is pointed at ns1.linode.com and friends, a responsible domain operator should have the zone populated beforehand. If someone has created your domain in our system already, before you point the domain at our nameservers, file a ticket and we'll look into it. It's all in where the domain is pointed, and you cannot create duplicate zones in the Linode Manager (which is what I think you might be getting at).

Author:  changstrom [ Tue May 11, 2010 7:35 pm ]
Post subject: 

I had prepared a post about how I wasn't really sure what your reply meant, and then I noticed you had edited it, haha. Makes perfect sense now that you mention that a duplicate entry cannot be made. Thanks for the quick response.

Author:  sweh [ Tue May 11, 2010 7:36 pm ]
Post subject: 

Pretty much I can see two problem cases:

1) A client points their resolv.conf directly to ns#.linode.com. As I understand it, this is a misconfiguration (the linode nameservers aren't recursive so anyone doing this won't get good information!) so isn't worth considering.

2) Someone adds myowndomain.com before I add it myself, thus preventing me from using linode DNS manager. In this case, as Jed says, it can be worked out by raising a trouble ticket and chatting with linode staff.

So, in practical day-to-day usage of DNS there's no real problem. #2 may be a problem, but until linode staff get enough tickets that it becomes worth their while (or until someone gets bored enough to work out a better implementation... never deny the power of a bored geek ;-)) the "raise a ticket" solution works.
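
The two points made above (jed's: the registrar's delegation, not the provider's zone list, decides who answers for a name, so squatted records only show up if you ask that server directly; sweh's: an authoritative-only server pointed to from resolv.conf gives no useful answers for anything it does not host) can be made concrete with a small model. The following is an added example, not code from the thread or from Linode: it builds a toy DNS tree with constructed names and addresses, with ns1.provider.example standing in for a hosting provider's nameserver, and shows iterative resolution ignoring a zone the parent never delegated to that provider, a direct query exposing it, a non-recursive server refusing a foreign name, and the "no duplicate zones" rule blocking a second copy of a name.

```python
"""Toy model of DNS delegation: a zone created at a provider that the parent
zone does not delegate to is never reached by normal resolution, but is
visible if you query that provider's server directly.

All names, addresses and servers are constructed sample data;
ns1.provider.example stands in for a hosting provider's authoritative
nameserver. Illustrative code, not Linode's software."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RRKey = Tuple[str, str]          # (owner name, record type)


def in_zone(qname: str, zone: str) -> bool:
    """True if qname lies at or below the apex of `zone` ('.' is the root)."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


@dataclass
class AuthServer:
    """Authoritative-only nameserver: answers for zones it hosts, refers
    queries downward across delegations it knows, refuses anything else.
    It never recurses, which is why pointing resolv.conf at it is useless."""
    name: str
    zones: Dict[str, Dict[RRKey, str]] = field(default_factory=dict)
    delegations: Dict[str, List[str]] = field(default_factory=dict)

    def create_zone(self, zone: str, records: Dict[RRKey, str]) -> None:
        # Models the "no duplicate zones" rule from the thread: whoever
        # creates a zone name first holds that slot on this server.
        if zone in self.zones:
            raise ValueError(f"{zone} already exists on {self.name}")
        self.zones[zone] = dict(records)

    def query(self, qname: str, qtype: str) -> Tuple[str, Optional[object]]:
        # A delegation (zone cut) is more specific than the enclosing zone,
        # so referrals are checked before local answers.
        for child, nss in self.delegations.items():
            if in_zone(qname, child):
                return "referral", nss
        for zone, rrs in self.zones.items():
            if in_zone(qname, zone):
                rdata = rrs.get((qname, qtype))
                return ("answer", rdata) if rdata else ("nxdomain", None)
        return "refused", None        # not ours, and we do not recurse


def resolve(qname: str, qtype: str, root: AuthServer,
            glue: Dict[str, AuthServer], max_hops: int = 8):
    """Iterative resolution from the root, following referrals.
    `glue` maps NS hostnames to server objects (stands in for glue records)."""
    server = root
    for _ in range(max_hops):
        kind, data = server.query(qname, qtype)
        if kind != "referral":
            return kind, data
        server = glue[data[0]]       # follow the first listed nameserver
    raise RuntimeError("too many referrals")


def build_world():
    """Constructed sample: root -> .com -> two registrants. victim.com is
    delegated to its owner's own server; customer.com is delegated to the
    provider. The provider also holds a copy of victim.com that nobody
    delegated to it (the case the thread discusses)."""
    root = AuthServer("root", {".": {}}, {"com": ["a.gtld.example"]})
    gtld = AuthServer("a.gtld.example", {"com": {}},
                      {"victim.com": ["ns.victim-real.example"],
                       "customer.com": ["ns1.provider.example"]})
    victim_real = AuthServer("ns.victim-real.example")
    victim_real.create_zone("victim.com", {("victim.com", "A"): "192.0.2.10"})
    provider = AuthServer("ns1.provider.example")
    provider.create_zone("customer.com", {("customer.com", "A"): "203.0.113.5"})
    provider.create_zone("victim.com", {("victim.com", "A"): "198.51.100.66"})
    glue = {s.name: s for s in (root, gtld, victim_real, provider)}
    return root, glue, provider


if __name__ == "__main__":
    root, glue, provider = build_world()
    # Normal resolution follows the registrar's delegation; the undelegated copy is never consulted.
    print(resolve("victim.com", "A", root, glue))
    # Asking the provider directly (dig @ns1...) does return the undelegated records.
    print(provider.query("victim.com", "A"))
    # A non-recursive server refuses names it neither hosts nor delegates.
    print(provider.query("example.net", "A"))
    # The slot is taken: the real owner cannot create victim.com here now (hence the ticket).
    try:
        provider.create_zone("victim.com", {})
    except ValueError as err:
        print("blocked:", err)
```

The real-world equivalent of the first check is comparing the NS set the parent zone returns for your domain with the provider's nameservers before you change delegation; the `create_zone` failure is the point at which, per the thread, a ticket to the provider is the remedy.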

Author:  changstrom [ Tue May 11, 2010 7:41 pm ]
Post subject: 

Yes, situation 2 was what I was concerned about, but Jed's post clears that up. :)

Author:  jed [ Tue May 11, 2010 7:43 pm ]
Post subject: 

changstrom wrote:
I had prepared a post about how I wasn't really sure what your reply meant, and then I noticed you had edited it, haha. Makes perfect sense now that you mention that a duplicate entry cannot be made. Thanks for the quick response.

Yeah, I answered from a different vein initially because I read your question differently. Sorry about that.

sweh wrote:
1) A client points their resolv.conf directly to ns#.linode.com. As I understand it, this is a misconfiguration (the linode nameservers aren't recursive so anyone doing this won't get good information!) so isn't worth considering.

Hey, you could resolve anything Linode is authoritative for. The ultimate Linode walled garden?

Author:  sweh [ Tue May 11, 2010 7:45 pm ]
Post subject: 

jed wrote:
Hey, you could resolve anything Linode is authoritative for. The ultimate Linode walled garden?

Hush now; you'll give Apple ideas... iPhoneOS 4 only using Apple DNS servers and proxies...

Author:  jed [ Tue May 11, 2010 7:55 pm ]
Post subject: 

sweh wrote:
jed wrote:
Hey, you could resolve anything Linode is authoritative for. The ultimate Linode walled garden?

Hush now; you'll give Apple ideas... iPhoneOS 4 only using Apple DNS servers and proxies...

$formerdayjob did that when I worked there, except they did it to prevent you from browsing when you hadn't paid (everything resolved to "lol you're overdue!"). That didn't last as a viable solution, partly due to my incredible talent at changing the resolver in Windows for a stunned management.
