How to verify ownership of a domain without DNS?

Hello.
I'm planning soon to release an experimental domain nameserver hosting.

However, since people will be able to upload arbitrary zone files (of course scoped to their own domain) i would like to verify that the domain they are adding zones for is indeed their own. Since the entire system is stateless, i cannot proceed through a "do x, then do y, then you're verified forever" process, but need something i can always check also to clean up in case of domain sale/transfer/deletion.

I was thinking hosting a the NS at *.ns1.foxo.me, then having people set their own NS to [base 64 of some pubkey].ns1.foxo.me, but that gives every domain an horrible nameserver and i am not 100% sure that wouldn't cause problems also considering this will differ from the @ IN NS ns1.foxo.me. record.

Another thing was to make DNSSEC mandatory, but i remember from the past this is a pain and many registrars don't have it implemented at all.

So, is this the only way?

«1

Comments

  • NeoonNeoon OGSenpai

    Either a text record if they have an existing DNS running or you send them a email to the email under whois with a key/token.

  • @Neoon said:
    Either a text record if they have an existing DNS running or you send them a email to the email under whois with a key/token.

    Do all gTLD registrars privacy/proxied email addresses in WHOIS always reach the domain owners real email address?

  • Use hosted file for verification.

  • something i can always check also to clean up in case of domain sale/transfer/deletion.

    This rules out any method based on email back-and-forth.

    Simplest way is maybe just do what cloudflare does.

    Koofr Cloud Storage: Lifetime Subscription (1TB) for $119.99 with coupon KOOFR40 [aff link]

  • TheDPTheDP OGSenpai

    @Joseph said: Do all gTLD registrars privacy/proxied email addresses in WHOIS always reach the domain owners real email address?

    It depends on how it's done, by the registrars, but it should.

    Some registrars (e.g., Namecheap) "masks" the email in WHOIS using their privacy protection service, which forwards all emails to the registrant's email address, and some registrars (e.g., Spaceship) have it like a form where you'll have to fill up who (registrant/tech/admin) you want to reach out to.

    "The imitator dooms himself to hopeless mediocrity." — Ralph Waldo Emerson

  • I'm not aware of any other DNS hosting provider requiring this kind of verification. If I subscribed to your service and uploaded a zone file for google.com, what would be the problem?

  • @quicksilver03 said:
    I'm not aware of any other DNS hosting provider requiring this kind of verification. If I subscribed to your service and uploaded a zone file for google.com, what would be the problem?

    Somebody else uploads a zone for Google.com and the nameservers will happily serve it

  • skorousskorous OGSenpai

    @foxone said:

    @quicksilver03 said:
    I'm not aware of any other DNS hosting provider requiring this kind of verification. If I subscribed to your service and uploaded a zone file for google.com, what would be the problem?

    Somebody else uploads a zone for Google.com and the nameservers will happily serve it

    But since you're not authoritative for that zone nobody should ever ask you, should they?

    Thanked by (1)quicksilver03
  • NeoonNeoon OGSenpai

    @foxone said:

    @quicksilver03 said:
    I'm not aware of any other DNS hosting provider requiring this kind of verification. If I subscribed to your service and uploaded a zone file for google.com, what would be the problem?

    Somebody else uploads a zone for Google.com and the nameservers will happily serve it

    Nobody is gonna ask your nameservers and you could do the same that CF does.
    If the nameservers are not longer pointing to yours, you disable the zone.

    Thanked by (1)quicksilver03
  • Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.

    HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS records change from your old DNS provider to HE propagates, until you can setup the DNS in HE.

  • skorousskorous OGSenpai

    @Joseph said:
    Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.

    HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS records change from your old DNS provider to HE propagates, until you can setup the DNS in HE.

    Add HE in parallel to the existing ones.

  • @skorous said:

    @Joseph said:
    Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.

    HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS records change from your old DNS provider to HE propagates, until you can setup the DNS in HE.

    Add HE in parallel to the existing ones.

    That sound like it should work.

    Btw, for some reason Cloudflare refuses to be used in parallel. Whenever I setup a domain for CloudFlare DNS, CloudFlare refuses to activate unless CloudFlare nameservers are the only ones set for the domain.

  • @Joseph said:

    @skorous said:

    @Joseph said:
    Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.

    HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS records change from your old DNS provider to HE propagates, until you can setup the DNS in HE.

    Add HE in parallel to the existing ones.

    That sound like it should work.

    Btw, for some reason Cloudflare refuses to be used in parallel. Whenever I setup a domain for CloudFlare DNS, CloudFlare refuses to activate unless CloudFlare nameservers are the only ones set for the domain.

    Yeah that's what cloudflare requires on the root domain unless you spend money on a business or enterprise plan.

  • edited April 2024

    @marcopolio said:

    @Joseph said:

    @skorous said:

    @Joseph said:
    Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.

    HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS records change from your old DNS provider to HE propagates, until you can setup the DNS in HE.

    Add HE in parallel to the existing ones.

    That sound like it should work.

    Btw, for some reason Cloudflare refuses to be used in parallel. Whenever I setup a domain for CloudFlare DNS, CloudFlare refuses to activate unless CloudFlare nameservers are the only ones set for the domain.

    Yeah that's what cloudflare requires on the root domain unless you spend money on a business or enterprise plan.

    Would it be an issue on the free plan if I setup the domain with only Cloudflare DNS, but after it is active on Cloudflare I added additional external nameservers in parallel with Cloudflare?

  • @Joseph said:

    @marcopolio said:

    @Joseph said:

    @skorous said:

    @Joseph said:
    Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.

    HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS records change from your old DNS provider to HE propagates, until you can setup the DNS in HE.

    Add HE in parallel to the existing ones.

    That sound like it should work.

    Btw, for some reason Cloudflare refuses to be used in parallel. Whenever I setup a domain for CloudFlare DNS, CloudFlare refuses to activate unless CloudFlare nameservers are the only ones set for the domain.

    Yeah that's what cloudflare requires on the root domain unless you spend money on a business or enterprise plan.

    Would it be an issue on the free plan if I setup the domain with only Cloudflare DNS, but after it is active on Cloudflare I added additional external nameservers in parallel with Cloudflare?

    The domain is automatically removed from cloudflare AFAIR but you can test it if you want.

  • @foxone said:

    @quicksilver03 said:
    I'm not aware of any other DNS hosting provider requiring this kind of verification. If I subscribed to your service and uploaded a zone file for google.com, what would be the problem?

    Somebody else uploads a zone for Google.com and the nameservers will happily serve it

    That shouldn't be a problem because, as others have said, no one would actually send request to your NS for a zone not pointed to by any WHOIS record or parent NS.

    You could implement a periodic check which would look at the zones in your NS and then alert the user if a zone is not listed at the domain registrar, but this would flag also a certain number of legitimate, edge use cases (like a zone for home.internal, or office.local).

    I don't think that implementing this kind of verification is useful (I too have a DNS hosting project in the works, and I've considered the issue).

  • AuroraZeroAuroraZero ModeratorHosting ProviderRetired

    Dudes stop making it so difficult for a simple plan implement it like google does and upload a file. Once the file is verified you can use the DNS. Simple, effective and doesn't require too much time spent.

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @Joseph said:
    for some reason Cloudflare refuses to be used in parallel. Whenever I setup a domain for CloudFlare DNS, CloudFlare refuses to activate unless CloudFlare nameservers are the only ones set for the domain.

    @marcopolio said:
    Yeah that's what cloudflare requires

    Cloudflare can't tolerate sharing the data they gather with someone else.
    They need as many requests as possible - all of them.

    StorageAMD EPYC VDS (ref) up to 4TB NVMe & 10TB SAN disk / Big HDD VPS (ref) from $2.42/TB/month

  • @DataRecovery said:

    @Joseph said:
    for some reason Cloudflare refuses to be used in parallel. Whenever I setup a domain for CloudFlare DNS, CloudFlare refuses to activate unless CloudFlare nameservers are the only ones set for the domain.

    @marcopolio said:
    Yeah that's what cloudflare requires

    Cloudflare can't tolerate sharing the data they gather with someone else.
    They need as many requests as possible - all of them.

    Unless you pay them, I guess.

  • edited April 2024

    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

  • @foxone said:
    I was thinking hosting a the NS at *.ns1.foxo.me, then having people set their own NS to [base 64 of some pubkey].ns1.foxo.me, but that gives every domain an horrible nameserver and i am not 100% sure that wouldn't cause problems also considering this will differ from the @ IN NS ns1.foxo.me. record.

    Horrible nameserver is not really an issue.
    SOA record should match delegation records, not "ns1.".

    Another thing was to make DNSSEC mandatory, but i remember from the past this is a pain and many registrars don't have it implemented at all.

    Even some registry doesn't have DNSSEC.

    No hostname left!

  • skorousskorous OGSenpai

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

    Yes. I am currently doing something very similar to that ( Hidden Master ) with BuddyNS and HE.

    Thanked by (2)Joseph quicksilver03
  • @skorous said:

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

    Yes. I am currently doing something very similar to that ( Hidden Master ) with BuddyNS and HE.

    Hypothetically, if BuddyNS deleted your configuration (without your knowledge), when Internet users come to your domain if they randomly tried to pull your DNS from BuddyNS first, which is up and running but missing your DNS records, would it then try to get them from HE when BuddyNS responded your domain doesn't exist?

  • @Joseph said:

    @skorous said:

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

    Yes. I am currently doing something very similar to that ( Hidden Master ) with BuddyNS and HE.

    Hypothetically, if BuddyNS deleted your configuration (without your knowledge), when Internet users come to your domain if they randomly tried to pull your DNS from BuddyNS first, which is up and running but missing your DNS records, would it then try to get them from HE when BuddyNS responded your domain doesn't exist?

    No, probably not.
    If BuddyNS replies with domain not found, that is still considered a valid reply and the client will accept it.
    If BuddyNS was totally down, like not responding at all, then the client should see it as a fail and try the next server.

    Thanked by (1)Joseph
  • @rcy026 said:

    @Joseph said:

    @skorous said:

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

    Yes. I am currently doing something very similar to that ( Hidden Master ) with BuddyNS and HE.

    Hypothetically, if BuddyNS deleted your configuration (without your knowledge), when Internet users come to your domain if they randomly tried to pull your DNS from BuddyNS first, which is up and running but missing your DNS records, would it then try to get them from HE when BuddyNS responded your domain doesn't exist?

    No, probably not.
    If BuddyNS replies with domain not found, that is still considered a valid reply and the client will accept it.
    If BuddyNS was totally down, like not responding at all, then the client should see it as a fail and try the next server.

    If you have four or five NS records for your domain, if a random internet client looks up your domain for the first time, how will it determine which of the four or five DNS servers to check first?

  • AuroraZeroAuroraZero ModeratorHosting ProviderRetired

    @Joseph said:

    @rcy026 said:

    @Joseph said:

    @skorous said:

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

    Yes. I am currently doing something very similar to that ( Hidden Master ) with BuddyNS and HE.

    Hypothetically, if BuddyNS deleted your configuration (without your knowledge), when Internet users come to your domain if they randomly tried to pull your DNS from BuddyNS first, which is up and running but missing your DNS records, would it then try to get them from HE when BuddyNS responded your domain doesn't exist?

    No, probably not.
    If BuddyNS replies with domain not found, that is still considered a valid reply and the client will accept it.
    If BuddyNS was totally down, like not responding at all, then the client should see it as a fail and try the next server.

    If you have four or five NS records for your domain, if a random internet client looks up your domain for the first time, how will it determine which of the four or five DNS servers to check first?

    Authoritive nameservers

    Thanked by (1)Joseph

    Free Hosting at YetiNode | Cryptid Security | URL Shortener | LaunchVPS | ExtraVM | Host-C | In the Node, or Out of the Loop?

  • @AuroraZero said:

    @Joseph said:

    @rcy026 said:

    @Joseph said:

    @skorous said:

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    In other words, can I setup example.com to use the DNS servers of both HE.net and of NS1, by separately manually entering the same DNS configuration in both HE and in NS1 and having the registrar of example.com point the domain NS records to both those DNS providers?

    Yes. I am currently doing something very similar to that ( Hidden Master ) with BuddyNS and HE.

    Hypothetically, if BuddyNS deleted your configuration (without your knowledge), when Internet users come to your domain if they randomly tried to pull your DNS from BuddyNS first, which is up and running but missing your DNS records, would it then try to get them from HE when BuddyNS responded your domain doesn't exist?

    No, probably not.
    If BuddyNS replies with domain not found, that is still considered a valid reply and the client will accept it.
    If BuddyNS was totally down, like not responding at all, then the client should see it as a fail and try the next server.

    If you have four or five NS records for your domain, if a random internet client looks up your domain for the first time, how will it determine which of the four or five DNS servers to check first?

    Authoritive nameservers

    In my example there's multiple authoritive nameservers.

  • edited April 2024

    @Joseph said:
    Is their any technical problem to setup your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?

    Yes, there is a problem.

    If you are using separate providers that do not coordinate the SOA record's serial number, then resolvers will be confused about which "authoritative" server has the correct serial. At the very least, caching will be broken.

    In practice, it is difficult to use multiple DNS providers, because most providers will not allow nameserver records outside their own, for this very reason.

    Hidden Master is something different -- there is a master DNS server that contains the SOA record, and other nameservers do an AXFR from that master, but the master doesn't actually appear in the list of authoritative nameservers. This causes no conflict, because the public nameservers (that actually appear in the zone's NS records) are all pulling it from (coordinated by) the same master.

    Thanked by (2)Joseph quicksilver03
  • @Joseph said:
    If you have four or five NS records for your domain, if a random internet client looks up your domain for the first time, how will it determine which of the four or five DNS servers to check first?

    They are typically chosen at random, but it depends on the resolver. The resolvers try to use a hop-count in a local cache of authoritative servers, and then they use the one with the lowest hop count (i.e., theoretically nearest to them). But often it is just random, because their caches are limited.

    Thanked by (2)Joseph quicksilver03
  • At one of the domains I have the registry won't add any DNS servers until the DNS servers are first setup to recognize the domain. But both HE.net and Cloudflare won't activate the DNS for a domain until it sees the domain is pointing to their DNS servers.

    How do I get around this catch-22?

Sign In or Register to comment.