How to verify ownership of a domain without DNS?
Hello.
I'm planning to release an experimental domain nameserver hosting service soon.
However, since people will be able to upload arbitrary zone files (of course scoped to their own domain), I would like to verify that the domain they are adding zones for is indeed their own. Since the entire system is stateless, I cannot proceed through a "do x, then do y, then you're verified forever" process, but need something I can always check, also to clean up in case of domain sale/transfer/deletion.
I was thinking of hosting the NS at *.ns1.foxo.me, then having people set their own NS to [base64 of some pubkey].ns1.foxo.me, but that gives every domain a horrible nameserver and I am not 100% sure that wouldn't cause problems, also considering this will differ from the "@ IN NS ns1.foxo.me." record.
Another thing was to make DNSSEC mandatory, but I remember from the past that this is a pain and many registrars don't have it implemented at all.
So, is this the only way?
Comments
Either a TXT record if they have existing DNS running, or you send them an email to the address listed in WHOIS with a key/token.
Do all gTLD registrars' privacy/proxied email addresses in WHOIS always reach the domain owner's real email address?
Use hosted file for verification.
This rules out any method based on email back-and-forth.
The simplest way is maybe to just do what Cloudflare does.
It depends on how it's done by the registrars, but it should.
Some registrars (e.g., Namecheap) "mask" the email in WHOIS using their privacy protection service, which forwards all emails to the registrant's email address, and some registrars (e.g., Spaceship) have it like a form where you'll have to fill in who (registrant/tech/admin) you want to reach out to.
I'm not aware of any other DNS hosting provider requiring this kind of verification. If I subscribed to your service and uploaded a zone file for google.com, what would be the problem?
Somebody else uploads a zone for google.com and the nameservers will happily serve it.
But since you're not authoritative for that zone nobody should ever ask you, should they?
Nobody is gonna ask your nameservers, and you could do the same as CF does.
If the nameservers are no longer pointing to yours, you disable the zone.
Cloudflare doesn't activate DNS for your domain until your domain registrar points the two nameservers to Cloudflare. But they'll accept all the DNS entries earlier, and make it immediately active as soon as the registrar points the NS records to them.
HE.net doesn't even accept setting up DNS service for a domain until after the registrar points the NS records to them. This seems to cause a break in DNS service between the time the registrar's NS record change from your old DNS provider to HE propagates and the time you can set up the DNS in HE.
Add HE in parallel to the existing ones.
That sounds like it should work.
Btw, for some reason Cloudflare refuses to be used in parallel. Whenever I set up a domain for Cloudflare DNS, Cloudflare refuses to activate unless Cloudflare nameservers are the only ones set for the domain.
Yeah, that's what Cloudflare requires on the root domain unless you spend money on a Business or Enterprise plan.
Would it be an issue on the free plan if I set up the domain with only Cloudflare DNS, but after it is active on Cloudflare I added additional external nameservers in parallel with Cloudflare?
The domain is automatically removed from Cloudflare AFAIR, but you can test it if you want.
That shouldn't be a problem because, as others have said, no one would actually send requests to your NS for a zone not pointed to by any WHOIS record or parent NS.
You could implement a periodic check which would look at the zones in your NS and then alert the user if a zone is not listed at the domain registrar, but this would also flag a certain number of legitimate edge use cases (like a zone for home.internal, or office.local). I don't think that implementing this kind of verification is useful (I too have a DNS hosting project in the works, and I've considered the issue).
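As an added example (not code from anyone in this thread), here is the stateless sweep the two posts above describe: a zone is kept only while the parent zone's delegation still points at the provider's servers, and zones under suffixes that can never be publicly delegated (like home.internal) are reported separately rather than disabled. The ns1/ns2.foxo.me names come from the original post; the delegation data is a constructed stand-in for real NS queries against the parent (registry) side.

```python
# Constructed stand-in for the parent-zone delegation a resolver would see.
# Real code would replace lookup_delegation() with NS queries against the
# parent zone (the registry side), never against our own servers.
PROVIDER_NS = {"ns1.foxo.me.", "ns2.foxo.me."}   # provider names from the post
# Suffixes never delegated from the public root; a zone under one of these can
# legitimately live on the server without any public delegation.
PRIVATE_SUFFIXES = (".internal.", ".local.", ".home.arpa.")

SAMPLE_DELEGATIONS = {
    "example.com.": {"ns1.foxo.me.", "ns2.foxo.me."},                 # fully ours
    "example.net.": {"ns1.foxo.me.", "dns1.other-provider.example."},  # shared
    "example.org.": {"ns.elsewhere.example."},                         # moved away
    "expired.example.": None,   # parent answers NXDOMAIN: deleted or expired
}

def lookup_delegation(zone):
    """Return the parent's NS set for zone, or None if the name does not exist."""
    return SAMPLE_DELEGATIONS.get(zone)

def classify_zone(zone, delegation_lookup=lookup_delegation):
    """Decide what to do with a hosted zone from the delegation alone (stateless)."""
    zone = zone.lower().rstrip(".") + "."
    if zone.endswith(PRIVATE_SUFFIXES):
        return "private"       # not verifiable via delegation; report, don't disable
    delegated = delegation_lookup(zone)
    if not delegated:
        return "unverified"    # no delegation at all: candidate for disabling
    delegated = {n.lower() for n in delegated}
    ours = delegated & PROVIDER_NS
    if not ours:
        return "unverified"    # delegated, but to somebody else
    return "verified" if ours == delegated else "partial"   # partial = parallel providers

def sweep(zones, delegation_lookup=lookup_delegation):
    """Run the check over every hosted zone; meant for a periodic job."""
    return {z: classify_zone(z, delegation_lookup) for z in zones}
```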
Dudes, stop making it so difficult for a simple plan: implement it like Google does and upload a file. Once the file is verified you can use the DNS. Simple, effective and doesn't require too much time spent.
Cloudflare can't tolerate sharing the data they gather with someone else.
They need as many requests as possible - all of them.
Unless you pay them, I guess.
Is there any technical problem with setting up your domain name with two or more separate DNS providers, without coordinating between them or technically telling one about the other?
In other words, can I set up example.com to use the DNS servers of both HE.net and NS1, by separately and manually entering the same DNS configuration in both HE and NS1 and having the registrar of example.com point the domain's NS records to both those DNS providers?
A horrible nameserver is not really an issue.
SOA record should match delegation records, not "ns1.".
Even some registries don't have DNSSEC.
Yes. I am currently doing something very similar to that (Hidden Master) with BuddyNS and HE.
Hypothetically, if BuddyNS deleted your configuration (without your knowledge), when Internet users come to your domain and randomly try to pull your DNS from BuddyNS first, which is up and running but missing your DNS records, would they then try to get it from HE when BuddyNS responded that your domain doesn't exist?
No, probably not.
If BuddyNS replies with domain not found, that is still considered a valid reply and the client will accept it.
If BuddyNS was totally down, like not responding at all, then the client should see it as a fail and try the next server.
If you have four or five NS records for your domain, if a random internet client looks up your domain for the first time, how will it determine which of the four or five DNS servers to check first?
Authoritative nameservers.
In my example there are multiple authoritative nameservers.
Yes, there is a problem.
If you are using separate providers that do not coordinate the SOA record's serial number, then resolvers will be confused about which "authoritative" server has the correct serial. At the very least, caching will be broken.
In practice, it is difficult to use multiple DNS providers, because most providers will not allow nameserver records outside their own, for this very reason.
Hidden Master is something different -- there is a master DNS server that contains the SOA record, and other nameservers do an AXFR from that master, but the master doesn't actually appear in the list of authoritative nameservers. This causes no conflict, because the public nameservers (that actually appear in the zone's NS records) are all pulling it from (coordinated by) the same master.
They are typically chosen at random, but it depends on the resolver. The resolvers try to use a hop-count in a local cache of authoritative servers, and then they use the one with the lowest hop count (i.e., theoretically nearest to them). But often it is just random, because their caches are limited.
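As an added example (not from the thread), this is how a zone operator could check whether the providers listed as authoritative are actually coordinated: ask each listed server for the zone's SOA and compare MNAME and serial, using RFC 1982 serial arithmetic so a serial that has wrapped past 2^32 is not mistaken for an old one. The SOA answers below are constructed and the provider and master names are hypothetical.

```python
SERIAL_MASK = 0xFFFFFFFF
HALF_RANGE = 1 << 31

def serial_gt(a, b):
    """RFC 1982 comparison for 32-bit SOA serials: True if a is newer than b.
    Plain integer comparison would call a serial that wrapped past 2**32 'older'."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)

def soa_consistency(soa_by_server):
    """soa_by_server maps each listed nameserver to the (MNAME, serial) it answered.
    Reports which servers lag the newest serial and whether all name the same master."""
    mnames = sorted({m.lower() for m, _ in soa_by_server.values()})
    newest = None
    for _, serial in soa_by_server.values():
        if newest is None or serial_gt(serial, newest):
            newest = serial
    stale = sorted(ns for ns, (_, s) in soa_by_server.items() if s != newest)
    return {"consistent": not stale and len(mnames) == 1,
            "newest_serial": newest, "stale": stale, "mnames": mnames}

# Constructed SOA answers. Two providers each managing the zone by hand: the
# serials were never coordinated and even the MNAME differs.
UNCOORDINATED = {
    "ns1.provider-a.example.": ("ns1.provider-a.example.", 2024060101),
    "ns1.provider-b.example.": ("ns1.provider-b.example.", 17),
}
# Hidden master: both public servers AXFR from the same unlisted master, so
# they answer with an identical MNAME and serial.
HIDDEN_MASTER = {
    "ns1.provider-a.example.": ("master.zone-owner.example.", 2024060101),
    "ns2.provider-b.example.": ("master.zone-owner.example.", 2024060101),
}
```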
At one of the domains I have, the registry won't add any DNS servers until the DNS servers are first set up to recognize the domain. But both HE.net and Cloudflare won't activate the DNS for a domain until they see the domain pointing to their DNS servers.
How do I get around this catch-22?