Can someone poison the DNS records?

Posted January 14, 2015 3.1k views

So I’ve pointed my domain name from my registrar to DigitalOcean’s name servers. Since there is no authentication on DigitalOcean to ensure I own the domain before I make DNS records for it, surely its possible that someone could create records for it and hijack it (albeit briefly) to go to where ever they want?

I presume there is some system in place to stop the duplication of records for a particular domain name but propose they made the records before you. Also, I understand that I could narrow the window of attack by setting up my DNS records first before I point to the name servers. I’m just interested in seeing if it was possible.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

The DNS system will allow you to create a zone for any domain for which three is not already one in the system. Since our DNS servers are not used directly as resolvers this would not allow poisoning of records unless the domain were already pointed to our nameservers but the user had not set up DNS themselves. We recommend creating your zone before re-pointing your DNS. The primary reason for this is that it reduces downtime.

  • Thanks. If someone were to create a zone for your domain name before you, would this mean you wouldn’t be able to create one (in other words, does DigitalOcean have a system to avoid duplicate records)? If not, how does DigitalOceans DNS servers choose which records to sent upon a query? Chooses the first one it sees? Also, I guess there is a system in place where by you could prove you own the domain name and have DigitalOcean remove the zone that someone else created for your domain, right?

  • Yes. Only one zone for a given domain can be created in the system. We very seldom encounter domain disputes but it is usually a fairly simply matter to compare whois details in order to validate who owns a domain.