Custom domain verification process

Support
, ,
#1

Hello, I’m just getting set up with Netlify and I’ve had a great experience so far, but was curious about the domain verification process.

I’m wondering what exactly happens when the “verify” button is pressed (I checked the docs but still had some questions).

I had previously pointed my nameservers to Netlify in anticipation of delegating my domain to Netlify. Per the instructions for assigning a domain to a site, I needed to confirm I was the owner (the domain was already registered, and owned by me). The previous page says that when using Netlify DNS, configuration is automatic.

The page on adding a domain you own mentions creating a DNS zone. I’m assuming verification checks that the domain nameservers match the DNS zone that a site is assigned. I’m curious if there is anything else going on behind the scenes that’s worth being aware of.

Given this setup, would it be possible for someone to lookup the DNS servers a domain is using (that hasn’t yet been assigned to a site), deleting and recreating the DNS zone until the DNS servers matched the target domain, and then to add that domain to their own site, essentially hijacking it? I’ve since added a custom domain successfully, but I waited to do so to give the DNS changes time to propagate, so I was curious.

The odds of this are probably low, but I’m trying to better understand the magic that Netlify is doing, since the process is different from just adding a CNAME recrod via a registrar.

Thanks!

#2

If you don’t mind, could you kindly give an example? This sounds pretty interesting, but I’m still learning DNS stuff, so an example would really help me understand this better, thanks!

#3

Sure thing, I’ll try to illustrate it with a more concrete details.

Let’s say I register example.com via an external registrar. When I go to delegate my domain to Netlify, Netlify will give me 4 nameservers, saying to “point your domain’s nameservers to Netlify.” After updating the DNS from the registrar, the nameservers may be set to something like this:

dns1.p01.nsone.net
dns2.p01.nsone.net
dns3.p01.nsone.net
dns4.p01.nsone.net

If someone runs whois example.com to check the DNS servers, it seemed to me that if the domain was not yet assigned to a site, that another user could add that domain, assuming they were assigned the same nameservers. And if not, it seemed that they could delete the DNS zone and recreate until they did match.

I’m mainly wondering if there are security measures in place to prevent this that I’m not aware of, or if I’m off-base in my understanding of how this works.

#4

Only one user can add a custom domain. If you added it to you account, no one else can add it to netlify. This also means that if an attacker notices that a user will shift from dynamic to a static site (say through his blog), the attacker can add it to netlify, preventing the owner from migrating to netlify in the future. I’m not sure how netlify handles this.

If I understood correctly, you mean to say that a domain that is not yet associated with a site could have its DNS records set my someone else. Netlify’s UI automatically adds .domain.com at the end of all records, so this poisoning is not possible. I hope this is what you mean, if not, please feel free to correct me!

#5

I’m more so imagining a scenario where the domain is not yet associated with a site, but the DNS records have been updated to use Netlify nameservers by the domain owner. Then an attacker could associate the domain with one of their sites before the domain owner has done so, assuming the nameservers match what Netlify is expecting. This hypothetical situation would depend on someone changing their site’s DNS settings, but not updating Netlify to actually verify ownership of the domain right away.

What exactly do you mean by adding .domain.com to the end of records? I don’t see that happening in any of the domain or site settings.

#6

Hi, @djpowers, if you control the DNS settings for a domain no one can (or at least should not be) able take that control from you.

At Netlify, when you first set up a Netlify DNS zone configuration for a domain, we give you a list of name servers to change to. These changes are made at your domain registrar.

Let’s take a look at how this might play out:

1) You control the DNS (at the domain registrar) and are the first to add the domain to your account.

  • In that scenario, you are the only person that can make the changes at your registrar and at Netlify. The domain is secure.

2) You control the DNS but someone else added the domain to their account first.

  • You still control the DNS at the registrar. When you try to add the domain to your Netlify account, this will fail and explain that someone already did so on another account. We have a process to confirm control of a domain name. With verification we can remove the domain from the other team so you can add it to yours. Because we won’t create duplicate configurations, you would never change your DNS name servers at the registrar. There is no possibility of losing control of your domain. Their Netlify configuration on the wrong team never becomes active because you never change the name servers until we get it working under your Netlify team. You can’t even see the name servers suggested until it the zone is under your account.

3) You do not have control of the domain at the registrar (and the domain wasn’t registered using Netlify).

  • If that is the case, it has nothing to do with Netlify. You lost control of the domain before we ever came into the situation. Nothing you do at Netlify will matter because only the person that controls the domain at the registrar can change the name servers used.

4) You did register the domain using Netlify. (Note: Name.com is the actual registrar for all domains registered using Netlify.)

  • If this is the case, then you registered it and paid for the registration under your own account so still have complete control of the domain. (We can also transfer any domains registered using Netlify to your direct control at Name.com if you want to change to a DNS service other than Netlify’s. Just ask in #admin and we’ll reach out to you to complete the process.)

If there is another scenario which I haven’t covered above, please correct me. I’m open to the possibility that I’m missing something, but I believe I’ve covered all possible scenarios above.

If there are any question about anything in this topic, please let us know and we’ll be happy to answer.

1 Like
#7

Hi @luke, thanks for the very thorough response!

What I was envisioning was a variation of scenario 2, where you (as the controller of the DNS) make the requested DNS nameserver changes, and then someone adds the domain to their account before you’re had a chance to do so (the difference being that the DNS is already updated before someone else adds the domain). I imagine this would only be a problem if the other claimer of the domain was assigned to the same DNS zone, though.

It sounds that in the unlikely event that this were to happen, you (as the domain owner) could simply delete your DNS zone and create a new one, and repeat the process to mitigate any potential problems, adding the domain to your account right away.

Your description makes sense though. I was mainly curious about the “verification” aspect you mentioned.

#8

Hi, @djpowers, when adding a domain under “Account name” > Domains, the “Verify” button does two things:

  • checks to see if the domain is registered and, if not, we offer a way to register it using our service
  • if the domain is registered, check if someone is already using it on a different site or team and show an error if this is the case

It is possible for someone to try to use a domain they don’t control. This would prevent a second person adding the domain to their account because of the error in the second step above.

The error for already claimed domains is actually quite common. A colleague may have tried to use a company domain under a personal account and forgotten to delete the non-working DNS zone. Or someone might have signed up under a different email and already configured their domain there.

Regardless of why it happens, if you do find your domain already configured with our service, we will work with you to verify the control the DNS for this domain. (We do so by asking you to create a TXT record for this purpose - similar to what Google does.) When this is done, we delete the configuration on the other team and you are then able to add it to your own team.

1 Like