The Internet domain-name service (DNS) can be a complicated, convoluted thing to try to understand. Moreover, because people use names and not IP addresses to access websites, it has to be highly secure; someone hijacking a nameserver can damage vastly more sites than someone who merely hijacks a website.
There’s also an issue of credibility, at least for technology companies. If someone performs a whois search on your domain:

    $ whois some-domain-or-other.com

it will show them the primary name servers for that domain. For example, if I run whois techcrunch.com at the command line, it shows me this:

    Name Server.......... ns3.wordpress.com
    Name Server.......... ns1.wordpress.com
    Name Server.......... ns2.wordpress.com

This lets me know that TechCrunch is hosted by WordPress; if I know of a vulnerability at WordPress, then I can use that information to attack TechCrunch.
If I perform a whois search on yahoo.com, however, all I know is that the DNS is handled by Yahoo! I don’t have any information that I can exploit to attack them, and I know that Yahoo! is a big enough company to handle its own DNS.
If you perform a whois search on glenc.co, you’ll see this:

    Name Server: NS1.XLERB.COM
    Name Server: NS2.XLERB.COM
What the heck is XLERB.COM? A further whois query on that leads to:

    Name Servers: ns1.xlerb.com
                  ns2.xlerb.com
So whoever XLERB.COM is, it does its own DNS, right? Nope; the DNS for XLERB.COM is actually hosted by Rackspace. Here’s how I did it.
- First, your domain for the name server needs to be hosted by Rackspace. I won’t get into the details of how to do that (they’re available online), but Rackspace DNS is free if you have a cloud account. Since all my servers are hosted by the Rackspace Cloud, I get the DNS service as a bonus.
- When you add a new domain to the Rackspace DNS system (via the control panel), it assigns two default name servers: ns2.stabletransit.com. What you’re going to do is find the IP addresses of those two servers and create new A records in your domain that point to the same IP addresses. Use dig to find the IP addresses of those two names.
- Create two A records in your domain that point to those IP addresses. In my case, I used
- Go to your domain registrar (in my case, it was the registrar that handles XLERB.COM) and look for something like “register nameservers.” You’ll have to dig through the site, and it may be under “Advanced Options,” but all of the registrars should have it available.
- Register your new name servers there and use the same IP addresses you used for the A records, above. In my case, this was (again) NS2.XLERB.COM. This is required so that resolvers can get the IP addresses (the glue records) from the top-level domain (TLD) servers and ensure that they’re trusted, and not have to rely on the lower-level name servers, which might have been compromised. However, the records must match at both levels.
- Having registered the name servers at both the DNS provider (Rackspace) and at the registrar, you can now point your domains at them. This is the trivial part; unfortunately, you still have to do it twice. At the registrar for a domain, change the name servers to use your two new name servers; at Rackspace, edit the NS records and change ns2.stabletransit.com to use your newly-defined name servers.
Voila! Now, someone performing a whois query on your domain will find your custom name servers, and not the Rackspace ones. For example:

    $ whois unpretentious.org
    ....
    Name Server:NS1.XLERB.COM
    Name Server:NS2.XLERB.COM
    ...
Note, however, that there are certain risks associated with this; if, for example, Rackspace changes the IP addresses of its name servers, you’ll have to modify both the registrar’s name server records and the A records you defined in your domain.
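As an added example (my own script, not from the original post or from Rackspace), here is a small POSIX shell check for the “must match at both levels” requirement above, which is also the thing that silently breaks when the provider renumbers its servers: it compares the glue A records the registrar published at the TLD servers against the A records the zone itself serves for the same names. The hypothetical file name check_glue.sh, and the 203.0.113.x addresses (RFC 5737 documentation range, not Rackspace’s real addresses), are assumptions; the sample data is constructed, and dig(1) is assumed to be installed for the live mode.

```shell
#!/bin/sh
# Added example, not from the original post: check that a vanity name server
# setup agrees at both levels the post describes.
#   level 1: the glue (host) records the registrar published at the TLD servers
#   level 2: the A records for the same names inside the zone at the DNS provider
# Assumes dig(1) is installed. The 203.0.113.x addresses are constructed
# placeholders (RFC 5737 documentation range), not Rackspace's real addresses.

# Canonicalise "name ip" pairs: lower-case, drop trailing dot, sort, dedupe.
# Skips lines that do not have exactly two fields (blank lines, dig chatter).
normalise() {
    awk 'NF == 2 { sub(/\.$/, "", $1); print tolower($1), $2 }' | sort -u
}

# compare_glue GLUE_PAIRS ZONE_PAIRS
# Both arguments are multi-line "nameserver ip" strings. Prints OK and returns
# 0 when the sets are identical; otherwise prints the differing entries
# (registrar-only lines unindented, zone-only lines tab-indented) and returns 1.
compare_glue() {
    glue_norm=$(printf '%s\n' "$1" | normalise)
    zone_norm=$(printf '%s\n' "$2" | normalise)
    if [ "$glue_norm" = "$zone_norm" ]; then
        echo "OK: registrar glue matches the zone's A records"
        return 0
    fi
    echo "MISMATCH: fix the registrar host records and the zone A records so they agree"
    glue_file=$(mktemp) && zone_file=$(mktemp)
    printf '%s\n' "$glue_norm" > "$glue_file"
    printf '%s\n' "$zone_norm" > "$zone_file"
    comm -3 "$glue_file" "$zone_file"
    rm -f "$glue_file" "$zone_file"
    return 1
}

# tld_glue NSDOMAIN: ask one TLD server for the delegation of NSDOMAIN without
# recursion and keep the glue A records from the ADDITIONAL section (level 1).
tld_glue() {
    tld=${1##*.}
    tld_server=$(dig +short NS "$tld." | head -n 1)
    dig +norecurse +noall +additional A "$1." @"$tld_server" \
        | awk '$4 == "A" { print $1, $5 }'
}

# zone_a NSDOMAIN: ask each of the zone's own name servers for its own A record,
# i.e. what the DNS provider actually serves (level 2).
zone_a() {
    for ns in $(dig +short NS "$1."); do
        for ip in $(dig +short A "$ns" @"$ns"); do
            printf '%s %s\n' "$ns" "$ip"
        done
    done
}

# Constructed sample data: the registrar entries as whois shows them (upper
# case, as on the page) and two versions of the zone, one matching and one
# where the provider renumbered ns2 and only the zone was updated.
SAMPLE_GLUE='NS1.XLERB.COM 203.0.113.10
NS2.XLERB.COM 203.0.113.20'
SAMPLE_ZONE_OK='ns1.xlerb.com. 203.0.113.10
ns2.xlerb.com. 203.0.113.20'
SAMPLE_ZONE_STALE='ns1.xlerb.com. 203.0.113.10
ns2.xlerb.com. 203.0.113.99'

# Usage: sh check_glue.sh xlerb.com   (the domain the name servers live in)
# With no argument, run the offline demonstration on the sample data instead.
if [ "$#" -eq 1 ]; then
    compare_glue "$(tld_glue "$1")" "$(zone_a "$1")"
else
    compare_glue "$SAMPLE_GLUE" "$SAMPLE_ZONE_OK"
    compare_glue "$SAMPLE_GLUE" "$SAMPLE_ZONE_STALE" || true
fi
```

Run it against the domain that hosts the name servers (xlerb.com in the post), not against a domain merely delegated to them: the TLD servers only hand out glue for name servers inside the zone being delegated, which is exactly why the registrar step has to be done at XLERB.COM’s registrar. A non-zero exit is a convenient thing to hook into whatever monitoring you already have, so a provider renumbering shows up before resolvers start failing.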