Configuring GCloud DNS, it is clear that they reuse nameservers across zones. However, I noticed that once GCloud's nameservers are added to the domain's NS records in an external provider (Bluehost, GoDaddy, etc.), the mapping resolution occurs without ownership validation.
What happens when:
- A domain owner (ex. joe.com) points their own valid NS records to GCloud as a subdomain zone (ex. my.app.joe.com)
- Another GCloud DNS user, not the domain owner, adds *.joe.com to their zone records
Does GCloud DNS allow the other user to hijack traffic at www.joe.com in this case? At what point does GCloud DNS assert the SOA back to the domain owner, given the overlap of Nameserver endpoints?
Update
Just created a new GCloud DNS zone for a domain that I do not own (ex. hijack.domain.com), that is publicly known for using GCloud DNS nameservers (ex. www.domain.com). Was able to CNAME that subdomain to www.mycustomsite.com.
Since zones can take any form, doesn't this essentially mean someone can just hijack endless zone names on a GCloud DNS user's domain?
Update
3 hours later, the zone creation view in GCloud DNS now has a challenge to verify ownership at https://www.google.com/webmasters/verification
Not sure what happened earlier, but the verification wasn't part of the creation process.