
Do some TLDs return an IP?

Red Squirrel

No Lifer
I am writing a program where users need to input a domain name and I need to make sure that it is in fact a valid domain name, and not a sub domain. I am making the assumption that com, net, co.uk, on.ca etc etc do not return an IP address. I am correct with those ones. However, there are thousands of these TLDs out there. Am I right in my assumption that TLDs will never return an IP address?

The only exception I can think of is stuff like ath.cx, no-ip.com etc, but those are not really true TLDs.
 
I am not sure what you are really looking for.

TLDs return an IP; some of them return a redirect IP, but there is always an IP.

Download this free program and play with it; you will see what resolves and how.

http://download.cnet.com/FastResolver/3000-2085_4-10806309.html

This is the resolution of

ibm.com, microsoft.com, and no-ip.com

1 204.16.252.112 www.no-ip.com no-ip.com
2 129.42.18.103 redirect.www.ibm.com ibm.com
3 207.46.197.32 microsft.com

If I put in my no-ip.com sub-domain, it would return the IP of the sub-domain.
 
I mean the TLDs, so like com, ca, on.ca etc. On.ca is the same structure as a sub domain, but is not, so I'm trying to differentiate that programmatically and thinking if I go by resolving it will do the trick. Obviously if it does not resolve it does not mean it is a TLD (could simply be an invalid sub domain) but for my purposes it will do, I just need to make sure that something a user specifies is not an actual domain.

Ex: user specifies microsoft.com. I will chop off the first section before a period, so in this case microsoft. and I will be left with com. If com does not resolve the user's domain is considered valid. If a user specifies sub.microsoft.com then I end up with microsoft.com, which resolves, so I will say sub.microsoft.com is an invalid domain as it is a sub domain.

But if there are TLDs out there that do return an IP, then my method won't work.

I played around with cpanel and it seems the way they check validity is if the user specified domain resolves to the IP of the cpanel server. That's my last resort as I want my control panel to allow users to add domains even if I don't manage the DNS.
 
I need to make sure that it is in fact a valid domain name, and not a sub domain.

Sub domains are valid domains.

Ex: user specifies microsoft.com. I will chop off the first section before a period, so in this case microsoft. and I will be left with com. If com does not resolve the user's domain is considered valid. If a user specifies sub.microsoft.com then I end up with microsoft.com, which resolves, so I will say sub.microsoft.com is an invalid domain as it is a sub domain.

Why? sub.microsoft.com could be managed by someone separately from microsoft.com. In fact I'd probably bet that msdn.microsoft.com isn't maintained by the same people that do support.microsoft.com.

I played around with cpanel and it seems the way they check validity is if the user specified domain resolves to the IP of the cpanel server. That's my last resort as I want my control panel to allow users to add domains even if I don't manage the DNS.

So remove the checks completely. There's absolutely no reason to put such arbitrary limitations on your users.
 
So remove the checks completely. There's absolutely no reason to put such arbitrary limitations on your users.

Not that easy.

When a user puts an addon domain it lets them add sub domains using another part of the program. Users cannot add sub domains for domains they don't own. This would allow a user to "take over" another user's domain.

ex: user1 puts microsoft.com as an addon domain.

user2: decides to put www.microsoft.com as a sub domain.

Currently this does not work as the sub domain interface first checks to make sure that microsoft.com is actually owned by that same user. But if I allow users to put sub domains as domains, then it would bypass this completely. I only want users to be able to input top level domains not sub domains, but I still want to allow them to add domains that have a "sub domain" TLD like on.ca. There's an option where the administrator can add a "Custom TLD" so in an environment where there are multiple users managing different sub domains of a certain domain then that domain can be added to be treated as a TLD.

Just trying to think of all the possibilities for abuse, and prevent them.
 
Not that easy.

When a user puts an addon domain it lets them add sub domains using another part of the program. Users cannot add sub domains for domains they don't own. This would allow a user to "take over" another user's domain.

ex: user1 puts microsoft.com as an addon domain.

user2: decides to put www.microsoft.com as a sub domain.

Which is possible now internally. All I have to do is create the microsoft.com domain in my internal DNS server. For it to work on the Internet I would still need access to the microsoft.com DNS servers to point www.microsoft.com to my IP.

But if I allow users to put sub domains as domains, then it would bypass this completely.

I.e. it's a bad requirement.

Just trying to think of all the possibilities for abuse, and prevent them.

There's no potential for abuse that isn't already available by other means. I can create a web server that thinks it's www.microsoft.com right now but it doesn't mean dick if I can't change their domain to point to my web server.

At the very best you could add a warning to say "This domain looks like it might be owned by someone else, are you sure you want to use it?" and then move on.
 
ok maybe microsoft.com is a bad example.

Say user1 signs up for the web host and is put on server1 and adds example.com as a domain because it's their domain and they'll make a site. Great, now he can use the rest of the features such as make email accounts and what not, and also add sub domains.

Now user2 signs up and ends up on the same server and decides to add smtp.example.com as a domain before user1 gets a chance to add it.

Actually, come to think of it, I could just break down the domain then do a check through the existing domains and sub domains to see if it exists. Though this does not stop user2 from signing up before user1 and putting smtp.example.com right away as a domain, stopping user1 from putting example.com.

Basically I need to make sure that a domain that is inputted is a top level domain, and not a sub domain. Right now I'm just removing the first portion and checking to see if the rest resolves and if it does not then it's considered valid, but this is not 100% foolproof.
 
How about if a user registers blah.com with you, that's the only user that's allowed to add anything that ends in blah.com?
 
How about if a user registers blah.com with you, that's the only user that's allowed to add anything that ends in blah.com?

Yeah I thought of that after, and it sorta works that way already with sub domains but could add the check in domains too.

Only issue is if somebody registers www.blah.com or mail.blah.com before. Suppose the odds of that are quite slim but I still want to find a way to check for that. I want to make sure the domains users input are top level domains and not sub domains. example.on.ca would be considered a top level domain for example, even though it sorta is a sub domain.
 
Yeah I thought of that after, and it sorta works that way already with sub domains but could add the check in domains too.

Only issue is if somebody registers www.blah.com or mail.blah.com before. Suppose the odds of that are quite slim but I still want to find a way to check for that. I want to make sure the domains users input are top level domains and not sub domains. example.on.ca would be considered a top level domain for example, even though it sorta is a sub domain.


I am confused. How can a user register www.blah.com but not blah.com? When you register a domain of "blah.com" you gain control of it and all sub domains. You cannot run over to godaddy and register atot.microsoft.com just because you want to. Simplest way to "check" this is to only allow sub domain registrations to users that actually own the domain, if this is more of a system issue in your code. The list of TLDs is available, use that as your reference list.
 
By "register" I mean input into my system.

Force registration of the domain before allowing sub domains then. Odds are pretty unlikely people will register false domains as they won't do anything unless they own it at the registrar level. There is no 100% sure way except maybe doing a WHOIS to verify it exists. Maybe query WHOIS and verify it is real that way.
 
Take a look at the Google apps domain registration process, they have some interesting ways of verifying that you own a domain you are registering, such as making the DNS admin create an arbitrary CNAME record that they specify in the domain.
 
Take a look at the Google apps domain registration process, they have some interesting ways of verifying that you own a domain you are registering, such as making the DNS admin create an arbitrary CNAME record that they specify in the domain.

Yea, I had forgotten about that. That way you don't have to worry about what the TLD is for the domain, just let them enter what they want and as long as they can create a CNAME or drop a file in the current host for that domain it's good.
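The CNAME-based ownership check suggested in the posts above, sketched as an added example that is not part of the original thread. The record label format, the `verify.panel.example` target and the injected `lookup_cname` resolver are assumptions made for illustration; binding the record name to the account means one user's record cannot be reused by another user claiming the same domain.

```python
import hashlib
import hmac

# Hypothetical CNAME target operated by the control panel (assumption).
VERIFY_TARGET = "verify.panel.example"


def challenge_name(secret, account, domain):
    """Record name the claimant must create in the zone they say they control.

    The label is an HMAC over account and domain, so it is unguessable and
    differs per account. Account ids are assumed not to contain '|'.
    """
    domain = domain.strip().lower().rstrip(".")
    mac = hmac.new(secret, f"{account}|{domain}".encode(), hashlib.sha256)
    return f"_verify-{mac.hexdigest()[:32]}.{domain}"


def owns_domain(secret, account, domain, lookup_cname):
    """True only if the account-specific CNAME exists and points at the panel.

    lookup_cname(name) returns the CNAME target or None. It is injected so
    the check runs offline here; in a real panel it would wrap a resolver.
    """
    target = lookup_cname(challenge_name(secret, account, domain))
    if target is None:
        return False
    return target.lower().rstrip(".") == VERIFY_TARGET


def make_fake_dns(records):
    """Constructed stand-in for DNS: a dict of name -> CNAME target."""
    table = {name.lower(): target for name, target in records.items()}
    return lambda name: table.get(name.lower())


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    record = challenge_name(secret, "user1", "example.com")
    dns = make_fake_dns({record: "verify.panel.example."})
    print(record)
    print("user1:", owns_domain(secret, "user1", "example.com", dns))
    print("user2:", owns_domain(secret, "user2", "example.com", dns))
```
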
 
RedSquirrel, your logic is more than likely faulty, though intentions are good. I've seen software developers put restrictions like these in place previously, and it gets on my nerves, to no end. I can think of *very* few instances where restricting input to the root of a domain name is a good idea -- I'd love to know exactly what your goals are, as I'm having a hard time understanding that. Not your technical goals, but a high-level overview.

Here's an example of why I dislike your current approach. I manage several domains for local government agencies. In the State of Ohio, a large number of local governments use their respective delegated oh.us namespace for their website, internal management realm, etc. I've been delegated co.<entityname>.oh.us and sheriff.<entityname>.oh.us by Neustar (among others). Do you know what happens when I attempt to register one or both of those zones with some services? I've been told that I can't do so, because I'm not responsible for <entityname>.oh.us. I've also been told that I can register one or the other, but not both, because both would indicate that I'm responsible for the parent (not true).

And then we have situations where I want to open accounts for subdivisions, and can't do that because of arbitrary restrictions. I can't open a separate account for utilities.co.<entityname>.oh.us because I already have an account with the same company for co.<entityname>.oh.us, and their automated registration system checks to make sure that you're not trying to register a subdomain of an existing zone. (There is good reason that I want to do this -- legal and political separation between accounts/systems, it's not just because I felt like it.) Ok, I can live with having to contact the company and explaining the situation, because I understand that personal websites and the majority of small business websites will never encounter this situation. My blood boils when the company tells me that there's nothing they can do about it because their software can't handle that exception, or just because they don't believe me.

</vent>
 
I see your point. My software has an option to add a "custom TLD" so in a case like yours, co.entityname.oh.us would actually be entered as a TLD. This would be a request made to the administrator. I considered those cases already.

Basically this software will be a control panel, very much like cpanel. So in 99% of cases it will be a user who owns several domains and wants to manage them through the system. For the special cases where a domain may be broken into several sub domains managed by different users, the administrator can always add a custom TLD.

Another thing I thought of is enabling users to "Delegate" access to their account or parts of it. This would be useful for resellers as well.

I'm thinking of just going with checking if part of the user entered domain is already in the system, and call it a day. Ex: can't add mail.example.com if someone already put example.com. If someone happens to put mail.example.com before then the admin would have to go rectify the issue - the odds of this are rare unless it's someone purposely trying to abuse the system. Think I'll also go with the resolve check. If example.com resolves then you can't put mail.example.com as a domain. That's assuming TLDs (Ex: com) never resolve though. Of course if someone owns example.com but did not configure DNS then someone will still be able to put mail.example.com, so it's not really fool proof.

My original idea was to actually input every single TLD in the system, but the list got in the thousands, and then realized this was not really a good approach anyway as there are probably new TLDs added on a daily basis.

Is there perhaps a central registry somewhere that my app could just query?
 
I still don't get what the business purpose behind all of this is. The only thing that you would (perhaps) need to check is whether any zone on the nameserver(s) in question is a parent or child of the requested zone. If so, prohibit the action until an administrator overrides the action and allows it to proceed. Why do you need any further validation?
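The parent-or-child zone check described in the post above, as an added example that is not code from the thread. The function names, the decision strings and the sample accounts are assumptions; `shared_suffixes` stands in for the "custom TLD" list mentioned earlier. Names are compared label by label, so `notexample.com` is not mistaken for a child of `example.com`.

```python
def normalize(name):
    """Lowercase, drop the trailing root dot, and split into labels."""
    labels = name.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"not a usable zone name: {name!r}")
    return tuple(labels)


def is_ancestor(parent, child):
    """True when `parent` is a proper suffix of `child` on label boundaries."""
    return len(parent) < len(child) and child[-len(parent):] == parent


def check_zone_request(requested, requester, zones, shared_suffixes=()):
    """Decide whether `requester` may add `requested` as a new zone.

    zones maps an existing zone name to the account that owns it.
    Returns (decision, conflicts), where decision is one of:
      "allow"              no overlap with another account's zones
      "needs_admin_review" a parent or child zone belongs to someone else
      "reject"             the name already exists or is a shared suffix
    """
    req = normalize(requested)
    if req in {normalize(s) for s in shared_suffixes}:
        return "reject", []
    conflicts = []
    for zone, owner in zones.items():
        z = normalize(zone)
        if z == req:
            return "reject", [(zone, owner)]
        if owner != requester and (is_ancestor(z, req) or is_ancestor(req, z)):
            conflicts.append((zone, owner))
    return ("needs_admin_review" if conflicts else "allow"), sorted(conflicts)


if __name__ == "__main__":
    # Constructed sample data: two accounts on the same server.
    zones = {"example.com": "user1", "other.on.ca": "user3"}
    for name, who in [("smtp.example.com", "user2"),
                      ("smtp.example.com", "user1"),
                      ("example.on.ca", "user2"),
                      ("on.ca", "user2")]:
        print(name, who, check_zone_request(name, who, zones, ["on.ca"]))
```
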
 
Another thing I thought of is enabling users to "Delegate" access to their account or parts of it. This would be useful for resellers as well.

Resellers almost certainly would not want to be able to delegate parts of their account except to their own internal staff; they need to be able to create completely separate accounts that reference the reseller account. Generally.
 