deepelement

Reputation: 2506

How does GCloud DNS verify domain ownership?

Configuring GCloud DNS, it is clear that they reuse nameservers across zones. However, I noticed that once GCloud's nameservers are added to the domain's NS records in an external provider (Bluehost, GoDaddy, etc.), the mapping resolution occurs without ownership validation.

What happens when:

Does GCloud DNS allow the other user to hijack traffic at www.joe.com in this case? At what point does GCloud DNS assert the SOA back to the domain owner, given the overlap of Nameserver endpoints?

Update

Just created a new GCloud DNS zone for a domain that I do not own (ex. hijack.domain.com), that is publicly known for using GCloud DNS nameservers (ex. www.domain.com). Was able to CNAME that subdomain to www.mycustomsite.com.

Since zones can take any form, doesn't this essentially mean someone can just hijack endless zone names on a GCloud DNS user's domain?

Update

3 hours later, the zone creation view in GCloud DNS now has a challenge to verify ownership at https://www.google.com/webmasters/verification

Not sure what happened earlier, but the verification wasn't part of the creation process.

Upvotes: 2

Views: 526

Answers (1)

deepelement

Reputation: 2506

Google Cloud DNS should work hand-in-hand with https://www.google.com/webmasters/verification

When creating new zones, there should be a challenge to verify ownership if not already established in their stack.

Upvotes: 0
