17

I recently set a server up on Digital Ocean. The process of pointing the domain to Digital Ocean name servers was as easy as updating them on the registrar's website, and just adding them to my server.

How did Digital Ocean verify I owned the domain I was adding to my server? Couldn't anyone do this? Could another customer have added my domain to their Digital Ocean account before I got around to it?

Stephen Ostermiller
Mav

6 Answers

21

Couldn't anyone do this?

You are missing one factor. Domain name registration and hosting are two different things even if your host will register your domain for you. A domain name has to be registered and pointed to an IP address before the domain name does anything.

The hosting company does not generally care about the domain name registration except to sell you domain name registration to help you.

Let's assume for a moment you registered your domain name with GoDaddy and bought your hosting from Digital Ocean.

Digital Ocean would give you an IP address to your server. With GoDaddy, you would associate your domain name with that IP address. These are two separate processes. Even if you bought your domain name from Digital Ocean, the processes are still separated.

So if the question is, Could someone simply purchase hosting without a domain name and simply put a domain name in their hosting DNS server?, the answer is No. When a domain name is registered, the domain name has to appear in a TLD domain name server. For example, example.com would have to be registered in the .com TLD domain name server and SOA (statement of authority) records added. Simply placing a domain name in the hosting DNS does not do this.

How did DO verify I owned the domain I was adding to my server?

Again, hosting providers do not care if you own a domain name or not. The reason why is simple. The website you create will not work without properly registering a domain name. As well, it is not uncommon that the one who owns a domain name is not the one who is running the site itself. Separation between a domain name and host is a necessity. For example, when I was a web host, MARS candy owned the domain name, paid a hosting company to host the site, and then paid another to develop and maintain the site.

If you registered your domain name when you signed up for Digital Ocean, then they simply registered your domain name for you and set it up for you to work with their hosting. It is that simple.

closetnoc
7

Sure, anyone could do this, but what would they get from it? Attaching the domain to the server doesn't give you any kind of access or ownership of the servers.

You could point thedomainyouown.com at Google's IPs, but all you get from it is costs and no benefit. Thus it generally makes little sense to point your nameservers at anything else but your own servers, so people generally don't do it.

There are a few situations where it is actually necessary to point your domain to servers you do not own, like white-label payment services. In a case like that, you point a subdomain that you own (e.g. cash.thedomainyouown.com) at a server owned by the payment provider, and when their servers see a request coming in with your domain name on it, they know to present the user with the payment page for your company, and the user doesn't notice that you've delegated that service to another company unless they dig in deeper (e.g. verifying IP ownership). These white-label use cases wouldn't work if you had to prove server or IP ownership to set DNS records.

WooShell
2

Simple answer: They don't know, and they don't care. To make your website work, you need to point your domain to your droplet, which you can only do if you are the owner of that domain. If another person adds your domain on DO, then they won't be able to point your domain to their droplet.

Harikrishna
2

How did Digital Ocean verify I owned the domain I was adding to my server? Couldn't anyone do this? Could another customer have added my domain to their Digital Ocean account before I got around to it?

Since none of the other answers have mentioned it: you probably had to tell your server which domain names to expect, but that does not actually cause those domain names to go there.

When you visit http://example.org/ in a web browser, your browser looks up the IP address of example.org. Then it contacts that IP address, and says "Hi, I'm looking for example.org. Please send me your home page."

Depending on the server configuration, the server might care about what domain the browser tells it, or it might not. If the browser said "Hi, I'm looking for asdjhashsdfsfgdfgdg.org. Please send me your home page." then the server will either send back the homepage for example.org (if it doesn't care) or it will send an error page saying "sorry, I don't know what site that is." If your server does care, then it needs to know what your domain is.

It's done this way so that you can use the same IP address for more than one domain, and still have different web pages on every domain. If you have more than one domain pointing to the same IP address, then the server does need to know which domains you have, so it can send the right page.
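
The server-side decision described in the answer above, as an added example that is not part of the original answer: a small dispatcher that reads the Host header from a raw HTTP/1.1 request and either falls back to a default site or rejects names it was never told about. The site table, page bodies and function names are constructed for illustration.

```python
from __future__ import annotations

# Constructed site table: two domains served from the same IP address.
SITES = {
    "example.org": "<h1>example.org home</h1>",
    "example.net": "<h1>example.net home</h1>",
}
DEFAULT_SITE = "example.org"


def host_from_request(raw: bytes) -> str | None:
    """Return the normalised Host header of a raw request, or None if invalid."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hosts = [
        line.split(":", 1)[1].strip()
        for line in head.split("\r\n")[1:]      # skip the request line
        if line.lower().startswith("host:")
    ]
    if len(hosts) != 1 or not hosts[0]:
        return None                             # missing or duplicated Host
    # Lower-case, drop an optional :port and a trailing dot.
    # (IPv6 literals such as [::1]:80 are out of scope for this sketch.)
    return hosts[0].lower().split(":", 1)[0].rstrip(".")


def respond(raw: bytes, strict: bool) -> tuple[int, str]:
    """Pick the page for a request; `strict` controls handling of unknown names."""
    host = host_from_request(raw)
    if host is None:
        return 400, "Bad Request"
    if host in SITES:
        return 200, SITES[host]
    if strict:
        # The server "cares": it only answers for names it was configured with.
        return 404, "sorry, I don't know what site that is"
    # The server "doesn't care": any name reaching this IP gets the default site.
    return 200, SITES[DEFAULT_SITE]


def request_for(host: str) -> bytes:
    """Build a constructed sample request carrying the given Host header."""
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("ascii")
```

Running a server in the strict mode means a domain someone else points at your IP address gets an error page instead of your content.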

1

I think in general hosting providers don't verify that you actually own a domain before letting you instruct them and their nameservers to point it at your server or website. I've been able to do it at a hosting provider in the past. In most cases this is harmless, because either the owner of the domain set it up first (in which case your hosting provider won't accept another entry for the same domain), or they set it up on a different hosting provider (in which case nobody will ask yours for the site anyway).

This can cause problems, however, if you set up a domain you don't really own, and then the real owner of the domain later tries to bring it over to the provider you are using. I once got a phone call from a hosting provider complaining that I had entered someone else's domain into my account, and that now (many years later) that person was trying to switch over to the hosting provider and wasn't able to set up their domain properly because of it.

So in my experience the problems that result from this are handled by humans on a case-by-case basis. To actually claim enough domains to have a high probability of hitting one that was likely to be registered or transferred in, you'd have to add so many domains that you would raise other red flags.

interfect
0

I noticed that answers to this question (here and elsewhere) sometimes get side-tracked and address completely different concerns. So I'll first rephrase the question to emphasize the real issue.

What do DNS providers (e.g. a hosting company) do in the specific situation where two of their clients claim ownership of the same domain (i.e. they both set "example.com" to point to different IPs)?

Short answer, the situation creates a conflict and different hosts deal with it differently. Some hosts have specific additional steps one can take to assert ownership and break any tie in the race. Others require that the problem be explicitly reported, so that they can intervene. Malice is not automatically assumed.

As an example, here's how Digital Ocean (DO) handles it.

Only one user can add and manage a domain to DO's DNS. Once you've added a domain to your panel, no one else can add or manage the same domain, until you delete it.

If someone else previously added a domain to their DO account that you currently own, thus preventing you from adding and managing it now on yours, contact DO to resolve the issue.

Other hosts may have automatic resolution steps, like asking you to validate your ownership of the domain by pointing the registrar to a specific address.
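
One way such an automatic resolution step can work, as an added example that is not from the original answer and does not describe Digital Ocean's system: a hypothetical DNS host gives each account its own nameserver names, keeps one owner per zone, and lets a blocked claimant take over once the delegation published at the registrar matches the nameservers assigned to that account. All account names and nameserver names are constructed, and the observed NS records are passed in rather than queried.

```python
from __future__ import annotations


def norm(name: str) -> str:
    """Normalise a DNS name for comparison (case and trailing dot)."""
    return name.strip().lower().rstrip(".")


class ZoneRegistry:
    """Hypothetical DNS host: one owner per zone, delegation breaks ties."""

    def __init__(self) -> None:
        self.assigned = {}   # account -> frozenset of its assigned nameservers
        self.owner = {}      # zone -> account currently allowed to manage it
        self.pending = {}    # zone -> set of accounts blocked by an earlier claim

    def register_account(self, account: str, nameservers: list[str]) -> None:
        self.assigned[account] = frozenset(norm(n) for n in nameservers)

    def add_zone(self, account: str, zone: str) -> str:
        zone = norm(zone)
        holder = self.owner.setdefault(zone, account)   # first claim wins for now
        if holder == account:
            return "active"
        self.pending.setdefault(zone, set()).add(account)
        return "pending"

    def verify(self, account: str, zone: str, observed_ns: list[str]) -> bool:
        """observed_ns: NS records the parent (TLD) zone returns for `zone`."""
        zone = norm(zone)
        if account != self.owner.get(zone) and account not in self.pending.get(zone, ()):
            return False                                 # account never claimed the zone
        observed = {norm(n) for n in observed_ns}
        if not observed or observed != self.assigned[account]:
            return False                                 # registrar does not point here
        self.owner[zone] = account                       # only the registrant can do this
        self.pending.pop(zone, None)
        return True


def demo() -> tuple:
    reg = ZoneRegistry()
    reg.register_account("acct-early", ["ns-a1.dns-host.example", "ns-a2.dns-host.example"])
    reg.register_account("acct-registrant", ["ns-b1.dns-host.example", "ns-b2.dns-host.example"])
    first = reg.add_zone("acct-early", "example.com")
    second = reg.add_zone("acct-registrant", "Example.com.")
    # Constructed parent-zone answer after the registrant updated the registrar.
    delegation = ["NS-B1.dns-host.example.", "ns-b2.dns-host.example."]
    early_ok = reg.verify("acct-early", "example.com", delegation)
    registrant_ok = reg.verify("acct-registrant", "example.com", delegation)
    return first, second, early_ok, registrant_ok, reg.owner["example.com"]
```

With nameservers shared by every customer the delegation alone cannot tell two claimants apart, which is why this sketch assumes per-account nameserver names.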