diff --git a/api/dns.go b/api/dns.go
index a1739d3..b7fed8f 100644
--- a/api/dns.go
+++ b/api/dns.go
@@ -2,6 +2,7 @@ package api
 
 import (
 	"database/sql"
+	"fmt"
 	"log"
 	"net/http"
 	"strconv"
@@ -22,8 +23,18 @@ func userCanFuckWithDNSRecord(dbConn *sql.DB, user *database.User, record *datab
 	ownedByUser := (user.ID == record.UserID)
 
 	if !record.Internal {
-		publicallyOwnedByUser := (record.Name == user.Username || strings.HasSuffix(record.Name, "."+user.Username))
-		return ownedByUser && publicallyOwnedByUser
+		userOwnedDomains := []string{
+			fmt.Sprintf("%s", user.Username),
+			fmt.Sprintf("%s.endpoints", user.Username),
+		}
+
+		for _, domain := range userOwnedDomains {
+			isInSubDomain := strings.HasSuffix(record.Name, "."+domain)
+
+			ownedByUser = ownedByUser || domain == record.Name || isInSubDomain
+		}
+
+		return ownedByUser
 	}
 
 	owner, err := database.FindFirstDomainOwnerId(dbConn, record.Name)