

Name.com hijacks non-existent subdomains and redirects to their servers - tnorthcutt
http://www.destructuring.net/2013/02/28/name-com-is-doing-some-really-sketchy-stuff/

======
machrider
My workaround for this was to add a TXT record for *.mydomain.com that just
returns a string like "Unused". This seems to stop them from hijacking any
subdomains, and it's not an A record so undefined subdomain names do not
resolve, just like if you had not defined them in the first place.

(Workaround shouldn't be necessary of course, but this kind of bullshit is par
for the course with cheap hosting companies.)
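The three situations this thread discusses (no wildcard, the wildcard TXT workaround, and a wildcard A record pointing at a parking host) as an added example that is not part of the comment above. It models how a standards-following authoritative server applies RFC 4592 wildcard rules; the zone contents, the `203.0.113.7` parking address and all function names are constructed for illustration.

```python
# Constructed sample zone for example.com: owner name -> {rrtype: [rdata]}.
APEX = "example.com"

def make_zone(wildcard=None):
    """Return the sample zone, optionally with records at *.example.com."""
    zone = {
        "example.com": {"A": ["192.0.2.10"]},
        "www.example.com": {"A": ["192.0.2.10"]},
        "a.b.example.com": {"A": ["192.0.2.20"]},
    }
    if wildcard:
        zone["*." + APEX] = wildcard
    return zone

def existing_names(zone):
    """Owner names plus empty non-terminals such as b.example.com."""
    names = set()
    for owner in zone:
        labels = owner.split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name == APEX or name.endswith("." + APEX):
                names.add(name)
    return names

def resolve(zone, qname, qtype):
    """Answer as an RFC 1034/4592 authoritative server would: (status, rdata).

    "NODATA" stands for rcode NOERROR with an empty answer section.
    """
    qname = qname.lower().rstrip(".")
    if not (qname == APEX or qname.endswith("." + APEX)):
        return ("REFUSED", [])
    exists = existing_names(zone)
    if qname not in exists:
        # Closest encloser: the longest ancestor of the query name that exists.
        labels = qname.split(".")
        ancestors = (".".join(labels[i:]) for i in range(1, len(labels)))
        encloser = next((a for a in ancestors if a in exists), APEX)
        source = "*." + encloser
        if source not in zone:
            return ("NXDOMAIN", [])   # no wildcard covers this name
        qname = source                # answer is synthesized from the wildcard
    rdata = zone.get(qname, {}).get(qtype, [])
    return ("NOERROR", rdata) if rdata else ("NODATA", [])

def compare(qname="typo.example.com", qtype="A"):
    """Same query against the three zone configurations."""
    return {
        "no wildcard": resolve(make_zone(), qname, qtype),
        "wildcard TXT": resolve(make_zone({"TXT": ["Unused"]}), qname, qtype),
        "wildcard A": resolve(make_zone({"A": ["203.0.113.7"]}), qname, qtype),
    }

if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:13} -> {result}")
```

With the wildcard TXT record in place the undefined name yields no address, but the status is NOERROR with an empty answer rather than NXDOMAIN, which matters to monitoring that keys on the response code.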

~~~
ams6110
Just fyi, mydomain.com is a real domain, example.com is better to use for
illustrative purposes.

~~~
signed0
Amusingly mydomain.com is a domain registrar. I wonder how many people stumble
upon it by accident.

------
joshka
I ran into the same issue several years ago. Now I actively recommend against
name.com because of this practice, which I consider very dodgy. Their support
was unable to provide any real resolution to this and so I moved elsewhere. On
recollection, I should have asked for my money back. Not for the meaningful
amount that it cost, but to highlight how stupid this practice is. I'd
encourage anyone with name.com to do the same as a form of protest.

A previous series of support emails:

--

I own the joshka.net domain registered with name.com. When I attempt to
resolve a subdomain that does not exist I expect this to return an NXDOMAIN
result. Instead, the name.com name servers return an IP address of spammers.

How can I set up my account to return NXDOMAIN for this domain?

--

Hello Joshua,

I have set your domain to a wildcard 'A' record, that accepts any subdomain,
and points it to your hosting IP address. I ran a 'dig' [ping] command on
'stuff.joshka.net' as a test, please see the results below:

--

I think we have a slight misunderstanding. I do not want a wildcard A record
(and have removed the record that was set up). Resolving any subdomain that I
have not explicitly created a DNS record for should return an NXDOMAIN result. This
expectation is in line with ICANN's memorandum titled "Harms and Concerns
Posed by NXDOMAIN Substitution (DNS Wildcard and Similar Technologies) at
Registry Level" at
<http://www.icann.org/en/announcements/announcement-2-24nov09-en.htm>
Providing this default wildcard service where it is not requested or required
is a disservice. I can't imagine why I would want or need this.

--

Hello Joshua,

I apologize for the misunderstanding with the wildcard DNS record. We have had
multiple customers request this in the past, and this feature was used with
success in those cases. I have consulted our management team to see if there
is a different option that we can provide you. Please look for a response
concerning this issue tomorrow.

--

Thanks Elicia, I'll look forward to hearing from you. It's not the wildcard
DNS itself that I couldn't see the use of. I understand why that would be
useful in narrow situations. What I don't understand is why name.com provide
the default wildcard A record redirecting to a site full of advertising. I
don't know how this would be useful to any business or entity that does not
want to use wildcard subdomains of their own.

I understand that section 19 of the registration agreement seems to cover this
use of wildcards (though the wording is fairly vague), but it also states "At
any time, you may disable the placeholder page by updating, modifying or
otherwise changing the name servers for the relevant domain name."

--

Thanks for getting back with us. Yes you are correct, by changing the DNS or
name servers for this domain, it will no longer point to the parking page. I
have discussed all options for allowing this wording to show, with our support
management team, and the systems administration group. We sincerely apologize,
however our DNS servers are not able to show the 'nxdomain' that you
mentioned.

This option is possible should you wish to use your own custom name servers
for this domain. Should you wish to set up your own name servers, here are
instructions for registering these name servers from within your Name.com
account

<snip>

~~~
semenko
DNS aside, Name.com is one of the only registrars I know of with reasonable
security practices.

They support two-factor auth (almost no one else does), and have nicely scoped
cookies (HTTP only, Secure flag, etc.).

~~~
kristinn
The irony is that their actions can in fact make cookies their customers are
using for their sites invulnerable.

~~~
jervisfm
I don't understand what you are saying? Is it that there is a security issue
arising from the DNS hijacking? If so what's the issue?

~~~
deizel
Say you set a session cookie that spans multiple subdomains (cookie domain =
`.example.com`).

Now, if one of your authenticated users visits the wrong subdomain, they are
directed to a server of name.com's choice.

That server now has access to your user's session ID (using Javascript or PHP
or whatever to read the cookie).
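The cookie-scoping point above, as an added example that is not part of the original comment: a small model of RFC 6265 domain matching showing which hosts a browser sends a cookie to depending on its `Domain` attribute. Host names are constructed; request paths and the public-suffix check are left out, and the `Cookie` class and function names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    set_by: str                    # host that sent the Set-Cookie header
    domain: Optional[str] = None   # Domain attribute; None = host-only cookie
    secure: bool = False
    http_only: bool = False        # hides the cookie from scripts, not servers
    path: str = "/"

def domain_match(host, domain):
    """RFC 6265 section 5.1.3 for host names (IP addresses not handled)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def accepted(cookie):
    """Would a browser store this cookie at all?"""
    if cookie.domain is not None and not domain_match(cookie.set_by, cookie.domain):
        return False   # a host may only scope cookies to itself or a parent
    if cookie.name.startswith("__Host-"):
        # __Host- prefix: Secure, Path=/ and no Domain attribute are required.
        return cookie.secure and cookie.domain is None and cookie.path == "/"
    return True

def sent_with_request(cookie, scheme, host):
    """Is the cookie attached to a request for scheme://host/ ?"""
    if not accepted(cookie):
        return False
    if cookie.secure and scheme != "https":
        return False
    if cookie.domain is None:
        return host.lower() == cookie.set_by.lower()   # host-only: exact match
    return domain_match(host, cookie.domain)

def receiving_hosts(cookie, scheme, hosts):
    """Hosts whose servers would see this cookie in the Cookie header."""
    return [h for h in hosts if sent_with_request(cookie, scheme, h)]

# Constructed hosts: two real services, one undefined name, one look-alike.
HOSTS = ["www.example.com", "app.example.com", "typo.example.com", "notexample.com"]

WIDE = Cookie("session", "www.example.com", domain=".example.com",
              secure=True, http_only=True)
HOST_ONLY = Cookie("session", "www.example.com", secure=True, http_only=True)

if __name__ == "__main__":
    print("Domain=.example.com:", receiving_hosts(WIDE, "https", HOSTS))
    print("host-only          :", receiving_hosts(HOST_ONLY, "https", HOSTS))
```

Omitting the `Domain` attribute, or using the `__Host-` name prefix so the browser enforces that omission, keeps the session cookie off every subdomain other than the one that set it.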

------
nbpoole
Some previous discussion on this issue (almost 2 years ago):

<http://news.ycombinator.com/item?id=2443710>

I'll say the same thing I said then:

 _As an anecdotal counterpoint, I'm an extremely happy Name.com customer. I
transferred several domains to them a year or so ago from GoDaddy. They support
two-factor authentication, their interface is uncluttered, I pay them less
money than I paid GoDaddy, and I haven't had a single issue. I would highly
recommend them to anyone looking for a registrar._

 _That being said, I don't use them for DNS. If this is a feature of their
nameservers, I do find it strange that they don't offer a way to opt out
(other than using alternative nameservers)._

I am still an incredibly happy Name.com customer and would recommend them as a
registrar to anyone who asks. I just would point them somewhere else for DNS
hosting.

~~~
jervisfm
May I ask where do you do your DNS hosting? Do you host it yourself? Or do
you use a third party?

~~~
chewxy
For domains I'm actively using, I use Route53. For domains I'm not actively
using, I don't mind name.com is parking.

~~~
2xlp
I didn't mind name.com parking my domains either.

I do mind the idea of them treating every possible 3LD as a parked domain, when
my domain is not parked (and configured using their Name Servers).

------
miles
Name.com is surprisingly open about this spammy practice, and even highlights
methods for circumventing it:

<http://www.name.com/blog/general/domains/2012/01/pro-tip-how-to-get-rid-of-that-pesky-parking-page/>

Of course, it would be better for them to simply charge a bit more and get rid
of it altogether, especially since it breaks standards.

~~~
UnoriginalGuy
I am boycotting Name.com so hard right now. Actually they just jumped ABOVE
GoDaddy on my boycott list. At least GoDaddy said sorry and pretended.

Still using NameCheap here.

~~~
lhnn
name.com is very usable and otherwise handy; I don't like this policy, but I
wouldn't wish GoDaddy on my worst enemy.

(OK, maybe I would)

EDIT: I really don't understand your thinking; I am the opposite. I respect
name.com for being forward about it and not acting like a politician (treating
me like a child).

~~~
UnoriginalGuy
> I really don't understand your thinking; I am the opposite. I respect
> name.com for being forward about it and not acting like a politician
> (treating me like a child).

I respect them for sharing their reasons. I think it is professional.

My issue is twofold:

- This kind of activity "breaks the internet" in the purest sense possible.
It is against spec' for a very good reason, IT IS STUPID. Going to a null
domain should give you a null reply. It breaks software and it breaks user's
expectations (e.g. if you hit that page because you typo-ed the domain you
might assume the domain has gone out of business or been "hacked").

- Their work-around(s) are silly. They are essentially "then use someone
else" or "register every single possible sub-domain." No opt-out.

They might be very good at business and marketing but they fail on every
technological ground you can fail. Someone who fails that badly at
understanding the internet isn't someone I want running my DNS of all
things...

~~~
sjs382
> - Their work-around(s) are silly. They are essentially "then use someone
> else" or "register every single possible sub-domain." No opt-out.

"Use someone else" _is_ the opt-out, whether you take it to mean "use another
registrar" or use "other, non-gratis DNS services."

Your other option is to use a wildcard, as I think you understand (though your
"register every single possible sub-domain" is a bit misleading).

This behavior sucks, but if it's something that bothers you, you're probably
the type that should be using a better DNS provider, anyways. That said, I'm a
happy customer of name.com.

~~~
rhizome
Using a different nameservice provider only treats the symptom. Name.com is
still breaking the internet with this practice.

------
pi18n
Even worse; their customer agreement seems to indicate that you are
responsible for the content. They also refuse to turn it off if you send them
an email. What a shitty little company to be inflicting this on their
customers.

------
zx2c4
I'm in the process of switching to gandi.net. It's not as cheap as name.com (3
dollars difference...), but their DNS service seems really topnotch. Also,
they're open to acting as a secondary DNS server and mirroring my own NS via
AXFR, which is pretty nice.

~~~
WickyNilliams
I'm using gandi, as you say prices are a bit more expensive but I have had no
problems so far. Their admin UI is even bearable, which is almost worth the
cost alone!

------
ceejayoz
The more stories like this I read the happier I am that I use a paid service
(Route 53).

~~~
UnoriginalGuy
I LOVE Route53, it is just expensive. At least compared to other similar
services (e.g. ZoneEdit). Route53 is basically $1/month/domain - most other
services can match or beat that.

------
jstanley
It's really not that hard to run your own nameserver. While I obviously
disagree with what they're doing, I think you should have been running your
own in the first place.

~~~
UnoriginalGuy
Easy but for single-server setups also silly.

If your server falls off of the net your DNS goes boom too and you have no
shot of redirecting people to a landing page or similar "oh shit" activities.

Now you could re-point your nameserver records but in my experience that takes
longer to propagate than a new A record with a short TTL.

~~~
jstanley
I take the opposite viewpoint: if the machine is down, I wouldn't be able to get
to the machine anyway even if DNS was working, so I don't care.

------
fuser
Can't you just do a CNAME entry with a wildcard pointing to your primary
domain?

~~~
lcampbell
The wildcard fix is annoying when you have everything on SSL but don't want to
handle a wildcard cert[1]. When someone typos <https://foo.example.com> I'd
like the UX to be a browser's "could not connect to server" error, not "this
site is untrusted, run away as fast as you can".

--

[1] IMO, the use of wildcard certs is a dangerous practice[2] made obsolete by
SNI.

[2] If the cert gets stolen from one server, the thief can impersonate _any_
server on that domain.

~~~
JoshTriplett
Given that no means currently exists to safely hand out a certificate for
example.org that can in turn sign separate certificates for arbitrary
foo.example.org subdomains, some sites still need wildcards. If you hand
customers their own subdomain, and you automatically mint new customer
subdomains when new customers sign up, you can't get a separate CA certificate
for each one even if SNI _does_ work; you really do need a wildcard for that.

------
krichman
21. Parked domain service

All domain names registered via Name.com will automatically be provided a
Parked Domain Service. All domains will default to our name servers unless and
until you modify your default settings. At any time, you may disable the
placeholder page by updating, modifying or otherwise changing the name servers
for the relevant domain name.

Domain names using our Parked Domain Service may display a placeholder page
for your future website. These placeholder pages may include contextual and/or
other advertisements for products or services. Name.com will collect and
retain any and all revenue acquired from these advertisements, and you will
have no right to any information or funds generated via the Parked Domain
Service.

You agree that we may display our logo and links to our website(s) on pages
using the Parked Domain Service.

 _Name.com will make no effort to edit, control, monitor, or restrict the
content displayed by the Parked Page Service. Any advertising displayed on
your parked page may be based on the content of your domain name and may
include advertisements of you and/or your competitors. It is your
responsibility to ensure that all content placed on the parked page conforms
to all local, state, federal, and international laws and regulations._

 _It is your obligation to ensure that no third party intellectual or
proprietary rights are being violated or infringed due to the content placed
on your parked page. Neither Name.com nor our advertising partners will be
liable to you for any criminal or civil sanctions imposed as a direct or
indirect result of the content or links (or the content of the websites to
which the links resolve) displayed on your parked pages._

 _As further set forth above, you agree to indemnify and hold Name.com and its
affiliated parties harmless for any harm or damages arising from your use of
the Parked Domain Service._

------
jbarham
FWIW I run DNS hosting service SlickDNS (<https://www.slickdns.com/>) and
hijacking non-existent subdomains is a non-feature. It's free for personal use
for 2 domains and paid plans start at $10/month.

------
xpose2000
I contacted Name over twitter and their response was sarcastic and they don't
seem to care. <https://twitter.com/namedotcom/status/307523296910532608>

~~~
autotravis
There's a time for humor and there is a time for a serious response. This is
the latter and I find myself regretting my move to name.com.

------
arikrak
Bluehost puts ads on subdomains and directories that you haven't set up yet.

------
fvdsvcfhgyju
_Internal Server Error_

 _The server encountered an internal error or misconfiguration and was unable
to complete your request._

 _Please contact the server administrator, webmaster@destructuring.net and
inform them of the time the error occurred, and anything you might have done
that may have caused the error._

 _More information about this error may be available in the server error log._

 _Additionally, a 500 Internal Server Error error was encountered while trying
to use an ErrorDocument to handle the request._

------
2xlp
Thanks. That was my post. Sad to see others have dealt with this before. I
went through their TOS, and there's no way in hell their "Parked Domains"
clause is applicable to DNS failovers. What they are doing is just totally
wrong. I wrote a second post about it as an Open Letter to them here :
<http://www.destructuring.net/2013/02/28/an-open-letter-to-name-com/>

------
MatthewPhillips
I caught Hover.com doing something similar[1] a couple of years ago. They were
adding forwards not for subdomains but paths of the root domain. I actually
switched to Name.com for this very reason, troubling to see another pulling
this stuff.

[1] <http://matthewphillips.info/posts/no-thanks-hover.html>

~~~
ricardobeat
At the end of the post you say you fully believe their explanation (that those
are added as forwarding examples on new accounts). Which one is it?

~~~
MatthewPhillips
What do you mean? I believed their explanation but wanted to leave anyways. I
don't want them redirecting my domains regardless of intent.

~~~
sahaskatta
I moved quite a few domains to Hover within the last 2 months. I went and
immediately checked the forwards section after reading your comment.
Thankfully, there are ZERO forwards set up. I'm guessing they stopped
pre-configuring example forwards for demonstration purposes.

~~~
nkozyra
They did. I use Hover now, and while they still have a dumb landing page for
unused subdomains (which I disable immediately on first login), they aren't
doing the forwards by default.

------
nathanhammond
I posted about this almost two years ago
(<http://news.ycombinator.com/item?id=2443710>) ... I am eagerly looking
forward to DNSimple (<http://dnsimple.com>) entering the market as their own
registrar (instead of reselling enom). Their founder has said that is a high
priority goal for them this year which will immediately make them the
registrar and DNS provider for all of my domains.

Oh, and don't use name.com, they hijack DNS. :)

------
SODaniel
Well domain.com uses 'parked' domains to earn themselves advertising dollars
until you 'use' them so it seems most domain registrars are in on the
'racket'.

------
antsam
This is generally why I stay clear of using the "free DNS" provided by
registrars. But then again, they can still be more reliable than hosting your
own.

------
ajju
I love name.com but I find this irritating enough that I plan to find another
provider unless they fix this.

------
jacob019
Switched from godaddy to namecheap for my 20+ domains a couple years ago. I
couldn't be happier.

~~~
error54
Second on namecheap. I use them for all my domains and they don't do any
wildcard routing.

------
unreal37
A bit off topic, but I used to work for a company called NAME that had the
name.com domain. They went out of business in the dot com bust of 2001, and I
guess the domain got sold. I can't see name.com without thinking of that.

~~~
drmonocle
That domain must have been pricy, even during the dot-com bust.

------
lowglow
I'm building a registrar we'd want to use. I'd like to hear a list of "love to
haves" for people interested in the project. Try out what I have so far
<http://nametagup.com/>

------
circa
I have never used name.com but I mainly use hover.com and namecheap.com -
never had bad experiences with them or register.com either.

GoDaddy is the absolute devil though. We all know that.

------
pidg
This applies to customers of DomainSite too (same company). Annoying, as
they've been really good otherwise for many years.

------
RKearney
By default, every 404 page hosted with HostGator puts an advertisement for
HostGator hosting on your site.

~~~
reustle
That's only shared hosting though I would think.

------
mikehc
I was not aware of this. Adblock just showed me a blank page.

------
didyousaymeow
badger.com - haven't looked back once.

------
circa
wow Subdomains? That is pretty low.

------
iamtherockstar
I actually _just_ ran into this. I had a client forget to add a www CNAME
record, so they thought the site was "hacked" when they added the www to their
domain and got this parked site. Luckily, it's not a cached record, so when we
fixed it, DNS servers started finding the right record immediately.

