Name.com hijacks non-existent subdomains and redirects to their servers (destructuring.net)
208 points by tnorthcutt 795 days ago | 91 comments



My workaround for this was to add a TXT record for *.mydomain.com that just returns a string like "Unused". This seems to stop them from hijacking any subdomains, and it's not an A record so undefined subdomain names do not resolve, just like if you had not defined them in the first place.

(Workaround shouldn't be necessary of course, but this kind of bullshit is par for the course with cheap hosting companies.)

-----


Just fyi, mydomain.com is a real domain, example.com is better to use for illustrative purposes.

-----


Amusingly mydomain.com is a domain registrar. I wonder how many people stumble upon it by accident.

-----


example.com isn't just better: it's actually specified in RFC 2606 as one of the domains "reserved for use in private testing, as examples in documentation, and the like."

-----


While it is probably not relevant for most users, there is a subtle difference between "There exists no A record for x.example.com" and "There is no x.example.com".

-----


A workaround for this is to make *.example.com a CNAME for something.invalid. ".invalid" is a reserved TLD guaranteed not to exist so this should force all queries for non-existent domains to come back with NXDOMAIN.

-----
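

The difference between the answers discussed above (NXDOMAIN, "no A record", and a synthesized wildcard answer) can be checked by resolving random labels under the zone. This is an added example, not code from the thread or from any provider; the result shape, the verdict names and the sample addresses are assumptions of the sketch.

```javascript
// Added example. Assumed result shape for one lookup:
//   { addresses: ['192.0.2.10'] } for an answer, { code: 'ENOTFOUND' } for an error.
// Node's dns module reports NXDOMAIN as ENOTFOUND and a NODATA answer as ENODATA.

// A label nobody would have created on purpose.
function randomLabel(len = 24) {
  const alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
  let label = '';
  for (let i = 0; i < len; i++) {
    label += alphabet[Math.floor(Math.random() * alphabet.length)];
  }
  return label;
}

// Verdict for a single probe.
function classifyProbe(result) {
  if (result.addresses && result.addresses.length > 0) return 'ANSWER';
  if (result.code === 'ENOTFOUND') return 'NXDOMAIN'; // "there is no x.example.com"
  if (result.code === 'ENODATA') return 'NODATA';     // name exists, but has no A record
  return 'INCONCLUSIVE';                              // timeout, SERVFAIL, ...
}

// Verdict for the zone. ownAddresses: IPs the owner deliberately wildcards to, if any.
function summarize(results, ownAddresses = []) {
  const seen = results.flatMap((r) => r.addresses || []);
  if (seen.length > 0) {
    // Random names resolved: either the owner's wildcard or someone else's.
    return seen.every((a) => ownAddresses.includes(a)) ? 'OWN_WILDCARD' : 'FOREIGN_WILDCARD';
  }
  const verdicts = results.map(classifyProbe);
  if (verdicts.length === 0 || verdicts.includes('INCONCLUSIVE')) return 'INCONCLUSIVE';
  if (verdicts.every((v) => v === 'NXDOMAIN')) return 'NXDOMAIN';
  if (verdicts.every((v) => v === 'NODATA')) return 'NODATA';
  return 'MIXED';
}

// Probe `count` random subdomains of `domain` with the given resolve4 function.
async function probeZone(domain, resolve4, ownAddresses = [], count = 3) {
  const results = [];
  for (let i = 0; i < count; i++) {
    const name = `${randomLabel()}.${domain}`;
    try {
      results.push({ name, addresses: await resolve4(name) });
    } catch (err) {
      results.push({ name, code: err.code });
    }
  }
  return { verdict: summarize(results, ownAddresses), results };
}

// Live use (needs network):
//   const { resolve4 } = await import('node:dns/promises');
//   console.log(await probeZone('example.com', resolve4, ['198.51.100.7']));

// Constructed results, one per situation described in the thread.
const OWN_IP = ['198.51.100.7'];
const SAMPLES = {
  providerWildcard: [{ addresses: ['192.0.2.10'] }, { addresses: ['192.0.2.10'] }],
  ownWildcardA: [{ addresses: ['198.51.100.7'] }, { addresses: ['198.51.100.7'] }],
  txtWildcard: [{ code: 'ENODATA' }, { code: 'ENODATA' }],
  noWildcard: [{ code: 'ENOTFOUND' }, { code: 'ENOTFOUND' }],
};
for (const [label, results] of Object.entries(SAMPLES)) {
  console.log(label, '->', summarize(results, OWN_IP));
}
```

-----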


A workaround? As opposed to simply switching registrars with something decent?

-----


yeah, the best workaround is namecheap.com

-----


I don't like being with resellers.

-----


What do you think of http://en.gandi.net/ guys? I'm on name.com as well but this thing is really bugging me.

-----


I'm with gandi, there's a few things I don't like but overall they've been super stable with very little headaches. I think in the 3+ years I've been with them I've had one slight issue that was dealt with in <24 hours.

-----


I typically just do a *.example.com @A record to the IP address, works just as well and would fix the specific problem in the link (unless he's worried about having to extract individual subdomains to go separate places later).

-----


This is a good workaround, and I am voting you up in the hopes that others see it.

-----


Confirmed to work with name.com

Before: Parked page After: Bing search (thanks IE)

-----


I ran into the same issue several years ago. Now I actively recommend against name.com because of this practice, which I consider very dodgy. Their support was unable to provide any real resolution to this and so I moved elsewhere. On recollection, I should have asked for my money back. Not for the meaningful amount that it cost, but to highlight how stupid this practice is. I'd encourage anyone with name.com to do the same as a form of protest.

A previous series of support emails:

--

I own the joshka.net domain registered with name.com. When I attempt to resolve a subdomain that does not exist I expect this to return a NXDOMAIN result. Instead, the name.com name servers return an IP address of spammers.

How can I set up my account to return NXDOMAIN for this domain?

--

Hello Joshua,

I have set your domain to a wildcard 'A' record, that accepts any subdomain, and points it to your hosting IP address. I ran a 'dig' [ping] command on 'stuff.joshka.net' as a test, please see the results below:

--

I think we have a slight misunderstanding. I do not want a wildcard A record (and have removed the record that was set up). Resolving any subdomain that I have not explicitly created a DNS record for should return a NXDOMAIN result. This expectation is in line with ICANN's memorandum titled "Harms and Concerns Posed by NXDOMAIN Substitution (DNS Wildcard and Similar Technologies) at Registry Level" at http://www.icann.org/en/announcements/announcement-2-24nov09... Providing this default wildcard service where it is not requested or required is a disservice. I can't imagine why I would want or need this.

--

Hello Joshua,

I apologize for the misunderstanding with the wildcard DNS record. We have had multiple customers request this in the past, and this feature was used with success in those cases. I have consulted our management team to see if there is a different option that we can provide you. Please look for a response concerning this issue tomorrow.

--

Thanks Elicia, I'll look forward to hearing from you. It's not the wildcard DNS itself that I couldn't see the use of. I understand why that would be useful in narrow situations. What I don't understand is why name.com provide the default wildcard A record redirecting to a site full of advertising. I don't know how this would be useful to any business or entity that does not want to use wildcard subdomains of their own.

I understand that section 19 of the registration agreement seems to cover this use of wildcards (though the wording is fairly vague), but it also states "At any time, you may disable the placeholder page by updating, modifying or otherwise changing the name servers for the relevant domain name."

--

Thanks for getting back with us. Yes you are correct, by changing the DNS or name servers for this domain, it will no longer point to the parking page. I have discussed all options for allowing this wording to show, with our support management team, and the systems administration group. We sincerely apologize, however our DNS servers are not able to show the 'nxdomain' that you mentioned.

This option is possible should you wish to use your own custom name servers for this domain. Should you wish to set up your own name servers, here are instructions for registering these name servers from within your Name.com account

<snip>

-----


DNS aside, Name.com is one of the only registrars I know of with reasonable security practices.

They support two-factor auth (almost no one else does), and have nicely scoped cookies (HTTP only, Secure flag, etc.).

-----


The irony is that their actions can in fact make cookies their customers are using for their sites invulnerable.

-----


I don't understand what you are saying? Is it that there is a security issue arising from the DNS hijacking? If so, what's the issue?

-----


Say you set a session cookie that spans multiple subdomains (cookie domain = `.example.com`).

Now, if one of your authenticated users visits the wrong subdomain, they are directed to a server of name.com's choice.

That server now has access to your user's session ID (using Javascript or PHP or whatever to read the cookie).

-----
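

The cookie scoping described in the comment above, modelled after the Domain and host-only rules of RFC 6265. This is an added example, not part of the thread; the host names, the cookie name `sid` and its value are constructed, and `wwww.example.com` stands for a subdomain the owner never defined.

```javascript
// Added example: which hosts get a cookie back, per the RFC 6265 Domain/host-only rules.
// Public-suffix checks and Path matching on requests are left out of this model.

// RFC 6265 section 5.1.3: equal, or a dot-delimited suffix of a host name (not an IP).
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  if (host === cookieDomain) return true;
  return host.endsWith('.' + cookieDomain) && !/^[\d.]+$/.test(host);
}

// Model what a browser stores for a Set-Cookie received from requestHost.
// Returns null when the browser would reject the cookie.
function storeCookie(setCookie, requestHost) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact host gets it back
    path: null,
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false; // now every subdomain matches
    } else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  // A site cannot set cookies for a domain it does not belong to.
  if (!domainMatch(requestHost, cookie.domain)) return null;
  // __Host- prefix: rejected unless Secure, Path=/ and no Domain attribute.
  if (cookie.name.startsWith('__Host-') &&
      !(cookie.secure && cookie.hostOnly && cookie.path === '/')) return null;
  return cookie;
}

// Would the browser attach this cookie to a request for `host`?
function isSentTo(cookie, host, https = true) {
  if (cookie.secure && !https) return false;
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Hosts from `hosts` that would receive the cookie set by `setCookie` on requestHost.
function recipients(setCookie, requestHost, hosts) {
  const cookie = storeCookie(setCookie, requestHost);
  return cookie ? hosts.filter((h) => isSentTo(cookie, h)) : [];
}

const HOSTS = ['www.example.com', 'app.example.com', 'wwww.example.com'];
const wide = recipients('sid=abc123; Domain=.example.com; Secure; HttpOnly', 'www.example.com', HOSTS);
const hostOnly = recipients('sid=abc123; Secure; HttpOnly', 'www.example.com', HOSTS);
console.log('Domain=.example.com ->', wide);
console.log('host-only           ->', hostOnly);
```

`HttpOnly` only hides the cookie from script; the request header still carries it to whichever server the name resolves to, and `Secure` narrows that to HTTPS requests.

-----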


invulnerable? You mean "vulnerable", right?

-----


Yeah, I meant vulnerable. My bad. :-)

Thanks for the correction.

-----


Some previous discussion on this issue (almost 2 years ago):

http://news.ycombinator.com/item?id=2443710

I'll say the same thing I said then:

As an anecdotal counterpoint, I'm an extremely happy Name.com customer. I transferred several domains to them a year or so ago from GoDaddy. They support two-factor authentication, their interface is uncluttered, I pay them less money than I paid GoDaddy, and I haven't had a single issue. I would highly recommend them to anyone looking for a registrar.

That being said, I don't use them for DNS. If this is a feature of their nameservers, I do find it strange that they don't offer a way to opt out (other than using alternative nameservers).

I am still an incredibly happy Name.com customer and would recommend them as a registrar to anyone who asks. I just would point them somewhere else for DNS hosting.

-----


May I ask where you do your DNS hosting? Do you host it yourself? Or do you use a third party?

-----


For domains I'm actively using, I use Route53. For domains I'm not actively using, I don't mind that name.com is parking them.

-----


I didn't mind name.com parking my domains either.

I do mind the idea of them treating every possible 3LD as a parked domain, when my domain is not parked (and configured using their Name Servers).

-----


For anyone who doesn't want to park inactive domains, you can just remove a domain's nameservers, and users will just get a DNS error. (NXDOMAIN)

-----


In my case all of my domains are on name.com (and I haven't had a problem with them so far either); for my smaller personal sites the DNS is managed by my shared hosting provider and for others Route 53.

-----


The hosting companies I've used (eg: Linode, Dreamhost for smaller projects) all provide DNS services. I trust them to manage a DNS infrastructure more than I trust myself.

-----


I don't quite understand why people have this allergy to running their own DNS. If you just want a single text file and don't need anything major, dnsmasq will serve records out of /etc/hosts. Slightly up the chain in terms of power, MaraDNS lets you use a text file, and finally there's PowerDNS (which I use), which lets you use SQL databases, embed Lua, or read from a pipe. (Being able to use a regular RDBMS is nice for things like writing a little cron job to do your own dynamic DNS, or doing self-service hosting for people.)

If you've never done it, it is a couple of hours of reading and fiddling, but very quick if you have set up DNS before. I'm actually a bit curious about why people (even some sysadmins!) tend to spend time clicking on some clunky web interface to update records manually when it's actually easier to do it yourself. (Mail servers, on the other hand...)

-----


A bit surprised not to see Bind mentioned here, as it's a kind of an industry standard.

Personally, I got Bind installed on all my machines, both for DNS zones and resolving. The only exception is my phone, and that is only because I couldn't find a package for it.

For those that do not want to deal with config files, there are also GUIs like gadmin-bind.

-----


Sorry for the omission; I think Bind is actually a bit tricky to configure by comparison to the other three mentioned.

-----


Check out CloudFlare, they provide some great DNS services with some added bonuses.

-----


Name.com is surprisingly open about this spammy practice, and even highlights methods for circumventing it:

http://www.name.com/blog/general/domains/2012/01/pro-tip-how...

Of course, it would be better for them to simply charge a bit more and get rid of it altogether, especially since it breaks standards.

-----


I am boycotting Name.com so hard right now. Actually they just jumped ABOVE GoDaddy on my boycott list. At least GoDaddy said sorry and pretended.

Still using NameCheap here.

-----


name.com is very usable and otherwise handy; I don't like this policy, but I wouldn't wish GoDaddy on my worst enemy.

(OK, maybe I would)

EDIT: I really don't understand your thinking; I am the opposite. I respect name.com for being forward about it and not acting like a politician (treating me like a child).

-----


> I really don't understand your thinking; I am the opposite. I respect name.com for being forward about it and not acting like a politician (treating me like a child).

I respect them for sharing their reasons. I think it is professional.

My issue is twofold:

- This kind of activity "breaks the internet" in the purest sense possible. It is against spec' for a very good reason, IT IS STUPID. Going to a null domain should give you a null reply. It breaks software and it breaks users' expectations (e.g. if you hit that page because you typo-ed the domain you might assume the domain has gone out of business or been "hacked").

- Their work-around(s) are silly. They are essentially "then use someone else" or "register every single possible sub-domain." No opt-out.

They might be very good at business and marketing but they fail on every technological ground you can fail. Someone who fails that badly at understanding the internet isn't someone I want running my DNS of all things...

-----


> - Their work-around(s) are silly. They are essentially "then use someone else" or "register every single possible sub-domain." No opt-out.

"Use someone else" is the opt-out, whether you take it to mean "use another registrar" or "use other, non-gratis DNS services".

Your other option is to use a wildcard, as I think you understand (though your "register every single possible sub-domain" is a bit misleading).

This behavior sucks, but if it's something that bothers you, you're probably the type that should be using a better DNS provider, anyways. That said, I'm a happy customer of name.com.

-----


Using a different nameservice provider only treats the symptom. Name.com is still breaking the internet with this practice.

-----


Even worse; their customer agreement seems to indicate that you are responsible for the content. They also refuse to turn it off if you send them an email. What a shitty little company to be inflicting this on their customers.

-----


I'm in the process of switching to gandi.net. It's not as cheap as name.com (3 dollars difference...), but their DNS service seems really topnotch. Also, they're open to acting as a secondary DNS server and mirroring my own NS via AXFR, which is pretty nice.

-----


I'm using gandi, as you say prices are a bit more expensive but I have had no problems so far. Their admin UI is even bearable, which is almost worth the cost alone!

-----


The more stories like this I read the happier I am that I use a paid service (Route 53).

-----


I LOVE Route53, it is just expensive. At least compared to other similar services (e.g. ZoneEdit). Route53 is basically $1/month/domain - most other services can match or beat that.

-----


+1. Route 53 is pretty spiffy.

-----


dnsmadeeasy is a fine service too.

-----


It's really not that hard to run your own nameserver. While I obviously disagree with what they're doing, I think you should have been running your own in the first place.

-----


Easy but for single-server setups also silly.

If your server falls off of the net your DNS goes boom too and you have no shot of redirecting people to a landing page or similar "oh shit" activities.

Now you could re-point your nameserver records but in my experience that takes longer to propagate than a new A record with a short TTL.

-----


I take the opposite viewpoint: if the machine is down, I wouldn't be able to get to the machine anyway even if DNS was working, so I don't care.

-----


It's really not hard at all. I wrote a blog post about my setup a few months ago[1]. To summarize: djbdns + a few VPS instances which can be very tiny + puppet.

[1]: https://bugsplat.info/2012-12-31-how-i-run-my-own-dns.html

-----


Instead of djbdns, take a look at NSD, so that you get IPv6 support, and DNSSEC support!

-----


Why bother? ZoneEdit works great. I've been using them for, geez, over 15 years I think.

-----


ZoneEdit now charge. They grandfathered old users in at a free tier (first 5?) but now all new users have to pay either $1/month/domain or less if you buy a lot of "credits."

-----


I'm still sad that they discontinued their free tier. It was awesome..just like google apps was awesome.

:(

-----


As i haven't seen them mentioned before in this thread i'll mention http://freedns.afraid.org/ - While i don't have any current experience, i've used them a few years back and they've also been top notch... Only downside is their interface which is showing its age...

-----


Can't you just do a CNAME entry with a wildcard pointing to your primary domain?

-----


The wildcard fix is annoying when you have everything on SSL but don't want to handle a wildcard cert[1]. When someone typos https://foo.example.com I'd like the UX to be a browser's "could not connect to server" error, not "this site is untrusted, run away as fast as you can".

--

[1] IMO, the use of wildcard certs is a dangerous practice[2] made obsolete by SNI.

[2] If the cert gets stolen from one server, the thief can impersonate any server on that domain.

-----


Given that no means currently exists to safely hand out a certificate for example.org that can in turn sign separate certificates for arbitrary foo.example.org subdomains, some sites still need wildcards. If you hand customers their own subdomain, and you automatically mint new customer subdomains when new customers sign up, you can't get a separate CA certificate for each one even if SNI does work; you really do need a wildcard for that.

-----


Yes, you can enter a wildcard record yourself, and that will override the name.com wildcard. Is it irritating that they do that? Sure. Should they be doing it? Probably not. But it does have a pretty simple fix.

Personally, I use a third-party dns service. Seen too many registrars play with DNS. Don't know why anyone would trust them.

-----


>> Don't know why anyone would trust them.

I don't know about you, but i give everyone the benefit of doubt and unless someone violates this trust, i'd think most people do too.

Also, at least i tend to think of registrars as some kind of neutral entity that i, indeed, can trust - guess there are some exceptions to the rule.

How many years and years of abuse has it taken for people to notice what GoD*ddy has been doing all that time and finally cause some sort of mass-defect to other registrars..

Hopefully, the level of tolerance for this behavior is of an all-time low so registrars simply can't afford to abuse the trust of their customers any longer.

-----


"I don't know about you, but i give everyone the benefit of doubt and unless someone violates this trust, i'd think most people do too."

True.. and I used to trust registrars to manage my DNS.. but over the years, this is at least the 3rd or 4th time this has happened with a registrar I am on (yes, I have domains at name.com).

Since I don't have time to interrogate every registrar's DNS server when I sign up, I just assume it's useless these days. + I end up having to pay for a DNS service anyway, to avoid the bad registrars' DNS.. so it's easier to use a single DNS service for all of the domains.

-----


This is what happened. For example, I previously gave Name.com the benefit of the doubt and sent them an email asking them to fix the issue. They did not, so now I mention this every time I see their service mentioned. They are scum just like GoDaddy but on a lower scale.

-----


21. Parked domain service

All domain names registered via Name.com will automatically be provided a Parked Domain Service. All domains will default to our name servers unless and until you modify your default settings. At any time, you may disable the placeholder page by updating, modifying or otherwise changing the name servers for the relevant domain name.

Domain names using our Parked Domain Service may display a placeholder page for your future website. These placeholder pages may include contextual and/or other advertisements for products or services. Name.com will collect and retain any and all revenue acquired from these advertisements, and you will have no right to any information or funds generated via the Parked Domain Service.

You agree that we may display our logo and links to our website(s) on pages using the Parked Domain Service.

Name.com will make no effort to edit, control, monitor, or restrict the content displayed by the Parked Page Service. Any advertising displayed on your parked page may be based on the content of your domain name and may include advertisements of you and/or your competitors. It is your responsibility to ensure that all content placed on the parked page conforms to all local, state, federal, and international laws and regulations.

It is your obligation to ensure that no third party intellectual or proprietary rights are being violated or infringed due to the content placed on your parked page. Neither Name.com nor our advertising partners will be liable to you for any criminal or civil sanctions imposed as a direct or indirect result of the content or links (or the content of the websites to which the links resolve) displayed on your parked pages.

As further set forth above, you agree to indemnify and hold Name.com and its affiliated parties harmless for any harm or damages arising from your use of the Parked Domain Service.

-----


FWIW I run DNS hosting service SlickDNS (https://www.slickdns.com/) and hijacking non-existent subdomains is a non-feature. It's free for personal use for 2 domains and paid plans start at $10/month.

-----


I contacted Name over twitter and their response was sarcastic and they don't seem to care. https://twitter.com/namedotcom/status/307523296910532608

-----


There's a time for humor and there is a time for a serious response. This is the latter and I find myself regretting my move to name.com.

-----


http://name-dot-com-eats-babies.name.com

-----


Bluehost puts ads on subdomains and directories that you haven't set up yet.

-----


Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@destructuring.net and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

-----


Thanks. That was my post. Sad to see others have dealt with this before. I went through their TOS, and there's no way in hell their "Parked Domains" clause is applicable to DNS failovers. What they are doing is just totally wrong. I wrote a second post about it as an Open Letter to them here : http://www.destructuring.net/2013/02/28/an-open-letter-to-na...

-----


I caught Hover.com doing something similar[1] a couple of years ago. They were adding forwards not for subdomains but paths of the root domain. I actually switched to Name.com for this very reason, troubling to see another pulling this stuff.

[1] http://matthewphillips.info/posts/no-thanks-hover.html

-----


At the end of the post you say you fully believe their explanation (that those are added as forwarding examples on new accounts). Which one is it?

-----


What do you mean? I believed their explanation but wanted to leave anyways. I don't want them redirecting my domains regardless of intent.

-----


I moved quite a few domains to Hover within the last 2 months. I went and immediately checked the forwards section after reading your comment. Thankfully, there are ZERO forwards set up. I'm guessing they stopped pre-configuring example forwards for demonstration purposes.

-----


They did. I use Hover now, and while they still have a dumb landing page for unused subdomains (which I disable immediately on first login), they aren't doing the forwards by default.

-----


I posted about this almost two years ago (http://news.ycombinator.com/item?id=2443710) ... I am eagerly looking forward to DNSimple (http://dnsimple.com) entering the market as their own registrar (instead of reselling enom). Their founder has said that is a high priority goal for them this year which will immediately make them the registrar and DNS provider for all of my domains.

Oh, and don't use name.com, they hijack DNS. :)

-----


Well domain.com uses 'parked' domains to earn themselves advertising dollars until you 'use' them so it seems most domain registrars are in on the 'racket'.

-----


This is generally why I stay clear of using the "free DNS" provided by registrars. But then again, they can still be more reliable than hosting your own.

-----


I love name.com but I find this irritating enough that I plan to find another provider unless they fix this.

-----


Switched from godaddy to namecheap for my 20+ domains a couple years ago. I couldn't be happier.

-----


Second on namecheap. I use them for all my domains and they don't do any wildcard routing.

-----


A bit off topic, but I used to work for a company called NAME that had the name.com domain. They went out of business in the dot com bust of 2001, and I guess the domain got sold. I can't see name.com without thinking of that.

-----


That domain must have been pricy, even during the dot-com bust.

-----


I'm building a registrar we'd want to use. I'd like to hear a list of "love to haves" for people interested in the project. Try out what I have so far http://nametagup.com/

-----


I have never used name.com but I mainly use hover.com and namecheap.com - never had bad experiences with them or register.com either.

GoDaddy is the absolute devil though. We all know that.

-----


This applies to customers of DomainSite too (same company). Annoying, as they've been really good otherwise for many years.

-----


By default, every 404 page hosted with HostGator puts an advertisement for HostGator hosting on your site.

-----


That's only shared hosting though I would think.

-----


I was not aware of this. Adblock just showed me a blank page.

-----


badger.com - haven't looked back once.

-----


wow Subdomains? That is pretty low.

-----


I actually just ran into this. I had a client forget to add a www CNAME record, so they thought the site was "hacked" when they added the www to their domain and got this parked site. Luckily, it's not a cached record, so when we fixed it, DNS servers started finding the right record immediately.

-----



