name.com is doing some really sketchy stuff | destructuring.net

Like many other people, I got frustrated with GoDaddy.com. Aside from the founder being a jackass… there were endless upsells, constantly increasing prices, and a need to use crappy online ‘coupon’ sites whenever I renewed a domain. I decided to slowly move off them, and in the wake of their misguided SOPA/CISPA support I went with Name.com

I really regret that now. They seem to be jackasses too. They are Hijacking DNS ( aka squatting ) all 3rd level domains registered through them.

I registered a few domains with name.com for a new project. One of them is for shortened urls clqd.in. The following illustrates why i’m pissed.

clqd.in uses name.com’s nameservers (DNS), pretty standard when you use a registrar. I configured my account on Name.com to direct a handful of A records to specific IP addresses – which is also pretty standard.

If I whois the domain, I see these nameservers :

Great. Things appear to be working.

If I want to test my DNS records, I use another tool — dig— and I query their nameservers directly.

If I dig @NS4JPZ.NAME.COM clqd.in , as expected, I get the DNS records that I’ve updated with name.com. Yay.

; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM clqd.in ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60866 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available

;; QUESTION SECTION: ;clqd.in. IN A

;; ANSWER SECTION: clqd.in. 300 IN A 66.228.44.231

;; Query time: 43 msec ;; SERVER: 184.72.222.215#53(184.72.222.215) ;; WHEN: Wed Feb 27 19:24:3

Now, this is where things get weird…

If I query a domain name that doesn’t exist, I’m supposed to see a failure. The status above should read NXDOMAIN and I’d get something like when I dig a non-existant domain from Microsoft using dig nodomain.microsoft.com :

; <<>> DiG 9.6-ESV-R4-P3 <<>> nodomain.microsoft.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64226 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION: ;nodomain.microsoft.com. IN A

;; AUTHORITY SECTION: microsoft.com. 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2013022601 300 600 2419200 3600

;; Query time: 521 msec ;; SERVER: 66.234.224.2#53(66.234.224.2) ;; WHEN: Wed Feb 27 19:28:26 2013 ;; MSG SIZE rcvd: 95

Now, if i dig a non-existant third-level domain against clqd.in, here is what i see ( dig @NS4JPZ.NAME.COM nodomain.clqd.in ):

; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM nodomain.clqd.in ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available

;; QUESTION SECTION: ;nodomain.clqd.in. IN A

;; ANSWER SECTION: nodomain.clqd.in. 300 IN A 174.37.172.70

;; Query time: 226 msec ;; SERVER: 184.72.222.215#53(184.72.222.215) ;; WHEN: Wed Feb 27 19:31:23 2013 ;; MSG SIZE rcvd: 50

Instead of returning a NXDOMAIN status (non-existant domain), Name.com is returning a valid status and directing the user to the ip address of “174.37.172.70″ while still showing the domain name. That IP address displays a “parked domain” , managed by sedo.com and filled with a mix of advertising and search engine marketing, which one of those two parties (sedo.com or name.com) controls. I use the phrase “directing” because you are not redirectied, and the original url still appears on the browser. Name.com is telling your computer that ip address corresponds to the domain, and the Sedo site is serving the marketing material off of your domain.

Instead of saying “This domain doesn’t exist” — as expected — Name.com has created a system where any wildcarded third-level domain name that fails a real DNS query is treated like a real domain… a real domain that I don’t control, but instead they do , and are trying to monetize.

In fact, if you make a DNS query against ANY fully qualified domain name ( FQDN ) that is not entirely configured on Name.com, you are redirected to the same marketing sites. You can try querying any domain registered elsewhere — they’ll all point to 174.37.172.70 as the configured ip address for that domain. As far as Name.com is concerned, there doesn’t seem to be any such thing as a non-existant domain.

I am beyond mad:

• I didn’t sign up for this.
• There is no way to opt out of this on any of their screens.
• This practice actively hurts the business and brands of domain owners by associating low-value content on third-level domains with the second-level domain.
• This has serious security implications in regards to Cross-Site Scripting and how cookies are locked down into a domain.
• This violates the IETF’s RFC 2308, which pretty much states “how dns should work”

I’m now looking to transfer these domain names elsewhere. I only found out about this, because of a typo.

I’ve put in a support request with Name.com to address this, I sure as hell don’t trust them do the right thing – this is a dirty and backhanded practice that should not have existed in the first place.

As a quick addendum: this practice is called “DNS HiJacking”. It’s popular with a handful of ISPs who try to monetize DNS failures. I’ve never heard of a Registrar doing this before. You can read about it more here: http://en.wikipedia.org/wiki/DNS_hijacking

UPDATES -

After looking on Bing and Google against “Name.com” + “dns hijack”, it turns out this has been going on for a LONG time

• http://nathanhammond.com/namedotcom-another-unscrupulous-registrar
• http://www.taborcg.com/2010/05/06/name-com-host-typo-hijacking/

and if you look on the GetSatisfaction site, it’s filled with people complaining over the same thing : https://getsatisfaction.com/namecom

Update 2 -

Name.com reached out over twitter, and pointed to a blog posting defending this practice on technical grounds and that it’s hidden in their TOS. I call bullshit. Hiding things in a TOS doesn’t make it right, and there are no technical grounds to trying to generate revenue.

Update 3 -

Apologies if you had trouble reading this. WordPress Caching was not enabled, and my server failed.