Name.com is doing some really sketchy stuff

PREFACE
A lot of people read this and say “I read the Terms Of Service, and it says in shady language they can do that.” I read it too — and I actually went through it carefully, line by line. The TOS does not permit 3LD DNS Hijacking. As I explain in this follow-up posting [An Open Letter to Name.com](http://www.destructuring.net/2013/02/28/an-open-letter-to-name-com/) the Name.com TOS — in very clear terms — merely permits for 2nd Level “Parked Domains” as a default activity. In no way whatsoever does Name.com’s TOS suggest that they have the right to control 3rd Level domains if you use their DNS services.


Like many other people, I got frustrated with GoDaddy.com. Aside from the founder being a jackass… there were endless upsells, constantly increasing prices, and a need to use crappy online ‘coupon’ sites whenever I renewed a domain. I decided to slowly move off them, and in the wake of their misguided SOPA/CISPA support I went with Name.com

I really regret that now. They seem to be jackasses too. They are Hijacking DNS ( aka squatting ) all 3rd level domains registered through them.

I registered a few domains with name.com for a new project. One of them is for shortened urls `clqd.in`. The following illustrates why i’m pissed.

`clqd.in` uses name.com’s nameservers (DNS), pretty standard when you use a registrar. I configured my account on Name.com to direct a handful of `A records` to specific IP addresses – which is also pretty standard.

If I `whois` the domain, I see these nameservers :


>> Name Server:NS4JPZ.NAME.COM
>> Name Server:NS2NSW.NAME.COM
>> Name Server:NS1FKL.NAME.COM
>> Name Server:NS3GMV.NAME.COM

Great. Things appear to be working.

If I want to test my DNS records, I use another tool — `dig` — and I query their nameservers directly.

If I `dig @NS4JPZ.NAME.COM clqd.in` , as expected, I get the DNS records that I’ve updated with name.com. Yay.


; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM clqd.in
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60866 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;clqd.in. IN A ;; ANSWER SECTION: clqd.in. 300 IN A 66.228.44.231 ;; Query time: 43 msec ;; SERVER: 184.72.222.215#53(184.72.222.215) ;; WHEN: Wed Feb 27 19:24:3

Now, this is where things get weird...

If I query a domain name that doesn't exist, I'm supposed to see a failure. The `status` above should read `NXDOMAIN` and I'd get something like when I `dig` a non-existant domain from Microsoft using `dig nodomain.microsoft.com` :


; <<>> DiG 9.6-ESV-R4-P3 <<>> nodomain.microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64226 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;nodomain.microsoft.com. IN A ;; AUTHORITY SECTION: microsoft.com. 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2013022601 300 600 2419200 3600 ;; Query time: 521 msec ;; SERVER: 66.234.224.2#53(66.234.224.2) ;; WHEN: Wed Feb 27 19:28:26 2013 ;; MSG SIZE rcvd: 95

Now, if i `dig` a non-existant third-level domain against `clqd.in`, here is what i see ( `dig @NS4JPZ.NAME.COM nodomain.clqd.in` ):


; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM nodomain.clqd.in
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;nodomain.clqd.in. IN A ;; ANSWER SECTION: nodomain.clqd.in. 300 IN A 174.37.172.70 ;; Query time: 226 msec ;; SERVER: 184.72.222.215#53(184.72.222.215) ;; WHEN: Wed Feb 27 19:31:23 2013 ;; MSG SIZE rcvd: 50

Instead of returning a `NXDOMAIN` status (non-existant domain), Name.com is returning a valid status and directing the user to the ip address of "174.37.172.70" while still showing the domain name. That IP address displays a "parked domain" , managed by sedo.com and filled with a mix of advertising and search engine marketing, which one of those two parties (sedo.com or name.com) controls. I use the phrase "directing" because you are not redirectied, and the original url still appears on the browser. Name.com is telling your computer that ip address corresponds to the domain, and the Sedo site is serving the marketing material off of your domain.

Instead of saying "This domain doesn't exist" -- as expected -- Name.com has created a system where any wildcarded third-level domain name that fails a real DNS query is treated like a real domain... a real domain that I don't control, but instead they do , and are trying to monetize.

In fact, if you make a DNS query against ANY fully qualified domain name ( FQDN ) that is not entirely configured on Name.com, you are redirected to the same marketing sites. You can try querying any domain registered elsewhere -- they'll all point to 174.37.172.70 as the configured ip address for that domain. As far as Name.com is concerned, there doesn't seem to be any such thing as a non-existant domain.

I am beyond mad:

- I didn't sign up for this.
- There is no way to opt out of this on any of their screens.
- This practice actively hurts the business and brands of domain owners by associating low-value content on third-level domains with the second-level domain.
- This has serious security implications in regards to Cross-Site Scripting and how cookies are locked down into a domain.
- This violates the IETF's RFC 2308, which pretty much states "how dns should work"

I'm now looking to transfer these domain names elsewhere. I only found out about this, because of a typo.

I've put in a support request with Name.com to address this, I sure as hell don't trust them do the right thing - this is a dirty and backhanded practice that should not have existed in the first place.

As a quick addendum: this practice is called "DNS HiJacking". It's popular with a handful of ISPs who try to monetize DNS failures. I've never heard of a Registrar doing this before. You can read about it more here: http://en.wikipedia.org/wiki/DNS_hijacking

UPDATES -

After looking on Bing and Google against "Name.com" + "dns hijack", it turns out this has been going on for a LONG time

* http://nathanhammond.com/namedotcom-another-unscrupulous-registrar
* http://www.taborcg.com/2010/05/06/name-com-host-typo-hijacking/

and if you look on the GetSatisfaction site, it's filled with people complaining over the same thing : https://getsatisfaction.com/namecom

Update 2 -

Name.com reached out over twitter, and pointed to a blog posting defending this practice on technical grounds and that it's hidden in their TOS. I call bullshit. Hiding things in a TOS doesn't make it right, and there are no technical grounds to trying to generate revenue.

Update 3 -

Apologies if you had trouble reading this. WordPress Caching was not enabled, and my server failed.

35 thoughts on “Name.com is doing some really sketchy stuff

  1. Wow, this is shocking. It’s hard to find a company that will stoop lower than GoDaddy but these guys sure do. A registrar doing this is just baffling. Thanks for sharing.

  2. Those are the mass-market registrars. For someone like yourself who knows what you’re doing, you have choices:

    • Use a pro-grade registrar: DynDNS (expensive, full-featured, worth it); PairNIC (cheap, minimalist, high quality). I’m sure there are others, but as a rule: if you see stock photo banners anywhere on the site, or if have to click through upsell screens when you register, run away.

    • Keep using the low-end registrar, but point your DNS to Amazon Route 53 ($1/month + 50¢ per million queries).

  3. (Follow up) I noticed that clqd.in is hosted on Linode. They offer free DNS hosting with your account. You could point to that.

  4. Whilst this is a bad practice, I find its best to use the registrars just for domain purchase, and to use specialist name server services for dns. The quality of name servers for registry is never the best. Amazon Route 53 for example gives the best control I’ve seen, but there are also some free services out there.

    However if you are looking for someone who handles domain purchases and DNS without any werd tactics (that I’ve noticed so far), try fasthosts. I was about to move away from them for someone with a slicker admin UI, but it looks like remaining with them for their service level is probably best.

  5. Almost all ISPs do this now as does OpenDNS.

    It can cause real issues for systems that rely on something not being available really not being available. It wreaks havoc for somethings on OS X and iOS because the network reachability APIs depend on not being able to find a DNS resolution for a name. If EVERYTHING resolves to an IP then the APIs effectively stop working.

    You can turn some of them off, but asshats all around.

  6. Honestly, I don’t see a problem with what they are doing. Granted, I’ve never ever used registrar DNS opting to create my own wildcard A records, but if it’s the difference between the visitor getting a shitty browser error message and something graphic, I’ll take the graphic.

    Having said that, you might consider checking these guys out.
    http://en.gandi.net/no-bullshit

    1. The problem is that there’s no way to realistically turn it off ( wildcard records are not a real solution ) and name.com customers are put into this situation by default. By wildcarding the non-existant 3LDs to their servers, my 2LD name loses search engine equity due to their content. Additionally, any cookies for my 2LD that aren’t explicitly locked down to the FQDN are sent to their servers AND those servers are enabled for usage in Cross Site Scripting attacks against my domain. That last section is the really bad part, because it creates legal liabilities in many jurisdictions.

      If this was an opt-in service, or explicitly laid out for customers to opt-out of — I wouldn’t have an issue. Instead Name.com is completely hiding that they engage in this practice at-all, and trying to hide behind a Terms of Service clause that was written for Domain Parking. This is a sleazy action, being defended through a sleazier action.

      1. I hadn’t thought of the cross-site scripting issues, although most browsers have options to disable this if not disabled by default.

        I get that you’re pissed off at the discovery and yeah… it has a sleaze component to it, but for someone who clearly understands how use dig and gets DNS namespace, I’m surprised you weren’t managing your own DNS to start with. While irritating, this didn’t have to happen.

        Here… they’re not free, but they are extremely reasonable. Interface is great, support is responsive and skilled, and it’s another no-bullshit company I highly recommend (for DNS). http://nettica.com

        My $0.02, for what it’s worth man.

      1. Actually, if you review their TOS, there are at least five areas that would allow for this activity, with the usual blanket failsafe “reserves the right to change these terms, etc.”

        You did agree to it. It sucks, but you did.

        1. Nathan – he signed up for a domain registration and some DNS services. He agreed to a TOS that technically permits this – and it wasn’t something he explicitly signed up for.

          As a registrar myself, I can share that there is a technical term for this practice – we call it “scumbaggery”.

          Registrars make such a bad name for themselves by exploiting the dark corners of their relationship with their customers and it just isn’t right. There’s a lot of money to be made in DNS and registrations – it just isn’t right to be hijacking that deal by selling it again to a third party so that useless adverts can be shown to random interlopers. Its shortsighted and unfortunately, all too typical in this business.

          1. Ross – if you go through their actual Terms of Service, it does not permit this : technically or legally. The TOS only permits them do do this as a default behavior on the 2nd level domain. This is a classic case of “Some asshole in marketing had an idea, the lawyer said ‘That sounds ok by our TOS!” and a company just trying turn their lawyers misunderstood belief into fact.

  7. I point A record with value * to my IP to bypass Name.com hijack.

    My story: first, I move all domain from godaddy to name, now I move all name to reseller club.
    any suggest for best domain provider?
    thanks

    1. Parked domain service
      All domain names registered via Name.com will automatically be provided a Parked Domain Service. All domains will default to our name servers unless and until you modify your default settings. At any time, you may disable the placeholder page by updating, modifying or otherwise changing the name servers for the relevant domain name.

    Domain names using our Parked Domain Service may display a placeholder page for your future website. These placeholder pages may include contextual and/or other advertisements for products or services. Name.com will collect and retain any and all revenue acquired from these advertisements, and you will have no right to any information or funds generated via the Parked Domain Service.

    You agree that we may display our logo and links to our website(s) on pages using the Parked Domain Service.

    Name.com will make no effort to edit, control, monitor, or restrict the content displayed by the Parked Page Service. Any advertising displayed on your parked page may be based on the content of your domain name and may include advertisements of you and/or your competitors. It is your responsibility to ensure that all content placed on the parked page conforms to all local, state, federal, and international laws and regulations.

    It is your obligation to ensure that no third party intellectual or proprietary rights are being violated or infringed due to the content placed on your parked page. Neither Name.com nor our advertising partners will be liable to you for any criminal or civil sanctions imposed as a direct or indirect result of the content or links (or the content of the websites to which the links resolve) displayed on your parked pages.

    As further set forth above, you agree to indemnify and hold Name.com and its affiliated parties harmless for any harm or damages arising from your use of the Parked Domain Service.

  8. I separate my name purchasing from my name management so I can swap registrars easily without reconfiguring all my dans records, therefore I have full control. I use the great nettica.com which is very very reasonably price starting at about $50 a year for 50 domains (http://www.nettica.com/Domain/Dns.aspx) and they were also great and imported all my existing domain records for 120+ domains right at the beginning which was amazing

  9. frankly im pretty happy with name.com compared to any other provider ive been through. also try setting ‘*.domain’ to point to something, maybe thats the way to deal with hijacking your subdomains for someone elses profit

    1. No, that’s not. *.domain says “This domain exists” and redirects to another service. I don’t want that, and I shouldn’t have to do that.

  10. I would suggest you use cloudflare for your DNS, they are the best in security and with openness with respect to the workings of their company.. you could setup any domain within minutes..

  11. I thought it’s my ISP doing that and I was ready to blame them. I was moving servers when I noticed this – even now http://doesntexist.psdhunter.com/ gives you a crappy page filled with links and ads.

    And to think their moto is “Giving a sh**”. I was about to transfer the rest of my GoDaddy domains to them as well. Too bad.

  12. here is response from name.com:
    Hello,
    Thank you for your email. Our system is set a specific way. To clarify, It is correct that all domains and sub-domains that use our Name Servers are automatically directed to a parking Page. We fully understand your concern about domains/sub-domains resolving to a parking page.
    The issue at hand has been escalated to our Management department for review. At this time, no decision has been made. However, we are more than happy to add records pointing a wild card subdomains, thus bypassing any parking pages in the meantime.
    Once again, we apologize for the inconvenience and appreciate your patience in this matter.
    Sincerely,

  13. Wow, I just discovered this too, just by chance. I just added a *.xxx.xxx.xxx.xxx to my ip address and it seemed to work, will be calling them up on Moday and seeing why the hell they have to redirect this, if in deed they have. I suspect that somehow the scumbags at parking company just did a lookup on their domain server and saw that they don’t have a wild card in there ???????

  14. Thank you very much. Their behavior is just unacceptable and even if they will change that, I can’t trust them anymore.

Leave a Reply

Your email address will not be published. Required fields are marked *