An Open Letter to Name.com

Dear Name.com,

Yesterday I noticed, via a typo, that your name servers are performing a “DNS Hijack” on all Third-Level domain queries. If an exact Third-Level domain is not configured, instead of responding with an NXDOMAIN (non-existent domain) status, your servers direct users to a “domain parking page” which you fully control and monetize.

After blogging about your practice of [Hijacking DNS for failed queries yesterday](http://www.destructuring.net/2013/02/28/name-com-is-doing-some-really-sketchy-stuff/) I learned that you have been doing this for years, and have frustrated countless bloggers and consumers on sites such as “Get Satisfaction”. Thanks to it trending on [HackerNews](http://news.ycombinator.com/item?id=5299534) I also learned that many other internet professionals have been subject to your antics over the years ([even 2 years ago on HackerNews](http://news.ycombinator.com/item?id=2443710)).

You’ve defended this practice multiple times as being enabled by your registration services agreement:

* [http://nathanhammond.com/namedotcom-another-unscrupulous-registrar](http://nathanhammond.com/namedotcom-another-unscrupulous-registrar)
* [http://www.name.com/blog/general/domains/2012/01/pro-tip-how-to-get-rid-of-that-pesky-parking-page/](http://www.name.com/blog/general/domains/2012/01/pro-tip-how-to-get-rid-of-that-pesky-parking-page/)

And in your own words you state:

> It is standard practice in the registrar world, and it is spelled out in our TOS.

I have some news for you: this is completely not standard for a registrar. And when I read your TOS more closely, it seems to completely run afoul of your TOS too.

Let me be clear about this: Your DNS Hijacking is beyond being sketchy and wrong — it is illegal and not covered by your Terms of Service justifications.

Section 21 of your Terms of Service states:


>21. Parked domain service

>All domain names registered via Name.com will automatically be provided a Parked Domain Service. All domains will default to our name servers unless and until you modify your default settings. At any time, you may disable the placeholder page by updating, modifying or otherwise changing the name servers for the relevant domain name.

>Domain names using our Parked Domain Service may display a placeholder page for your future website. These placeholder pages may include contextual and/or other advertisements for products or services. Name.com will collect and retain any and all revenue acquired from these advertisements, and you will have no right to any information or funds generated via the Parked Domain Service.

>You agree that we may display our logo and links to our website(s) on pages using the Parked Domain Service.

>Name.com will make no effort to edit, control, monitor, or restrict the content displayed by the Parked Page Service. Any advertising displayed on your parked page may be based on the content of your domain name and may include advertisements of you and/or your competitors. It is your responsibility to ensure that all content placed on the parked page conforms to all local, state, federal, and international laws and regulations.

>It is your obligation to ensure that no third party intellectual or proprietary rights are being violated or infringed due to the content placed on your parked page. Neither Name.com nor our advertising partners will be liable to you for any criminal or civil sanctions imposed as a direct or indirect result of the content or links (or the content of the websites to which the links resolve) displayed on your parked pages.

>As further set forth above, you agree to indemnify and hold Name.com and its affiliated parties harmless for any harm or damages arising from your use of the Parked Domain Service.


Let’s focus on what has happened in the context of the first two paragraphs of Section 21 (and ignore the egregious and abusive language on the rest of the clause, which you should be totally ashamed of):

* I registered my domain with Name.com
* I updated my DNS record entries with name.com
* You continued to serve “parked pages” and monetize DNS failures

Upon configuring DNS services for my domain by modifying the default settings despite remaining with Name.com, I effectively and legally opted-out of your Parked Domain service for that domain. I literally “unparked” the domain when establishing specific DNS records. Additionally, while my “Domain Name” specifically fell under the “Parked Domain Service” terms which your lawyers explicitly crafted, the third-level domain names which you are monetizing against do not.

There exist no items in your Terms Of Service that state:

* DNS failures will be treated as a parked page and/or monetized
* Third-level domain names will be monetized (your lawyer specifically identified the “domain names” registered, not the subdomains which fall under the aforementioned domain’s registration)
* Users of Name.com for DNS services will also be covered by a Parked Domain policy

I’d also note that there exists no space on your administration console that notifies users that their unspecified third-level domains are falling under a “parked domain” monetization scheme or that (according to your blog instructions) a “*” wildcard entry must be created to disable these monetization pages. And to speak for a moment from a technical standpoint — aside from breaking the RFC describing how DNS should work, your system is completely unable to deliver an NXDOMAIN status code — pushing a wildcard entry to a specific address or TXT entry is not the same thing as saying “I don’t exist”.

Technically, Legally, and Ethically you are completely in the wrong.

At this point, you’ve lost me as a customer. There’s nothing you can say or do — I don’t have enough time in my day for bullshit like this. I’m in the process of finding a new registrar and I would never consider using you again. Your actions and defenses are beyond redeemable. They are underhanded and downright sleazy.

I’m writing you to strongly suggest that you “Do the right thing” for all your remaining customers – and yourself – and stop this practice immediately. By immediately, I mean “you should really call in your CTO and VP Engineering as you read this, and have them turn things off before they go home tonight”.

Your underhanded scheme to generate revenue compromises the security and privacy of every domain under your DNS services. Unless a user knows the bizarre trick to disable your “Domain Parking” pages, their website is vulnerable to XSS (Cross Site Scripting) attacks through your monetization partners. Additionally, unless a consumer’s cookie was locked down to a single Fully Qualified Domain Name, those cookies would be sent to your business partners as well. (I’d also add that while Name.com suggests you operate these services yourselves, yesterday the domains were displaying logos for Sedo.com.)

If you’re not familiar with DNS Hijacking or all the risks that you’ve put your customers at, I suggest you start reading this [WikiPedia entry on DNS Hijacking](http://en.wikipedia.org/wiki/DNS_hijacking).

Aside from the various privacy concerns this raises, or the laws this breaks in specific jurisdictions — as these “Parked Pages” occur from DNS Failures on domains configured via your systems — the indemnifications and blame shifting available under Clause 21 would likely not be applicable and you would be fully liable. I’m not a lawyer, but having dealt with numerous contracts and negotiations on behalf of technology companies, I really can’t imagine any lawyer, judge or jury agreeing that the near-infinite number of “Third Level Domains” (or 4th, 5th, etc) for an explicitly configured “Second Level Domain” fall within the terms of your Domain Parking language, or that any of your claimed rights exist after a DNS entry has been updated.

I’d also note that, until this deceptive and underhanded practice is stopped, every new client signing up for your service is a candidate for a potential class action lawsuit. Your greedy and indefensible attempt at generating negligible revenue has put the security of countless internet users at risk, in addition to exposing your own customers to serious security and legal complications.

Sincerely,
Jonathan Vanasco



Attention: Name.com Customers,

If you use Name.com for DNS services, [a comment on Hacker News by Machrider](http://news.ycombinator.com/item?id=5300205) suggests a very effective way to quickly address your situation.

Quoted below:
> My workaround for this was to add a TXT record for *.mydomain.com that just returns a string like “Unused”. This seems to stop them from hijacking any subdomains, and it’s not an A record so undefined subdomain names do not resolve, just like if you had not defined them in the first place.
> (Workaround shouldn’t be necessary of course, but this kind of bullshit is par for the course with cheap hosting companies.)

Stop Patent Trolls, but Oppose the SHIELD act.

In the wake of patent trolling against some Podcasting companies, several House members have devised the SHIELD act to protect people from Patent Trolls.

This is a horrible, terrible bill. I am firmly against it.

If you read the actual bill – http://www.scribd.com/doc/127669554/H-R-845-2013-Shield-Act-re-patent-trolls — it legislates the scenario where a non-original inventor must post a bond covering full court costs in order to litigate a patent claim.

The cost of serious Patent litigation (not a trolling one), where it is proven that one party violated another’s patents, averages $3-5 million dollars. Under this law, if an independent inventor wants to sell their invention (I’m not sure what would happen if a company is acquired), that invention is no longer covered by the clause and effectively tremendously devalued — requiring bonds that are potentially millions of dollars to be posted if litigation were ever to happen.

The free market effects of this are obvious – it creates an economy where independent inventors have a tremendously reduced ability to sell their innovations, and secondary patent holders can be infringed upon with almost guaranteed impunity.

* Who wants to buy a Patent if you need at least 5 Million dollars to defend it?
* Why respect a patent if you know the rightsholder won’t be able to raise enough money to sue?

On top of all this, some of the most notorious Patent Trolls are totally immune from this law. Many of these companies set up co-owned trusts/business entities or licensing schemes where there is joint ownership of the IP Rights with the inventor — enabling them protections under the “original inventor” clause of this bill.

This law does little but ensure that patent litigation can only happen between a David and Goliath, precludes small/medium businesses from exerting patent protections, and seriously undermines the incentive for independent entities or small businesses to support innovation.

It is horribly misguided.

If you want to directly fix the situation, address 35 U.S.C. § 285: “court in exceptional cases may award reasonable attorney fees to the prevailing party.” Tone down “exceptional” and attorney fees can be awarded when appropriate. Create a USPTO review and recertification process for (oft?) litigated patents. Create a variety of means to directly address the issue of Patent Trolling, without damaging inventors.

Stopping Patent Trolls can – and should – be done… but this law is an attack on individual inventors and the incentive to innovate / fund research & development.

Name.com is doing some really sketchy stuff

PREFACE
A lot of people read this and say “I read the Terms Of Service, and it says in shady language they can do that.” I read it too — and I actually went through it carefully, line by line. The TOS does not permit 3LD DNS Hijacking. As I explain in this follow-up posting, [An Open Letter to Name.com](http://www.destructuring.net/2013/02/28/an-open-letter-to-name-com/), the Name.com TOS — in very clear terms — merely permits 2nd Level “Parked Domains” as a default activity. In no way whatsoever does Name.com’s TOS suggest that they have the right to control 3rd Level domains if you use their DNS services.


Like many other people, I got frustrated with GoDaddy.com. Aside from the founder being a jackass… there were endless upsells, constantly increasing prices, and a need to use crappy online ‘coupon’ sites whenever I renewed a domain. I decided to slowly move off them, and in the wake of their misguided SOPA/CISPA support I went with Name.com.

I really regret that now. They seem to be jackasses too. They are Hijacking DNS (aka squatting) on all 3rd level domains registered through them.

I registered a few domains with name.com for a new project. One of them is for shortened urls, `clqd.in`. The following illustrates why I’m pissed.

`clqd.in` uses name.com’s nameservers (DNS), pretty standard when you use a registrar. I configured my account on Name.com to direct a handful of `A records` to specific IP addresses – which is also pretty standard.

If I `whois` the domain, I see these nameservers:

```
Name Server:NS4JPZ.NAME.COM
Name Server:NS2NSW.NAME.COM
Name Server:NS1FKL.NAME.COM
Name Server:NS3GMV.NAME.COM
```

Great. Things appear to be working.

If I want to test my DNS records, I use another tool — `dig` — and I query their nameservers directly.

If I `dig @NS4JPZ.NAME.COM clqd.in`, as expected, I get the DNS records that I’ve updated with name.com. Yay.

```
; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM clqd.in
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60866
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;clqd.in. IN A

;; ANSWER SECTION:
clqd.in. 300 IN A 66.228.44.231

;; Query time: 43 msec
;; SERVER: 184.72.222.215#53(184.72.222.215)
;; WHEN: Wed Feb 27 19:24:3
```

Now, this is where things get weird...

If I query a domain name that doesn't exist, I'm supposed to see a failure. The `status` above should read `NXDOMAIN` and I'd get something like what I see when I `dig` a non-existent domain from Microsoft using `dig nodomain.microsoft.com`:

```
; <<>> DiG 9.6-ESV-R4-P3 <<>> nodomain.microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64226
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nodomain.microsoft.com. IN A

;; AUTHORITY SECTION:
microsoft.com. 3600 IN SOA ns1.msft.net. msnhst.microsoft.com. 2013022601 300 600 2419200 3600

;; Query time: 521 msec
;; SERVER: 66.234.224.2#53(66.234.224.2)
;; WHEN: Wed Feb 27 19:28:26 2013
;; MSG SIZE rcvd: 95
```

Now, if I `dig` a non-existent third-level domain against `clqd.in`, here is what I see (`dig @NS4JPZ.NAME.COM nodomain.clqd.in`):

```
; <<>> DiG 9.6-ESV-R4-P3 <<>> @NS4JPZ.NAME.COM nodomain.clqd.in
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;nodomain.clqd.in. IN A

;; ANSWER SECTION:
nodomain.clqd.in. 300 IN A 174.37.172.70

;; Query time: 226 msec
;; SERVER: 184.72.222.215#53(184.72.222.215)
;; WHEN: Wed Feb 27 19:31:23 2013
;; MSG SIZE rcvd: 50
```

Instead of returning an `NXDOMAIN` status (non-existent domain), Name.com is returning a valid status and directing the user to the ip address of "174.37.172.70" while still showing the domain name. That IP address displays a "parked domain", managed by sedo.com and filled with a mix of advertising and search engine marketing, which one of those two parties (sedo.com or name.com) controls. I use the phrase "directing" because you are not redirected, and the original url still appears on the browser. Name.com is telling your computer that ip address corresponds to the domain, and the Sedo site is serving the marketing material off of your domain.

Instead of saying "This domain doesn't exist" -- as expected -- Name.com has created a system where any wildcarded third-level domain name that fails a real DNS query is treated like a real domain... a real domain that I don't control, but instead they do, and are trying to monetize.

In fact, if you make a DNS query against ANY fully qualified domain name (FQDN) that is not entirely configured on Name.com, you are redirected to the same marketing sites. You can try querying any domain registered elsewhere -- they'll all point to 174.37.172.70 as the configured ip address for that domain. As far as Name.com is concerned, there doesn't seem to be any such thing as a non-existent domain.
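A zone owner can automate the `dig` comparison above by asking an authoritative server for a random label and reading the RCODE and answer count from the reply header. The following is an added example, not code from the original post; the function names and result labels are assumptions, the sample headers are constructed from the flag lines shown above, and the third sample assumes standard wildcard behaviour (RFC 4592) for the wildcard TXT workaround, which yields an empty NOERROR reply rather than `NXDOMAIN`.

```python
import secrets
import socket
import struct

def build_query(name, qtype=1):
    """Encode a one-question DNS query (class IN, RD clear); qtype 1 is A."""
    qid = secrets.randbits(16)
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack(">2H", qtype, 1)
    return qid, struct.pack(">6H", qid, 0, 1, 0, 0, 0) + question

def classify(reply):
    """Classify an authoritative reply to a query for a name that should not exist."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">6H", reply[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"      # expected: the name does not exist
    if rcode == 0 and ancount > 0:
        return "SYNTHESIZED"   # NOERROR plus an answer: wildcard or parking record
    if rcode == 0:
        return "NODATA"        # NOERROR, empty answer: name exists, no record of this type
    return f"RCODE_{rcode}"

def probe(nameserver_ip, zone, timeout=3.0):
    """Ask one authoritative server for a random label under `zone` (needs network)."""
    qid, query = build_query(f"nx-{secrets.token_hex(8)}.{zone}")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (nameserver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != struct.pack(">H", qid):
        raise ValueError("reply ID does not match the query")
    return classify(reply)

def header(flags, ancount):
    """Constructed 12-byte reply header for offline checks (ID 0, one question)."""
    return struct.pack(">6H", 0, flags, 1, ancount, 0, 0)

# Constructed samples modelled on the flag and count lines of the cases on this page.
SAMPLES = {
    "nodomain.clqd.in (qr aa rd, NOERROR, ANSWER: 1)": header(0x8500, 1),
    "nodomain.microsoft.com (qr rd ra, NXDOMAIN, ANSWER: 0)": header(0x8183, 0),
    "wildcard TXT workaround, A query (assumed NOERROR, ANSWER: 0)": header(0x8500, 0),
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{classify(reply):12} {label}")
```

Run `probe()` against each of your zone's authoritative server addresses from a scheduled job; any result other than `NXDOMAIN` for a random label means unconfigured names are being answered.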

I am beyond mad:

- I didn't sign up for this.
- There is no way to opt out of this on any of their screens.
- This practice actively hurts the business and brands of domain owners by associating low-value content on third-level domains with the second-level domain.
- This has serious security implications in regards to Cross-Site Scripting and how cookies are locked down into a domain.
- This violates the IETF's RFC 2308, which pretty much states "how dns should work"
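
The cookie point comes down to the `Domain` attribute: a cookie set with `Domain=clqd.in` is attached to requests for every subdomain, including one the owner never configured, while a cookie set without it stays on the exact host. The following is an added example, not code from the original post; it is a simplified model of RFC 6265 storage and domain matching (public-suffix and IP-address rules omitted), and the cookie names, values and function names are constructed for illustration.

```python
def domain_match(host, domain):
    """RFC 6265 domain-match, without the IP-address exception."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def store_cookie(set_cookie, origin_host):
    """Return (name, domain, host_only) as a browser would store it, or None if rejected."""
    origin_host = origin_host.lower()
    pairs = [p.strip() for p in set_cookie.split(";")]
    name = pairs[0].partition("=")[0].strip()
    domain = None
    for attr in pairs[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()   # a leading dot is ignored
    if domain is None:
        return name, origin_host, True     # host-only: sent to this exact host only
    if not domain_match(origin_host, domain):
        return None                        # a host cannot set cookies for an unrelated domain
    return name, domain, False             # shared with every subdomain of `domain`

def build_jar(responses):
    """Store every accepted cookie from (origin_host, Set-Cookie value) pairs."""
    stored = (store_cookie(value, origin) for origin, value in responses)
    return [cookie for cookie in stored if cookie is not None]

def cookies_sent_to(request_host, jar):
    """Names of the cookies a browser would attach to a request for `request_host`."""
    request_host = request_host.lower()
    sent = []
    for name, domain, host_only in jar:
        if host_only:
            if request_host == domain:
                sent.append(name)
        elif domain_match(request_host, domain):
            sent.append(name)
    return sent

# Constructed Set-Cookie values for the zone used in this post.
RESPONSES = [
    ("clqd.in", "session=abc123; Domain=clqd.in; Path=/; HttpOnly"),  # weak: domain-wide
    ("clqd.in", "csrf=f00; Path=/"),                                  # locked to one host
    ("www.clqd.in", "prefs=dark; Domain=.clqd.in"),                   # weak: domain-wide
    ("www.clqd.in", "evil=1; Domain=example.com"),                    # rejected on storage
]

if __name__ == "__main__":
    jar = build_jar(RESPONSES)
    for host in ("clqd.in", "www.clqd.in", "nodomain.clqd.in"):
        print(host, cookies_sent_to(host, jar))
```

Only the cookie set without a `Domain` attribute stays off the unconfigured name, which is the "locked down to a single Fully Qualified Domain Name" case.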

I'm now looking to transfer these domain names elsewhere. I only found out about this, because of a typo.

I've put in a support request with Name.com to address this; I sure as hell don't trust them to do the right thing - this is a dirty and backhanded practice that should not have existed in the first place.

As a quick addendum: this practice is called "DNS HiJacking". It's popular with a handful of ISPs who try to monetize DNS failures. I've never heard of a Registrar doing this before. You can read about it more here: http://en.wikipedia.org/wiki/DNS_hijacking

UPDATES -

After looking on Bing and Google against "Name.com" + "dns hijack", it turns out this has been going on for a LONG time:

* http://nathanhammond.com/namedotcom-another-unscrupulous-registrar
* http://www.taborcg.com/2010/05/06/name-com-host-typo-hijacking/

and if you look on the GetSatisfaction site, it's filled with people complaining over the same thing: https://getsatisfaction.com/namecom

Update 2 -

Name.com reached out over twitter, and pointed to a blog posting defending this practice on technical grounds and that it's hidden in their TOS. I call bullshit. Hiding things in a TOS doesn't make it right, and there are no technical grounds for trying to generate revenue.

Update 3 -

Apologies if you had trouble reading this. WordPress Caching was not enabled, and my server failed.