Yesterday I noticed, via a typo, that your name servers are performing a “DNS Hijack” on all Third-Level domain queries. If an exact Third-Level domain is not configured , instead of responding with a NXDOMAIN (non-existant domain) status, your servers direct users to a “domain parking page” which you fully control and monetize.
After blogging about your practice of [Hijacking DNS for failed queries yesterday](http://www.destructuring.net/2013/02/28/name-com-is-doing-some-really-sketchy-stuff/) I learned that you have been doing this for years, and have frustrated countless bloggers and consumers on sites such as “Get Satifsaction”. Thanks to it trending on [HackerNews](http://news.ycombinator.com/item?id=5299534) I also learned that many other internet professionals have been subject to your antics over the years ( [even 2 years ago on HackerNews](http://news.ycombinator.com/item?id=2443710 ) )
You’ve defended this practice multiple times as being enabled by your registration services agreement:
And in your own words you state:
> It is standard practice in the registrar world, and it is spelled out in our TOS.
I have some news for you : this is completely not standard for a registrar. And when I read your TOS more closely, it seems to completely runs afoul of your TOS too.
Let me be clear about this : Your DNS Hijacking is beyond being sketchy and wrong — it is illegal and not covered by your Terms of Service justifications.
Section 21 of your Terms of Service states:
>21. Parked domain service
>All domain names registered via Name.com will automatically be provided a Parked Domain Service. All domains will default to our name servers unless and until you modify your default settings. At any time, you may disable the placeholder page by updating, modifying or otherwise changing the name servers for the relevant domain name.
>Domain names using our Parked Domain Service may display a placeholder page for your future website. These placeholder pages may include contextual and/or other advertisements for products or services. Name.com will collect and retain any and all revenue acquired from these advertisements, and you will have no right to any information or funds generated via the Parked Domain Service.
>You agree that we may display our logo and links to our website(s) on pages using the Parked Domain Service.
>Name.com will make no effort to edit, control, monitor, or restrict the content displayed by the Parked Page Service. Any advertising displayed on your parked page may be based on the content of your domain name and may include advertisements of you and/or your competitors. It is your responsibility to ensure that all content placed on the parked page conforms to all local, state, federal, and international laws and regulations.
>It is your obligation to ensure that no third party intellectual or proprietary rights are being violated or infringed due to the content placed on your parked page. Neither Name.com nor our advertising partners will be liable to you for any criminal or civil sanctions imposed as a direct or indirect result of the content or links (or the content of the websites to which the links resolve) displayed on your parked pages.
>As further set forth above, you agree to indemnify and hold Name.com and its affiliated parties harmless for any harm or damages arising from your use of the Parked Domain Service.
Let’s focus on what has happened in the context of the first two paragraphs of Section 21 ( and ignore the egregious and abusive language on the rest of the clause , which you should be totally ashamed of) :
* I registered my domain with Name.com
* I updated my DNS record entries with name.com
* You continued to serve “parked pages” and monetize DNS failures
Upon configuring DNS services for my domain by modifying the default settings despite remaining with Name.com, I effectively and legally opted-out of your Parked Domain service for that domain. I literally “unparked” the domain when establishing specific DNS records. Additionally, while my “Domain Name” specifically fell under the “Parked Domain Service” terms which your lawyers explicitly crafted , the third-level domain names which you are monetizing against do not.
There exists no items in your Terms Of Service that state :
* DNS failures will be treated as a parked page and/or monetized
* Third-level domain names will be monetized ( your lawyer specifically identified the “domain names” registered , not the subdomains which fall under the aforementioned domain’s registration )
* Users of Name.com for DNS services will also be covered by a Parked Domain policy
I’d also note that there exists no space on your administration console that notifies users that their unspecified third-level domains are falling under a “parked domain” monetization scheme or that ( according to your blog instructions ) a “*” wildcard entry must be created to disable these monetization pages. And to speak for a moment from a technical standpoint — aside from breaking the RFC describing how DNS should work, your system is completely unable to deliver a NXDOMAIN status code — pushing a wildcard entry to a specific address or TXT entry is not that same thing as saying “I don’t exist”.
Technically, Legally, and Ethically you are completely in the wrong.
At this point, you’ve lost me as a customer. There’s nothing you can say or do — I don’t have enough time in my day for bullshit like this. I’m in the process of finding a new registrar and I would never consider using you again. Your actions and defenses are beyond redeemable. They are underhanded and downright sleazy.
I’m writing you to strongly suggest that you to “Do the right thing” for all your remaining customers – and yourself – and stop this practice immediately. By immediately, I mean “you should really call in your CTO and VP Engineering as you read this , and have turn things off before they go home tonight”.
Your underhanded scheme to generate revenue compromises the security and privacy of every domain under your DNS services. Unless a user knows the bizzarre trick to disable your “Domain Parking” pages , their website is vulnerable to XSS ( Cross Site Scripting ) attacks through your monetization partners. Additionally, unless a consumer’s cookie was locked down to a single Fully Qualified Domain Name, those cookies would be sent to your business partners as well. ( I’d also add that while Name.com suggests you operate these services yourselves , yesterday the domains were displaying logos for Sedo.com. )
If you’re not familiar with DNS Hijacking or all the risks that you’ve put your customers at, I suggest you start reading this [WikiPedia entry on DNS Hijacking](http://en.wikipedia.org/wiki/DNS_hijacking).
Aside from the various privacy concerns this raises, or the laws this breaks in specific jurisdictions — as these “Parked Pages” occur from DNS Failures on domains configured via your systems — the indemnifications and blame shifting available under Clause 21 would likely not be applicable and you would fully liable. I’m not a lawyer, but having dealt with numerous contracts and negotiations on behalf of technology companies , I really can’t imagine any lawyer, judge or jury agreeing that the near-infinite number of “Third Level Domains” (or 4th, 5th, etc) for an explicitly configured “Second Level Domain” fall within the terms of you Domain Parking language , or that any of your claimed rights exist after a DNS entry has been updated.
I’d also note that, until this deceptive and underhanded practice is stopped, every new client signing up for your service is a candidate for a potential class action lawsuit. Your greedy and indefensible attempt at generating negligible revenue has put the security of countless internet users at risk, in addition to exposing your own customers to serious security and legal complications.
Attention: Name.com Customers,
If you use Name.com for DNS services , [a comment on Hacker News by Machrider]( http://news.ycombinator.com/item?id=5300205 ) suggests a very effective way to quickly address your situation
> My workaround for this was to add a TXT record for *.mydomain.com that just returns a string like “Unused”. This seems to stop them from hijacking any subdomains, and it’s not an A record so undefined subdomain names do not resolve, just like if you had not defined them in the first place.
> (Workaround shouldn’t be necessary of course, but this kind of bullshit is par for the course with cheap hosting companies.)