This is frightening. I just started the process of moving all ~60 of my domains from Amazon Registrar + Google Cloud DNS to Cloudflare, and will definitely wait until somebody from Cloudflare chimes in here to clarify what's going on.
Are you using physical U2F keys for your Google or Amazon accounts?
Cloudflare does support standard TOTP-based 2FA like most people use for Amazon and Google. So whether or not the lack of U2F support should matter depends on whether you actually use it elsewhere anyways.
How many of your sixty domains are business-critical?
Cloudflare's Domains service is new, and some of it's management tools are lacking, but I also moved most of my domains to it over the last year for cost savings. I'm thrilled with it, but I'm still keeping a few of my most critical domains with GoDaddy. (Hate them all you want, but GoDaddy hasn't screwed up my domains in well over a decade.)
You may be able to save a lot of money without risking your primary domain that you route email through.
I've been planning too soon, am also now going to wait to see where this goes. DNS is obviously a critical system and I don't know if I can trust Cloudflare now. I'm not a big fish that can make noise. I'm an easy victim.
This is what I do. Domains are at Porkbun and domain registration is the ONLY thing I use them for. DNS and caching are at Cloudflare. Hosting is wherever makes sense.
Consolidating domain registration, DNS hosting, and site hosting under the same account is a terrible idea and a big risk IMO. Always ask yourself “what if this account gets banned?” All of the big tech companies have automated systems that could turn you into an outlier with no support.
There's a number of Cloudflare folks who are HN regulars, so hopefully you'll get some answers. Hopefully it's something they can reverse.
But as a general reminder to everyone (I think this is an unfortunately common problem from a number of companies): If this is how your company handles account issues, you're probably wrong. Whether it's automated or manual, a user should be able to access all of their own information even when you decide to no longer provide them service. And you should test and retest the ability for people who you now deny service to transfer out.
Funny that this is coming up. I just transferred over from Namecheap to Cloudflare a few days ago and had a similar issue. One of my A records (out of about 20) were missing after the transfer.
as much as i like cloudflare (and i like them a lot), it's kind of absurd that this kind of thing can happen. a lot of red flags that, if true, would mean that their infrastructure require a lot more care (127.0.0.1 as the source of an audit event? no email when DNS records are deleted? no 1-to-1 message due to this happening?).
At the very least, this sort of lack of good process is definitely what happens when Google decides to cut you off (and another person just commented a similar experience with Amazon), but I suspect it's likely the case for a much larger number of companies and services than people realize. It's fundamental internet architecture, and often little more thought goes into account termination than what you'd do to ban someone from your mid-2000s phpBB forum.
So much business focus goes into the onboarding experience, and since you assume all of the people your service terminates are "probably bad people anyways", not a lot of thought goes into offboarding, or ideally, appeals.
I had an issue with them recently where a SRV record pointing to “.” (meaning “service unavailable”) was being rewritten to the string “false”. It didn’t take them too long to fix it, but it made me wonder how they managed to push a bug like that to production without some sort of automated test catching it.
Which is fair, I'd rather be a guinea pig than look at ads in exchange for a free service. I was just surprised that the thing they broke was as well defined and testable as DNS validation.
Simple. They don't give a damn about doing what we've all been doing properly for a quarter of a century. Apparently these large companies are above owning O'Reilly books.
This happened to me with AWS somewhat recently[0], and I never found out exactly what happened. I just chalk it up to some dev made a mistake and didn't tell anyone. It's pretty alarming when things like this happen though.
cloudns.net does it a bit more customer-friendly way:
they e-mailed me saying they deleted some domains not because some entries were broken or had problematic entries, but just because it was "underused", i.e. too few DNS resolve calls. So the tiny data packets in their nameserver caused them unnecessary consumption of electricity or whatever. Very compelling! This is how they do business these days.
They bombarded people with all sorts of useless info, but not about this policy of theirs. Makes you feel very much like the proverbial "valued customer".
Everything is going downhill in this century, that's a fact.
I've been involved in using Route 53 to manage thousands of DNS zones, and haven't come across something like that. I'd recommend putting in a support request via the account that was affected to ensure that it gets looked at.
If you haven't already, you might consider checking the CloudTrail logs for the account in question to see if there were any API commands related to the zone.
Although not DNS related, I have had weird things happen on AWS, such as spikes of 5xx errors reported from CloudFront which was backed by ELB/EB, but the ELB is showing no errors. Even after contacting AWS support they couldn't resolve it, said they required application logs, but there is no logs because the requests never reached the application servers.
DNS was a good idea but now there are organizations that have the power to arbitrarily take control and even remove your domain names and records. We really need to come up with a peer-to-peer solution and take back control of the naming system from these authorities.
I don't work for Cloudflare but I work for another large company that also manages domain names and DNS records. I don't want to risk the possibility that my comment could be interpreted by my employer as conflict the interest.
I looked into self-hosting DNS and it doesn't seem like that big of a deal as long as you can ensure uptime to be honest. If you set up the two first on different hosts and possibly have #3/4 being cloud providers I think you're pretty good.
Does anyone here have experience with running their own DNS servers for their domains?
Indeed.
I am curious to see what comes out of attempts at decentralizing this such as Handshake[0] and ENS[1]. I think I saw something similar with prominent backers come up here on HN the other week but can't recall it now. Namecoin[2] was very early on this.
The main problem which people seem to have is that their domain name registrar decides to pull their domain. Luckily, there is ample competition in this space, my place of employment included, which should make it reasonable to pick a place which 1. doesn’t do that and 2. has reasonable real-live-person support.
Of course, if the registry (i.e. the TLD) wants your domain gone, you are out of luck whatever you do. If this is a concern then you should pick a TLD with what you consider reasonable management. There are a lot of ccTLDs and gTLDs to choose from.
Therefore, what you absolutely shouldn’t do is to pick whatever domain registrar is either cheapest or largest, and pick whatever domain name which happens to look cool and be available. Both are recipies for potential disaster.
Cool, do you have any software to recommend for a casual power user who would like something a bit more lean than BIND from a configuration perspective? pdns seems nice, and there's an official terraform provider for it as well.
I've been self hosting for years. Currently using online.net secondary DNS service as my 3rd or 4th backup NS. They've lost my 10€/month box once (shitty cheap intel avoton hardware with everything soldered on I suspect) but the domain still resolved fine. I had backups and restored it in a day. You can also use a VPS image to self host DNS. Some providers offer automatic or manual snapshots. Hetzner comes to mind. They've annoyingly asked for a copy of my id card (welcome to Germany), but their services are fine.
You don't even need multiple servers (especially if both your website and mail run on the same server), it's a misconception debunked by the author of djbdns:
The question is whether you're violating the standard or doing something unreasonable. Clearly DNS can't prevent you from using one server, just like it can't prevent you from using one network you own.
These are some valid arguments against third-party providers. Assuming nobody's perfect, I still see benefit in having redundancy for cases of downtime. Could just be a duplicated setup on a separate physical network (if all your DNS records point to the same network your DNS is on, I guess it's pointless with network separation, but I don't think that is very common).
>DNS has become frighteningly unreliable. Here are previous stories that show how it is possible to lose access to your domain for no fault of yours:
The second story you posted is about a user who forgot to renew their domain and did not wish to pay the overly-inflated fee to re-register it while it was in the grace period.
I hold no love for any registrar that jacks up rates for getting back an expired domain and agree that they should have sent a reminder email, but describing this as someone "losing their domain through no fault of their own" is, frankly, incredibly misleading.
The user:
1) forgot to renew their domain
2) had full right to recover their domain but objected to the price
3) had full right to transfer the domain out to another registrar for the original 15EUR price
and
4) eventually got back full control of the domain
Also don't forget: Cloudflare breaks many second and third world countries' Internet with their DNS captchas because they think the good guys live only in first world countries (maybe look up the word discrimination in your dictionary cloudflare) and force them to install extensions like PrivacyPass because they think "we are so big and know what is right for the world".
That's CDN captcha, not DNS. If you use Cloudflare solely as a DNS provider, your users don't see the captcha. If you route your traffic through their servers, then they do.
you're right, it's their CDN not their DNS. Nevertheless many site owners choose Cloudflare (paid or not paid) and use Cloudflare's default settings and maybe they also never check their sites from second or third world countries. Result is that the Internet is utterly broken on many Cloudflare hosted sites (and that's a lot of sites) outside of first world countries.
Is it really all that surprising when a big company that claims to be good but hosts phishing content in the name of free speech does whatever they want, including breaking things and not explaining why?
I don't trust Cloudflare one bit, and I think everyone should question whether their attempt to re-centralize everything is beneficial to the planet.
There are two major problems here: one, the problem itself, which is the deletion of DNS for apparently no good reason, and two, which is the bigger problem, is that it's incredibly difficult to talk to a human about what happened, so there's no assurance it won't happen again.
If people want things to be reliable, we've got to stop using companies with which we cannot communicate.
IMHO (and I know the parent post includes significant difficulties getting back out of Cloudflare), services like Cloudflare may be crucial to decentralization. I can't deal with something like my blog post being frontpaged on HN if my website is hosted in my house, unless I have a good CDN.
As a self-hosting enthusiast, something like Cloudflare is one of the best chances of having a plan that competes with "just hosting it in the cloud".
I don't know. Sure, maybe not on your barely-broadband DSL connection, but I'm pretty sure you can run most things on a average shared webhosting, even if you're using WP. You just need to make sure that you have a working caching system in place. It's a gigantic difference even on an apache to just read & send a plain file and invoke PHP & run all the costly code. I don't believe HN should bring down any site that can essentially be cached as static HTML.
Cloudflare will only help once your server has gone down with their "Always On" thingy, if you have that enabled. They don't cache HTML by default.
There's alternatives to Cloudflare that offer affordable-but-not-free CDNs which has always felt less risky to me. I'd rather know I'm the customer instead of the product.
I hear you, but their DDoS services are painful to the rest of the world and to people who want or need to use Tor, and others.
I'm talking about their rather political move to re-centralize DNS by shoehorning themselves in to Firefox via DoH, for instance. Their unwillingness to be transparent makes this all the more frightening. Add to that their blatant desire to make money at the cost of doing the right thing (and I'm talking about unambiguous things - is someone going to argue that freedom of speech allows people run a phishing site of your bank?), and you've got a scenario where once they reach critical mass, they will be exercising their position to the detriment of everyone who isn't paying them, similarly to how Gmail, through doing and not communicating, say "screw you" to many small email services.
When people who don't use large providers have email issues with Gmail, lots of people have knee-jerk reactions saying that everything should move to the big providers, that people and small businesses should not host their own email, and so on. This is NOT the way the Internet should work, and we should never allow Gmail to just arbitrarily do whatever they want, then accept it as the new normal.
If you have more than a dozen megabits of outgoing bandwidth, you can easily host a blog from your home network which can handle a front paging here. Just don't expect to dynamically generate a new copy of the site for every visitor, and if your bandwidth is tight, then host your images on a static server off of your network. Cloudflare is not necessary - perhaps it's easier, but it isn't necessarily best to blindly trust a company that wants to become a monopoly.
> I can't deal with something like my blog post being frontpaged on HN if my website is hosted in my house, unless I have a good CDN.
IPFS can work as a CDN, at least for static content that users are willing to seed. This is especially relevant to the "blog post hits frontpage on HN" case. Of course, dynamic content is not quite as easy.
I really had a strong dislike for Cloudflare after they banned certain customers for political reasons[1]. The CEO mentioned how maybe it wasn't the right thing to do .. and then they did it again.
There aren't really any self-hosted solutions for DDoS protection like Cloudflare since it requires things happening in the network layer. Implementing a solution would require access to monitor and reshape the local network, but I'm glad to see companies like Linode and DO offering DDos package.
I want to start running my own DNS-over-HTTPS server as well, so I can pump firefox DNS requests to a self-hosted solution and not to Google or Cloudflare. I really don't trust them and am having trouble understanding why so many other people do.
While there are a lot of reasons not to trust cloudflare, the fact that they stopped hosting nazis and pedophiles doesn't seem like a good one to open with imo
I think it is a problem when you talk about fear of ideas. You can label anyone as a Nazi today, and when you ban people, you kinda give them power.
It shows you're afraid of their ideas, and the persecution can embolden them or give them a sense of legitimacy. It can being the Streisand Effect to their cause, taking a no-name site no one knew or cared about and blowing it up into something everyone is deeply aware of.
>and when you ban people, you kinda give them power.
The key word being "kinda". You give the perception of power, but there are plenty of things in society we deal with by a form of "banning" (such as incarceration) in which we judge the ban to be good regardless of the power it gives people, or the ideas they represent or practice. Locking up child abusers, for instance, may give the spectre of child abuse power, and highly-publicized instances may fuel the moral panic around "strangers out to get your children", but that doesn't mean they should not be locked up.
In civil society, we are justifiably afraid of many ideas - I don't know anyone who wouldn't be afraid of a Nazi-style dictatorship, or its prospect. Fear can be a legitimate way of preventing bad things from happening. I fear dying in a house fire, thus I take certain precautions when cooking. In the same way, a demonstration of power over a person or idea may outweigh the power supposedly given to that idea by banning it.
The key is a balance; it may well be that you get an instance of the Streisand Effect, but it has to be shown that the consequences of that outweigh the very material consequences of such ideas coming to fruition in real life. For example, many people don't know who Barbara Streisand even is, and if they do, they likely don't know about the pictures of her house. The very canonical example of the Streisand Effect shows a short-lived controversy about the actual matter and ensuing attention for a few months after the incident. Then people forgot, or simply stopped caring. "The Streisand Effect" is more of a Streisand Effect than the actual incident that created it.
>I don't know anyone who wouldn't be afraid of a Nazi-style dictatorship
Do you believe that if people with ideas that you consider to be Nazi-like are allowed participate in the public debate as freely and meaningfully as everyone else (e.g. by using electronic services regularly available to everyone else), a Nazi-style dictatorship is likely to come about?
No, I don't, but I do think it increases its chances of happening - and there is historical precedent for it. For that reason, I sit somewhere between Popper's paradox of tolerance on these matters (and I go further than him), Sartre's notes on anti-semitism, and Marcuse's criticism of simple plurality as a substitute for educated and rational thought.
To be clear, I don't advocate for censorship of ideas that I simply "don't like". That's not a sufficiently rigorous standard. Ideas which advocate for targeting marginalized groups, or entire groups of people for ideas they have no control over, are fair game, in my opinion. I don't pretend to have no bias in my answer to that question. I am biased, and others have their own biases. I draw the line where I want to draw it, with no concern for pretending to derive it from first principles.
To get this straight, you are stating that you believe it is in your interest for certain other people who live in the same society as you to be prohibited from attempting to further their own interests by freely and meaningfully participating in the public political debate to the same degree that you and others in your society are able.
Do you think that's going to end well? How do you expect those people to feel about you? There is a very good reason why societies have protected the right to political speech, and it is to prevent the inevitable conflict that arises when some people in society feel that the rest of society is preventing them from attempting to further their own interests in the same capacity that other groups are able.
In the case of political speech that you consider Nazi-style, your rationale is that you believe it will make an event you consider to be unlikely become even less likely. You believe it will have a sufficiently large influence on the likelihood to make it worth bearing the consequences of telling people in your society that they cannot participate in the public political debate as freely and meaningfully as others. Why do you believe it would make that event less likely? And why do you believe it would reduce it enough to justify the risk?
It sounds to me like you have no desire to share a society with people that hold the views you describe, and would rather kill them or expel them over their ideas than share your society with them and grant them the same ability and freedom as others to participate in the public political debate. Would you agree with that?
>when those certain other people hold views fundamentally incompatible with what we as a society have agreed (whether tacitly or otherwise) are the foundational values of our society
Which values are you referring to, out of curiosity?
1. Cloudflare has only banned large websites, not any "no-name sites".
2. Admittedly anecdotal, but while bans like these do increase _knowledge of_ said websites, I see no evidence they significantly increase their popularity or userbase.
Again, this is in reaction to literal neo-nazis getting deplatformed.
If your first reaction to seeing nazis get in trouble is to ask "well what if I get called a nazi?" then you might need to do some introspection my dude...
Also - deplatforming is incredibly effective at severely limiting people's reach. Anyone know what Milo Yiannopoulos is up to these days?
Is that a reference to 8chan? Because if so I am pretty sure that they removed controversial boards of this form a few years back - long before cloudflare banned them.
If you run a restaurant, you can refuse to do business with anyone you choose. If that was not the case, you would effectively be a slave; unable to choose actions for yourself and your business. Cloudflare refused to do business with people and content; that is their prerogative.
>If you run a restaurant, you can refuse to do business with anyone you choose.
You will suffer legal consequences if it's determined that you refused to do business with them on the basis of certain characteristics protected by law. Property rights are not absolute. Exceptions to them can be made if people think there is good reason to do so.
The situation we are in now, where technology companies have found themselves with wide power to control the public political debate occurring among regular people merely as a consequence of successfully running some particular types of business, is not one we've really seen before. There are some very persuasive arguments for limiting their property rights, similar to how they were limited e.g. ~50 years ago by the civil rights act.
> A store cannot have blacks only and whites only bathrooms or water fountains. Bars and restaurants in some jurisdictions can allow smoking within their establishments, while in other municipalities, smoking indoors is banned for all businesses. Companies who chose to be equal opportunity employers have several criteria for which they cannot discriminate against. Laws such as the Americans with Disabilities Act mandates certain accessibility requirements in order to maintain a storefront ... Speech does not yet fall into any of these existing regularity frameworks.
So no, you're wrong. You cannot refuse to do business with anyone you choose. The Colorado cake case is a really special one, because it had to do with art. As an artist, you can refuse a commission to build a creative work if it goes against your values. The guy who ran that shop just stopped accepting custom orders, and then later got in trouble again when he refused to sell plain non-custom cupcakes to a gay couple.
OP here. My website wasn't up when this happened because of some yak shaving, but when it is I disable DDOS protection. I was only using Cloudflare for domain registration and DNS.
I don't think I have ethical issues with DDOS protection in general, but as someone who browses using Firefox on Linux with tracking blocking I know how annoying it can get. If I don't need it why bother? Plus I generally like to minimize opaque layers in my "stack".
It's very easy to manage incoming bandwidth when you're hosting a tor onion service. The entire Tor ecosystem kind of helps to since there's a limit on the instantaneous amount of data in any circuit. Overall tor is great because I own my domain name (rather than leasing it on the whim of some corp) and it has nice DoS and bandwidth tools built in.
And if you were using cloudflare before you should be okay with some people not being able to access your site since that's the norm there.
Well, I've been operating a bunch of small ones from a home connection. So my bandwidth issues might be of less scale but certainly more acute. One simple line of Tor config allows me to limit my total bandwidth and avoid saturating my home connection due to people hitting the onion services.
I've had one that's been under a DoS for about a month now and things are going well regardless. Differentiating "real" from "bad" traffic is super hard and almost infeasible, I get what you're saying about that. But in terms of not getting knocked offline Tor is easy and really nice.
> But in terms of not getting knocked offline Tor is easy and really nice.
That’s of course only until someone who isn’t utterly incompetent tries to DoS you and you realize that you’ll need to spin up hundreds and hundreds of tor daemons (with cpu cores to match!) to tank it.
Onionbalance isn’t built in, and hardly solves attacks. There are no DDoS protection services, so you’re left scrambling to build your own infra against impossible odds.
None of the big onionland sites manage decent uptimes.
I had this exact thing happen to me as well, but wrote it off to having been compromised (fortunately I was only using Cloudflare as secondary DNS servers on a non-production account and am not using them as a registrar, so I only noticed months after the fact). I think a major reason going with someone like Cloudflare for DNS in the first place is reliability and availability and this does not speak to that.
Last week, I have had an issue where a number of domains were purged from the 2nd tier registrar (Claranet) with exactly the same symptoms (domains suspended, zone-files blown away)... and Network Solutions are to blame.
An assumption of false-payment led to them suspending "300-500" accounts (mostly UK based). I am still of the opinion something far more sinister is at play... and this doesn't comfort me.
Be wary of being part of something that is a cost center for the company instead of a profit center.
CloudFlare is selling domains at cost. That means they are not making any money from being a domain registrar, which means they will do everything to keep the cost of doing it as low possible to themselves. This means lack of customer service and use of ML dragnets for "anomalous" behavior.
.com has a price floor of $7.85. Most registrars seem to target anywhere from the $9.99 - $14.99 range for registration because, as far as I can tell, there is no real differentiation outside of price.
Sure, I could spend $lots to get a dedicated account rep from MarkMonitor or CSC but that's not really feasible for my personal site.
Are there really any registrars that hit a reasonable price point for individuals and offer service beyond bargain basement? Because if so I'm doing some transfers this weekend.
One of the reasons I've stuck with GoDaddy is 24/7, American phone support. Their .com pricing is closer to $20 for renewal at this point, but I've called them at 2 AM before and gotten help.
From previous research, at least, most domain registrars have ticket support at best. I did move all my "less important" domains to Cloudflare for cost savings recently, but they have my most important domains.
I'll speak for myself and say that all my domains have been with Hover for well over a decade now, and the times I've had to deal with their customer service, they've been excellent.
In fact, I even had to call them once, and I got a human almost immediately, and that human was able to resolve my issue while I was on the phone.. I don't recall the exact issue and I'm sure it wasn't anything major, but it was still nice.
So yeah, Hover. They're nice. And I think their prices are decent?
Namesilo has been a great, cheap registrar for me for many years and has always had privacy included for free.
I tried several of the lower price registrar's back in the day, and they all sucked in their own way, despite me not needed anything except the thing to just stay registered.
One or two would change the price of their domain privacy, most renew the privacy for like 3 dollars and then send you the renewal email that your domain needs to be renewed, one of them used to charge me separately like 80 cents from some weird Canadian shell company...
I actually have a domain still with probably the biggest "cheap" provider, and they now have a thing where you are supposed to keep a deposit in your account to cover automatic renewals. Just charge my damn credit card guys, please.
So I'm saying namesilo all the way. Only one that hasn't ever pulled any shenanigans on me.
Not true. CF claims it is $8.03. Let’s say it’s $7.85 + .18 tax or something.
You don’t deal with the registry. You deal with a registrar. Just as they can charge a markup, they can give a discount.
Registration could be free. It would mean a loss of $7.85/$8.03 per year. Maybe they make it up by selling ads on your domain. Maybe they use it as a loss leader service.
There is no floor.
Even CF’s at cost pricing loses them money. It’s not free to maintain the services.
Every related incident seems to be due to either nameservers temporarily/incidentally chanced away from CF (and CF's service not re-checking it perhaps) or the registration billing failing (which doesn't look to be the case since registration expires 2021[0]). The latest change to the domain was about a week ago[0], so if that was when it was transferred to CF, it might be the first scenario.
> Because Cloudflare deleted my domain registration I can't change the status from clientTransferProhibited through their dashboard so I don't think I can even leave.
Unless something else happened, deleting the zone from your account doesn't affect the registration. Re-adding the domain will instantly allow you to view the registration info and likely transfer away; this would only not work if the zone is banned for some reason.
> Every related incident seems to be due to either nameservers temporarily/incidentally chanced away from CF (and CF's service not re-checking it perhaps) or the registration billing failing (which doesn't look to be the case since registration expires 2021[0]).
The changes a week ago involves adding and deleting TXT and A records only. Cloudflare manages the nameservers I use as my registrar and I never changed them from the default. I just confirmed all of that in the Cloudflare audit log.
> Unless something else happened, deleting the zone from your account doesn't affect the registration. Re-adding the domain will instantly allow you to view the registration info and likely transfer away; this would only not work if the zone is banned for some reason.
i think that it would be rather unusual to update timestamps in whois (which i guessed the parent poster was referring to) based on updates to in-zone data. A transfer would be an example of something that would change information in whois and thus update the timestamp noted there for the latest update. it is sometime possible to infer the date of the latest change of in-zone data because the serial of the zone is often constructed by using a date and a counter. But that is actually just convention and not reliable. Its also unlikely the parent poster was referring to this.
Huh. I definitely didn't make any such changes within the last two weeks. Maybe the whois date got changed because of something opaque and internal to Cloudflare?
yes that is most likely what happened. A change of the nameservers with authority for your zone for example or updates of DNSEC keys would trigger that too, i think. But most commonly it probably happens when the domain gets a renewed registration period or the contact details for some person changed.
btw here are the dates referred in whois for your domain:
I believe the latest change happened afterwards when on judge2020's advice I re-added the domain to cloudflare which I think triggered a NS change back to them.
Unrelated issue but sometimes Cloudflare docs/communications are not in sync with their actual system which is immensely frustrating. I was bitten a few times.
For instance, a while back I forgot to renew one of my side project domains so it briefly expired for maybe a day or two. Got this email from Cloudflare saying
> Your DNS records will be completely removed from our system in 7 days.
> ...
> Once you have completed this change, click the “Recheck Nameservers” button in your Cloudflare dashboard to ensure your domain stays active on Cloudflare.
I promptly renewed, except there's no "Recheck Nameservers" button anywhere, and the dashboard still read "Moved" for maybe a day. Eventually the problem was just gone, but the communication worried me that entire time.
> Does anyone know what might have caused Cloudflare to delete my domain? Any ideas for how I could transfer my domain away from Cloudflare sooner?
I don't get the point of 'shoot first ask questions later' type approach. Obviously it would pay to get some kind of affirmative reply from Cloudflare prior to a post which everyone here with incomplete information speculates and wastes time on (like I am doing).
Also Cloudflare did not 'delete my (the) domain. It deleted the dns records. There is a difference and no I am not being pedantic either. How would 'the internet' know why this was done there could be any number of good or bad reasons.
Lastly the domain is not expired and as such the registrar is required (per ICANN) to supply an auth code so someone can transfer out. Or to allow the customer to change the primary and secondary dns to another dns provider. There is zero (legitimately) that allows cloudflare as either a dns provider or a registrar to lock the domain up pretty much (other than for a legal court order) just for some reason they might decide to do that.
> Also Cloudflare did not 'delete my (the) domain. It deleted the dns records. There is a difference and no I am not being pedantic either.
Thanks. You're absolutely right. I meant delete their record of the domain as it shows up in the UI of their dashboard.
> How would 'the internet' know why this was done there could be any number of good or bad reasons.
For many reasons luckily HN isn't 'the internet'. I've already gotten some good suggestions.
> Lastly the domain is not expired and as such the registrar is required (per ICANN) to supply an auth code so someone can transfer out. Or to allow the customer to change the primary and secondary dns to another dns provider. There is zero (legitimately) that allows cloudflare as either a dns provider or a registrar to lock the domain up pretty much (other than for a legal court order) just for some reason they might decide to do that.
I know. Again, I guess I was insufficiently specific. Cloudflare has warned me to expect long wait times before I can talk to a customer support rep. My question was if there's a way to transfer out without needing to wait on a slow support loop.
1. Setup up monitoring on your critical domains. UptimeRobot and Hetrixtools are good starters with generous free tier. You should know when your website/email/dns isn't working.
2. Don't tie your domain registration with your DNS provider. You lose everything if something goes wrong with your account.
3. Be able to jump ship easily, have backups of your zone, already know where you will transfer to.
> UptimeRobot and Hetrixtools are good starters with generous free tier
Are there any open source status pages/monitor programs that have build-in checks for HTTPS, DNS records (ipv4/6), arbitrary port checks, etc? I'd rather just setup a status page/alert app on a $5 minimal DO/Vultr node and self-host/support/contribute to a FOSS program than use a commercial provider.
If you want email or text message alerts I would assume that's a complicated enough system you would want uptime alerts on it, and so on recursively ad infinitum.
If you can set up nagios (which one would probably consider an interesting evening challenge if you were already willing to go for your own monitoring droplet) setting up pushover or amazon sns (for sms) should be easy enough.
I would try to set up a completely open source monitoring setup just for fun, but once I'm paying for SNS I personally would rather just pay epsilon more and buy/rent the whole system. I get that may just be personal taste. I absolutely don't trust myself to run my own highly-reliable mailserver to send status alerts.
FWIW, a lot of cellular providers have an email gateway for delivering SMS messages. There's also paid SMS gateways, and options for providing arbitrary push notifications to smartphones.
This was a few (3) years past, but they accepted root@localhost sendmail messages just fine in most cases, and delivered alerts within a minute or two of sending. We didn't rely on this long term, but it was a "good enough" first pass.
I'd probably recommend using one of the gateways (or a more fully-featured service like Pagerduty) for more serious businesses, but for personal use (or where an outage detected the next day isn't crippling), it's remarkably useful.
You need to host across several nodes in different geographic locations and data centers to resist network splits. Then you need some way to slowly roll out upgrades to your monitoring platform over time.
I'm just talking about my personal infrastructure. If I host my crap in Vultr or Linode, I should be able to buy one cheap node on another provider just to run a simple status app: something with celary or sidekiq jobs to check my other stuff and intervals and generate a page with some red/yellow/green dots.
Nagios. Or its descendant with a better configuration language, Icinga2. They're fairly easy to do a minimal install and configure in a container or on a VM.
> Setup up monitoring on your critical domains. UptimeRobot and Hetrixtools are good starters with generous free tier. You should know when your website/email/dns isn't working.
Lesson learned :)
> Don't tie your domain registration with your DNS provider. You lose everything if something goes wrong with your account.
I don't see how that helps. How do I recover from my registrar deleting/disabling my account even if DNS is somewhere else? I think there's still only one failure point and the lesson is that I need to pay that failure point more money.
> Be able to jump ship easily, have backups of your zone,
Luckily I have that
> already know where you will transfer to.
Any suggestions? Ironically I recently moved from Google Domains to Cloudflare because I was worried about issues with opaque support. I've learned my lesson picking based on cost alone, but I'm a college student who can't afford something too heavy-duty.
>I don't see how that helps. How do I recover from my registrar deleting/disabling my account even if DNS is somewhere else? I think there's still only one failure point and the lesson is that I need to pay that failure point more money.
Your outage was a DNS outage, not a registrar outage. If you still had control of the domain you could update your name servers to another provider, import your backed up records and get the site back online without talking to CloudFlare.
> Your outage was a DNS outage, not a registrar outage. If you still had control of the domain you could update your name servers to another provider, import your backed up records and get the site back online without talking to CloudFlare.
I believe it was both.
If I have a registrar outage I'm hosed. If I don't have a registrar outage and do have a DNS outage I can recover with a little work. But in the only case I can recover my registrar was reliable, so why didn't I just have them do DNS as well?
> But in the only case I can recover my registrar was reliable, so why didn't I just have them do DNS as well?
Because they have just proved being uncapable of doing it? Because redundancy? Because you shouldn't keep all your eggs in the same basket.
I've been self hosting for at least 15 years and did not have any huge problems like the domain becoming non resolvable. I would never host my DNS on my registrar's infrastructure. It's being sloppy and lazy and it gets you embarassed.
A domain registered at a provider (but not DNS) can be down with no impact to your domain, so long as the domain is still in the TLD root servers, everything will keep going.
Had the same thing happen to me some years ago. Had a (not so important) domain with Gandi, which pointed to the Cloudflare nameservers, and after some time, the domain was gone from the CF dashboard together with all DNS entries. The NS records were still pointing to CF and there also weren't any anomalies with renewal of the domain.
I didn't give much thought to it, as I wasn't using CF for anything in production at the time, but sad to see that it also seems to happen to other people.
Cloudflare lost my support when they started de-platforming people for holding opinions they didn't agree with. Censorship outside of strictly legal bounds should not be tolerated from a company as powerful as Cloudflare.
Why do you think you have a right to host with them? You don’t, you have a privilege that’s extended by them. You’re welcome to host your own thing somewhere else.
Why do successful technology companies have a right to have a proportionally large influence on the public political debate? Is it good for society to allow successful technology companies to have such a large degree of control over something so incredibly vital, merely because they were effective at running a particular type of business?
Yes, it is censorship. The entire history of First Amendment jurisprudence was set around the idea that powerful people were not allowed to stop political and religious speech. Marsh v. Alabama is a great example: a company town owned sidewalks that they didn't want religious prosyletizers on. The courts ruled that the fact that they owned the sidewalks and roads is irrelevant. For the entire history of my country powerful people were not allowed to buy up the public square and prevent the little guy from speaking. Everyone had a right to enumerate their grievances in a free and open marketplace of ideas. This has of course changed in the age of the Internet, where a bunch of scheming Stanford grads have bought up the courts, wrested control of the key Internet infrastructure away from the public who funded its creation, and sit there and grin as they take the role of arbiter over all speech on the Internet. The wealth and power disparity between the rich and poor is at its height, and it is clear that there will be no legal or democratic solution to the concentration of power in the hands of a handful of Silicon valley billionaires.
Would you be OK with your phone provider or imternet provider to stop doing business with because you said some unsavory thing to a friend or have blog supporting the wrong candidate?
At least in some cases, those people were claiming that because they hadn't been removed, Cloudflare supported them. I don't see what other option Cloudflare had at that point.
Except that Matthew Prince, Cloudflare's CEO, made that up out of thin air. There's no point where Daily Stormer said that Cloudflare supported their ideology. There's no record of this on the Internet. Can't find it, because nobody at the site ever made such claims. Stormer was kicked off of dozens of domain registrars and registries (GoDaddy, Google, Namecheap, Dreamhost, several national cctlds) in the same period -- none of them had to come up with a fake excuse like "people will think we support their ideology". Cloudflare does do infrastructure plenty of pedophile and Islamic terrorist sites, so now we can assume that they actually do support those as they aren't removing them from the service.
Cloudflare also didn't even bother telling that lie anymore when the dozens of sites they censored afterwards including 8chan were systematically barred from basic commerce.
FWIW I recently evaluated a few DNS companies after Namecheap ballsed up our MX records in a similar way.
I actively looked for someone we could pay money to, so we are their customer (as opposed to being a free tier user, effectively a cost)
The winner was DNSimple[1], who do exactly 1 thing, and they do it extremely well. And they are small enough to not take themselves too seriously[2], which I really appreciate.
Oh and their normal support channel is email, and everyone in the company takes a turn. I tested out their support before signing up and quickly heard back from a competent engineer, so they passed that test too.
I haven't needed to talk to them much, but one time I tried to add a .ninja domain, and there backend wouldn't handle it. I emailed them to report the problem at 4:49 p.m. I got an email at 7:09 p.m. the same day (2 hours 20 minutes later later) asking me to try adding it again. [1] When a free service fixes your problem in a few hours, they get +1 gold star from me.
[1] I just checked my email to look up the actual times. This was on Mar 15, 2017.
You listed their good points, the other poster listed some counterpoints. The one post is no less relevant than the other in a discussion about possible DNS hosting options IMO.
Though I think the post would benefit from some citations to improve its relevance/usefulness otherwise it is little better than personal opinion/conjecture.
Unless you are specifically questioning the relevance of hosting spammers, on which case: If that is true (again, some examples would be helpful here) and you intend to host your own mail servers via their services not just the MX records pointing to other mail services, you could find yourself blocked by association at some point. False positives are a big problem in this area and can be much admin to clear up.
I use no-ip as dyndns for my home ip, so I can log in at home from outside. Recently at work my putty failed to connect, so I figured my internet line was down, it happens.
Came home, internet works fine. Everything looked just fine.
Back at work next day still can't connect. So I tried pinging, and I immediately see that the ip my home hostname resolves to is not what my ISP has. So I go to nslookup and try a DNS server I know (another local ISP), and it resolves to what I expected.
A bit of checking later I find that at work they've started using OpenDNS, and OpenDNS has blocked all of no-ip due to malware and spam.
I am sure AWS, OCI, GCP, etc. all host scam websites with varying degrees of removal efficiency. What cases are you referring to specifically? Did they state they were not going to take these sites down or what was the context that you object to?
I think they're mad that DigitalOcean's IP range shows up in their ssh logs with failed authentication. A lot of people think that it's the ISP's job to regulate all traffic on their network, judging from the comments here, DigitalOcean at one time or another has failed to do that.
I host all my personal stuff there, including something that updates their DNS via an API. They've been great to me.
In this context, that sounds like an endorsement, honestly. If we're discussing providers that are willing to kill your services too easily, then saying that a provider is unwilling to cut service even to problem customers sounds like an amazing reason to use them.
Love the idea of this. I was about to switch providers then discovered that they are 3-4 times more expensive than my current provider for small-mid sized websites (currently on dnsmadeeasy.com)
We used ns1 at my last job, they were indeed great to us. We moved from self-hosting DNS because the DNS servers would randomly become unresponsive and would start returning fake records. After switching to ns1 and getting our first bill, we realized that a lot of our network equipment apparently did a DNS lookup for every log line. This resulted in an exceedingly large bill, which ns1 happily reversed (we did fix our stuff ;).
Since then I've started using CoreDNS, which does seem easier to monitor. (I don't know if it's faster or more reliable, but it has a lot of ways to figure out what's going wrong. As it turns out, DNS causes people a lot of trouble these days when they use it for service discovery, and their services discover each other hundreds of times a second. So that's why DNS servers grew APIs and observability features.)
I did the same after getting tired of NC's DNS interface. I host a few client sites with Netlify[1] anyways and moving over to their DNS (NS1) has been a breath of fresh air. It is free but they do have some paid options and the is UI dead simple which should be a requirement. Feel fairly confident I can rely on them to not muck up DNS records as this is critical to mail systems, websites, etc.
Two years ago there was a moment where I was close to working for them too so I always try to use their products where I see fit. :)
432 comments
[ 3.9 ms ] story [ 365 ms ] threadYou're very brave considering that Cloudflare doesn't even have U2F yet Google and Amazon do.
Cloudflare does support standard TOTP-based 2FA like most people use for Amazon and Google. So whether or not the lack of U2F support should matter depends on whether you actually use it elsewhere anyways.
Cloudflare's Domains service is new, and some of it's management tools are lacking, but I also moved most of my domains to it over the last year for cost savings. I'm thrilled with it, but I'm still keeping a few of my most critical domains with GoDaddy. (Hate them all you want, but GoDaddy hasn't screwed up my domains in well over a decade.)
You may be able to save a lot of money without risking your primary domain that you route email through.
Also for your core domains, do not let the registrar and dns provider be the same entity.
Also, don't decide on not migrating just because of one bad experience. None of them are perfect, though vigilance is wise.
(I know am probably preaching to the choir :) )
Consolidating domain registration, DNS hosting, and site hosting under the same account is a terrible idea and a big risk IMO. Always ask yourself “what if this account gets banned?” All of the big tech companies have automated systems that could turn you into an outlier with no support.
But as a general reminder to everyone (I think this is an unfortunately common problem from a number of companies): If this is how your company handles account issues, you're probably wrong. Whether it's automated or manual, a user should be able to access all of their own information even when you decide to no longer provide them service. And you should test and retest the ability for people who you now deny service to transfer out.
So much business focus goes into the onboarding experience, and since you assume all of the people your service terminates are "probably bad people anyways", not a lot of thought goes into offboarding, or ideally, appeals.
0. https://news.ycombinator.com/item?id=21326014
they e-mailed me saying they deleted some domains not because some entries were broken or had problematic entries, but just because it was "underused", i.e. too few DNS resolve calls. So the tiny data packets in their nameserver caused them unnecessary consumption of electricity or whatever. Very compelling! This is how they do business these days.
They bombarded people with all sorts of useless info, but not about this policy of theirs. Makes you feel very much like the proverbial "valued customer".
Everything is going downhill in this century, that's a fact.
If you haven't already, you might consider checking the CloudTrail logs for the account in question to see if there were any API commands related to the zone.
(1) https://news.ycombinator.com/item?id=21700139 - Sinkholed
(2) https://news.ycombinator.com/item?id=19322966 - I lost my domain and everything that goes with it
No different than this story where the author's DNS records were deleted because of so called "anomaly".
Here are so many more stories: https://news.ycombinator.com/item?id=21710939
DNS was a good idea but now there are organizations that have the power to arbitrarily take control and even remove your domain names and records. We really need to come up with a peer-to-peer solution and take back control of the naming system from these authorities.
Does anyone here have experience with running their own DNS servers for their domains?
[0]: https://www.namebase.io/
[1]: https://ens.domains/
[2]: https://bit.namecoin.org/
Of course, if the registry (i.e. the TLD) wants your domain gone, you are out of luck whatever you do. If this is a concern then you should pick a TLD with what you consider reasonable management. There are a lot of ccTLDs and gTLDs to choose from.
Therefore, what you absolutely shouldn’t do is to pick whatever domain registrar is either cheapest or largest, and pick whatever domain name which happens to look cool and be available. Both are recipies for potential disaster.
http://cr.yp.to/djbdns/third-party.html
The second story you posted is about a user who forgot to renew their domain and did not wish to pay the overly-inflated fee to re-register it while it was in the grace period.
I hold no love for any registrar that jacks up rates for getting back an expired domain and agree that they should have sent a reminder email, but describing this as someone "losing their domain through no fault of their own" is, frankly, incredibly misleading.
The user:
1) forgot to renew their domain 2) had full right to recover their domain but objected to the price 3) had full right to transfer the domain out to another registrar for the original 15EUR price and 4) eventually got back full control of the domain
My website was down for yak shaving when this happened, but before then I had DDOS protection turned off.
I don't trust Cloudflare one bit, and I think everyone should question whether their attempt to re-centralize everything is beneficial to the planet.
There are two major problems here: one, the problem itself, which is the deletion of DNS for apparently no good reason, and two, which is the bigger problem, is that it's incredibly difficult to talk to a human about what happened, so there's no assurance it won't happen again.
If people want things to be reliable, we've got to stop using companies with which we cannot communicate.
As a self-hosting enthusiast, something like Cloudflare is one of the best chances of having a plan that competes with "just hosting it in the cloud".
Cloudflare will only help once your server has gone down with their "Always On" thingy, if you have that enabled. They don't cache HTML by default.
I'm talking about their rather political move to re-centralize DNS by shoehorning themselves in to Firefox via DoH, for instance. Their unwillingness to be transparent makes this all the more frightening. Add to that their blatant desire to make money at the cost of doing the right thing (and I'm talking about unambiguous things - is someone going to argue that freedom of speech allows people run a phishing site of your bank?), and you've got a scenario where once they reach critical mass, they will be exercising their position to the detriment of everyone who isn't paying them, similarly to how Gmail, through doing and not communicating, say "screw you" to many small email services.
When people who don't use large providers have email issues with Gmail, lots of people have knee-jerk reactions saying that everything should move to the big providers, that people and small businesses should not host their own email, and so on. This is NOT the way the Internet should work, and we should never allow Gmail to just arbitrarily do whatever they want, then accept it as the new normal.
If you have more than a dozen megabits of outgoing bandwidth, you can easily host a blog from your home network which can handle a front paging here. Just don't expect to dynamically generate a new copy of the site for every visitor, and if your bandwidth is tight, then host your images on a static server off of your network. Cloudflare is not necessary - perhaps it's easier, but it isn't necessarily best to blindly trust a company that wants to become a monopoly.
IPFS can work as a CDN, at least for static content that users are willing to seed. This is especially relevant to the "blog post hits frontpage on HN" case. Of course, dynamic content is not quite as easy.
There aren't really any self-hosted solutions for DDoS protection like Cloudflare since it requires things happening in the network layer. Implementing a solution would require access to monitor and reshape the local network, but I'm glad to see companies like Linode and DO offering DDos package.
I want to start running my own DNS-over-HTTPS server as well, so I can pump firefox DNS requests to a self-hosted solution and not to Google or Cloudflare. I really don't trust them and am having trouble understanding why so many other people do.
[1]: https://battlepenguin.com/politics/the-new-era-of-corporate-...
It shows you're afraid of their ideas, and the persecution can embolden them or give them a sense of legitimacy. It can being the Streisand Effect to their cause, taking a no-name site no one knew or cared about and blowing it up into something everyone is deeply aware of.
The key word being "kinda". You give the perception of power, but there are plenty of things in society we deal with by a form of "banning" (such as incarceration) in which we judge the ban to be good regardless of the power it gives people, or the ideas they represent or practice. Locking up child abusers, for instance, may give the spectre of child abuse power, and highly-publicized instances may fuel the moral panic around "strangers out to get your children", but that doesn't mean they should not be locked up.
In civil society, we are justifiably afraid of many ideas - I don't know anyone who wouldn't be afraid of a Nazi-style dictatorship, or its prospect. Fear can be a legitimate way of preventing bad things from happening. I fear dying in a house fire, thus I take certain precautions when cooking. In the same way, a demonstration of power over a person or idea may outweigh the power supposedly given to that idea by banning it.
The key is a balance; it may well be that you get an instance of the Streisand Effect, but it has to be shown that the consequences of that outweigh the very material consequences of such ideas coming to fruition in real life. For example, many people don't know who Barbara Streisand even is, and if they do, they likely don't know about the pictures of her house. The very canonical example of the Streisand Effect shows a short-lived controversy about the actual matter and ensuing attention for a few months after the incident. Then people forgot, or simply stopped caring. "The Streisand Effect" is more of a Streisand Effect than the actual incident that created it.
Do you believe that if people with ideas that you consider to be Nazi-like are allowed participate in the public debate as freely and meaningfully as everyone else (e.g. by using electronic services regularly available to everyone else), a Nazi-style dictatorship is likely to come about?
To be clear, I don't advocate for censorship of ideas that I simply "don't like". That's not a sufficiently rigorous standard. Ideas which advocate for targeting marginalized groups, or entire groups of people for ideas they have no control over, are fair game, in my opinion. I don't pretend to have no bias in my answer to that question. I am biased, and others have their own biases. I draw the line where I want to draw it, with no concern for pretending to derive it from first principles.
Do you think that's going to end well? How do you expect those people to feel about you? There is a very good reason why societies have protected the right to political speech, and it is to prevent the inevitable conflict that arises when some people in society feel that the rest of society is preventing them from attempting to further their own interests in the same capacity that other groups are able.
In the case of political speech that you consider Nazi-style, your rationale is that you believe it will make an event you consider to be unlikely become even less likely. You believe it will have a sufficiently large influence on the likelihood to make it worth bearing the consequences of telling people in your society that they cannot participate in the public political debate as freely and meaningfully as others. Why do you believe it would make that event less likely? And why do you believe it would reduce it enough to justify the risk?
It sounds to me like you have no desire to share a society with people that hold the views you describe, and would rather kill them or expel them over their ideas than share your society with them and grant them the same ability and freedom as others to participate in the public political debate. Would you agree with that?
>when those certain other people hold views fundamentally incompatible with what we as a society have agreed (whether tacitly or otherwise) are the foundational values of our society
Which values are you referring to, out of curiosity?
2. Admittedly anecdotal, but while bans like these do increase _knowledge of_ said websites, I see no evidence they significantly increase their popularity or userbase.
Again, this is in reaction to literal neo-nazis getting deplatformed.
If your first reaction to seeing nazis get in trouble is to ask "well what if I get called a nazi?" then you might need to do some introspection my dude...
Also - deplatforming is incredibly effective at severely limiting people's reach. Anyone know what Milo Yiannopoulos is up to these days?
Is that a reference to 8chan? Because if so I am pretty sure that they removed controversial boards of this form a few years back - long before cloudflare banned them.
You heard wrong.
> But if not - that's good
Censoring people for their attractions/fetishes/sexual orientation is never good - it is bigoted.
You will suffer legal consequences if it's determined that you refused to do business with them on the basis of certain characteristics protected by law. Property rights are not absolute. Exceptions to them can be made if people think there is good reason to do so.
The situation we are in now, where technology companies have found themselves with wide power to control the public political debate occurring among regular people merely as a consequence of successfully running some particular types of business, is not one we've really seen before. There are some very persuasive arguments for limiting their property rights, similar to how they were limited e.g. ~50 years ago by the civil rights act.
> A store cannot have blacks only and whites only bathrooms or water fountains. Bars and restaurants in some jurisdictions can allow smoking within their establishments, while in other municipalities, smoking indoors is banned for all businesses. Companies who chose to be equal opportunity employers have several criteria for which they cannot discriminate against. Laws such as the Americans with Disabilities Act mandates certain accessibility requirements in order to maintain a storefront ... Speech does not yet fall into any of these existing regularity frameworks.
So no, you're wrong. You cannot refuse to do business with anyone you choose. The Colorado cake case is a really special one, because it had to do with art. As an artist, you can refuse a commission to build a creative work if it goes against your values. The guy who ran that shop just stopped accepting custom orders, and then later got in trouble again when he refused to sell plain non-custom cupcakes to a gay couple.
I don't think I have ethical issues with DDOS protection in general, but as someone who browses using Firefox on Linux with tracking blocking I know how annoying it can get. If I don't need it why bother? Plus I generally like to minimize opaque layers in my "stack".
And if you were using cloudflare before you should be okay with some people not being able to access your site since that's the norm there.
Yeaah, I don’t think anyone who’s operated a larger onion service would agree with you.
I've had one that's been under a DoS for about a month now and things are going well regardless. Differentiating "real" from "bad" traffic is super hard and almost infeasible, I get what you're saying about that. But in terms of not getting knocked offline Tor is easy and really nice.
That’s of course only until someone who isn’t utterly incompetent tries to DoS you and you realize that you’ll need to spin up hundreds and hundreds of tor daemons (with cpu cores to match!) to tank it.
Onionbalance isn’t built in, and hardly solves attacks. There are no DDoS protection services, so you’re left scrambling to build your own infra against impossible odds.
None of the big onionland sites manage decent uptimes.
Zero communication in my case as well.
An assumption of false-payment led to them suspending "300-500" accounts (mostly UK based). I am still of the opinion something far more sinister is at play... and this doesn't comfort me.
CloudFlare is selling domains at cost. That means they are not making any money from being a domain registrar, which means they will do everything to keep the cost of doing it as low possible to themselves. This means lack of customer service and use of ML dragnets for "anomalous" behavior.
Sure, I could spend $lots to get a dedicated account rep from MarkMonitor or CSC but that's not really feasible for my personal site.
Are there really any registrars that hit a reasonable price point for individuals and offer service beyond bargain basement? Because if so I'm doing some transfers this weekend.
From previous research, at least, most domain registrars have ticket support at best. I did move all my "less important" domains to Cloudflare for cost savings recently, but they have my most important domains.
I'll speak for myself and say that all my domains have been with Hover for well over a decade now, and the times I've had to deal with their customer service, they've been excellent.
In fact, I even had to call them once, and I got a human almost immediately, and that human was able to resolve my issue while I was on the phone.. I don't recall the exact issue and I'm sure it wasn't anything major, but it was still nice.
So yeah, Hover. They're nice. And I think their prices are decent?
I tried several of the lower price registrar's back in the day, and they all sucked in their own way, despite me not needed anything except the thing to just stay registered.
One or two would change the price of their domain privacy, most renew the privacy for like 3 dollars and then send you the renewal email that your domain needs to be renewed, one of them used to charge me separately like 80 cents from some weird Canadian shell company...
I actually have a domain still with probably the biggest "cheap" provider, and they now have a thing where you are supposed to keep a deposit in your account to cover automatic renewals. Just charge my damn credit card guys, please.
So I'm saying namesilo all the way. Only one that hasn't ever pulled any shenanigans on me.
Not true. CF claims it is $8.03. Let’s say it’s $7.85 + .18 tax or something.
You don’t deal with the registry. You deal with a registrar. Just as they can charge a markup, they can give a discount.
Registration could be free. It would mean a loss of $7.85/$8.03 per year. Maybe they make it up by selling ads on your domain. Maybe they use it as a loss leader service.
There is no floor.
Even CF’s at cost pricing loses them money. It’s not free to maintain the services.
https://community.cloudflare.com/search?q=127.0.0.1%20audit
Every related incident seems to be due to either nameservers temporarily/incidentally chanced away from CF (and CF's service not re-checking it perhaps) or the registration billing failing (which doesn't look to be the case since registration expires 2021[0]). The latest change to the domain was about a week ago[0], so if that was when it was transferred to CF, it might be the first scenario.
> Because Cloudflare deleted my domain registration I can't change the status from clientTransferProhibited through their dashboard so I don't think I can even leave.
Unless something else happened, deleting the zone from your account doesn't affect the registration. Re-adding the domain will instantly allow you to view the registration info and likely transfer away; this would only not work if the zone is banned for some reason.
0: https://who.is/whois/danielzfranklin.org
"Your domain registration configuration depends on your DNS zone configuration" is a very strange way to do things.
> Every related incident seems to be due to either nameservers temporarily/incidentally chanced away from CF (and CF's service not re-checking it perhaps) or the registration billing failing (which doesn't look to be the case since registration expires 2021[0]).
The changes a week ago involves adding and deleting TXT and A records only. Cloudflare manages the nameservers I use as my registrar and I never changed them from the default. I just confirmed all of that in the Cloudflare audit log.
> Unless something else happened, deleting the zone from your account doesn't affect the registration. Re-adding the domain will instantly allow you to view the registration info and likely transfer away; this would only not work if the zone is banned for some reason.
Thank you so much! Trying that now.
btw here are the dates referred in whois for your domain:
looks like a change has been done even more recently.For instance, a while back I forgot to renew one of my side project domains so it briefly expired for maybe a day or two. Got this email from Cloudflare saying
> Your DNS records will be completely removed from our system in 7 days.
> ...
> Once you have completed this change, click the “Recheck Nameservers” button in your Cloudflare dashboard to ensure your domain stays active on Cloudflare.
I promptly renewed, except there's no "Recheck Nameservers" button anywhere, and the dashboard still read "Moved" for maybe a day. Eventually the problem was just gone, but the communication worried me that entire time.
(I do appreciate Cloudflare's service, though.)
This sounds like a plot of a japanese horror movie.
I don't get the point of 'shoot first ask questions later' type approach. Obviously it would pay to get some kind of affirmative reply from Cloudflare prior to a post which everyone here with incomplete information speculates and wastes time on (like I am doing).
Also Cloudflare did not 'delete my (the) domain. It deleted the dns records. There is a difference and no I am not being pedantic either. How would 'the internet' know why this was done there could be any number of good or bad reasons.
Lastly the domain is not expired and as such the registrar is required (per ICANN) to supply an auth code so someone can transfer out. Or to allow the customer to change the primary and secondary dns to another dns provider. There is zero (legitimately) that allows cloudflare as either a dns provider or a registrar to lock the domain up pretty much (other than for a legal court order) just for some reason they might decide to do that.
> Also Cloudflare did not 'delete my (the) domain. It deleted the dns records. There is a difference and no I am not being pedantic either.
Thanks. You're absolutely right. I meant delete their record of the domain as it shows up in the UI of their dashboard.
> How would 'the internet' know why this was done there could be any number of good or bad reasons.
For many reasons luckily HN isn't 'the internet'. I've already gotten some good suggestions.
> Lastly the domain is not expired and as such the registrar is required (per ICANN) to supply an auth code so someone can transfer out. Or to allow the customer to change the primary and secondary dns to another dns provider. There is zero (legitimately) that allows cloudflare as either a dns provider or a registrar to lock the domain up pretty much (other than for a legal court order) just for some reason they might decide to do that.
I know. Again, I guess I was insufficiently specific. Cloudflare has warned me to expect long wait times before I can talk to a customer support rep. My question was if there's a way to transfer out without needing to wait on a slow support loop.
At first I thought you were talking about Cloudflare shooting first, but apparently not.
1. Setup up monitoring on your critical domains. UptimeRobot and Hetrixtools are good starters with generous free tier. You should know when your website/email/dns isn't working.
2. Don't tie your domain registration with your DNS provider. You lose everything if something goes wrong with your account.
3. Be able to jump ship easily, have backups of your zone, already know where you will transfer to.
Are there any open source status pages/monitor programs that have build-in checks for HTTPS, DNS records (ipv4/6), arbitrary port checks, etc? I'd rather just setup a status page/alert app on a $5 minimal DO/Vultr node and self-host/support/contribute to a FOSS program than use a commercial provider.
I'd probably recommend using one of the gateways (or a more fully-featured service like Pagerduty) for more serious businesses, but for personal use (or where an outage detected the next day isn't crippling), it's remarkably useful.
Remember that Linode/Vultr/etc don't run their own datacenters, they share datacenters and sometimes downtime events can exist outside of datacenters.
Nagios. Or its descendant with a better configuration language, Icinga2. They're fairly easy to do a minimal install and configure in a container or on a VM.
</opinion>
Maybe one fits what you are looking for.
https://github.com/skx/overseer/
Handles SSL-checks, DNS-checks, SMTP-checks, & etc. Runs a thousand-checks every two minutes for me, give or take. Pluggable output via a redis-queue.
Lesson learned :)
> Don't tie your domain registration with your DNS provider. You lose everything if something goes wrong with your account.
I don't see how that helps. How do I recover from my registrar deleting/disabling my account even if DNS is somewhere else? I think there's still only one failure point and the lesson is that I need to pay that failure point more money.
> Be able to jump ship easily, have backups of your zone,
Luckily I have that
> already know where you will transfer to.
Any suggestions? Ironically I recently moved from Google Domains to Cloudflare because I was worried about issues with opaque support. I've learned my lesson picking based on cost alone, but I'm a college student who can't afford something too heavy-duty.
Your outage was a DNS outage, not a registrar outage. If you still had control of the domain you could update your name servers to another provider, import your backed up records and get the site back online without talking to CloudFlare.
I believe it was both.
If I have a registrar outage I'm hosed. If I don't have a registrar outage and do have a DNS outage I can recover with a little work. But in the only case I can recover my registrar was reliable, so why didn't I just have them do DNS as well?
Because they have just proved being uncapable of doing it? Because redundancy? Because you shouldn't keep all your eggs in the same basket.
I've been self hosting for at least 15 years and did not have any huge problems like the domain becoming non resolvable. I would never host my DNS on my registrar's infrastructure. It's being sloppy and lazy and it gets you embarassed.
I didn't give much thought to it, as I wasn't using CF for anything in production at the time, but sad to see that it also seems to happen to other people.
imagine if one day your bank decided to close your entire bank account without telling you...lol.
When/why did they remove that one? Have you got any source?
You don't now.
Why do successful technology companies have a right to have a proportionally large influence on the public political debate? Is it good for society to allow successful technology companies to have such a large degree of control over something so incredibly vital, merely because they were effective at running a particular type of business?
I'd switch to an ISP that promised they'd take no money from Nazis
Cloudflare also didn't even bother telling that lie anymore when the dozens of sites they censored afterwards including 8chan were systematically barred from basic commerce.
I actively looked for someone we could pay money to, so we are their customer (as opposed to being a free tier user, effectively a cost)
The winner was DNSimple[1], who do exactly 1 thing, and they do it extremely well. And they are small enough to not take themselves too seriously[2], which I really appreciate.
Oh and their normal support channel is email, and everyone in the company takes a turn. I tested out their support before signing up and quickly heard back from a competent engineer, so they passed that test too.
[1] https://dnsimple.com [2] https://dnsimple.com/dnsound <— bonkers
https://dns.he.net/
I haven't needed to talk to them much, but one time I tried to add a .ninja domain, and there backend wouldn't handle it. I emailed them to report the problem at 4:49 p.m. I got an email at 7:09 p.m. the same day (2 hours 20 minutes later later) asking me to try adding it again. [1] When a free service fixes your problem in a few hours, they get +1 gold star from me.
[1] I just checked my email to look up the actual times. This was on Mar 15, 2017.
For example, you can run your own DNS server on a VPS or something, and HE will AXFR the zones from your VPS and serve them authoritatively.
This allows you to run a hidden master, for example, which I can imagine some HN folks being interested in.
[1]: https://www.knot-dns.cz/
Running my own dns looks more and more reasonable though.
Though I think the post would benefit from some citations to improve its relevance/usefulness otherwise it is little better than personal opinion/conjecture.
Unless you are specifically questioning the relevance of hosting spammers, on which case: If that is true (again, some examples would be helpful here) and you intend to host your own mail servers via their services not just the MX records pointing to other mail services, you could find yourself blocked by association at some point. False positives are a big problem in this area and can be much admin to clear up.
Came home, internet works fine. Everything looked just fine.
Back at work next day still can't connect. So I tried pinging, and I immediately see that the ip my home hostname resolves to is not what my ISP has. So I go to nslookup and try a DNS server I know (another local ISP), and it resolves to what I expected.
A bit of checking later I find that at work they've started using OpenDNS, and OpenDNS has blocked all of no-ip due to malware and spam.
So yeah, could be relevant.
I host all my personal stuff there, including something that updates their DNS via an API. They've been great to me.
Even now, like you, I get the occasional (ie. once per year) named segfaults or it randomly stops responding over TCP.
Few SaaS products are less effort than one reboot per year, but still worth it IMO.
Two years ago there was a moment where I was close to working for them too so I always try to use their products where I see fit. :)
[1] https://docs.netlify.com/domains-https/netlify-dns/