Tell HN: Please update your DNS records when abandoning servers
I got contacted by someone wanting to buy the domain and was thoroughly surprised. It seems that the owner had it pointed to a Linode instance/IP which was then abandoned and was subsequently "inherited" by me.
http://unstoppable.com/
https://whois.domaintools.com/unstoppable.com
https://reverseip.domaintools.com/search/?q=unstoppable.com
68 comments
[ 2.5 ms ] story [ 129 ms ] threadhttps://www.gov.uk/guidance/protect-domains-that-dont-send-e...
If I were you I would configure my web server so that it will only accept HTTP connections for hostnames that are your own. If you had done that then the buyer would probably never have found you.
And yeah I should have had server_name in my nginx config in the first place. This time I did some fun with multiple roots/domains on one server: one for unstoppable.com and the other for my actual website.
A few years ago I had a server on DigitalOcean and stopped using it. I forgot to remove the A record for it on a sub-domain connected to my main site and suddenly a sub-domain on my main site was serving ~400,000 pirated PDFs because the old server's IP address was in control by someone else.
I wrote about it here: https://nickjanetakis.com/blog/a-recycled-ip-address-caused-...
And it was discussed on HN back then: https://news.ycombinator.com/item?id=17020944
Then another DNS related issue happened 6 months ago where someone thought I owned a domain they used to have: https://nickjanetakis.com/blog/at-first-i-thought-someone-wa...
In this 2nd case someone else forgot to update an old domain redirect and I ended up being the recipient.
I mean hell, create a bunch of random bogus A records too just in case any of them wins the lottery ticket. A records are free, after all.
It seems either desperate, or hostile, or so casual as to be literally stupid.
Why is it hostile though? A records are under your own domain. Creating a bunch of bogus A records for sale is the digital equivalent of a garage sale on your front lawn. You're not actually squatting any TLDs, which would be the digital equivalent of a real estate ghost town.
Don't allow the requests from non hosted domains on your server.
You don't control the DNS' you can't rely on people to updated them.
Thanks OP!
Something digitalocean could do? Once an ip is assigned to another customer either: warn, warn/disable dns, change dns automatically
The protocols are working as intended.
https://letsencrypt.org/docs/challenge-types/
https://www.hackerone.com/blog/Guide-Subdomain-Takeovers https://github.com/EdOverflow/can-i-take-over-xyz
I've also had people abandon domains onto my nameservers and keep renewing them for years, which is similar.
They are now a sort of pseudo-controlled domain now.
Why would my domain point to somebody else's server?
The original post says, "It seems that the owner had it pointed to a Linode instance/IP which was then abandoned and was subsequently "inherited" by me."
As per my reading of this, it sounds like the domain name is owned by someone else that points to an IP address of the poster's server. My comment was meant for a scenario like this where if someone else's domain name points to my server's IP address and a visitor visits my web server via that domain name, then my server will close the connection without response.
The owner of the domain should have been more careful to delete their A records once they no longer owned the IP address. IPv4 addresses are finite and it's not surprising for a housing provider to recycle them.
Yes, if a domain points to IP addresses of servers we do not control, many bad things can happen. Here is a really interesting security disclosure related to stale DNS entries that comes to my mind: https://thehackernews.com/2019/04/subdomain-microsoft-azure.... .
answers the "Why would my domain point to somebody else's server?", doesn't it?
I believe that at least with Apache and nginx doing this requires using a non-default module.
Webmasters we have two things in control:
1. Their domain name. It should point to trusted servers only.
2. Their web server. It should be configured to return successful responses only for domain names they care about and no response/error for everything else.
Edit: only asking for cases where #1 does not apply - that is you don’t have domains or sub-domains pointing at rogue IPs
I sold a 4-letter “acronym” .com (acquired in a merger) on behalf my employer about 5 years ago for a few hundred thousand USD.
I think they want to "do right by the community" not realizing almost nothing works when people hit the old domain name.
Repo: https://git.kaijucode.com/matt/dug HN Post about dug: https://news.ycombinator.com/item?id=25618012
So, while winding down or pending removal it's basically a dead-end parking page.