Ask HN: Domain taken over temporarily during transfer?

22 points by wellthisisgreat ↗ HN
I think I just encountered ephemeral DNS pirates or something.

Is it common?

Here is the story.

I was transferring a domain name from some registrar to AWS. The configurations etc. there were untouched for years (so it was always just "page doesn't exist"). So the request went out, now "waiting for confirmation, can take up to 10 days etc.". For some cosmic reason I decide to check the URL of that domain in the browser. To my astonishment it loads and it's some crazy half-swedish half-turkish (I think) SEO bot page with some JPGed-out pics of belly-button and a working boot.

There is an email address in the footer - abada@goodprizwomen.com (maybe not abada but similar sounding). I whois my domain - all DNS lookups, Nameservers look ok. I whois goodprizwomen.com - it is registered with Alibaba domain service. I contact the support of my registrar, that I am transferring the domain from, who after some 15 minutes admits that they have no idea how that has happened or who are those goodprizwomen. My (now ex-) registrar expedites the transfer, it clears and everything looks good now.

So as I see this now - there are bots out there looking for domains with unlocked DNS, that they can take over for a couple minutes / days it takes for the transfer to clear. Ephemeral DNS pirates.

4 comments

[ 3.8 ms ] story [ 21.7 ms ] thread
There are bots that will check to see what zones are pointing to route53 and will then check to see if those zones are registered in route53. If not, they will register them and your domain is hijacked. Set up your domain in route53 before moving it, if you haven't. If AWS won't let you register the domain because someone beat you to it, point the root servers back to your old name servers and open a case with Amazon.
Thank you, am I getting this right?

Moving example.com from registrar to AWS

1. Register Hosting Zone in AWS (example.com)

2. Initiate the transfer for example.com, get to the part where they ask for Auth code

3. Initiate the transfer on registrar side, get the Auth code.

4. Enter the Auth code on AWS side.

5. Done?

I am pretty sure that's what I did but after Step-4 that whole thing with goodprizwomen.com happened. Or did I miss something?

That is the normal order of things. Probably the best you could do would be to open a case with Amazon and your current registrar and see if they can figure out where it went sideways.
> Is it common?

It definitely is. Just like bots scanning the web for server exploitations. If money can be made/extracted from it, you can bet that there are bots trying to exploit that.

However, domain transfers should be safe if done correctly. Sounds like that was not the case for you. Glad to know that it was resolved. Domain name takeovers can be very costly to recover from; if recoverable at all.