Tell HN: Transfer your Google domain to other registrar before it locks you out
I have been running imagetoexcel.com registered with Google Domain. The service is live since May 2019 with 1000 DAUs. I have auto-renewal turned on, so every year it renews for one year charging my credit card linked in the account. I lost my cards in February, so I had to block my cards with the bank. Apparently, in May, Google Services tried to take the payment and hit a bad response from the Payment. I received an email stating the same, so when I tried to add a new card(s) it threw an error `OR-HDT-09`. Understandably they had to verify me and asked me to submit my ID, which I did. Two weeks to date no response from the Google Pay services, even on the follow-up. Now the site is down.
As a precautionary step, I've transferred my 4 other domains to the porkbun, which was super easy. I just thought of informing fellow hacker news followers to keep them out in such a situation.
97 comments
[ 0.26 ms ] story [ 173 ms ] threadThey have a good interface for buying domains, but thanks for this warning.
The moral here I'd say is transfer any service you have with a company that doesn't even have the possibility of customer-service, with everything running with crappy ml models (that get them probably around 40% accuracy and product managers are fighting about how/who can fix it, or even if they should).
Leave any company that has automated customer service with AI.
A friend’s business site which I help with got removed from Google Business without warning or any known reason 2 weeks ago(they’ve been listed for over 2 years with no changes to the listing in that time). The company already lost over 50% of their regular leads during their normal peak time(it’s a junk hauling business) since their business page accounted for most of their organic searches. Even though Google states an appeal response normally takes 3 days, they haven’t heard anything for going on 2 weeks now.
This whole ordeal led me to begin forwarding all my existing emails to my own custom domain on Fastmail since seeing the result of these arbitrary bans firsthand really drove home the risk you take when using Google services. Unfortunately for my friend’s business, they really have no other options to get as much exposure for their business as a Google business listing provides.
That itself makes up the difference.
Admittedly, the more important part is maintaining your own custom domain, so you can switch email providers with a simple DNS update.
What OP is missing is that the "single provider" is about bundling dns, email, hosting, etc together. If you use Fastmail by itself and something happens to Fastmail you can change your email provider pretty easily. I do regular backups of my email anyways, so I'm not locked into Fastmail at all.
Using GMail and having your domain registered with Google means that if something bad happens and Google locks you out you are simply screwed with no recourse except running a PR campaign to hopefully get someone's attention. Even pretending like Google and Fastmail are the same (they aren't, Fastmail actually offers real support) these are still very very different scenarios.
In these discussions it's not really about the volume of people using a single provider, but about individual users relying on a single provider to perform multiple functions.
So the issue of over-reliance on a single provider is usually in the context of that provider being in a situation to take offence at something unrelated and apply penalties that impact other things you actually rely on.
For example Google don't like something you do related to YouTube or AdSense and they kill your account. Now you've got no email and your domain expires as you can't pay for it.
In these kinds of cases it exactly solves the problem as the vital stuff is not affected by shenanigans with the everyday stuff because you've spread the functions across multiple providers.
In practice, this means that organizations like Google and Cloudflare, for whom the registrar business is either a cost center or at best a drop in the bucket for their revenue (and likely the pet project of a small team that is almost certainly being reallocated away from it in this economic climate), aren't registrars I would use or recommend. They can be great for other services though, where there's alternatives if there should ever be a disruption to one's account!
Self-hosting and/or moving to smaller, less full-featured hosted services, is a lot more work, but I rest easy at night knowing that my self-hosted services are always going to work.
1: https://www.history.com/news/what-was-the-sword-of-damocles
I’d be interested in hearing about other smaller services that work well.
https://news.ycombinator.com/item?id=31576353
I would highly recommended porkbun over CF for registrar services.
I tried to reason with Richard [CEO who says to be 'open' to user input], but I didn't even get a robotic response.
The truth is that the web environment is totally corrupted and the domain registration process seems like something under the control of the mafia. A refoundation of the network is in order.
Disclosure: The domain is registered on the excellent and unbiased Registro.br [unfortunately below the top level .com]. Namecheap allowed me to create aucky.live and aucky.app. I want my aucky.com. (*)The service proper is in the making.
If you mean namecheap doesn't support letsencrypt DNS-01 challenge, you can still buy your domain in namecheap but point your NS somewhere else that support DNS-01 challenge (e.g. cloudflare, Route53, or even Google Cloud DNS).
Most letsencrypt clients uses HTTP-01 challenge though, which doesn't care about who's hosting your dns.
They are a french company. Their slogan is "No Bullshit," (2) and I think they've done a decent job of living up to that.
My only frustration has been a situation where I was transferring an existing domain over to them. I wanted to create the zone file ahead of time so that when the transfer happened, there would be an identical zone file ready to go. But they wouldn't allow me to create a zone file for a domain that hadn't transferred over to them yet. Since I'm not doing anything critical with my domains, it was just an annoyance, but that would be a show-stopper for some.
As it pertains to billing problems, they allow you to pre-pay a chunk of money to your account. (They take PayPal.) It deducts from that amount when domains renew. That provides a buffer if you need to cancel your credit card.
Also, on the occasions that I have created trouble tickets, they have been responded to in a reasonable amount of time with helpful information.
(1) https://www.gandi.net (2) https://www.gandi.net/en/no-bullshit
On that note, their secondary nameserver suited my needs until I started using DNS authentication for Let’s Encrypt wild-card certificates. Their secondary nameserver only supports requesting a full zone transfer (AXFR) every half hour or so. For some reason, they don’t use IXFR or – what would be more useful to me – DNS NOTIFY. This means that the secondary name server lags behind the primary nameserver by about half an hour. This results in the Let’s Encrypt DNS authentication failing randomly, depending on whether they checked the primary or secondary nameserver for the authenticating TXT records. I plan to move the `_acme-challenge.example.com` to a different zone that doesn’t use the secondary nameserver but I haven’t got around to it yet.
Otherwise, I’ve been very happy with Gandi.
¹ https://docs.gandi.net/en/domain_names/advanced_users/second...
What is the reason, surely there must be some service/quality difference or… something?
There exist some companies who specialize in protecting domain names. Not just from fradulent transfer attempts, but also from bad corporate actors (like Google, Cloudflare?, etc). The two ones I know of are Mark Monitor and AppDetex, though I'm sure there's others. [AppDetex is a former client of mine].
As a related comment said - if the registrar you're using isn't afraid of a bad reputation (Google, etc) then you probably should think of using one that is.
Since I moved my custom domain mail hosting out of Google, I don't have to worry anymore. I finally put my Google password in a password manager, since I don't use it that often.
Nowadays, I would recommend using Google account only for a throwaway stuff, like setting up a new Android phone, E-Mail used for spam, etc, ... for anything real, thanks but no thanks.
Other mentioned Fastmail, which is also fine as a provider, but I somehow trust EU / Belgian regulations more than Australian.
EDIT: Replied to the wrong post, I wanted to actually reply to the parent post.
That's for work. On a personal level, I block their ASes at my router.
State level ones may exist, but maybe we can convince the CFPB to strongarm corporations into the desired compliance over matters like this
What do you all think, are the .dev domains safe enough?
I'd rather not have to worry about some algorithm deciding to throw a fit and locking me out without any chance of recourse other than hoping a Googler reads my woes on Twitter or Hacker News. So I guess I wonder about some requirements from ICANN or some guarantees in this regard from Google
At work we had an entire .dev domain nuked at the registrar level by google because a developer generated some traffic google didn't like on a subdomain. They replaced the ENTIRE domain with a google phishing warning page with no way to bypass to get to the actual site.
It took multiple days to resolve the phishing false positive and restore the domain, if it had been our main domain it would have a major emergency at work.
Trying to save a lousy dollar here and there they're destroying billions of dollars of goodwill that'll be hard, slow and expensive to rebuild.
Its amazing how Google transformed itself from "a convenient place to centralize my digital life", to "I've made a huge mistake" this quickly.
Lol, no. I had long since taken my business elsewhere.
Google are famous for bad support so it’s not surprising but it’s perplexing that it is so consistently bad. I continue to use GCP though and know I’ll someday be paying for trusting Google despite constant reminders not to.
This whole thing and the stories from others have made me so nervous that I'm moving my personal stuff off of Google, too. Future tech decisions I make will likely exclude Google. They don't seem to understand how devastating this will be for them.
AWS -> near instant
Alibaba Cloud -> some shenanigans with the business cert but done in two days
GCP -> apparently four weeks?!
LOL!
This broke my Gmail account (I was over the free limit) and I had to migrate everything to fastmail and delete a ridiculous amount of mail.
This also broke my domains DNS resolution, I had no idea my custom domain didn't have mail flowing until people told me they were getting bouncebacks.
This broke all of my app subscriptions.
Since then I've de-googled everything, including my phone. The only thing I can't get off is SSO but I use email as much as possible now. If they nuke my SSO login I will be screwed.
I'm invested: I have a lot of domains on Google and would rather not lose them!
I created the email myself, so I retrieved her password from bitwarden but couldn't login. Confused, I tried the same password multiple times, then tried the 'forgot password' feature, entered her phone number and got another shock when google asked me to get a code from my samsung galaxy S20 app - I don't use galaxy.
Google refused to send a reset code to her phone number even when I provided the original password.
Turns out she needed some contacts the previous day and asked my siblings for help. They used the forgot password feature, got a code through the retrieved SIM card, changed the password and logged in through an app on a samsung galaxy phone.
It's crazy, someone who didn't know the password could change it. But I who had both the original password and the SIM card but couldn't.
We'd have lost her contacts if it was thief who changed her password before we retrieved her SIM card.
Not complex, not complicated, not much expensive.
I got a surprise that *most companies, including Google!! do not support this*. Apparently, Tidal, Google (all Google related billing including Youtube, Google Domains, etc), DigitalOcean, among others attempt to bill you at some random time during the night/early-morning. Of course when they tried to charge my card the payment was rejected as it was blocked.
I contacted all those services asking them the process to actively perform the payment (like, me clicking a button so that they could charge me), but they DON'T have that option. AWS surprised me, because they DO have an option to charge on demand.
How is it possible that something so simple like that is not commonplace? So now, I have to leave one card unblocked, exposed to being stolen, so that all these half cooked services can bill me (I got several warnings from Google Domains saying that my payment could not be processed). At the end, I left a card with $500 USD limit permanently unlocked... but I shouldn't have to.
I guess this has brought the attention at the Google. The verification is done. I was able to renew immediately. The site is up and running now. I am going to transfer this domain too under porkbun.
On a lighter note, another anecdote to validate the need for "Complain on HN as a service" (COHNaaS) (or COSMaaS for more generic service posting complaints to twitter/fb as well) which seems to be the only way to get any sort of customer service these days! ;)