Okay, so this is anecdotal, but since the domain belongs to me it’s more than a little annoying.
I got some calls that one of my domains, 2dpnr.org was going to a page that said it was Network Solutions and that my domain was available for renew or purchase.
I hit my registrar, DirectNic, and found I’m good through 2023. They pulled up DNS checker and found that a bunch of DNS servers were showing 208.91.197.132 as the IP for the domain. It’s actually in 64.130.197.x .
I'm wondering if I was the only one?
No, you're not. Half of the RIPE Atlas probes see the wrong address:
% blaeu-resolve -r 100 --type A 2dpnr.org
[64.130.197.11] : 59 occurrences
[208.91.197.132] : 41 occurrences
Test #33310635 done at 2021-11-11T21:38:30Z
Yeah, apparently when a domain expires, a lot of DNS queries to domains in that domain’s DNS server… get redirected to a Network Solutions “this is expired” website at that IP.
Even though those domains are perfectly legit and paid up. Or so it was explained to me and how it appeared.
Anything I could say about my opinion of that might be actionable, or at least inflammatory, so I’ll stop now. The original problem has been corrected.
Never mind, looks like an expired domain issue. Someone didn't remind
someone else.
To avoid such a problem:
* some registries allow for multi-year registration,
* some registrars allow for multi-year registration, and/or automatic
renewal, so you no longer have to think of it,
* automatic entries in your agenda software are nice, too
* automatic monitoring of expiration (through whois or, better, RDAP,
later is an example of a Nagios/Icinga/whatever plugin using RDAP).
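A sketch of the expiration monitoring suggested above, written as a Nagios-style check over RDAP domain objects. It is an added example, not code from the thread or from the plugin mentioned there; the sample responses are constructed, and the 30/7-day thresholds are assumptions. It also flags registrations whose RDAP status shows they have already lapsed, and it should be pointed at the domains your nameserver hostnames live in as well as the service domains themselves.

```python
import json
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios/Icinga plugin exit codes

# RDAP status values (RFC 8056) that mean the registration has lapsed or been
# pulled from the DNS, even if the registry already moved the expiration date.
LAPSED = {"auto renew period", "redemption period", "pending delete", "client hold"}

def expiration(rdap):
    """Return the 'expiration' event of an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def check(rdap, now, warn_days=30, crit_days=7):
    """Map one RDAP domain object to (exit_code, message)."""
    name = rdap.get("ldhName", "?")
    lapsed = sorted(LAPSED & set(rdap.get("status", [])))
    if lapsed:
        return CRITICAL, f"{name}: registration lapsed, status={lapsed}"
    exp = expiration(rdap)
    if exp is None:
        return UNKNOWN, f"{name}: no expiration event in RDAP response"
    days = (exp - now).days
    code = CRITICAL if days < crit_days else WARNING if days < warn_days else OK
    return code, f"{name}: expires {exp:%Y-%m-%d} ({days} days left)"

# Constructed RDAP responses (not real registry data). bar.example is the
# service domain; foo.example is the domain its nameserver hostnames live in.
SAMPLES = json.loads("""[
 {"ldhName": "bar.example", "status": ["active"],
  "events": [{"eventAction": "expiration", "eventDate": "2023-06-01T00:00:00Z"}]},
 {"ldhName": "foo.example", "status": ["auto renew period"],
  "events": [{"eventAction": "expiration", "eventDate": "2022-11-10T00:00:00Z"}]},
 {"ldhName": "baz.example", "status": ["active"],
  "events": [{"eventAction": "expiration", "eventDate": "2021-12-01T00:00:00Z"}]}
]""")
NOW = datetime(2021, 11, 11, 21, 38, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    results = [check(obj, NOW) for obj in SAMPLES]
    for code, message in results:
        print(("OK", "WARNING", "CRITICAL", "UNKNOWN")[code], "-", message)
    raise SystemExit(max(code for code, _ in results))  # exit with the worst state
```

The foo.example case is the one a date-only check misses: during the auto-renew grace period the registry may already show an expiration date a year out while the registrar treats the name as expired.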
Do you mean that there's a delay between when you're recorded as
having paid up and when everything is correct throughout the DNS
system? Yes, there is. Your domain expired, you corrected the problem,
but then there was an unexpected (by you) delay before the interloping
name resolution was gone?
If you meant something else, I'd like to hear a better description of
the problem. If not... well of course: that's how the DNS works.
There's propagation delay imposed by TTLs and refresh intervals before
old data is discarded. There are a handful of scenarios (e.g.
old-school browser pinning) where stale data can persist for months.
Don't let the domain expire before you renew it. Really don't.
foo.com doesn’t get paid up on time; expires, but is quickly
re-claimed and paid up again.
queries for bar.com suddenly show up as “this domain is
available” due to foo.com (which provides DNS for bar.com)
having briefly gone into the expired state. Users of bar.com
are (rightly) confused, as bar.com was never in a jeopardy
state.
We’ll see if Jeff confirms my suspicion of what happened
in this case. ^_^;
That’s exactly what happened, exacerbated by foo.com’s domain registration being held in the account of a now retired employee, so we got no notifications on it (his email was… somewhat personalized over 20+ years of managing it).
I still think that this is not the correct way for NetSol to handle this situation, particularly since the pages they put up look like phishbait designed by Austin Powers.
Date: Thursday, November 11, 2021 13:28:07 -0800
From: Jeff Shultz <jeffshultz@sctcweb.com>
Okay, so this is anecdotal, but since the domain belongs to me it's
more than a little annoying.
I got some calls that one of my domains, 2dpnr.org was going to a
page that said it was Network Solutions and that my domain was
available for renew or purchase.
I hit my registrar, DirectNic, and found I'm good through 2023.
They pulled up DNS checker and found that a bunch of DNS servers
were showing 208.91.197.132 as the IP for the domain. It's actually
in 64.130.197.x .
It depends on where you are (from my resolver, I get
64.130.197.11). This is because the name voyager.viser.net is not
stable yet. Depending on your resolver, it points to 64.130.200.16 -
which seems to give correct answers - or to 208.91.197.132 - which
replies even for nonexisting domain names.
Lesson: don't use a name as an argument to dig's @
I think 208.91.197.132 (Network Solutions' domain bucket) needs to go in everyone's troubleshooting notebook as a sign there is an expired domain somewhere affecting whatever you have going wrong.
So yes, then.. A DNS Hijack by NetSol redirecting the hostname on an
expired SLD related to one of the individual nameserver hosts to a
faulty/non-compliant nameserver of NetSol's that then publishes bogus
RRs for domains that registrar has no authority over.
That means instead of the 1 nameserver failing; the entire domain
breaks, even if there are multiple nameservers listed, and only 1 had
been accidentally allowed to expire.
DNSSEC would help here. NetSol's rogue nameserver wouldn't be able to produce
the signed zone if validation were required.
Nope, they could just remove the DS since they are the registrar for that domain. DNSSEC only protects against a DNS provider going rogue, not your own hired registrar.
DNSSEC would help DNS for the non-expired domain because the rogue
server would not have the key.
To my mind, though, Netsol's server should not be responding with
authoritative answers to random domains that aren't assigned to it.
That it does makes me think it's a good candidate for black-holing in
the routing system.
"In interrupting the DNS resolution path of the registration, if the registrar directs web traffic to the domain name to a web page while the registration is still renewable by the RAE, that web page must conspicuously indicate that the domain name registration is expired and provide renewal instructions."
If it didn't meet that requirement, you could complain to ICANN about it.
(You're also more generally right that what Network Solutions is doing here is horrible. Decent registrars don't redirect traffic: they simply set the domain name to clientHold so that it doesn't appear in the DNS at all, because otherwise they're breaking your stuff -- and what's worse, breaking it in a way that may take some time to recover from even after you renew the domain name, due to DNS caching.)
To my mind, I simply don't understand why some people continue to use
Network Solutions, with the track record they have.
One aspect of this is that it's unusually difficult to migrate away compared to other registrars. Only Primary Contact accounts can request an auth code - normal "admin" accounts can't, and there's no indication about how to work around this; they unnecessarily delay issuing the EPP code for 5 days; there are several prominent options for renewing the domain (can't change your mind if you do this), and only one for transferring (lots of options to change your mind). During the transfer process, several emails are issued, all of which lead back to renewal. When it's all completed, the only way to formally close an account is over the phone.
Also, the exorbitant renewal pricing isn't available until you log in. And you will need to prepare for a shock if the domain expires (no notification to standard "admin" contacts either). I had this little gem from NetSol for an expired domain last year:
I.e. $36 for reinstatement and $40 for 1y renewal. The other option was losing the domain entirely.
There are plenty of other registrars which are completely super to deal with.
It is common that registrars repoint nameservers and redirect web
traffic when a domain's renewal has not been paid for (during 45-day
grace period provided by the registry), probably more registrars do
that than not.
The issue here is not with the expired domain, thus not addressed by
that ICANN policy...
The ICANN policy addresses interrupting the resolution path and
redirecting Web traffic for expiring domains; there's nothing about
other services on those domains such as DNS when the expired domain
has a backup nameserver host of a non-expired domain.
In this case, interrupting the resolution path would be fine (in case
the non-expired domain has other nameservers),
but the redirection causes DNS instability and failures for domains
that are not expired, even if those domains have other nameservers,
and the non-expired domains get redirected to a web page falsely
stating that they are expired.