It's important to remember that "just" DNS records are anything but "just" safe. Keep in mind that when you do this, you grant a third-party organization the ability to 'vouch' to anyone that they 'own' your domain or a URL at it, as long as the 'vouch' test supports http:// or https:// URLs.
This is the case for all web-hosting everywhere on the Internet. I host all of my domains through third-party providers, knowing and accepting the above-described risk. I consider it so low likelihood and of only medium impact if something ever occurs. The value is immense, the time spent is small, and the tradeoff worth it.
Imagine if someone phoned up your IT department and asked them to fix the MX record due to a mail server outage. Would you notice if your Received headers added a hop you weren't familiar with before? How long would they be able to record your company's email before someone noticed?
So I encourage taking DNS with absolute seriousness, and careful consideration of changes, and never simply assigning "just" 2 records to anyone, ever. Given 2 records, someone can do a lot more damage than any website hack ever could.
ps. "IN TYPE15" or thereabouts is another way to state "IN MX", to further convey why it can be very dangerous to follow instructions. Most admins would pause at an MX change, but most wouldn't think twice about a custom "TYPE15" record 'not supported by BIND yet', given sufficient verbiage.
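A defender-side check for the point in the comment above, as an added example that is not part of the original thread: it maps generic RFC 3597 type syntax such as `TYPE15` back to its mnemonic and decodes generic `\#` rdata for MX, so a reviewer sees what a requested record really is. The escalation set, function names and sample records are assumptions constructed for illustration.

```python
import re

# Well-known IANA RR type numbers (subset) and the types this reviewer escalates.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA", 257: "CAA"}
SENSITIVE = {"MX", "NS", "CNAME", "SOA", "CAA"}  # assumed escalation policy
GENERIC = re.compile(r"^TYPE(\d+)$", re.IGNORECASE)

def normalize_type(token):
    """Map an RR type token ('MX', 'TYPE15') to (mnemonic, written_in_generic_syntax)."""
    m = GENERIC.match(token)
    if not m:
        return token.upper(), False
    return RR_TYPES.get(int(m.group(1)), token.upper()), True

def decode_generic_mx(rdata):
    """Decode RFC 3597 rdata tokens ['\\#', length, hex...] as MX -> (preference, exchange)."""
    if len(rdata) < 3 or rdata[0] != "\\#":
        return None
    data = bytes.fromhex("".join(rdata[2:]))
    if len(data) != int(rdata[1]) or len(data) < 3:
        return None
    pos, labels = 2, []
    while pos < len(data) and 0 < data[pos] <= 63:  # uncompressed labels only
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode("ascii", "replace"))
        pos += 1 + data[pos]
    return int.from_bytes(data[:2], "big"), ".".join(labels) + "."

def review(line):
    """Review one 'owner [ttl] [class] type rdata' line; return (real_type, findings)."""
    owner, *rest = line.split()
    while rest and (rest[0].isdigit() or rest[0].upper() in {"IN", "CH", "HS"}):
        rest.pop(0)
    rtype, generic = normalize_type(rest[0])
    findings = []
    if generic and rtype in RR_TYPES.values():
        findings.append(f"{rest[0]} is generic syntax for {rtype}")
    if rtype in SENSITIVE:
        findings.append(f"{rtype} at {owner} needs change-control review")
    mx = decode_generic_mx(rest[1:]) if generic and rtype == "MX" else None
    if mx:
        findings.append(f"mail would route to {mx[1]} (preference {mx[0]})")
    return rtype, findings

# Constructed sample: a "just add these records" request.
SAMPLE = [
    "example.com. 3600 IN A 192.0.2.10",
    "example.com. 3600 IN TYPE15 \\# 22 000a 026d78 077061726b696e67 076578616d706c65 00",
]
print([review(r) for r in SAMPLE])
```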
Keep in mind that this is an A record (and a TXT one) not an MX record, the only thing they can do with it is change the content of the site (which is what you want them to do).
Though I've known extremely incompetent IT support, I think even they would be suspicious of someone proving his identity by making a "this is me" HTML page.
This is a validation method supported by the major SSL certificate issuers, used primarily when approving a request by a third party (e.g. Akamai). They email you a hash, you put it in a webpage at a URL they specify, they approve the third party issuance.
The point is not whether or not this domain parking thing uses two DNS records that do or do not include MX. The point is that, given a social engineering opportunity (“free domain parking with JUST 2 records”), an attacker can do extraordinary things.
I still think that way too but I'm old. I remember back when domain names first opened up for registration in the early 90s and talking about it with a friend. We recognized the opportunity but thought it'd be unethical to exploit it. Now it's 25 years later and I still have my smug sense of moral superiority but am no richer for it.
The Benjamin Graham (who taught Warren Buffett) distinction between investment and speculation is: "An investment operation is one which, upon thorough analysis promises safety of principal and an adequate return. Operations not meeting these requirements are speculative."
Personally, I think it's helpful to think of it as a spectrum rather than as a necessarily binary distinction. Graham's definition is nice and succinct, but the problem comes with the word "promises". The safety of principal for anything cannot be guaranteed beyond all doubt.
"Promise" is not meant in the strict logical sense. "Promise" can also mean "to give cause to strongly expect", as in "the upcoming thunderstorm promises hail damage".
In this case, it probably means "the investor is reasonably sure of". No, it is not an exact definition, but we are dealing with human behaviour and value judgments here, not mathematical proofs.
Yep, I agree. That's why I like to think of it as a spectrum. Based on analysis, someone can believe one operation is more of an investment than another operation.
I know I was being pedantic, but I wanted to avoid making it seem simpler than I think it really is.
No, usually investment provides money for people that want to build something with it, and you get it (and a small profit, for the risk) back afterwards.
In this case, though, no one but you has a benefit.
Honestly depends on the situation I feel. If people are just registering up a bunch of valuable names then yeah I'm not a fan.
The other kind of person is (like me, so bias) the type who register domains with a project in mind but time or resources don't get funnelled to the project so the domain may as well be released back into the wild - In this case the domain still has however long it's registered for left on the registration and will likely be scooped up by a domain drop bot by the first kind of domainer. It's always nice for a failed project to at least break even through the domain sale.
When killing off projects I usually try to find someone who might like to own the domain and offer to push it to them gratis if they've got an account on the same registrar if the domain's going to expire within 6 months or so.
> The other kind of person is (like me, so bias) the type who register domains with a project in mind but time or resources don't get funnelled to the project so the domain may as well be released back into the wild
The third type of person is one who comes up with - at the time - a hilarious sounding joke, registers http://www.cannedgoat.com, and then continues to renew it year-after-year for sentimental reasons.
Besides, who's going to buy cannedgoat.com off me? Might as well keep it from being a GoDaddy banner site.
That is not parking in my opinion. You purchased for a reason, an actual project, not just a "I could charge someone for this later" and are willing to give it to someone who will take over the project or similar.
Exactly. I recently started a project that's not yet public (will take on the scale of years to get to that point), so the first thing that I did was to register the domain and the GitHub organization matching the project name. Would be extremely frustrating to find out that someone took it over a year after you started, and you have to go back and change the name all over the place.
I waited to register a domain matching the name I was using as a musician and it was scooped up six months later by a malware ad company. I now register anything I plan to use in the future, even if I'm nowhere near ready to start. However, the domains that I register aren't related to properties or people and I'm not grabbing them just to sit on them or resell them. People who do that are, to me, unethical bottomfeeders.
You could just place some forum, blog or whatever on such a domain. Of course there wouldn't be much or no content at all. But how do you want to prevent this? With a "there must be regular content updates" rule? No problem, just create some nonsense text with Markov chains or copy some Wikipedia pages. Now you would have to add a "Content must make sense" rule. Much fun to enforce this.
I completely agree, DNS-parking is harmful. However, I can't imagine a system for banning or enforcing 'fair use' of a domain. How would it be financed and run?
I also can't imagine how you would legislate around the sales process of domains.
I've thought through a few options, but all paths lead back to a marketplace for domains as assets. In said marketplace, there will always be the equivalent of investment and speculation - so domain-parking is inevitable.
The best way to fight speculation is to fight scarcity, i.e. create many (sensible) top level domains like .cars or .shop to increase competition with .com domains and drive down prices. Then more speculators go out of business because the price per domain goes down while the cost of parking it is unchanged.
One possible system for ensuring domains would be fairly used is a Google-based one:
When you register a domain, it initially sits alongside a high entropy string, like mything.3ku23j9. You then get traffic and links to go to your domain. If you get sufficiently popular, Google will show your domain as one of the first hits for "mything". At that point, you get the mything domain bare.
Perhaps, though the idea that if nobody squatted the domain would be there waiting for you isn't always true either.
There are a ton of good, not for sale, but underused, domains. Ones that are tied up with people that had intentions to use it, but never did. But, they still have the emotional attachment, and typically won't sell.
I agree with you. I think domain parking is a dirty thing. Most people see it as an "investment" though, but the reality is that by squatting on a domain, you're mostly just preventing others from using it. Very few would be willing to pay you for it.
I don't think all domain parking is harmful. Buying a known brand and extorting, sure.
But, I registered several <word>media.com names and sold them for $200 to $2k each. I just saw the trend of that style of domain. Didn't feel bad about it. It seems similar to buying land and sitting on it.
I struggle to find the added value in making a domain name more expensive than it would have been through a regular registrar. Do you provide additional services, such as curated listings of domain names you thought sounded good and were still available?
If I learn you're selling a domain just because it's not available for registration anymore, you are not adding value to my business, only increasing its costs.
Ahh. Yes, I just don't consider that "harmful". It is clearly opportunistic.
But, chances are that if I didn't buy it, someone else that planned on using it would have, and they wouldn't sell. The value add is that it's available to you at all, because I spotted the trend early.
The value you would add by making it available to me is value you would also add directly to the other parties intending to purchase and use it. So really, we're in the same boat as before as far as availability is concerned, except now I'm buying from you for a higher price.
It kinda bugs me, as do a few other things with the way we manage the name system. But I don't think there was ever any route we could have taken where the DNS namespace wasn't going to become either an opportunistic and polluted disaster or an unused relic.
A simple solution (with its own problems of course) is to charge $100 per year, rather than $10 per year, for each dot-com domain. This would destroy the economics of the parking business, except for the highest-value names, and thus would make a lot of names available for constructive use.
Interesting idea indeed, you could even have the price go up exponentially based on how many domains are already registered to a single entity/address/etc.
First domain? 1 a year. Second? 10. Third? 100. Fourth? 1000.
Careful. Pointing your A record to a third party allows that party to use HPKP [1] with a long expiry period and never give you the key, potentially nuking the domain (for anyone who has visited it before you sell it).
This is a pretty serious attack - is there really no way to mitigate it? An arbitrary HTTP header is pretty low on the totem-pole of trust, so why don't they periodically check DNS records for corroboration?
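A monitoring check for the HPKP risk raised in the two comments above, as an added example that is not part of the original thread: it parses a `Public-Key-Pins` response header in RFC 7469 syntax and flags a long-lived enforcing policy on a host you have pointed at a third party. The threshold, function names and header values are assumptions constructed for illustration.

```python
MAX_AGE_LIMIT = 86400  # assumed review threshold, in seconds

def parse_pkp(value):
    """Parse a Public-Key-Pins header value (RFC 7469 syntax) into a policy dict."""
    policy = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].append(arg)
        elif name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(headers):
    """Return findings for response headers (name -> value) served from a delegated host."""
    findings = []
    for name, value in headers.items():
        if name.lower() == "public-key-pins-report-only":
            findings.append("report-only pin policy present (not enforced)")
        if name.lower() != "public-key-pins":
            continue
        policy = parse_pkp(value)
        if policy["max_age"] is None or not policy["pins"]:
            findings.append("enforcing pin header present but incomplete")
        elif policy["max_age"] > MAX_AGE_LIMIT:
            days = policy["max_age"] // 86400
            scope = " and all subdomains" if policy["include_subdomains"] else ""
            findings.append(
                f"host{scope} pinned for {days} days to {len(policy['pins'])} key(s) you may not hold"
            )
    return findings

# Constructed sample: headers as they might be captured from a parked domain.
PARKED = {
    "Content-Type": "text/html",
    "Public-Key-Pins": 'pin-sha256="Y29uc3RydWN0ZWQtcGluLTE="; '
                       'pin-sha256="Y29uc3RydWN0ZWQtcGluLTI="; max-age=5184000; includeSubDomains',
}
print(audit(PARKED))
```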
Yeah, my only real experience selling domains is on sites like Flippa, who take either/both an upfront listing fee or a percentage of the sale price. If you're not doing the latter you can almost definitely charge more for unlimited domains :)
You may want to look into adding a CAPTCHA or some other kind of spam prevention system to the contact form. Spambots these days will fill in any contact forms with all kinds of spam.
If you're remailing those contact form responses through your server to the domain owner, these spambots will damage your IP reputation and legit inquiries might start getting blocked.
I'm curious, why do you ask your users to create an A entry for this? I think a CNAME/ALIAS entry to the domain of the service would be a safer choice in case you should be forced to change your IP address (e.g. if you change your hosting provider), which would currently force all your users to update their A entries. Also, using a CNAME domain would allow you to hide your IP address behind a CDN service like Cloudflare, which can be handy sometimes (e.g. for DDoS protection).
It's mostly due to ambiguity. Think of it like a directory, you can't have a file with the same name as a directory in a path, because operations on that name and path become ambiguous.
Zone SOAs are very much like directories on a filesystem.
Yes. Cloudflare does allow ALIAS style records. But in the case of Cloudflare you're actually changing your DNS over to their system. The original submission was about just making two changes to whatever the existing DNS server was you had.
Cool project. We do something very similar with an internally made lander for our domain portfolio, and it works well. Lots of serious buyers contact via e-mail listed on whois too.
One thing very useful is to have analytics, perhaps you could add a feature for users to input a Google Analytics tag (UA-000000).
Side note: for anyone who actually wants to sell/buy a domain in a private transaction, I highly recommend Escrow.com as an escrow service.
Thank you so much. I acquired blackmail.io as part of a, now defunct, project and had been meaning to put it up for sale. This was the perfect lazy solution for me :)
Tips for pricing your domain:
1. Think of how attached you are to the domain
2. Think of how much you think you'd be willing to pay for the domain in the open market
3. Think of how much the cleverness of the domain name is
Add all these values together, and multiply it by 2.
Is there also a way to do it without the price? Putting a price on it directly will either cause people to not bother if it's too high for some side project or make it too cheap if some huge corp wants to buy it.
Hi, nice and simple site. Thanks!
Maybe in the future can you give analytics as to who is visiting the site? That way we can get an idea of the demographics of who is going to which domain? (paid feature maybe)
Great idea. Would you prefer to have basic analytics in the dashboard, or being able to add Google Analytics and have better analytics from GA dashboard?
You are selling and marketing simplicity: 'just 2 records'. If you want to stick to the 'simplicity' audience, provide it to them without asking them to configure.
Cool idea. I hope you somehow confirm the listing on the dashboard, otherwise someone can just list some domains under your username to cost you money ;)
You can already set the price in the dashboard.
But the idea was to be able to manage your domain from your registrar without having to login on domdb.