[HN Gopher] Ask HN: Domain taken over temporarily during transfer?
       ___________________________________________________________________
        
       Ask HN: Domain taken over temporarily during transfer?
        
       I think I just encountered ephemeral DNS pirates or something.  Is
       it common?  Here is the story.  I was transferring a domain name
       from some registrar to AWS. The configurations etc. there were
       untouched for years (so it was always just "page doesn't exist").
       So the request went out, now "waiting for confirmation, can take up
       to 10 days etc.". For some cosmic reason I decide to check the URL
       of that domain in the browser. To my astonishment it loads and it's
       some crazy half-Swedish half-Turkish (I think) SEO bot page with
       some JPGed-out pics of belly-button and a working boot.  There is
       an email address in the footer - abada@goodprizwomen.com (maybe not
       abada but similar sounding). I whois my domain - all DNS lookups,
       Nameservers look ok. I whois goodprizwomen.com - it is registered
       with Alibaba domain service. I contact the support of my registrar,
       that I am transferring the domain from, who after some 15 minutes
       admits that they have no idea how that has happened or who are
       those goodprizwomen. My (now ex-) registrar expedites the transfer,
       it clears and everything looks good now.  So as I see this now -
       there are bots out there looking for domains with unlocked DNS,
       that they can take over for a couple minutes / days it takes for
       the transfer to clear. Ephemeral DNS pirates.
        
       Author : wellthisisgreat
       Score  : 5 points
       Date   : 2021-03-23 21:11 UTC (1 hours ago)
        
       | LinuxBender wrote:
       | There are bots that will check to see what zones are pointing to
       | route53 and will then check to see if those zones are registered
       | in route53. If not, they will register them and your domain is
       | hijacked. Set up your domain in route53 before moving it, if you
       | haven't. If AWS won't let you register the domain because someone
       | beat you to it, point the root servers back to your old name
       | servers and open a case with Amazon.
        
         | wellthisisgreat wrote:
         | Thank you, am I getting this right?
         | 
         | Moving example.com from registrar to AWS
         | 
         | 1. Register Hosting Zone in AWS (example.com)
         | 
         | 2. Initiate the transfer for example.com, get to the part where
         | they ask for Auth code
         | 
         | 3. Initiate the transfer on registrar side, get the Auth code.
         | 
         | 4. Enter the Auth code on AWS side.
         | 
         | 5. Done?
         | 
         | I am pretty sure that's what I did but after Step-4 that whole
         | thing with goodprizwomen.com happened. Or did I miss something?
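
Added example, not part of the thread or any poster's code: a check for the condition LinuxBender describes, where a zone is delegated to nameservers that do not actually host it. It sends each delegated nameserver a non-recursive SOA query and flags any that fail to answer authoritatively. The nameserver names and the `fake_send` responder are constructed so the sample runs offline; pass your real delegated nameservers and leave `send` at its default to query over the network.

```python
import socket
import struct

def build_soa_query(zone, qid=0x1234):
    """Wire-format SOA query for `zone` with recursion desired (RD) off."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in zone.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def classify(response):
    """Return 'authoritative' or 'lame' from a raw DNS response."""
    if response is None or len(response) < 12:
        return "lame"                      # timeout or truncated reply
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    is_response = bool(flags & 0x8000)     # QR bit
    aa = bool(flags & 0x0400)              # Authoritative Answer bit
    rcode = flags & 0x000F                 # 0 = NOERROR, 5 = REFUSED
    if is_response and aa and rcode == 0 and ancount > 0:
        return "authoritative"
    return "lame"

def udp_send(server, payload, timeout=3.0):
    """Default transport: one UDP datagram to port 53 (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (server, 53))
            return s.recvfrom(4096)[0]
        except OSError:                    # timeout, unreachable, bad name
            return None

def audit_delegation(zone, delegated_ns, send=udp_send):
    """Map each delegated nameserver to 'authoritative' or 'lame'."""
    query = build_soa_query(zone)
    return {ns: classify(send(ns, query)) for ns in delegated_ns}

# Constructed sample: a fake responder standing in for two nameservers.
def fake_send(server, payload):
    qid = payload[:2]
    if server == "ns-ok.example.net":      # AA=1, NOERROR, one answer
        return qid + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)
    return qid + struct.pack("!HHHHH", 0x8005, 1, 0, 0, 0)  # REFUSED

SAMPLE = audit_delegation("example.com",
                          ["ns-ok.example.net", "ns-gone.example.net"],
                          send=fake_send)
```

An "authoritative" result only shows that some zone for the name exists on that server, so also compare the delegated set against the nameservers assigned to your own hosted zone.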
        
       | csark11 wrote:
       | > Is it common?
       | 
       | It definitely is. Just like bots scanning the web for server
       | exploitations. If money can be made/extracted from it, you can
       | bet that there are bots trying to exploit that.
       | 
       | However, domain transfers should be safe if done correctly.
       | Sounds like that was not the case for you. Glad to know that it
       | was resolved. Domain name takeovers can be very costly to recover
       | from; if recoverable at all.
        
       ___________________________________________________________________
       (page generated 2021-03-23 23:02 UTC)