Slashdot Mirror


Old Webhosting Providers Who Hijack DNS?

linzeal asks: "Oneworld Hosting, my old webhosting provider, keeps hijacking my DNS records for my website Anarchists for Life and pointing it at another customer's website. I have talked to the owner of the IP block as well as my old web host a multitude of times to no avail. My new webhosting provider, Trilucid, has been very helpful and has even suggested legal action. Does anyone here have an idea on how to solve this problem short of that?"

24 comments

  1. How are they hijacking DNS records? by nbvb · · Score: 4, Informative

    How are they "hijacking" your DNS records?

    Who's your registrar?? How can they update the DNS records for _your_ domain? Are you listed as the zone/technical contact?

    If you gave them absolute control of the domain, then there's almost nothing you can do.

    If you are the contact for the domain, update it with your registrar and make sure they're _NOT_ listed as the tech. contact!

    Who's your DNS provider? Are they causing the problems?

    1. Re:How are they hijacking DNS records? by linzeal · · Score: 1

      I'm the technical contact and have always been, and Dotster have gone out of their way to try to help me as well, with no success. When I switched providers each time it was I who updated the DNS records. Not one of my webhosting providers has ever touched the DNS records to my knowledge.

    2. Re:How are they hijacking DNS records? by arbofnot · · Score: 1

      The SOA record is messed up. Get TOMORROW2.NET to correct it and update the serial. The root servers know who to ask, but TOMORROW2.NET has the zone messed up.

      Also ns[1234].tomorrow2.net are confused amongst themselves -- ns1 doesn't know who ns3 is, and vice versa, plus ns1 does not respond but ns3 serves an SOA record that points to ns1.ocdns.com. They need to fix this too.

      Once all this is fixed, they have to update the serial numbers so the zone transfers will happen.

      For those with an eye for the finer details:

      ----
      [start with a root server]
      > server d.gtld-servers.net.
      Default Server: d.gtld-servers.net
      Address: 192.31.80.30

      > set type=soa
      > anarchsforlife.org.
      Server: d.gtld-servers.net
      Address: 192.31.80.30

      Authoritative answers can be found from:
      anarchsforlife.org nameserver = NS1.TOMORROW2.NET
      anarchsforlife.org nameserver = NS2.TOMORROW2.NET
      anarchsforlife.org nameserver = NS3.TOMORROW2.NET
      anarchsforlife.org nameserver = NS4.TOMORROW2.NET
      NS1.TOMORROW2.NET internet address = 128.241.194.20
      NS2.TOMORROW2.NET internet address = 128.241.194.21
      NS3.TOMORROW2.NET internet address = 130.94.173.110
      NS4.TOMORROW2.NET internet address = 130.94.173.111
      > set type=ns
      > anarchsforlife.org.
      Server: d.gtld-servers.net
      Address: 192.31.80.30

      Non-authoritative answer:
      anarchsforlife.org nameserver = NS3.TOMORROW2.NET
      anarchsforlife.org nameserver = NS4.TOMORROW2.NET
      anarchsforlife.org nameserver = NS1.TOMORROW2.NET
      anarchsforlife.org nameserver = NS2.TOMORROW2.NET

      Authoritative answers can be found from:
      NS3.TOMORROW2.NET internet address = 130.94.173.110
      NS4.TOMORROW2.NET internet address = 130.94.173.111
      NS1.TOMORROW2.NET internet address = 128.241.194.20
      NS2.TOMORROW2.NET internet address = 128.241.194.21
      > set type=a
      > anarchsforlife.org.
      Server: d.gtld-servers.net
      Address: 192.31.80.30

      Name: anarchsforlife.org
      Served by:
      - NS1.TOMORROW2.NET
      128.241.194.20
      anarchsforlife.org
      - NS2.TOMORROW2.NET
      128.241.194.21
      anarchsforlife.org
      - NS3.TOMORROW2.NET
      130.94.173.110
      anarchsforlife.org
      - NS4.TOMORROW2.NET
      130.94.173.111
      anarchsforlife.org

      [that's what we wanted to see, so let's ask them]

      > server ns1.tomorrow2.net.
      Default Server: ns1.tomorrow2.net
      Address: 128.241.194.20

      > set type=a
      > anarchsforlife.org.
      Server: ns1.tomorrow2.net
      Address: 128.241.194.20
      [no response]
      ^C
      > set type=ns
      > anarchsforlife.org.
      Server: ns1.tomorrow2.net
      Address: 128.241.194.20

      Non-authoritative answer:
      anarchsforlife.org nameserver = NS2.TOMORROW2.NET
      anarchsforlife.org nameserver = NS3.TOMORROW2.NET
      anarchsforlife.org nameserver = NS4.TOMORROW2.NET
      anarchsforlife.org nameserver = NS1.TOMORROW2.NET

      Authoritative answers can be found from:
      NS2.TOMORROW2.NET internet address = 128.241.194.21
      NS1.TOMORROW2.NET internet address = 128.241.194.20
      > set type=soa
      > anarchsforlife.org.
      Server: ns1.tomorrow2.net
      Address: 128.241.194.20
      [no response.]
      ^C
      > server ns3.tomorrow2.net.
      *** Can't find address for server ns3.tomorrow2.net.: Non-existent host/domain
      [back to the root server, since ns1 doesn't know ns3]
      > server d.gtld-servers.net.
      Default Server: d.gtld-servers.net
      Address: 192.31.80.30

      > server ns3.tomorrow2.net.
      Default Server: ns3.tomorrow2.net
      Address: 130.94.173.110

      > set type=soa
      > anarchsforlife.org.
      Server: ns3.tomorrow2.net
      Address: 130.94.173.110

      anarchsforlife.org
      origin = ns1.ocdns.com
      mail addr = root.ns1.ocdns.com
      serial = 1005677141
      refresh = 28800 (8 hours)
      retry = 7200 (2 hours)
      expire = 3600000 (41 days 16 hours)
      minimum ttl = 86400 (1 day)
      anarchsforlife.org nameserver = ns2.ocdns.com
      anarchsforlife.org nameserver = ns1.ocdns.com
      ns1.ocdns.com internet address = 130.94.173.122
      ns2.ocdns.com internet address = 130.94.173.124
      >
      [but this is telling us to ask ocdns.com]

      ---
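
Added example (not part of arbofnot's post or of the original thread): the checks walked through by hand in the session above, written as a small Python audit that compares the parent delegation with what each delegated server says about the zone. The `Observation` type, the function names and the finding codes are this example's own; the data is transcribed from the session above, and the SOA serial comparison (RFC 1982 arithmetic) goes one step beyond what the post checks.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Observation:
    """Result of asking one delegated server directly for the zone."""
    responded: bool
    soa_mname: Optional[str] = None
    soa_serial: Optional[int] = None
    ns_set: frozenset = frozenset()

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is a newer than b, allowing 32-bit wraparound?"""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def audit(zone, delegated, observations):
    """Return (code, server, detail) findings, per-server checks first."""
    delegated = {norm(n) for n in delegated}
    findings, serials = [], {}
    for server in sorted(delegated):
        obs = observations.get(server)
        if obs is None:
            findings.append(("unchecked", server, "no direct query recorded"))
        elif not obs.responded:
            findings.append(("lame", server, f"no SOA answer for {zone}"))
        else:
            serials[server] = obs.soa_serial
            mname = norm(obs.soa_mname)
            if mname not in delegated:
                # Legitimate with a hidden primary; otherwise a sign of stale zone data.
                findings.append(("mname-outside-delegation", server, mname))
            served = {norm(n) for n in obs.ns_set}
            if served != delegated:
                findings.append(("ns-mismatch", server, ",".join(sorted(served))))
    if serials:
        newest = next(iter(serials.values()))
        for s in serials.values():
            if serial_newer(s, newest):
                newest = s
        for server, s in sorted(serials.items()):
            if s != newest:
                findings.append(("stale-serial", server, f"{s} behind {newest}"))
    return findings

# Transcribed from the nslookup session above; ns2 and ns4 were not queried there.
ZONE = "anarchsforlife.org"
DELEGATED = ["NS1.TOMORROW2.NET", "NS2.TOMORROW2.NET",
             "NS3.TOMORROW2.NET", "NS4.TOMORROW2.NET"]
OBSERVED = {
    "ns1.tomorrow2.net": Observation(responded=False),
    "ns3.tomorrow2.net": Observation(True, "ns1.ocdns.com", 1005677141,
                                     frozenset({"ns1.ocdns.com", "ns2.ocdns.com"})),
}

if __name__ == "__main__":
    for code, server, detail in audit(ZONE, DELEGATED, OBSERVED):
        print(f"{code:26} {server:20} {detail}")
```
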

  2. Here's a clue by Gothmolly · · Score: 2


    Whois on networksolutions.com

    Registrant:
    Chris Welsh
    2792 W. Jasper Dr.
    Chandler, Az 85224
    US

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: ANARCHSFORLIFE.ORG
    Created on: 06-SEP-00
    Expires on: 06-SEP-02
    Last Updated on: 26-OCT-00

    Administrative Contact:
    Welsh, Chris koat@disinfo.net
    2792 W. Jasper Dr
    Chandler, Az 85224
    US
    602-254-6398

    Technical Contact:
    Welsh, Chris koat@disinfo.net
    2792 W. Jasper Dr
    Chandler, Az 85224
    US
    602-254-6398

    Domain servers in listed order:
    NS3.TOMORROW2.NET
    NS4.TOMORROW2.NET
    NS2.TOMORROW2.NET
    NS1.TOMORROW2.NET

    --
    I want to delete my account but Slashdot doesn't allow it.

    1. Re:Here's a clue by linzeal · · Score: 1

      These are the correct nameservers for my new provider

      Registrar: Go Daddy Software (http://registrar.godaddy.com)
      Domain Name: TRILUCID.COM

      Domain servers in listed order:
      NS1.TOMORROW2.NET
      NS2.TOMORROW2.NET

      but this is my old provider

      Registrar: NETWORK SOLUTIONS, INC.

      Organization: Netwrench
      address: P.O. Box 880
      Worthington, OH 43085 US

      Admin contact: Hosting, One World
      email: info@ONEWORLDHOSTING.COM
      phone: 800 8460241
      fax: 614 4363010

      Tech contact: Hosting, One World
      email: info@ONEWORLDHOSTING.COM
      phone: 800 8460241
      fax: 614 4363010

      Nameservers: ns2.oneworldhosting.com
      ns.oneworldhosting.com

      ns2.owh.com apparently still has my information on it and somehow takes precedence over the one my registrar is pointing at.

    2. Re:Here's a clue by cmoss · · Score: 1

      I am betting that you are looking in the wrong place. You probably copied the old DNS records to the new servers at NS1.TOMORROW2.NET, NS2 etc.

      The whois records are pointing to NS1.TOMORROW2.NET, NS2.TOMORROW2.NET, NS3...,NS4...

      Given that, there is no way ns2.owh.com is being used by the clients to look up your domain.
      ONEWORLDHOSTING.COM is probably just re-using your old IP address and your new DNS servers still have the old records.

      Your new provider may be too inept to figure out what the problem is. A lawyer would be a waste of time and money. It is not a problem with your old provider; it is a problem with your DNS records or your new provider.

      BTW, the DNS SOA record on NS1.TOMORROW2.NET has ns1.ocdns.com listed. I can't do a zone transfer of your domain but I would not be surprised if your DNS records were set up to do a zone transfer from ONEWORLDHOSTING.COM and your new provider can't figure this out.

      Get your records fixed at your new provider and you should have no problem.

      The following query shows that data is being retrieved from your new provider's servers and it has the old IP address.
      $ host -a www.anarchsforlife.org
      Trying "www.anarchsforlife.org."
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26950
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

      ;; QUESTION SECTION:
      ;www.anarchsforlife.org. IN ANY

      ;; ANSWER SECTION:
      www.anarchsforlife.org. 171572 IN A 64.177.5.173

      ;; AUTHORITY SECTION:
      anarchsforlife.org. 171572 IN NS NS3.TOMORROW2.NET.
      anarchsforlife.org. 171572 IN NS NS4.TOMORROW2.NET.
      anarchsforlife.org. 171572 IN NS NS1.TOMORROW2.NET.
      anarchsforlife.org. 171572 IN NS NS2.TOMORROW2.NET.

      ;; ADDITIONAL SECTION:
      NS1.TOMORROW2.NET. 171672 IN A 128.241.194.20
      NS2.TOMORROW2.NET. 171672 IN A 128.241.194.21
      NS3.TOMORROW2.NET. 171672 IN A 130.94.173.110
      NS4.TOMORROW2.NET. 171672 IN A 130.94.173.111

      Received 205 bytes from 209.9.172.254#53 in 64 ms

      Chuck

    3. Re:Here's a clue by linzeal · · Score: 1

      I'll definitely bring this to both the registrar's attention and my new web hosting provider. I know first hand how difficult DNS can be when I attempted to set up a simple DNS/DNS cache server once. Thank you very much and happy holidays. :)

  3. If it's that important... by mattboston · · Score: 1

    you should contact a lawyer and have him send them a letter threatening legal action if they don't stop. For them to send a letter may cost you a couple hundred $$, but may be an easy way. If they continue, and you need to take them to court, you will definitely win and they will end up footing the bill for your legal costs. Unless, you still owe them money and that's why they are doing this.... Of course, you can just keep calling and emailing them daily.... then hourly... then every 5 or 10 minutes.... eventually they will get the point that you won't leave them alone till they resolve your problem.

    1. Re:If it's that important... by linzeal · · Score: 1

      I can't afford a lawyer really, but I was thinking of having my current web hosting provider send them bills for my account since I can't really use it right now.

  4. Use a thirdparty DNS site by davidu · · Score: 2

    You shouldn't really rely on a company who you are in contract with to provide you DNS service. When you leave, they have no incentive to keep pointing records for you or even make it easy for you to move.

    It's much easier to use a third party DNS provider who is either really cheap or free.

    There are quite a few cheap ones out there and a couple free ones, but of course, I won't cool my own. ;-)

    -davidu

    --

    # Hack the planet, it's important.

    1. Re:Use a thirdparty DNS site by clifyt · · Score: 3, Interesting

      I completely agree. If you are no longer with this company, get a new DNS host or PAY them.

      Having said that, I've hijacked a few myself. Clients that decided not to pay any more or screwed me over some other way. Hell, I had one a few weeks ago that was just waiting for their registration to lapse so that they could buy it back (and had some broker providing for this)...they owed me a few grand for the work I did, and decided that it wasn't good enough (even though they hired someone to take the graphics I did and translate them to their print stationery and banners)...Fuck it...I reregistered the domain myself under one of those cheap $7 a year registrars and have it pointing at one of their competitor's sites. If they want to bring in a lawyer, I'll give it over, but until I get a summons, it ain't moving unless I get paid (which would be FAR cheaper than finding a lawyer willing to do this).

      So, back to the point...make sure that your old web provider was paid up, make sure they realize there are no problems between you and them and get the crap moved to your own site. I just took a look at that everydns the parent response mentioned, and this would be cool to use (and I'd consider something like this for the few domains that I have that I don't have on Register.com which has their own DNS server so I could finally get rid of my crappy little unstable DNS box I'm using now...don't even have a back up anymore).

      clif

    2. Re:Use a thirdparty DNS site by linzeal · · Score: 1

      I don't owe them any money. It is some fault with their secondary DNS server keeping old records and/or being brought up partially from old backups. I'm not sure. It is a recurring problem and the IP block owners Alabanza have actually solved the problem off and on numerous times for a few days.

      12/26/01 12:15:46 IP Block 64.177.5.173
      Trying 64.177.5.173 at ARIN
      Trying 64.177.5 at ARIN
      Alabanza, Inc. (NETBLK-ALABANZA-BALT-4)
      8309 Tinsley Rd.
      Baltimore, MD 21244
      US
      Netname: ALABANZA-BALT-4
      Netblock: 64.176.0.0 - 64.177.255.255
      Maintainer: ALAB
      Coordinator:
      Cunningham, Thomas (TC12-ARIN) ipadmin@alabanza.com
      410-779-1400
      Domain System inverse mapping provided by:
      NS.ALABANZA.COM 209.239.47.252
      NS2.ALABANZA.COM 209.239.47.201
      ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
      Record last updated on 06-Oct-2000.
      Database last updated on 25-Dec-2001 19:55:00

      Currently two places are attempting to use my domain name with one of the IP addresses that they "own". Only one of them is actually being pointed at by my registrar; the other one is usurping it because of technical problems or worse. Would ICANN be a good place to contact?

    3. Re:Use a thirdparty DNS site by cmoss · · Score: 1

      As near as I can tell he is not using his old provider to host DNS. The whois records point to his new provider.

      Chuck

    4. Re:Use a thirdparty DNS site by davidu · · Score: 1

      Contact me privately at support@everydns.net and I'll help you through this.

      You are confusing a couple different issues/problems.

      -davidu

      --

      # Hack the planet, it's important.

  5. Registrar Can Solve this problem by Elik · · Score: 1

    The simple way to resolve this is by changing the DNS server where your domains point to. Currently, it points to tomorrow2.net which have 4 of them listed.

    But from the cursory checking of that domain, it seems to belong to neither party unless it does belong to oneworldhosting.com, but not sure about it. But you can change it to point to your new hosting provider's DNS so it will update properly, and use the much higher serial number to override the old one that is floating around which they might consider the valid DNS which it isn't. It happens a few times and it is not much of an issue if you change the serial number to be higher than the old one that existed on the old DNS Server.

    --
    -- Amazing how the Internet still hums along.... -- Despite all the flaws of Micro$oft in their software!

    1. Re:Registrar Can Solve this problem by john_cotse · · Score: 1

      See the problem with this theory is, even though you change the DNS at your registrar, if you are only running a locally known domain, for your local small-town community to see, and if you had that site hosted on a small town ISP, the one that won't give up the DNS.... well, if they still resolve that domain to their servers, and most people in that lil town use that ISP... then most people in that town will only get the old page... I've run into this before. Go through legal channels, they have no legal right to hijack the site.

      --
      John Holstein, Cotse Helpdesk/Support

    2. Re:Registrar Can Solve this problem by linzeal · · Score: 1

      Tomorrow2.net is owned or used by Trilucid, my current provider. It is the ns2.oneworldhosting.com server that still holds my domain information somehow and refuses to release it.

    3. Re:Registrar Can Solve this problem by cmoss · · Score: 1

      Eventually you should have oneworldhosting.com stop serving out your DNS information but it is only a problem for their customers if they are providing stale data.

      Your records at your new provider are using stale data. (maybe doing a zone transfer from your old provider's master) Get your entire DNS zone from your new provider and that will help.

      How do you update your DNS records at the new provider?

      Confirm with them that they are not doing a zone transfer from your old provider.

      Make sure any changes you make with them include a new serial number for the zone file.

      Chuck

  6. DNS by s1qazjen · · Score: 1

    Switch registrars: to networksolutions.com, formerly internic.net. They were awarded the contract that internic once held. Which Verisign now holds. Manually remove all previous DNS Host records that you have information about. They are still there even when they tell you "this is all that is showing up". Host with a large provider. Verio, Verisign, ATT, SWBELL, Etc.

    1. Re:DNS by Anonymous Coward · · Score: 0

      stay away from network solutions. They overcharge and their customer service is terrible.

    2. Re:DNS by gopherdata · · Score: 1

      Why anyone would want to switch to network solutions is beyond me. Network solutions has some of the WORST customer service around and charges about twice what most other registrars charge.

  7. The DNS Info In Question by Nailer · · Score: 2

    To save you all five seconds...

    Trying "anarchsforlife.org."
    HEADER opcode: QUERY, status: NOERROR, id: 23812
    flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 4

    QUESTION SECTION:
    anarchsforlife.org. IN ANY

    ANSWER SECTION:
    anarchsforlife.org. 172800 IN NS NS1.TOMORROW2.NET.
    anarchsforlife.org. 172800 IN NS NS2.TOMORROW2.NET.
    anarchsforlife.org. 172800 IN NS NS3.TOMORROW2.NET.
    anarchsforlife.org. 172800 IN NS NS4.TOMORROW2.NET.

    AUTHORITY SECTION:
    anarchsforlife.org. 172800 IN NS NS1.TOMORROW2.NET.
    anarchsforlife.org. 172800 IN NS NS2.TOMORROW2.NET.
    anarchsforlife.org. 172800 IN NS NS3.TOMORROW2.NET.
    anarchsforlife.org. 172800 IN NS NS4.TOMORROW2.NET.

    ADDITIONAL SECTION:
    NS1.TOMORROW2.NET. 172800 IN A 128.241.194.20
    NS2.TOMORROW2.NET. 172800 IN A 128.241.194.21
    NS3.TOMORROW2.NET. 172800 IN A 130.94.173.110
    NS4.TOMORROW2.NET. 172800 IN A 130.94.173.111

    Received 241 bytes from 198.142.0.51#53 in 352 ms
    [mikem@nailbox mikem]$ whois anarchsforlife.org
    [whois.crsnic.net]

    Whois Server Version 1.3

    Domain Name: ANARCHSFORLIFE.ORG
    Registrar: DOTSTER, INC.
    Whois Server: whois.dotster.com
    Referral URL: http://www.dotster.com/help/whois
    Name Server: NS1.TOMORROW2.NET
    Name Server: NS2.TOMORROW2.NET
    Name Server: NS3.TOMORROW2.NET
    Name Server: NS4.TOMORROW2.NET
    Updated Date: 18-dec-2001

    >>> Last update of whois database: Wed, 26 Dec 2001 17:04:50 EST

    The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
    Registrars.

    [whois.dotster.com]

    Registrant:
    Chris Welsh
    2792 W. Jasper Dr.
    Chandler, Az 85224
    US

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: ANARCHSFORLIFE.ORG
    Created on: 06-SEP-00
    Expires on: 06-SEP-02
    Last Updated on: 26-OCT-00

    Administrative Contact:
    Welsh, Chris koat@disinfo.net
    2792 W. Jasper Dr
    Chandler, Az 85224
    US
    602-254-6398

    Technical Contact:
    Welsh, Chris koat@disinfo.net
    2792 W. Jasper Dr
    Chandler, Az 85224
    US
    602-254-6398

    Domain servers in listed order:
    NS3.TOMORROW2.NET
    NS4.TOMORROW2.NET
    NS2.TOMORROW2.NET
    NS1.TOMORROW2.NET

    Register a domain name at www.dotster.com

    End of Whois Information

  8. only at /. .... by Anonymous Coward · · Score: 1

    can a DNS misconfiguration become "hijacking". Good work there Cliff, glad to see you're on top of it.

    If that's not bad enough, only about two guys out of 20 had any clue what was going on in the first place. Get a lawyer?...that's rich...how 'bout a hostmaster with a clue?

    His zone record was fucked up, but it's hardly hijacking.

  9. seen this before by flipper28 · · Score: 1

    The problem is that your old ISP has your DNS records in their system, but their web servers don't know about your domain (thus pointing it to the default or first one). You need to make sure that all the root servers point to the correct DNS and ask your old ISP to remove your zone from their configuration files (on masters and slaves).