It's that time of year again when CIRA holds it's elections for seats on the Board. As I never tire of relating: when I was on the CIRA Board, I got the opportunity to travel across the country and meet .CA domain holders from all walks of life. When the Board held open forums in various venues, the turnout was usually pretty good, and people had a lot to say. Then, near the end of the forum I would always ask the room: Who here voted in the last CIRA election? Very few hands would go up.

The .CA space is unique in that it is one of the very few top-level domains that provide direct member input via the public consultations and the Board elections. I think all interested parties should avail themselves of that opportunity.

Every year the CIRA members (that's pretty well anybody who holds a .CA domain name) can put one candidate onto the ballot, in addition to the slate of candidates proffered via the CIRA NomCom (Nomination Committee). The member nominees this year are numerous, and I recognize a few names there. It's a shame we can only show our support for one member nominee at this stage of the game.

So, who should you support from the members' side of the slate this year?

My overall number one choice is Zak Muscovitch, a domain name lawyer and all around advocate for domainer rights. I've had numerous dealings with him in the past and he's very plugged in and attuned to the domain name space. He's also written some groundbreaking articles about reverse hijacking.

If your main concern about the .CA space is around technical stability and security, I would look at Andrew Sullivan, a long time DNS guru who I've turned to for advice and guidance in the past.

And if you're looking for an all around generalist with a good head for numbers and a down-to-earth grounding then I see that Rick Anderson is running on the member's side of the ledger this year. He's been on the Board before and I thought it was well served by his presence.

Greetings from St. Lucia, where I'm here with the family for an end-of-summer vacation. I wanted to post about this topic before I left but I didn't get to it, but this article over at CircleID reminded me. The article discusses the ramifications and effects of the large, possibly record-setting DOS attack against DNSMadeEasy last weekend. (To clarify: DNSMadeEasy is a separate company, unrelated to easyDNS)

The article states "An attack on DNS is an attack on The Internet" and this much is true. As we always quip around here, "DNS is something nobody notices until it stops working".

I have to admit that in the early days of easyDNS I was oblivious to the possibility of DOS attacks. It simply never occurred to me. We were able to proclaim 100% DNS uptime since launching in1998 for a glorious 5 years and then on April 14th, 2003, it all ended as we got hit with a DOS that pancaked all four single-node nameservers and every domain on the system went dark for about 75 minutes. I nearly had a nervous breakdown, and then over the summer I thought long and hard about the ramifications and at the time surmised that the DNS hosting model was doomed.

Then we started looking at DNS anycasting but it took us another 5 years to get there. In the meantime we had another outage from another DOS: about an hour on Sept. 14/2005.  We added Prolexic DDoS mitigation within weeks of that attack and are happy to report we haven't had an outage since.

In the intervening years we also moved ourselves to a DNS Anycast architecture. While it is significantly harder to bring down an anycast architecture with a DOS attack, it can still happen. Usually instead of a complete and utter outage, you get "regional outages", which is basically a euphemism to deflect assertions of downtime: "Some users may experience regional outages….like North America and Europe" (credit to Steven Job for that bit of humour).

Some DNS Providers guarantee you that they will never go down and assert 100% DNS uptime in face of prior DOS attacks. In reality, every single DNS provider in existence for more than 5 years has had downtime. If the DOS attack that hit DNSMadeEasy last week really was 40 or 50 GIGS, and if it would have hit us, I hesitate to say "we would have stayed up".  In 2006  we got hit with an attack that was 20 to 25 gigs, and we didn't go down completely ("Some customers may have experienced regional outages"), but we sure felt it. Prolexic withstood the attacks and at the end of it we had to write a few enormous cheques to our providers to cover the bandwidth.

But I have long since backed away from my 2003 trepidations that the centralized DNS hosting model was doomed, for a few reasons:

1. DNS Anycast changes the game and drastically raises the bar for a DOS attack so that even if the resources can be mustered to do it, the duration of an outage is usually decreased as more numerous network carriers become aware of the problem and act to corral it.


2. DDoS Mitigation strategies have also improved. These days I think we are pretty well under a continuous state of low intensity DOS attack in one form or another. By low intensity I mean it doesn't bring us down anymore, but these attacks are about 10 to 20 times more powerful than the 2003 attack that did us in, so:


3. The DOS attacks that DNS providers routinely mitigate every day would probably level many non-professional, non-dedicated DNS setups.


4. The other benefits to using an specialized DNS hosting provider outweigh the isolated risks of DOS attacks. A good example of this is DNS Anycast: the DNS best practice that is simply not-viable for many organizations to implement on their own. Commercial DNS providers make viable through their economies of scale.

But this is the internet. If you elect to take part in it, there are certain unpleasant realities that will come home to roost. Like if you own a domain name, sooner or later it'll get joe-jobbed in a spam mailout. So to eventually you will get caught in the crossfire of a DOS attack against some target that has nothing to do with you but it's big enough to mess up one of your infrastructure suppliers. Like an empty bottle thrown at random into a crowd.

On the DNS side of things there are a few steps you can take to either not go down, even if your DNS provider does, or to make any impact minimal.

1. Use a DNS provider that allows third-party zone transfers. Either one that lets your slave your DNS zone from a primary nameserver outside of their own system (basically using a DNS provider as secondary DNS), or one that lets you designate other nameservers outside their system that can slave your DNS zone from it. Ideally, both.


2. Use two DNS providers. If you have the ability to setup  point #1 above with multiple DNS providers, then you are pretty redundant right there. I got an email from a large web services company after the DNSMadeEasy DOS who uses both theirs and our services. He said they experienced no downtime and using two DNS providers was still a lot less expensive than their previous setup.


3. Or, just use any third party nameserver, even one of your own. Have it slave your zone from your DNS host (or have your DNS host slave from it). Unless you are the actual target of the DOS, then, like a jet that can fly as long as one engine is firing, you'll be fine for the brief time your DNS provider may be down (or experiencing regional outages).

Being connected to the internet has varying degrees of importance to different organizations. For some, no downtime is acceptable (i.e. for DNS providers or web hosts, it's very very bad). Other organizations take a couple years to notice that their domain name expired.

Depending on the seriousness of your web presence you may want to also consider additional measures and be aware of a few things.

• Many top-level rootzones (.com, .net, .org, .biz and .info) make modifications in near realtime. People may be accustomed to things like nameserver delegation modifications to take a day to kick in. In fact a lot of user-interface verbiage probably still says as much ("please allow 24 to 48 hours for your nameserver delegation to take effect"). In these rootzones it's closer to 3 to 5 minutes. Use that. The bad guys (spammers, botnets, etc)  "fast-flux" their nameservers all the time to thwart tracing and reporting. It's a tactic you can take back from the black-hats and you can fast-flux your nameservers to provide a moving target in a DOS situation.


• Warm spares: have your DNS mirrored on third party nameservers, but do not add them to your nameserver delegation. If your DNS provider goes down, you then temporarily swap in your warm spares.


• For web hosts or other infrastructure suppliers that run DNS for their clients: do the above, except when you need to make a switch to your warm spares, you change the rootzone glue record for your nameservers: this way you do not need to make changes to each customer domain's nameserver delegation. The caveat here is you tend to only buy time: if the DOS is targeting you and you change-up your nameserver glue, the DOS may eventually (or sooner) follow you to the new IPs. Having said that, you can keep doing this and you may be able to diffuse the attack.


• Another overlooked fact: you can round-robin a nameserver glue record. We've tried it and don't find it near as effective as DNS anycast, but in a DOS situation, if you can add more warm spares to your nameserver glue records, then do it. Again, this diffuses the attack. "Regional outages" may indeed be a euphemism but it really is better than "everything is down hard".


• Here's one we learned the hard-way: don't have your nameservers in the same netblocks as your web interface and data storage, especially if you provide infrastructure services. If your nameservers are going to get clobbered you at least want to be able to get email and maybe provide a modicum of critical services to your users, something you can't do if your entire operation is within the same /24 that has been null routed by your upstream providers.

If I can perhaps add some comments to this theme: I would not wish a nameserver outage on any DNS provider. And you can believe me, when it happens, the people inside that company are tearing their hair out, suffering extreme mental anguish and pulling out all the stops to restore services. When I see a DNS provider taken out by a DOS attack and chatter on twitter, etc along the lines of "XYZDNS is down #fail #fail #fail" I want to thwap those people upside the head. Get a life. Do you think your DNS provider is out on the golf course while his business is being taken apart by a DOS?

While I am a businessman and we are a for-profit company, I do not relish gaining business at the expense of a DNS provider who's down because of a DOS attack. I'd rather gain customers on price, service offerings, customer support, our good looks, anything but a competitor going down because of a DOS. I guess because I've been there, I know how it feels. (Not all DNS providers take this view, in fact some of them pounce with glee when the opportunity presents itself, firing up the telemarketing crew to cold call the fallen provider's customers. If you're a customer of ours you have perhaps received such a call in the past).

DOS attacks are criminal acts. Get pissed off at the criminals who undertake them, not the people who are on the front lines of having to deal with them. Use these tips to stay online regardless of who your DNS provider is. I'm not advocating you stop using your existing DNS provider, but rather you modify your tactics so that instead of your DNS host becoming your single DNS host, it becomes more of a "DNS infrastructure management" role, that you use to setup and maintain multiple DNS structures (combining in-band nameservers from your DNS host with out-of-band nameservers outside their cloud), and warm spares.

I've been meaning to post this article for awhile, but everytime I almost got around to it, gold would have reversed higher like a bullet and I didn't want to come out and say "gold is in a bull market" while it's screaming to new highs, because then it's pretty self-evident.

So gold is on a serious pullback right now, one of those reversals where everybody is calling for an end to the gold bull market.

Because I've been invested in gold since around 2002, I often get asked where I think the price is going. To this I reply, especially over the last couple years, that I no longer attempt to predict anything. To digress briefly:

I was one of the people who believed the camp of pessimists that said a mega recession was approaching. It was a prediction that turned out to be correct, but when it finally happened I was still taken off-guard and surprised by some of the effects of it. For example, I thought gold would go UP during the onset of the Global Financial Crisis (GFC), instead, gold tanked (along with everything else) and the US dollar soared. In retrospect it made sense but at the time it blindsided pretty well everyone.

Continue reading "Here's the thing: Gold is in a bull market"

I'm posting this under "How to lose customers", but given the circumstances behind this post, perhaps I should post it under "How to lose employees". Now that the new easyDNS website is finally launched, I have been reviewing the content with an eye toward readability, clarity and general usability.

I came across an archived page that didn't "make the cut" when we launched the website, basically because it offended nearly everybody on staff and they made no bones about telling me. They felt that it went too far, it was too over the top and it was downright offensive.


Continue reading "Do Business With easyDNS...or the dog gets it."

That is the question posed by DomainSuperstar upon reflecting on the WSJ’s observation that the wealthy appear to be fleeing to tangibles such as art.

To his first question, will the wealthy start investing in premium domain names the same way they seem to be doing in art, I cannot guess. While I’ve made predictions in the past, and sometimes even happened to be correct, the main refinement to my overall investment methodology over the years since the advent of the Global Financial Crisis is that I cannot predict the future. Long story and certain to be the subject of other posts.

So who knows….maybe money does start flowing into premium domain names. I just don’t know.

What I can say however, is that there are indeed many parallels between art and domains. You can lose your shirt in both.

(continue reading)

Hat tip to TheDomains for reporting that Neustar’s DNS resolver service DNSAdvantage is blocking parked domains with the message

Warning!
For your protection, you have been temporarily blocked from accessing www.tackboard.com. The website has been blocked for the following reasons:

* Parked Domain: Site may contain excessive advertising including pop-up or pop-under advertising”””

We leave the merits of whether this is “good” or “bad” aside. Predictably domainers will hate this, privacy people will likely not like it either, anybody who has a vested interest in monetizing parked (or expired) domains won’t like it – but the average run-of-the mill web surfer who uses DNSAdvantage probably won’t miss all those parked pages in the least.

(continue reading...)

The odd story of Pacific Webworks (ticker PWEB) took another turn a couple weeks ago when a judge threw out Google’s claim that the company was behind those incessant “earn money from Google working from home” scams you see all over the internet. Now that they have this monkey off their back, they’re trading at a 1.02x trailing earnings.

(continue reading...)

As I mentioned in my article about domain investing, Live Current (ticker LIVC:OTC) hasn’t done a great job of championing the concept of building a new media company around a portfolio of “category killers”. We recently heard via DomainNameWire that the former CEO of Live Current has filed a lawsuit against the company, further adding to their woes.

(Continue Reading)

Not even sure why we did this other than "because we could", but try this:

Setup a txt record in your domain like this:



host IN TXT ""v=twitterstatus1 txthost twitterid"



And basically what happens is the last tweet from "twitterid" will be placed into the contents of a TXT record for "txthost" under your domain name.

Kind of like a tweet2txt or tweet2dns gateway.

So now in the above cases:



markjr@c3po:~$ host -t txt mark.jeftovic.net

mark.jeftovic.net descriptive text "Ok, about to announce tweet2txt or tweet2dns via the company blog...."

and



markjr@c3po:~$ host -t txt markwork.jeftovic.net

markwork.jeftovic.net descriptive text "Ok, the final word on DNS pricing is up (pricing for heavy use domains over 5 million queries per month) http://easyurl.net/dnspricing"



These get refreshed every 5 minutes.

This is of course, of no practical value at this point in time. But it opens the door to bridging the gap between your social network status and your personal domain's DNS and who knows, maybe somebody will do something interesting with that.

File under neat.

Gavin Brock posted a way to dynamically update your DNS for your (jailbroken) iPhone. This is the same Gavin Brock who wrote the DNS::EasyDNS Perl Module many years ago.

Introduction

This is the inaugural post of my new blog: The Web Value Investor, where I plan to write about applying a "value investing" methodology to web assets, internet companies and domains. Conventional thinking would suggest that the two are mutually exclusive. The Nasdaq bubble of 2000 and the current Web 2.0 phenomenon of "pre-revenue" companies gaining nosebleed valuations would leave us to believe this is no space for value investors. But there may be the odd value play to find out here in this space. Sometimes, value investing has nothing to do with publicly traded companies. We can approach any asset with a value mindset.

Continue Reading...

blackholes.uceb.org was an antispam RBL that shut down in 2008, but as with all RBLs, they tend to find their way into mail server configs and then ossify there.

It looks like whoever ran uceb.org decided that two years was enough and to let the domain lapse. Yesterday, the domain's registrar put the domain in a "pending delete or resale" status:

Domain ID:D84712302-LROR

Domain Name:UCEB.ORG

Created On:21-Mar-2002 11:13:47 UTC

Last Updated On:27-Mar-2010 08:19:20 UTC

Expiration Date:21-Mar-2011 11:13:47 UTC

Sponsoring Registrar:Network Solutions LLC (R63-LROR)

Status:CLIENT TRANSFER PROHIBITED

Status:AUTORENEWPERIOD

Registrant ID:DOMAIN-RESALE

Registrant Name:Pending Renewal or Deletion

and then, as is pretty standard operating procedure in cases like this: they wildcarded the domain's DNS.

That means for anbody who was still referencing blackholes.uceb.org in their mailer config, it wasn't doing much damage (or good) since July, 2008…until yesterday. Then they probably started rejecting ALL email because all addresses within *.blackholes.uceb.org now return true….

A bunch of years ago I had an idea for an espionage/action/thriller story where a bunch of mercenaries planned a coup d'etat against the regimes of either Columbia or Cameroon for the sole reason of gaining control over the country's top-level domain registry and making billions off of typo-squatting .COM.


Truth did kind of mimic fiction (minus the coup d'etat part) when Kevin Ham cut a deal with Cameroon to wildcard .CM root. Well now Columbia has decided to overhaul it's .CO root level domain and open it up to second level registations for non-locals.


.CO is being marketed ostensibly as 'Associated globally with the words "COmpany,""COrporation" and "COmmerce"', but let's face it, the activity in this TLD is going to be driven primarily by the fact that it's a typosquatter's wet dream for .COM and a goddamn headache for everybody else with a net presence built mainly under .COM.


As we've observed before (here and then here), most registrars like to whip their customer base into a frenzy to "grab your name" under every TLD that tries to tart itself up as some pseudo-generic and trots itself out as the latest "must-have" domain. Most of them aren't "must-haves" and a lot of them are quite frankly, a waste of time and money.


So it is with a heavy heart I have to come out and say this. If you're operating a serious net presence on .COM, you probably should go out and get the .CO version of your name, as much of a royal pain in the ass as that is/will be. Not to mention expensive. The base cost on a non-Columbian Sunrise claim will be somewhere north of $250 (non-refundable) and for landrush there will be a small non-refundable "application fee" but the first year registration will be over $200. Then after landrush, the cost will settle down to a more digestible level, only about 3 times the wholesale base cost of an actual .COM.


Nice work if you can get it.


We don't want to make a bad situation worse, but we won't work for free either, so we'll try to keep our markup reasonable.


What I am interested in is what our members think of this. If you have a few moments, please take the following survey on whether you will participate in .CO. For each response we'll donate $1 to the charity of your choice.


Feel free to comment as well.



Continue reading ".CO Domain Registrations are Coming. Will You Participate?"

From the earliest days of my investment education, I always liked Eric Sprott and his Sprott Asset Management. Sprott and his team are proven money managers and his Markets at a Glance commentaries are a great no-nonsense source of valuable insight.

As a tech guy, I was intrigued when I found some Sprott Asset Management 13G filings with the SEC that showed Sprott was taking a few positions in some (*gulp*) internet companies. Imagine that. Namely, Israeli start-up IncrediMail Ltd. (MAIL), an easyDNS customer Points.com (TSX:PTO) and Pacific Webworks Inc. (PWEB).



So the interesting one here is PWEB, but we have to take a bit of a tangent.




Continue reading "Sprott ditches stake in alleged Google-scammer."

My band has re-released our perennial family favorite "Have a Parkdale Hookers Christmas" on the band website. Phil had it re-mastered at the Laquer Channel and if I may say so, it sounds pretty kick-ass.



Seasonal Greetings to all.