LOLDNS

Regrets, dear reader, but we all make mistakes. Especially with DNS.

There is some lengthy backstory that brings us here, but believe me, it's boring. And also believe me when I tell you that I needed to set up some MX records on my old domain--vincefalconi.com--but when I went to add the domain in DigitalOcean, it told me the entry already existed. Three times I looked at my tiny list of two domains in my DNS panel, convinced I was overlooking the thing that plainly was not there.

Listen, you and I both know you know what I did. But you and I both know why we're here. So I'm going to keep writing and you're going to keep reading.

I opened the domain in a tab. Got a warning that the TLS cert was bad and assumed that was because it was somehow getting this site's cert by mistake. No. No no no.

The domain was redirecting to a fake landing page for a well-known software product and linking to what I assume was malware. Don't click weird links. And if you do, only do it once. I'm not a role model.

I did a little dig-ging and saw the domain, which I still controlled, was pointing to a DigitalOcean resource I did not control.

See, we both know. Go on.

Midway through 2019, I moved this site from vincefalconi.com to this clever tattooed.dev domain we're meeting on today. At some point in late 2022, chasing the high of perfect Lighthouse scores, I moved my site to Netlify and thought "Oh, let me shut down everything in DO, no need in running that server anymore, might as well clean up the DNS, too..."

So I deleted the DNS records. All of 'em.

[Image: Madeline Kahn as Mrs. White in the movie "Clue" declaring "Yes, I did it. I killed Yvette," with "killed Yvette" crossed out and replaced with "broke DNS."]

I left vincefalconi.com pointing at DigitalOcean's nameservers, without anything in DigitalOcean configured to respond.

If you're unfamiliar with DNS, I suggest checking out Julia Evans' wonderful explainer zines and comics. Start with this one. For our story, here are three things about DNS I would like you to understand:

First, nameservers tell computers where a domain should route. If a domain is delegated to a nameserver, but that nameserver hasn't been configured with any records for the domain, nothing happens until someone adds those records and tells it what to do. There's nuance, but that's the gist of it.

Second, generally speaking, when using a hosted DNS service like DigitalOcean's, your DNS records are not editable by others, but they are lumped together with everyone else's records because the nameservers are shared rather than account-specific. Everyone uses ns1.digitalocean.com, etc.; you do not get vinces-awesome-DO-account-ns1.digitalocean.com, etc.

Third, you can add records for any domain you want, even if you don't own it. Nothing happens unless someone points their domain at that nameserver, and DNS itself has no reliable way of checking that whoever added a record actually controls the domain it answers for.

Combine these three ideas and gasp with me, won't you?

Someone found my old domain was still pointed at DigitalOcean but returned no DNS records, so they added one for it and that's how you get malware. If you clicked the link. Which I didn't do. And neither did you. Because we are making good choices for ourselves.

DigitalOcean was great to work with to get control of the DNS records. I didn't think I'd hear back because my account is pennies by comparison, but they had it resolved same day. This is not sponcon.

Do you have a bunch of domains just sitting somewhere, not doing anything? It's probably a good idea to take a few minutes and make sure they aren't pointed somewhere you don't control. And if the domain is truly inactive, I don't see an issue with just removing the nameserver entries for it entirely, but our situations are not the same.
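One quick way to do that check, as an added example that is not from the original post: send an SOA query straight to each nameserver the domain is delegated to and look at the answer. A hosted nameserver that has never been told about the zone typically answers REFUSED, or at least without the authoritative-answer (AA) bit set; either way the delegation is dangling, which is exactly the gap the three ideas above describe. The domain and nameserver names are assumed to come from your registrar's settings, and the response packets at the bottom are constructed for offline testing, not captured traffic.

```python
import socket
import struct
import sys

QTYPE_SOA, QCLASS_IN = 6, 1

def build_query(name, qtype=QTYPE_SOA, qid=0x1234):
    """Build a minimal DNS query (RD set, one question) for name/qtype."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)

def classify_response(resp):
    """Decode only the 12-byte header: enough to tell whether the server owns the zone."""
    if len(resp) < 12:
        raise ValueError("truncated DNS response")
    _qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    authoritative = bool(flags & 0x0400)          # AA bit
    if rcode == 5:
        return "refused"                           # server will not serve this zone at all
    if rcode == 3:
        return "nxdomain"
    if rcode == 0 and authoritative and ancount > 0:
        return "authoritative"                     # server really hosts the zone
    return "not-authoritative"                     # e.g. empty or recursive-style reply

def is_dangling(resp):
    """True when the delegated server does not actually serve the zone."""
    return classify_response(resp) != "authoritative"

def query_nameserver(server, name, timeout=3.0):
    """Send the SOA query directly to one delegated nameserver and return the raw answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (socket.gethostbyname(server), 53))
        return sock.recv(4096)

# Constructed header-only responses used to exercise the classifier offline (not real captures).
REFUSED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)        # QR RD RA, rcode=5
AUTHORITATIVE_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)  # QR AA RD RA, 1 answer

if __name__ == "__main__":
    # usage: python3 dangling_check.py yourdomain.example ns1.digitalocean.com [ns2 ...]
    domain, servers = sys.argv[1], sys.argv[2:]
    for server in servers:
        verdict = classify_response(query_nameserver(server, domain))
        flag = "  <-- dangling delegation" if verdict != "authoritative" else ""
        print(f"{server}: {verdict}{flag}")
```

Run it against every delegated nameserver your registrar lists; any verdict other than "authoritative" means the zone is not actually being served there.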

If you find that your domain's DNS records have been hijacked, my humble recommendation is to report it to whatever service is hosting the records and follow their guidance. I wasn't worried about breaking anything because vincefalconi.com was low traffic even before I stopped using it, so I changed the domain's settings in my registrar while I waited on DO to intervene. You may not have that luxury, so it's best to work with the people and the service closest to the records.