Ongoing abuse of afraid.org domains


#1

There’s been two threads recently that are the result of a bad actor taking advantage of the fact that afriad.org domains are “shared” unless you pay:

  1. Weird behavior of rate limit
  2. Unknown Certificates against my domain

It seems that somebody is just mass generating certificates with random shared domain names with 100 SANs.

This seems like a bit of an abuse problem because of a few factors:

  • At least in one case, domain owners might not be aware that their domains can be used by others users, and are getting locked out of their own domains (in a rate limit sense)
  • The rate limit system is being subverted, the effective rate limit for this type of approach is multiplied by a large factor thanks to the availability of domains
  • The PSL has proven to be an ineffective tool for managing shared domains. Not-so-recently it’s become increasingly impossible to get listed.

I wonder where the best place for this to get addressed is?


#2

How do you mean “shared” and “their domains can be used by others”?

Do you really mean that if I register example.afraid.org (for example) and point the DNS A record to 127.1.2.3, another user can come and point that same hostname to, e.g., 127.4.5.6 ?

Or do you “just” mean, another user can register example2.afraid.org, so the base domain is shared?


#3

So, afraid.org provide free DNS hosting.

If you have a domain osiris.org, and use their authoritative nameservers on their free plan, then I, as an afraid.org user, can use (as in, create DNS records under) az.osiris.org for myself.

If you pay, you can make the domain “fully private”/unshared.

https://freedns.afraid.org/faq/#3


#4

There are actually people paying to register their own domain name, but use afraid.orgs free DNS servers? That doesn’t make any sense to me, honestly.


#5

Based on their registration/zone stats and the fact that this issue is coming up, I suspect that many users do not realize that their domains are shared.


#6

Well, if you read the about (https://freedns.afraid.org/about-us/), the whole “FreeDNS” project is about sharing…

If you don’t like the idea of sharing, don’t use FreeDNS of afraid.org :stuck_out_tongue:

By the way, afraid.org isn’t listed on the PSL, so using its services for Let’s Encrypt is a “gamble” anyway.


#7

Hi @_az

I agree, it’s a type of abuse / spam, perhaps phishing. There is a third thread (yesterday):

But: As written there:

But: This is a feature of afraid.org, not a bug.

So people shouldn’t use this service if they want to control their own domain.


#8

Why wouldn’t it? Just because you’re paying for one thing doesn’t mean you want to pay for something else. But this seems like a strikingly misguided (or just plain dumb) “feature” on afraid.org’s part.


#9

It’s a cost thing that comes up when the domain name reseller is crap, and either does provide an interface at all (they exist for some strange reason) or provide a horrible one. Over 10$ a year sounds small, but it isn’t so small when you add up all the about 10$/year and apply conversions into local currencies in much of the world and add in the administrative costs of dealing with the invoicing in small scale commercial settings.

Yes, I know the service does have value and that 10$/y is probably a fair price.


#10

That isn’t really the strange part.

This is the strange part… Why choose afraid.org for such a thing, when CloudFlare offers free authorative DNS services too? If I had to choose between some strange, unknown sharing-site or a global, well respected and probably well operated free DNS service, I didn’t hesitate.


#11

Probably because it’s the first Google search result for “free dns”


#12

I still don’t get it. When would you need afraid.org? Don’t have most places where you register a domain have their own DNS? I own a handful of domains but never needed to provide my own DNS.


#14

This domain doesn’t use afraid.org as name server:

nslookup -type=NS <redacted>.

<redacted>       nameserver = ns1.arvancloud.net
<redacted>       nameserver = ns2.arvancloud.net

So why do you think this is the same problem?


#15

I deleted the post you’re replying to. It was spam :frowning:


#16

I use the dynamic DNS service because I don’t have a fixed IP at my ISP.
In afraid.org registered free users can set share notify in preferences, which allows you to refuse sharing your domain. It’s not automatic, just respond to a notification email.
Just looking at the registry shows my domain has 5 hosts in use ???
WTF, I’ll find out what this means !!!

Osiris, Letsencrypt does work with afraid.org and has for quite a while (for me).


#17

Basic rule of thumb is separate the operators of your DNS registrar, your DNS name server operator, and your webhost, so one company cannot unilaterally kill your whole stack easily.


#18

@asteroza Well, if this is the only reason I don’t wholeheartedly agree with that. Every part is crucial. So instead of having one point of failure, you now have multiple parties which could do you harm if they wanted to. I’d rather suggest spending a couple bucks more and use reputable services you can trust. Extreme cheap or free services like afraid.org is just the opposite.
From a security point of view it’s true. If that one provider get’s hacked they have everything from you.


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.