Never buy .xyz

HumanPerson@sh.itjust.works to Selfhosted@lemmy.world – 140 points –

I just wanted to post this here because I want to help you all and hurt gen.xyz as much as possible. I had a .xyz domain through njal.la which I used to host jellyfin, homeassistant, and other basic things for friends and family. My domain recently became inaccessible without any notice. After a while of troubleshooting, I found that it had been reported to xyz as abuse, and they must have done zero investigation whatsoever before serverholding my domain. I thought about opening a ticket with xyz to get my domain back, but realized that I no longer wish to buy from some shitty company that will take down any site without warning. Bought a .com domain since they are somewhat reputable, and I would advise everyone here to never buy a .xyz domain. Angry rant over.

53

Just wanted to say in case others see this, you can buy a .xyz domain from reputable places (maybe for a higher cost). I believe the OP is talking about the specific site 'gen.xyz'.

I have an xyz domain with Cloudflare, host many things on it (like Jellyfin), and haven't had any issues yet.

Edit: as many have pointed out, my understanding of registrars was wrong and gen.xyz actually owns all xyz tlds. Sleep in fear if you own one I suppose

The thing is that gen.xyz is the registrar itself, i.e. the highest authority for this tld. If they blacklist domains, you're screwed.

gen.xyz controls all .xyz domains, even yours. Doesn't matter where you registered it.

Cloudflare can still go bad, but its usually for high-capacity users who are using way more than the average. I haven't seen any homeserver users get hit with any trouble, but I've seen a couple small businesses have bad situations with Cloudflare, although it honestly seems like the minority.

Cloudflare has issues but for most its probably fine.

From what I've seen/heard, if you follow the ToS (usually by not proxy-ing hosts that shouldn't be proxied or are in violation if they are) there's nothing to be afraid of ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

I bought from njal.la. they were almost entirely unhelpful but pointed me to the site for the tld. It appeared through their wording that gen.xyz who owns the xyz tld was responsible for taking the domain down. I bought my new domain through porkbun tho.

Njalla just buys domains from major registrars on your behalf and owns them on your behalf. Godaddy, Tucows, etc. It was the owner of the entire .xyz space (gen.xyz) who shut your domain down. Njalla is just passing along the info. Porkbun will do the same.

I know, but they didn't pass much info. They told me it was serverhold and nothing else. They could have at least said it wasn't them that did it.

Since its servhold, you may be able to remove the offending content (for a short time, anything public-facing) and then contact reg.xyz to get it unsuspended. You're right though that's not very good customer service.

On a related note, it's possible a misconfiguration allowed some of the contents or index to be shown publicly and it got caught in a search engine and was taken down in an automated DMCA sweep. I believe .xyz is an American registrar so have to respond to DMCA but could be wrong on that. I like to stay with any .TLD that archive uses.. md, ph, etc.

https://help.sav.com/hc/en-us/articles/11933048624923-Resolving-serverHold-on-Your-Domain

How expensive can "reputable" be. I got danhab99.xyz for like ¯⁠\⁠(⁠°⁠_⁠o⁠)⁠/⁠¯ $20/year?? Who cares

Namecheap is reputable and WAY cheaper than that. Been using them for years.

This is all news to me. I thought .xyz was owned by Google after they became Alphabet and had that ABC.XYZ site years ago.

Love when I see stuff like this and get to learn something new

Locks can happen by registrar (I.e.: ninjala, cloudflare, namecheap etc.) or registry (I.e.: gen.xyz, identity digital, verisign, etc.).

Typically, registry locks cannot be resolved through your registrar, and the registrant may need to work with the registry to see about resolving the problem. This could be complicated with Whois privacy as you may not be considered the registrant of the domain.

In all cases, most registries do not take domain suspensions lightly, and generally tend to lock only on legal issues. Check your Whois record’s EPP status codes to get hints as to what may be happening.

I'm on a new domain now anyway. I will be more careful on this one, but I suspect they just didn't look into it. I do really appreciate that you seem to be both knowledgeable and not an asshole. That seems to be a rare combination to find in this thread.

That’s the main difference between lemmy and early reddit. Reddit had good info from knowledgeable people, and moderation. Here it seems most are 8 years old with 0 knowledge talking shite. Voting to “prove their point”. Like downvoting your reply.

Sorry to see you got downvoted for saying something that Reddit did better than Lemmy. I think a lot (though probably not the majority) of lemmings as well as people invoiced in open source can't take criticism, especially of an open source project they care about. It is unfortunate as it negates a lot of the benefits of open source / free software.

I don’t care about internetpoints, and I’ve given up hopes for lemmy as a platform. There's too many subs compared to people, so people are smeared too thin out.

Reddit had soul back then. It was fresh, new, different. Lemmy is just a bleak copy of Reddit, missing quality content and people.

Sounds like an issue with your registrar more so than the domain authority?

Do you have any information to distinguish that?

Does anyone here know if they are the same entity?

I didn't get the domain through gen.xyz, they are the registry (not registrar) for the xyz tld. They are the ones who control every xyz domain which is why I warned against them.

They are indeed the registrar. Would have expected more.

They may be a registrar, but not the one I used. They were the registry that locked my domain.

I received so much spam and abuse of my network from .xyz domains that they are fully blocked in every conceivable way from being accessed or accessing my network.

I mean, a jellyfin server is typically full of copyright protected material. I also wouldn't expect them to notify you in advance, however they should still send some notice when they stop providing the service you've paid for.

It typically is, and I won't comment on whether mine is, but that isn't enough reason to take it down. I was quite careful about who I gave access to, as well as making sure people had secure passwords. It is highly unlikely that anyone got in and saw any copyright violation before reporting it.

Yeah, dude tried to open his own personal Netflix and is surprised it got taken down.

From post history he managed to keep it up for less than a month.

I'm betting by "friends" he meant either online friends he's never met, or people he wanted to impress.

So they gave zero fucks and handed it out to more people. Like, just the idea that you're giving it to so many people that you actually buy a domain?

There's a reason everyone isn't already doing it already.

I kept it up for more than a year. By friends I mean like 3 people I know in real fucking life, and I made them all set secure passwords. Way to assume the worst about people, it is a very healthy attitude to have.

This whole thread is depressing to read, full of corporate bootlickers putting blame on you.

Eh while it sucks, registrars and web hosts get so many abuse reports that sometimes they just err on the side of caution and don't investigate as thoroughly as you'd like.

Of course it also depends a lot on various things like what type of complaint, how much money you spend with them, account history, complaint source, etc.

They should be able to tell you what they had a problem with and give you a chance to fix it.

Also, don‘t use it for any mail servers. Spam Assassin gives a negative score by default on *.xyz domains. Stupid as shit, but I had to learn the hard way.

Xyz domains always look sketchy, sorry.

Agree. I just got it for fun and because it was cheap. I used it for my disposable e-mail addresses but now switched to .org

I know someone who had a Minecraft server which used a .net domain (most Minecraft servers do use .net, even one I hosted did) and he renamed it once and used an .xyz domain and it suddenly looked like a sketchy Russian porn site

Shit. I have my peraonal domain hosted on .xyz for email. Guess time to migrate. Any TLD suggestions?

Most email providers will automatically put emails coming from .xyz to spam. I'd advise against using any "new TLDs", if you can. But if you must, avoid those that are frequently used for spamming. A lot of spam detectors will already score your emails as suspicious just for the TLD.

See for example, https://github.com/apache/spamassassin/blob/trunk/rulesrc/sandbox/pds/20_ntld.cf

No wonder why some reported my mail fall into spam dispite I rarely sent any. God. I had it for almost 10 years already, and migrating would be painful.

Most of the entire internet cannot run without Cloudflare for a reason. Just buy directly from the source.

Cloudflare is not the source…

You can buy .xyz domains from places other than gen.xyz. I have mine from namecheap and I haven't had any issues in like 10 years with them.

I had mine through njal.la. It was the registry itself that locked it though. I switched registrar too after njalla took a long time to respond to my question with a vague, unhelpful, and short response.

I have mine through namecheap too, although the name server is from cloudflare now. The only issue i’ve had was some shitty forums preventing registrations from anything that wasn’t @gmail.com

Yeah the cheaper the domain the more likely it is for abuse to occur and your own domain to be lumped into that category.

It cost the same as my new .com one. It was the registry (not registrar) that took it down.