TLDs from donuts inc are a huge risk

I love donuts inc TLDs. They’re fun, easy to remember, and can give your business a memorable domain name. But unfortunately a combination of donuts inc doing no due diligence on abuse reports and a policy of removing domains after less than 10 abuse reports makes them nonviable for businesses hosting any third party content, and a huge risk for any business worried about malicious abuse reports from competitors and disgruntled users or employees.

Tom van Neerijnen
localhost.run

--

I’ll describe two scenarios in detail. The first is the one I found myself in, and the second is why I won’t ever use a donuts inc domain for a business or client again.

Hosting 3rd party content

I run a service that makes it super simple to put a local web app on the internet. Try it now, start a web app listening on port 8080 and run ssh -R 80:localhost:8080 localhost.run, you’ll get a domain on the internet that you can connect to to browse your local app from anywhere. Most peeps use this to develop web apps locally or test webhooks.

The vast majority of my users are awesome, but a small number of peeps use this service to put up phishing campaigns. I have automated machinery that mitigates this, but some last a few hours, and this is where my problems started.

I started receiving regular phishing complaints from a bank. I took this seriously and deployed an interstitial page in front of all free domains that made it clear to browsers that whatever was behind this domain was not their bank. I was quite pleased with this, the phishing reports stopped almost immediately, and the bad actor moved on from my platform quickly.

But then, without warning, my domain disappeared off the internet. donuts inc had placed my entire domain on serverHold. I checked my emails, re-read all the phishing reports, and nowhere had I received reports or warnings from donuts inc. They had done this silently, without any discussion or warning.

I checked this with my registrar, AWS Route53, and they took 8 days to even check the whois record, which is another concern, but when they finally checked on the serverHold I found out that donuts inc had received just 8 phishing reports, all for domains that were removed within 4 hours of going live on my platform, before silently placing the entire domain on serverHold.

I have been told by AWS that donuts inc will likely permanently remove my domain from the internet if there are more reports, and given my business involves hosting 3rd party content it is likely that I will have more phishing reports to deal with in the future.

Malicious actors

This is the most concerning attack vector and the reason that I believe donuts inc TLDs are nonviable for business. Given donuts inc does not do due diligence on abuse reports and will remove domains with low numbers of abuse reports, your business is open to malicious abuse reports.

Imagine for a minute that you have a difficult customer. Maybe they have made unreasonable demands of you, or maybe they have abused your service, and you’ve had to remove them from your service.

If your business uses a donuts inc domain they could file fictitious abuse reports against pages on your business website and have you removed from the internet without warning.

In conclusion

So many sites host third party content, and as I have discovered, this class of site will at some point experience abuse.

And even if you don’t host third party content, a fictitious abuse report is such an easy attack vector, and one that effectively blows up your store front on the internet either for multiple days or potentially forever.

donuts inc’s handling of abuse reports is far too much of a risk to take for anything that you need on the internet.

So which TLD is safe? Honestly, I have no idea yet. If anyone has any suggestions that they know with certainty have more sane abuse policies I would love some suggestions, comment on the article or drop me a message on twitter. I will update back here when I find a safer home for localhost.run domains.
