Introducing Cloudflare Registrar (cloudflare.com)
527 points by jgrahamc on Sept 27, 2018 | 248 comments



I wouldn't have cared much about domain name registrars just a week ago, but after what happened at Zoho, and all the horror stories in the comments section about Namecheap and others, Cloudflare Registrar couldn't come at a better time.

I really wish Cloudflare at least made $1 or $2 gross profit per domain. Who pays for domain registrar support? I would much rather be a "customer" than not be sure where they are making money from my domain.

P.S. - If those were wholesale prices, do other companies get heavy discounts for signing up in bulk? How do other companies make money when they are selling it for $0.99 or $6.99?


Interesting that no one here has mentioned Google Domains:

- It has no up-sells

- I trust Google's security more than Cloudflare's

- It has decent customer support, unlike some of Google's other products


Last time I looked at their Terms of Service it appeared that losing your Google account would cause you to lose access to all services. It's not good to put all your eggs in one basket. With that being said, I've used Google Domains as well and haven't had any issues with it.


Using an independent registrar is basically your only insurance in order to keep control of your domains. So it's like putting your nuts in a vise with an RNG controlling the lever. Who wouldn't like to save a few cents though? =)


This. I lost access to an email address and when Google asked me to check email for accessing it from a new device, I could no longer get in. It asked me when I signed up but of course I couldn't answer it properly.

And it's another step to showing what you're related to, to Google. It would be better if you want Google to build up your online figure on behalf of you.


Aside from the price, one very good reason to be interested in CloudFlare as a registrar compared to Google Domains is that CloudFlare supports CNAME flattening [1] so that you can use a CNAME instead of an IP address for an A record (AKA "ALIAS" on DNSimple or Route53).

I'm using Google Domains right now, but have been using CloudFlare to host my DNS for ages for this reason alone. I'll think about transferring my domains to them when the time comes to take one service out of the equation.

[1] https://support.cloudflare.com/hc/en-us/articles/200169056-C...


I second this. I have my domain instantfloppy.net hosted on GDomains and use Cloudflare for DNS but I'm going to transfer "mid-November" for sure. I wholeheartedly trust Cloudflare. They've shown their commitment to privacy and I don't understand what their endgame is but I want to believe they support a better Web.


I believe when 90% of people feel this way, they turn bad.


Yeah, it's naive, but it's the best solution there's been for quite a while. I just really hope this is good.


Note that if you're CNAMEing to something that is doing DNS-based load balancing or geo targeting, introducing flattening in the middle may reduce the ability of your provider to do those things.
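As an added illustration of the two points made above (flattening lets an apex name point at a CNAME target, and the flattening server resolves that target from its own vantage point rather than the client's), here is a toy model in Python. This is not Cloudflare's implementation and not code from the thread: the zone, the provider hostnames, the addresses and the "eu"/"us" vantage points are all constructed, and a real server would query upstream DNS instead of the in-memory table.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str   # owner name, fully qualified
    rtype: str  # "A" or "CNAME"
    value: str  # IPv4 address or CNAME target
    ttl: int


# Constructed zone: the operator wants the apex to follow a provider hostname.
# Real DNS forbids a CNAME next to the apex SOA/NS records, so a flattening
# server never serves this CNAME; it resolves the target and serves A records.
ZONE = {
    "example.com.": [Record("example.com.", "CNAME", "edge.provider.example.", 300)],
}

# Constructed upstream data: the provider chains edge -> lb, and the lb name
# answers differently depending on where the *querying resolver* sits.
UPSTREAM = {
    "edge.provider.example.": {
        "eu": [Record("edge.provider.example.", "CNAME", "lb.provider.example.", 120)],
        "us": [Record("edge.provider.example.", "CNAME", "lb.provider.example.", 120)],
    },
    "lb.provider.example.": {
        "eu": [Record("lb.provider.example.", "A", "198.51.100.10", 60)],
        "us": [Record("lb.provider.example.", "A", "203.0.113.10", 60)],
    },
}

Lookup = Callable[[str, str], List[Record]]


def upstream_lookup(name: str, vantage: str) -> List[Record]:
    """Answer as the provider's geo-aware nameservers would for a resolver at `vantage`."""
    return UPSTREAM.get(name, {}).get(vantage, [])


def zone_or_upstream(name: str, vantage: str) -> List[Record]:
    """What a resolver sees: our zone for our names, the outside world for the rest."""
    return ZONE.get(name) or upstream_lookup(name, vantage)


def follow_chain(name: str, lookup: Lookup, vantage: str,
                 max_depth: int = 8) -> Tuple[List[Record], Optional[int]]:
    """Follow CNAMEs from `name` until A records appear.

    Returns the A records and the minimum TTL seen along the chain (the
    synthesized answer must not outlive any link of the chain). Raises
    ValueError on a loop or an over-long chain, which resolvers also refuse.
    """
    seen = set()
    current = name
    min_ttl: Optional[int] = None
    for _ in range(max_depth):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        records = lookup(current, vantage)
        if not records:
            return [], min_ttl
        cname = next((r for r in records if r.rtype == "CNAME"), None)
        if cname is not None:
            min_ttl = cname.ttl if min_ttl is None else min(min_ttl, cname.ttl)
            current = cname.value
            continue
        a_records = [r for r in records if r.rtype == "A"]
        for r in a_records:
            min_ttl = r.ttl if min_ttl is None else min(min_ttl, r.ttl)
        return a_records, min_ttl
    raise ValueError(f"CNAME chain from {name} longer than {max_depth}")


def flatten_apex(qname: str, server_vantage: str) -> List[Record]:
    """CNAME flattening: the authoritative server resolves the chain itself, from
    its own vantage point, and answers with A records owned by `qname`."""
    a_records, ttl = follow_chain(qname, zone_or_upstream, server_vantage)
    return [Record(qname, "A", r.value, ttl) for r in a_records]


def resolver_follows(qname: str, client_vantage: str) -> List[Record]:
    """No flattening: the client's own resolver follows the chain from where it sits."""
    a_records, _ = follow_chain(qname, zone_or_upstream, client_vantage)
    return a_records


if __name__ == "__main__":
    # A client in "eu" asking a flattening server whose resolver sits in "us"
    # gets the "us" address; following the chain itself it would get the "eu" one.
    print("flattened (server in us):", flatten_apex("example.com.", "us"))
    print("resolver follows (client in eu):", resolver_follows("example.com.", "eu"))
```

The comparison at the bottom is the caveat from the comment: the provider's geo answer is chosen for the flattening server's location, and the client never gets to ask from its own. The TTL on the synthesized record drops to the smallest TTL in the chain, which is the other cost of flattening that is easy to miss.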


What is the alternative for a root domain A record? You are saying use a direct ip to the load balancer instead?


If you want dns based load balancing on the root domain, you really have to delegate that domain to your DNS based load balancing service.

Otherwise, set up a couple stable IPs to redirect to a subdomain and nothing else. (I'm comfortable putting two quality machines in different data centers for this, but you can use a load balancer if you have access to a quality load balancer). If all of your published urls have www (or m) and all of your inbound links have it too, it's not really a big deal if the root domain is unreachable for some time in the event of a server/load balancer/datacenter failure.


Would it really be that hard to update DNS so that CNAMEs on non-leaf domains actually worked? Sure, IoT devices might never update, but I’m not sure that actually matters.


If you got the rfc changed today, I suspect you wouldn't be able to reliably use it for about 20 years. 5 years for everybody to pick it up in new software, 5 years for new hardware to not be shipped with the old software, and 10 years for all the old software and hardware to die out.

And all for what? So you can cname example.org instead of www.example.org? Doesn't seem worth it. Also, consider that in 20 years, we're likely to consider IPv6 only servers, and a host can more easily offer you an IPv6 IP that they can commit to serving your traffic for a long time on. It's a lot harder to be flexible with IPv4 addresses.


... but that would be a misnomer? Because CNAME is Canonical Name, not Alias.


Google Domains is only available in 15 countries[1]. Also, I wouldn't use a personal Google account to register a domain name for a company.

[1] https://support.google.com/domains/answer/4639612?hl=en


FYI: You should never use any personal accounts for any company account. There have been horror stories about AWS accounts associated with Amazon retail accounts too.


That's exactly what I meant.


From a quick look at https://domains.google, it seems like all domains start at $12/year. That's definitely not wholesale.


Also free reliable email forwarding.


> How do other companies made money when they are selling it for $0.99 or $6.99

Private Whois, Email, Hosting, SSL, etc offered as up-sells

Article actually addresses this:

"With a good idea on how to build a more secure registrar we asked our customers what they hated about their current registrar. Two phrases kept coming up: "bait and switch" and “endless upsell.”"


With GDPR in effect, it seems a lot of registrars are giving private Whois away for free now, and Let’s Encrypt is cannibalizing SSL certs, not leaving a lot of opportunity for upselling high margin services to offset razor thin domain margins.

I anticipate consolidation, most likely around providers like Cloudflare, Google, and Amazon, where their costs are minimal and it’s a loss leader.


when the domain renews it charges full price in many cases.


> I really wish Cloudflare at least made $1 or $2 Gross Profits per domain.

It makes sense not to charge for something that is not your core product and drives the customers to your core product, when that something is a low-margin business, and your core product is a high-margin business.


I thought namecheap was one of the better ones around? I'm looking for a domain registrar. Could you share the link with the namecheap horror stories? Thanks


Namecheap is crappy even in the day-to-day context. I had a domain that I had registered with them for about 3-4 years. Suddenly I started getting notices that I needed to verify my contact information, due to their policies about "new" domain registration. Every time they sent the reminder, the deadline moved back accordingly. Only it didn't - the domain was shut down on the first date.

Even transferring out was a hassle. I had privacy service, and namecheap sends the confirmation email to the proxy address, and not your actual contact address. They also spam filter the service so aggressively that you won't receive their transfer confirmations...sent FROM namecheap. Luckily, the transfer completed at the end of the window.

Their hosted email stinks, too. They spam filter it pretty hard and nothing you can do can effectively whitelist emails.

My impression is that they focus on not doing anything actively evil too often, and respond to just enough social media posts to give the impression they're responsive.


Email verification isn't a Namecheap thing, it was an ICANN thing, it happened to every domain provider.


I neglected to mention this happened only a few months ago, after the domain had been quietly and happily registered for several years. Unless you're saying ICANN changed the rules recently, but I'm having trouble finding a record of that.


There was a requirement in 2014 (I think?) and recently they updated it in 2017. I think people that weren't meeting guidelines started getting notices from registrars around that time. A few clients of ours had this happen to them from everyone from GoDaddy to Network Solutions to NameCheap. Some organizations that had their emails set to go to a person that no longer worked at the company were having their domains suspended...but it was all because of ICANN.


> namecheap

I got a free domain with Github student pack from Namecheap. Just my personal experience, the person I talked to seemed very helpful and kind. However, the multiple rounds of talking to a real person to register a domain makes me think they don't have nearly enough automation which is a red flag.


If you are using PrivateInternetAccess, you can't login to your NameCheap account. As in, your valid username and password will be rejected. This happens even if you have 2fa enabled. I reset my password twice (even though I _knew_ the original because I use a password manager) before I opened a support case, and they confirmed that they block legitimate logins if they detect you're using a VPN.

I wanted to move off of them, but everyone else is worse. CF Registrar is interesting, but there is precedent for CF revoking its services from non-abusive customers before (whatever that alt-right site was) so I don't think I will support them either. I heard Gandi is good so I might check them out.


> CF Registrar is interesting, but there is precedent for CF revoking its services from non-abusive customers before (whatever that alt-right site was) so I don't think I will support them either.

Don't make claims that CF secretly supports your politics, I guess. I think that's enough of a corner case not to worry about.


Gandi is good, I think the site upgrade is done now so there won't be much clunkiness for new domains. They're more expensive than most, but I've had no problems. I only use their DNS though, I can't comment on mail, mail forwarding or hosting.


Gandi are nice to you until you move your domain somewhere else, at which point they will immediately drop the privacy on your whois record until their version expires, as a nice parting gift. I complained to their support when that happened and they basically lied to my face, pretending to see only the new registrar's whois. Caveat emptor.


Ah shit. Thanks for the heads up.


I've had the opposite experience with them. Things not working correctly, and beyond useless support, who can only be contacted by email and often take 24-48 hours to respond to even simple queries. I would stay away from them.


It's sad domains are stupidly expensive. They don't need $10+/year to maintain a domain. The sad reality when such an infrastructure is governed by a tree structure with no one to override.


Gandi's "No bullshit" slogan is far from correct. I had someone harassing ICANN on me with a domain they wanted, and Gandi kept requesting identity verification every other day. They wouldn't keep it on file, and locked my account.

Stay far, far away.


That may have caused my headaches with Namecheap once actually. I've stopped using PIA due to the IP ranges being so abused, the final straw was my gmail getting randomly disabled for using that VPN (wasn't even logging in from different PC).


That was a pretty awful site and the ceo did say that it was kind of the wrong decision but the right choice so I support them 100% on that. They still have lots of bad customers who they still handle.


I'd say give namesilo.com a shot.

$8.99 .coms as a base price, free whois guard for life, solid support and no up-sell spam or BS.

I moved almost all of my domains there over the last year'ish.


Everything about Namesilo is perfect except their terrible website. That's a downside I can live with. I also highly recommend them.


I love Namesilo and have been using them for over a year with no hiccups.

However, they were acquired by a Canadian investment firm earlier this year [1]. Till now there's been no change and things are still running smoothly — I just hope that continues.

[1] https://coupontree.co/namesilo-was-sold-for-9-5-million/


Thank you for the info. I did not know that.

Also, on closer inspection today, I realised that Namesilo does indeed increase renewal fee after the first year. The fee stays the same thereafter, and it's still the cheapest around, but it's worth keeping in mind.

I caught onto this when I realised their registration price is actually below the wholesale cost for .com domains, according to this Cloudflare blog post.

I might move my domains to Cloudflare when they make this available.


What price did you get your first year at?

If it was with a coupon then I could see it being bumped up but if you get it at $8.99, it will be $8.99 the next year and all years forward.


All .com domains are $6.99 for me. Have been for at least 6 months. That's not the case for you?

Edit: I do have many domains with them. I register new ones semi-frequently.


They are $8.99 for me for 1 year at a time. I have 7 domains with them but I didn't opt into their "discount program" (which required pre-funding your account at least $50 instead of using a CC / PayPal on demand). That's the one that drops them to $6.99 as seen here: https://www.namesilo.com/Support/Discount-Program

It does mention the renewal price is $8.89 (which is about the normal price) if you click the renewals tab.

I don't think I would put this into the same category as a bait and switch tactic that other vendors do. This one is all spelled out on the page and it's not part of the check out process. You have to go out of your way to discover and opt into the discount program.


I didn't opt in to the discount program. I have never preloaded anything.

I checked today and it was actually pretty difficult to find what the renewal prices would be. Partly because the website is awful.

I didn't say it's a bait and switch. Even the renewal prices are outrageously cheap. I have no bad feelings towards Namesilo. My intent to move to Cloudflare is not because I'm unhappy with Namesilo.


Interesting. I wonder how else you're getting that discount on a regular basis.


It is interesting, but I'm not one to look a gift horse in the mouth.

Also, I don't buy domains all that often anymore but I have heaps on renewals, so there is actually very little benefit to me.


I also moved to namesilo last year after several years of goDaddy -> namecheap -> godaddy renewal pong. For 6 domains it's just not worth my time to change (which they rely on to fleece you.) Worked it out I spent about 1hr to change, $7-$8 with coupons, so $7.50 avg, or $1.50 vs namesilo per domain. That's $9 for an hour, no thanks - namesilo from now on.


I used to use namecheap for all my stuff but they went a bit downhill. Their API was worse than useless and so rate limited I couldn't use it for Lets Encrypt DNS challenges in the end, so moved them all.

I wonder what the coverage is from CF for 'odd' tlds? I've got a .je domain that I had to register with gandi.net as no other big ones supported it.

After I moved my domains from Namecheap I wanted to close the account, rather than leave it dormant, and it took a week as support were so anal about the fact I had 1) some 'free' SSL certificates I had no intention of ever using and 2) 0.56UKP in my account I didn't care about but they wanted to transfer via Paypal to me. I appreciate the thorough nature of this, but I'd rather just close the account.


Am I just misremembering, or was there a time where the only way to register a .je was direct through island networks? I used to live there, and recall the domains always being a bit of a pain.


You're correct and they're a proper tinpot organisation. Only other one I could find was gandi.net. £80 per year is horrendous too...


I think [0] is the article in question; just search the page for the namecheap comments.

0. https://news.ycombinator.com/item?id=18059792


It seems like it was just a handful of users who posted their story multiple times. The users highclass, ethanwillis, kweks all had multiple comments only about namecheap on a thread that wasn't directly about namecheap.

Can I get more horror stories to confirm those are real? It's unfortunate because namecheap used to have the exact opposite reputation: https://news.ycombinator.com/item?id=3396606


I switched to namecheap during the godaddy exodus. Multiple times in the last 30 days they have disabled domains due to requiring whois contact verification. In one case the same domain being disabled 3 times in a row. Each time I'm assured it will not happen again and yet it does. And when it happens, not only do they change your DNS servers but they wipe out all your host records if you use their DNS service so you have to either rebuild your zone or stay online with support for hours while they restore everything. I've also had them revert a domain's DNS servers so that it is parked on an "expired" domain landing page before the domain was expired. I have a client that has also had their domain repeatedly switched to whois validation required this year. The only explanation I've been given is that it was a "system glitch" and won't happen again.

Seems likely that some of the issues might have been related to them switching from being an Enom reseller to their own direct ICANN accreditation but I'm still planning on migrating my domains out.


I have used them for years and never had a problem. However, they are slowly creeping their prices upward. .com is now a little over $13.00 and they just this year made domain proxy (hiding your contact info on whois) free.

I have been moving my stuff to porkbun.com. They are US based and $8.84 for a .com. Cloudflare is an interesting offering, although as of right now, it's not actually launched and it appears that you are required to be routing all your traffic through cloudflare to be able to use their registrar service. I don't know if that is a permanent requirement or just for now though.


it appears that you are required to be routing all your traffic through cloudflare to be able to use their registrar service.

Why do you say this? You can already use their DNS service without routing your traffic through Cloudflare, so it'd be weird that domain registration required that.


Yay for porkbun.com! My office is near theirs; nice people, great price. The admin site is pretty bare-bones, but I've never had a problem with it.


I've had namecheap for about 5 years, no complaints other than their 2FA requiring their own app for TOTP instead of supporting Authy. Moving to Cloudflare Registrar when it's released.


Biggest problem with them is the 2FA. I had to let my domains expire with them after I lost my phone and couldn't log back in. I just want to use freeOTP to get my 2FA codes and nothing else.


I was one of the upvoted posters there. TLDR: I was issued couriered C&Ds to a postal and email address only used on Namecheap.

The attacking party had no court order, subpoena, judgement, etc.

Ted from namecheap asked me to email him. He confirmed legal had received the complaints, but said they hadn't replied.

He hasn't replied to my email since (3 days ago) to offer any explanation how the attacking lawyers got details on in NC.

YMMV, but it is a real issue, which cost me just under 2k in legal fees to unwind. I am definitely moving away from NC, sadly, after 10 years.


I had one of the worst customer support experiences I can remember with Namecheap that also involved private information disclosure. It was immediately after they had launched a "redesign" of their system (actually, a Frankenstein of some pages being new, the majority of the system being ancient).

It seems like they had a bug where in some cases they discarded the WHOIS information provided and used the billing details instead. Not only did they disclose private information, they endangered a white label contract I was working on.

Bugs are understandable, especially after redesign work, but the biggest problem came afterwards – customer support were useless. First they insisted it was user error and I simply hadn't entered the right details (I'm 100% certain that's not true). Then they claimed that they were unable to update the WHOIS information because they were just a reseller, so they had to forward my support request on. They refused to take responsibility and couldn't get anything done.

At this point they were taking weeks to respond to every message, even after promising a response within 24 hours. I even asked them for a response even if it was just "we asked again and no reply" which they agreed to then ignored. They wouldn't provide contact details for support at their supplier, they wouldn't escalate to anybody who could do anything, their whole attitude was to ignore me as much as they could and (presumably; I have no evidence of this) email their supplier once in a while when I annoyed them enough.

Meanwhile I had no explanation to give to my client, for over a month. We gave up on the domain. Once I stopped chasing, Namecheap never bothered following up. Namecheap could never fix the problem.

Until that point, I had recommended Namecheap many times. Now I warn people away from them. Now I hesitate to recommend any service until I've used their customer support. I still see plenty of glowing recommendations for Namecheap. I wonder how many of them are from people who have never had to use their customer support.


I am Namecheap customer for several years.

I have used their support two times, but it was an easy transfer request somehow not handled automatically.

Your story is horrible. I wonder if they care to comment.


Just had a follow up from Ted. He says that legal received a complaint but ignored it, and perhaps the leak vector was via historical whois data. Historical whois data says otherwise. Hard to draw a firm conclusion apart from the facts.


Hey, I just replied to your email. Wasn't ignoring you just wanted to get all of the facts.


Just curious, where are you going to move to?

If someone really wanted to sue you, it's pretty cheap to issue subpoenas (<$100). The provider can quash the subpoena on the customers' behalf[1] but I don't know any who does.

[1] https://en.wikipedia.org/wiki/Doe_subpoena


I am considering moving to CF. The problem that I just learnt is that essentially any SaaS provider has an AUP that says: If anyone accuses you of IP Infringement, you're gone. In theory, this seems fine - because unless you're a Bad Person, you'd never infringe someone's IP.

In our instance, our service providers received a swath of C&Ds electronically, alleging IP infringement.

Within 24 hours, our various services providers had disclosed personal information, cut off services, blocked payments.. all based on an unfounded email.

The legal system is based on due process. This process should be respected. If my service provider gets a legitimate subpoena, I expect them to react.

However, I don't expect them to divulge personal information and cut off services based on an unfounded email. It's really, really nuts how quickly you can lose your business / take down someone else's business..


I've been very happy with iwantmyname.com


Seconding iwantmyname for their no-nonsense UX. Been a happy customer for 4 years.


Some things off the top of my head (personal experiences):

1. Have had them turn off private WHOIS for all (hundreds of) domains "by accident".

2. I haven't figured out a way to export a list of domains after their UI revamp some years ago.

3. At some point they started setting DNS records for newly purchased domains to their landing page with a 30 minute TTL, which makes setting up something on the fly impossible, unless you use their API:

4. Their API is flaky at best. I wrote a script to register domains and set NS records and was forced to write a loop to set NS records up to 10 times until they got set properly.


not sure about horror stories but IIRC namecheap only supports SMS 2-factor, which is insecure and not recommended by NIST

namecheap also can't handle standard 410 character DKIM records from gsuite since their internal DB only allows 256 character records


I ran into this same issue a few days ago where I needed to enter a long DKIM key into AWS Route53. Some providers might handle it differently, but this is an inherent DNS protocol limitation. You can split the string into multiple substrings, separated by a space. E.g. "long string..." => "long st" "ring...".
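As an added example for the two comments above (the DKIM record that is too long for one field, and the split-into-quoted-substrings workaround), here is the splitting, zone-file rendering and reassembly in Python. This is not code from the thread or from any registrar: the 255-octet limit per TXT character-string is the one in RFC 1035, the rule that a DKIM verifier concatenates the strings with no separator is from RFC 6376, and the sample key below is a constructed placeholder ("A" repeated in place of a real public key) sized to the 410 characters mentioned above.

```python
# RFC 1035: each <character-string> in TXT RDATA is at most 255 octets.
MAX_CHARACTER_STRING = 255

# Constructed sample (NOT a real key): "v=DKIM1; k=rsa; p=" is 18 chars,
# plus 392 filler chars, giving the 410-character value discussed above.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392


def split_txt_value(value: str, max_len: int = MAX_CHARACTER_STRING) -> list:
    """Split one logical TXT value into character-strings of at most max_len octets.

    DKIM values are ASCII, so splitting by character is splitting by octet;
    a non-ASCII value would have to be split on its encoded bytes instead.
    """
    if not (1 <= max_len <= MAX_CHARACTER_STRING):
        raise ValueError("max_len must be between 1 and 255")
    if not value.isascii():
        raise ValueError("this splitter only handles ASCII TXT values")
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def to_presentation(chunks) -> str:
    """Render chunks in zone-file syntax: space-separated quoted strings,
    escaping backslash and double quote inside each string."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace('"', '\\"')
    return " ".join('"' + esc(c) + '"' for c in chunks)


def from_presentation(rdata: str) -> list:
    """Parse zone-file TXT RDATA (quoted strings, optional whitespace between
    them, backslash escapes inside them) back into its character-strings."""
    chunks, buf, in_quote, i = [], [], False, 0
    while i < len(rdata):
        ch = rdata[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(rdata):
                buf.append(rdata[i + 1])   # escaped char is taken literally
                i += 2
                continue
            if ch == '"':
                chunks.append("".join(buf))
                buf, in_quote = [], False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quote = True
        elif not ch.isspace():
            raise ValueError(f"unexpected character {ch!r} outside quotes")
        i += 1
    if in_quote:
        raise ValueError("unterminated quoted string")
    return chunks


def dkim_value(chunks) -> str:
    """What a DKIM verifier does with a multi-string TXT answer (RFC 6376
    section 3.6.2.2): concatenate the strings with no separator. Rejects any
    string a nameserver could not have encoded in the first place."""
    for c in chunks:
        if len(c.encode("ascii")) > MAX_CHARACTER_STRING:
            raise ValueError("character-string longer than 255 octets")
    return "".join(chunks)


if __name__ == "__main__":
    parts = split_txt_value(SAMPLE_DKIM)
    rdata = to_presentation(parts)
    print(rdata[:80] + " ...")
    print("round trip ok:", dkim_value(from_presentation(rdata)) == SAMPLE_DKIM)
```

The check worth keeping from this is the last function: when a provider's UI silently truncates or refuses a long value, comparing the concatenated strings served by DNS against the key you meant to publish is the quickest way to tell whether DKIM verification will fail.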


They also apparently support 2fa using just their app. REALLY wish they'd allow 3rd party.

They used to be amazing but recently their site has been slow and buggy with support trying to be helpful but ultimately falling short. Their prices seem to have also gone from being really good to just normal.


I don't think there is a bulk discount but prices vary by tld.

Base rate for a .com is around $8 plus a small icann fee. If anyone is selling it for .99, they are simply eating the cost in order to earn a long term customer.

In this case with cloudflare, I'm sure the point is, like their other products, to offer the free service as a gateway drug to their profitable enterprise products. They have an Enterprise registrar service that is pretty pricey.


Do cloudflare want to be registrar for other foreign TLDs in the future?

I would love to see them support TLDs such as .dk, .de, .it etc. That way both me and my clients could begin consolidating domain registration in one place, instead of using expensive and shitty domain registration management services. Harder ones, like Tonga (.to) or Greenland (.gl) would be nice to have as well, but I don't think it's feasible (or possible even) to integrate with all countries.


Yes, we do.


Any chance of allowing more TLDs for the registration process? My TLD of choice for e-mail (.Industries) is considered illegitimate when attempting to register for Cloudflare.


Can you contact our support team? All legitimate TLDs should be able to register on Cloudflare.


Is there an e-mail? I tried looking, but the contact form I found required me to register, and thus looping back to my original problem.

Could it be I'm using an alias of Cloudflare@mydomain.industries?

Edit: Attempting "cf@domain.industries" and receiving the same error. Assuming you're accepting .industries registrations, it could very well be my corporate firewall blocking requests to something. I'll attempt again this evening from home.


I'm still in line myself, but any idea if transferring a .bot TLD is possible? Right now amazon seems to only allow Encirca to be the registrar for those domains since it's not technically in any kind of open access right now.


Hell, yeah. Get into hosting next. Destroy the whole internet. It's what the 'competition' deserves.


Is this sarcasm?


Presumably, but they have a poorly-articulated point -- Cloudflare has an incredible potential for (even unintentional) destructive effect based on their extreme consolidation and centralization of internet technologies. I think a terrific example of this is when they put a DNS server on 1.1.1.1 (in historically unused address space which was assigned to APNIC for research purposes), got a certificate for the IP address, then added that certificate to the Chrome HSTS preload list, meaning people who ended up on captive portals on 1.1.1.1 (and there are a _lot_ of them) couldn't access the internet, because instead of observing what people _actually_ do and paving the cowpaths, they took the point of view that acting against the standards was punishable, and the people being punished are nontechnical folks visiting hotels and airports who are using a modern browser (it has since been removed from the preload list, but if you're foolish enough to visit the site you'll still get HSTS-poisoned).

An even better example, of course, is Cloudbleed, but I guess we've all agreed to pretend that never happened?


Thank you for articulating these points, agreed. They seem to have an insatiable desire to "become" the internet. I also find it bizarre that their CTO submits every single one of their blog posts to HN. This is the 16th Cloudflare blog post they've posted to HN this week. You would think they might have a marketing budget.


457 upvotes and 212 comments in less than 20 hours would suggest there is legitimate interest in this announcement.

You are correct that their CTO has submitted 16 posts this week (not all of them from their own blog), but I don't see the harm in that: less than half of them attract any comments at all and quickly slip beneath the waves.

Also, to be fair, it has been an unusually busy week, as they had a "Crypto Week" during which they announced something genuinely interesting each day, and their 8th birthday was a fair excuse for a navel-gazing post.


> "You are correct that their CTO has submitted 16 posts this week (not all of them from their own blog)"

Aside from 1 (TechCrunch) they are all just posts of their own blog. I would call 15 submissions about your company in 7 days excessive.

If more people start doing this the danger is that HN gets reduced to just another marketing channel. I think that's a reasonable concern.


When we're finding the majority of them interesting, then it's relevant to Hacker News.

The majority of these posts tend to go into deep technological explanations, making it a good fit.


Yeah, that's also why I don't like this. Cloudflare showed a lot of positive things, but also what you just mentioned. Centralization and the 1.1.1.1 preload thing. Cloudbleed was bad, but I'm not sure it wasn't just "a bug" like every big company had, this just happened to have a big fallout.


On the other hand, 1.0.0.0/8 is routable ip space on the internet. I get that it sucked, but, would people have stopped "squatting" for lack of a better way to say it had they not added 1.1.1.1 to the preloaded list?


.ee would be lovely as well, current registrars are honestly meh, there's maybe one I'd trust in the entire list.


You can become a .ee registrar quite easily iirc. At least you can for .fi


I have used dozens of different registrars over the past two decades and found Fabulous.com to be by far the best on price and technology. Unfortunately, they now have no plans to support the new CDS and CDNSKEY protocols which would be handy for anyone managing a large number of domains.

What Fabulous do have, however, is an "Executive Lock" feature, which is an optional additional layer of verification that the domain owner must go through before a domain can be transferred away from his account. They also support U2F, which allows the use of hardware tokens such as Yubikeys.

Domain protection features such as these are vital if a registrar does not want to be swamped with jacking attempts and the PR disaster of actually losing domains.

I am surprised that Cloudflare has not already followed the fine example of companies such as Dropbox, Github, and Google by supporting U2F. A quick search shows that Cloudflare customers have been publicly asking for this for at least 3 years. When they introduced TOTP 2.5 years ago, they stated that they would support U2F "shortly".

In the context of being a domain registrar, supporting U2F would be even more useful, dramatically reducing the number of domain jacking attempts. Proper support would encourage customers to associate TWO hardware tokens with their account, each stored in a different location. Supporting only one, as AWS have recently done, leaves them wide open to social engineering, with impersonators claiming to have lost their one key.


Wow, it's hard to believe they don't support U2F yet. Even smaller providers such as OVH have had U2F for a long time.


Yeah, very surprising. Perhaps companies lose the ability to get this stuff done as they grow larger.

An even more shocking example is Transferwise, supposedly a cutting-edge star of the "fintech" scene. They use SMS-based codes, a wildly insecure form of OTP. Over a thousand employees and they cannot even implement some sort of app-based TOTP (such as Google Authenticator) to protect their clients' money.


Transferwise is quite low risk in this regard. They don't have a balance or anything like that, it's only moving money between 2 accounts in a transactional manner.


No, Transferwise provide balances as part of their "Borderless banking" accounts: https://transferwise.com/gb/borderless/


I wonder why nobody has mentioned Njalla [0] yet.

>We want to keep things simple and we're not trying to compete on price but security. We will never be the cheapest domain name registration service but we'll always be the most privacy centered one

You sign up with email or XMPP+OTR, they send mails PGP signed + encrypted (using info from key server or the key you uploaded), they have app based (TOTP) 2FA and they accept various cryptocurrencies.

There's no bullshit and so far the support has been quite good.

Their DNS (currently) supports: A, AAAA, CAA, CNAME, MX, NS, PTR, SRV, SSHFP, TXT (also "Dynamic" and "Redirect")

It's run by some of the Pirate Bay founders and they're still making fun of legal threats. ;)

0: https://njal.la


I like and use Njalla, but you should be aware of what you're getting into:

> When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain.

It's not at all unlikely that they will eventually be shut down very hard. Please do not use them (or, as long as I'm here, any ccTLD, but that's another story) for any serious/long-term purpose.


> When you purchase a domain name through Njalla, we own it for you.

What? I was under the impression that this practice, although common in the past (especially with dodgy registrars), wasn’t even allowed anymore? I’m pretty sure that at least some TLD registries (like IIS for .se and .nu domains) disallow this practice completely, for good reasons.


Who would shut them down? Is this something the ICANN prohibits? Is ICANN even involved here, as Njalla is (to my knowledge) not an ICANN-accredited registrar? They simply buy the domains from an actual registrar and let you use them.


I think in the context of that, they were thinking about governments.


I don't know why buying something and then leasing it to someone else would be an illegal thing to do. I guess they made sure it's not illegal in Nevis, at least.


That's not the problem.

It's more the scenario that the country to which the company, or its officers, belong/reside in, may take a disliking to their customers (perhaps for unlawful acts), and because the company is seen to own the domain, and either won't or can't hand over the details of the end customer, the company could be liable for those things.

Even if the company obeys every lawful direction on cancelling/handing over domains and whatever customer details they have - they may be seen as facilitating unlawful behavior, and so that in and of itself can be an unlawful act.


While Cloudflare appears to be doing things that are meant to help everyday people, I can't help but be suspicious. This is an organization that sticks with the "we don't host" bullshit line when web sites serve up Trojans which pretend to be Adobe Flash installers. While there's more subjectivity involved with dealing with hosting the content of spammers, there is zero subjectivity involved with clear and obvious phishing sites.

First, anyone with the tiniest modicum of common sense can tell that these pretend Flash sites are absolutely not in the slightest way legitimate content.

Second, providing services in any way, shape or form is, in fact, hosting. Providing DNS? It's hosting. Providing a cached version of the site? Hosting.

So if they want to be in the business of pretending to be not-hosting, then they have to stop providing services without which web sites would cease to function. Are they now going to claim that they're not providing meaningful services to domains registered through them, and therefore they should not be responsible for people who are doing illegal things?

Probably.


On the contrary, decisions by not-my-actual-server-host to get involved in content disputes are what would drive me away as a customer. What having the tiniest modicum of common sense would tell you is that holding each middleman responsible for content they pass through is ridiculous. It is definitely a way to enforce a level of censorship that didn't work when you went to the true source of the data. Hosting someone's DNS, passing their data over your pipes, building the keyboard they type with, registering their domain, etc. is not the same as supporting the content. I think you're intentionally confusing the issue by equating hosting one type of service with another.


These things are not connected. You're a customer of Cloudflare by choice. If you use Cloudflare to hide your nefarious activities, then you SHOULD be inconvenienced by Cloudflare. Otherwise, you deserve no privacy so people can contact you / your actual provider properly.

Building a keyboard is one thing. Providing ongoing services for illegal activity is something entirely different. You're being disingenuous by trying to conflate those two things.

If someone hosts illegal / abusive content, then anyone that person pays to facilitate that content should be obligated to do something about that content when that party is made aware.


Illegal where? In the country where the site is hosted? In some country where Cloudflare operates? In the country of the user? In the country where the Cloudflare user resides?


I appreciate that these decisions can seem easy, but broadly do you want a private company deciding what can be on the internet, or do you want that decision made by a judge with due process?


Fake Adobe Flash update web sites are outside of the scope of subjectivity when it comes to free speech. Or would you like to assert otherwise?


Matt Prince already decided "what can be on the internet" when he banned Daily Stormer. As far as Cloudflare is concerned, that ship already sailed.


I think the issue was that the Daily Stormer communicated that the fact that cloudflare hadn't banned them was a form of support or endorsement.

It seems reasonable to put a lid on that.

I do see the moral dilemma though.


That's completely different really. They just stopped proxying their traffic. Daily Stormer could continue on, assuming they pay enough to handle the traffic.

Turning off your domain name is a different story. You are sunk until you can regain control of it.


So if Google accidentally caches random JS malware, they suddenly become at fault for "hosting" it?


If someone points it out and they refuse to remove it and infect people who don't know better and trust Google, then the answer is "yes".


1) We can't remove content we don't host. Only the host can remove that content.

2) If you have located malicious content please do tell us about it -- cloudflare.com/abuse -- and once we confirm your report we can place a warning interstitial in front of that content and notify the host. The interstitial protects users in the interim while the host takes action to actually remove the content they are hosting.


> First, anyone with the tiniest modicum of common sense can tell that

Cheap trick, don't use it.


This is awesome! Charging the exact same price as the registry wholesale price.

NameSilo, as far as I know, comes very close to the registry pricing and offers DNSSEC, nameserver registration and other APIs with the registry.

This could totally throw all registrars out of competition for the price of registry wholesale price. You just have to hope CloudFlare wouldn't overstep their role as a registrar if you only register the domain from them.


I currently use NameSilo. Don't forget they also offer free whois privacy for life.

My only complaint with them is their DNS records are only updated once every 15 minutes.

This makes doing automated API based DNS based LE challenges annoying because you need to sleep your script for 15 minutes to ensure the update got pushed.

Also, I'm surprised Cloudflare omitted talking about whois privacy in the blog post. Makes me wonder if they plan to sell that for some amount of money.
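An added example from the editor, not the commenter's script and not any registrar's or ACME client's code, of the usual alternative to sleeping a fixed 15 minutes after publishing a DNS-01 record: poll each of the zone's authoritative nameservers until all of them serve the expected TXT value, then hand off to the ACME client. The lookup function is injected so the logic can run offline against a constructed stand-in; the nameserver names, the `LaggingZone` class and the token value below are made up for the demo.

```python
"""
Poll authoritative nameservers for an ACME DNS-01 challenge record instead of
sleeping a fixed interval. In production pass a `query_txt` that sends the
TXT query to each authoritative server's address directly (e.g. with
dnspython), not to a caching recursive resolver, so you see what the CA sees.
"""
import time
from typing import Callable, Dict, Iterable, List, Sequence

# (nameserver, fqdn) -> TXT values that nameserver currently serves
TxtLookup = Callable[[str, str], Sequence[str]]


def challenge_published(fqdn: str, expected: str,
                        nameservers: Iterable[str], query_txt: TxtLookup) -> bool:
    """True only when every authoritative server returns `expected` for `fqdn`.
    A partial rollout counts as not ready: the CA may query any one of them."""
    for ns in nameservers:
        try:
            values = query_txt(ns, fqdn)
        except Exception:            # SERVFAIL, timeout, ...: not ready yet
            return False
        if expected not in values:
            return False
    return True


def wait_for_challenge(fqdn: str, expected: str, nameservers: Sequence[str],
                       query_txt: TxtLookup, interval: float = 5.0,
                       timeout: float = 900.0, sleep=time.sleep,
                       clock=time.monotonic) -> int:
    """Poll until the record is visible on all nameservers and return the
    number of polls it took. Raise TimeoutError when the deadline passes, so
    the caller never triggers validation against an unconfirmed record."""
    deadline = clock() + timeout
    polls = 0
    while True:
        polls += 1
        if challenge_published(fqdn, expected, nameservers, query_txt):
            return polls
        if clock() >= deadline:
            raise TimeoutError("%s TXT %r not visible on all NS within %ss"
                               % (fqdn, expected, timeout))
        sleep(interval)


class LaggingZone:
    """Constructed stand-in (not a real resolver) for a DNS provider whose
    servers pick up a change at different times: server `ns` starts answering
    after `ready_after[ns]` queries."""

    def __init__(self, ready_after: Dict[str, int], value: str):
        self.ready_after = ready_after
        self.value = value
        self.queries = {ns: 0 for ns in ready_after}

    def query_txt(self, ns: str, fqdn: str) -> List[str]:
        self.queries[ns] += 1
        return [self.value] if self.queries[ns] >= self.ready_after[ns] else []


def demo() -> int:
    """ns2 lags behind ns1; the loop must wait for both before returning."""
    zone = LaggingZone({"ns1.example.net": 1, "ns2.example.net": 3}, "tok3n")
    fake_clock = [0.0]                      # simulated time so the demo is instant
    return wait_for_challenge(
        "_acme-challenge.www.example.com", "tok3n", list(zone.ready_after),
        zone.query_txt, interval=5.0, timeout=600.0,
        sleep=lambda s: fake_clock.__setitem__(0, fake_clock[0] + s),
        clock=lambda: fake_clock[0])
```

The point of checking every authoritative server rather than one is that the CA's resolver may land on whichever server has not yet picked up the change; with a provider that batches updates every 15 minutes this loop simply returns as soon as the batch lands, instead of always paying the full 15 minutes.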


We actually didn't talk about WHOIS Privacy because it's becoming less and less of a relevant feature in the post-GDPR world. We do support it, free of charge.

Cloudflare is also the largest authoritative DNS deployment in the world, and changes propagate in closer to 15 seconds than 15 minutes.


Thanks for the confirmation. Sounds promising.

Do you happen to also offer free email forwarding with registered domains?


I don't have the answer to that yet. On the one hand it's a bit far afield of what we normally do. On the other a lot of people seem to get it from their registrar and rely on it.

The ideal situation would be if we could find a way to do email forwarding which wasn't just as good as what they do, but was exciting and meaningful. We'll keep thinking about it and let you know on our blog.


If you want to blow everyone away then I think you should start with giving free real inboxes for everyone (maybe with some sane limit, or a way to pay per month to increase it), and then introduce email forwarding in the future (because I'm sure some people will still want that feature even with real inboxes available).

If you GA'd with:

~$8 .com addresses, N real inboxes, free whois guard and a top notch DNS record API.

That's a compelling offer and I'd very likely switch from namesilo if that were the case.

To be honest, anything less and I'd stay with namesilo because the 15 minute timer can be worked around by using my web host's name servers (digitalocean pushes updates in a few seconds). I couldn't live without either email forwarding or a real inbox.


It's compelling to you, but managing email infrastructure is a huge burden - users actively spamming, compromised users spamming, RBLs, security, myriad email clients - there seems to be little synergy here with the rest of Cloudflare's infrastructure (DNS + a big proxy stack).

I say this as both someone who worked at a hosting company doing managed email a long time ago, before the industry had consolidated to the extent it has now, and as an ex-employee.

At wholesale registrar pricing, N real inboxes - is that attracting the right kind of users at scale? At least with their current freemium + addons model, it's fairly hands-off, with the hopes of capturing rapidly growing startups in the process. I don't think you can replicate that with email at all.


When you say real inboxes, are you thinking webmail of some sort? Don't most people prefer to use Google Apps or the like these days?


I mean being able to set up zackbloom@cloudflare.com as a proper inbox that can send and receive mail without forwarding to another email. Having a web interface for it would be cool but I think a lot of people could also configure existing email clients to access it (at least at the start).

Google Suite is something like $5 / month per domain name so offering that as a free feature would be a pretty big deal.


Google Suite starts at $5 per email address per month; I think asking for free email accounts is beyond the product offering of domain registration/renewal.

And they probably want to reserve usage of their domain for email so you know it's a staff member you're dealing with, which is why google gives away gmail.com addresses, not google.com addresses.

Here are three less expensive email options for you:

1. get a VM and install exim/postfix
2. OpenSRS https://opensrs.com/services/hosted-email/
3. AWS workmail https://aws.amazon.com/workmail/


To be fair he was asking for exciting and meaningful ways to make it better.

> And they probably want to reserve usage of their domain for email so you know it's a staff member you're dealing with, which is why google gives away gmail.com addresses, not google.com addresses.

These inboxes would be for your custom domain that you registered, not @cloudflare.com for everyone. I used that for his because it sounds like he works there.

Yours would be x13@whateverdomainyouregistered.com.


Looks like opensrs requires to pay a one-time $95 fee. Can one use just hosted email on their domains at $0.5/mo?


Most places and projects I've worked in the past 10 years or so have used GSuite or similar for inboxes, and Amazon SES or similar for programmatically sending email. Those that didn't (shared-hosted websites on CPanel installations seemingly do still exist in 2018) had access to webmail in the hosting panel or as an installable application.


Yeah right now I use email forwarding and SES to send emails (which required setting up an address that belongs to my domain, such as user@exampledomain.com).

In this case I forwarded that email to my gmail account and it all works, but it's not perfect.

In either case, having at least email forwarding or an inbox is essential for a lot of common things you'd want to do on a domain. Forwarding works ok to avoid $60 / year for Google's offerings but has some limitations.

This is coming at it from the POV of just setting up a VPS to host some sites and wanting to accept email from your domain name without paying any more than what the domain cost to register.

I think this use case is super common, especially on HN.

No one thought Let's Encrypt would step up and offer a top tier free SSL solution. If it can be done for SSL, it can be done for real inboxes. :)


That would be awesome. Gandi has this (5 inboxes), but at $12.


Zack, please DON'T waste time on email, focus on security.

The category of customer who consider the flaky email solutions provided by registrars to be worth using, and who are unaware of how to hook their domains up to free forwarding at services such as Mailgun, are unlikely to ever buy your higher-margin services.

Your introduction of at-cost domain registration will already blow everyone away, you do not need email for that, but high-value domain owners will worry that the service will not be sufficiently-resourced to protect their domains. Those are precisely the domain owners you want because they are more likely to end up paying for your other services.

So, try to finally get U2F support in place before you spread your legs for mass domain registration. Real, proper U2F support that encourages users to associate TWO different hardware tokens with their account will save you from the tsunami of domain jacking attempts you are about to experience.

The point of having two different hardware tokens, kept in separate locations, is that it becomes far more unlikely that your support will ever have to deal with them. As long as they can continue to access their account with one, they will have time to buy and associate a replacement.

Meanwhile, any hacker attempting to socially engineer your support would be left with the tough job of having to explain how they managed to lose both tokens at the same time - they won't bother, they will move on to some other registrar that is too dumb to implement U2F.

You save your staff a world of hassle, you protect your reputation from a potential PR nightmare, and the high-value domain owners will be more than happy to bear the $95 cost of two Yubikeys. You just have to make it possible and gently encourage users in that direction.


Still got to factor in the minimum allowed TTL of 120 seconds, though. I wish the API would allow less.


Sorry to bother you, but do you offer changing nameservers after registration?


Porkbun is also wholesale except they add a few cents


Not wholesale, Porkbun are adding 10%.


Still no U2F? C'mon CF, how hard can it be for an org the size of yours.


The registration cost for domains is trivial (for most common TLDs): $8/year or $35/year - how much is $27/year worth to you and your company?

The primary cost for domains is potential downtime. How much does a day of downtime cost you and your company? I don't want to think about it either.

The next most significant cost is labor - your time and your business' delays when dealing with the registrar over service and support issues.

Both of these problems are solved with available, responsive, highly effective support. If it goes down, you want to reach someone right away who has the skill to quickly solve the problem and who is empowered to do whatever is necessary to bring it back up. And for lesser issues, quality support means you spend less time solving problems, which not only saves you time and frustration but reduces delays for your work that depends on the problem, and for other people depending on you and people depending on those people. It's the difference between spending days trying to communicate with someone who turns out not to understand the technology anyway, and then you have to figure out a solution yourself and coax them into implementing it, and communicating with someone who answers immediately and says 'I got it', explains the tech to you - and you don't bother to remember it because they already know it.

I don't see support, the most important capability of a registrar (besides basic competence) IMHO, mentioned in Cloudflare's announcement. What is the support story?

EDIT: Added exposition


We provide email support to all of our customers. I believe free customers see a response within 8 hours on average (we have teams in SF, Austin, London, and Singapore, to cover every timezone). That 8 hours can become as little as 30 minutes for customers who also subscribe to our Pro or Business plans, or use our Custom Domain Security product.


Thanks for the update. For comparison, I pay ~$35/year and get skilled, empowered, responsive phone support within maybe five minutes of calling. I've never needed them to pull off a miracle so I don't know how truly empowered they are.


I would never use Cloudflare. They hide spammers and refuse to do anything about them. The same mass spammer will register site after site for months, sending snowshoe spam, and cloudflare refuses to do anything. At one point this was taking up about 80% of our incoming spam, and most of it was getting through spam filters due to the snowshoeing. You could see the same registration info for hundreds of domains over months, all sending spam, but cloudflare doesn't give a shit.

The only solution I found was to put a 15 minute delay on all incoming email from a cloudflare domain, then do a second check of the blacklists. This solved the problem, as the sending ips (not cloudflare) tended to get blacklisted within 15 minutes.

In my mind if you're hiding people's websites behind your "cloud", you have a responsibility to kick off the spammers.


Cloudflare only layers HTTP/HTTPS traffic. Mail is exposed, with no layer by Cloudflare.


I'm familiar with that. I'm referring to the hosting of the domains in the From line of the emails, which is what cloudflare is hiding. They're helping the spamvertised domains hide.


How do you have your MTA check if a domain is hosted through Cloudflare, and what blacklists do you use? I think I'd like to do this, too.


If you've ever run Postfix on a public-facing MX host, you're probably familiar with so-called "restrictions" like "check_client_access", "check_recipient_access", and "check_sender_access".

There are also several other (seemingly lesser known) restrictions available, such as "check_sender_a_access", "check_client_mx_access", and "check_helo_ns_access" (plus similar variations you can likely think of) that you can use to take action based upon things like the IP address(es) listed in the A RR for the client MTA's hostname, the hostname(s) listed in the MX RRs for the client MTA's IP address, and/or the authoritative DNS servers of the domain name provided by the client MTA during the HELO/EHLO phase.

Imagine a spammer that had hundreds of domain names, all of which used her own DNS servers, jack.ns.example.com and jill.ns.example.com. Using check_sender_ns_access, for example, you can quickly and easily reject all mail where the domain name in the envelope from address uses one of these authoritative DNS servers.

If you get creative, you can come up with some really effective combinations that are actually pretty simple.

[0]: http://www.postfix.org/postconf.5.html


Well, this is the problem with cloudflare...you can't block cloudflare because there are so many legitimate domains hosted there. The 15 minute delay followed by a second blacklist check is the best solution I've come up with (it seems to work almost 100% of the time from what I can tell).



Why use a homebrew Perl script for this when Postfix (and likely most other MTAs) has features available that can do this for you?

Want to block all mail from any domain name that's hosted by Cloudflare? That's simple enough (and doesn't require taking a shower afterwards, unlike when writing Perl).

Just grab the plain-text version of the file that contains the list of Cloudflare's IP address ranges [0], create a CIDR table [1] containing those ranges (followed by a "REJECT"), and add an instance of "check_sender_a_access" to your "smtpd_sender_restrictions" [2].

(Bonus points for taking a couple of minutes to write a shell script that runs once per day from cron, grabs the latest version of this text file, adds " REJECT" to the end of each line for you, and triggers a reload of Postfix if there were any changes to the IP ranges that it needs to know about.)

[0]: https://www.cloudflare.com/ips-v4

[1]: http://www.postfix.org/cidr_table.5.html

[2]: http://www.postfix.org/postconf.5.html#smtpd_sender_restrict...


Well, I definitely don't want to block any mail from cloudflare hosted domains, as I have many customers using cloudflare dns. I just want to delay it 15 minutes so that I can then do a second blacklist check. Does postfix do that?

>and doesn't require taking a shower afterwards, unlike when writing Perl).

I wouldn't say that. perl is about the best scripting language IMO, and is available on all systems.

I wrote my own spam filter because I want to have full control over how I deal with spam, and generally it works very well.


Postfix's "zombie blocker", postscreen [0] (which ships with Postfix), offers that functionality -- and more [1] -- out of the box.

In the worst case, where you have some unusual, specific need that hasn't been designed for, you can -- quite easily -- create your own policy daemon [2] (even in Perl; see the example) and/or milters [3].

> I wouldn't say that. perl is about the best scripting language IMO, and is available on all systems.

Oh, I agree; I was mostly teasing. I first started using Perl c. 1995 (and later, for writing CGI scripts, when CGI became a thing) and it is still the scripting language I reach for 95% of the time for basic sysadmin stuff.

> I wrote my own spam filter because I want to have full control over how I deal with spam, and generally it works very well.

I certainly can't fault you for that. Take a look at the greylist.pl script that ships with Postfix. It is an example of a policy daemon that implements greylisting (not meant for production; for greylisting, use postscreen instead). It was several years ago, but after looking at that, I was able to implement my first policy daemon (which reached out to a MySQL server) in about 20 minutes and, after some testing, put it into production shortly after that. It's amazingly simple.

I'm not sure what MTA you are currently using but I would certainly recommend looking into Postfix. Back in the 90s, I was a hardcore, bigoted sendmail guy ("Give me sendmail or give me death!") but at some point I started looking into Postfix and have never looked back. Among other things, I manage mail systems at $work (an ISP) and I'm "very anti-spam". I occasionally need/want to do some unusual things policy-wise (WRT accepting or rejecting mail) and Postfix can itself handle 95% of it. For the other 5%, I tweak AMaViS or write my own policy daemons.

N.B.: My personal mail server (currently) runs on FreeBSD, where I use OpenBSD's "spamd" [4] for greylisting. Personally, I prefer and use that over postscreen (it stops upwards of 90% of remote mail systems from even getting to talk to the "real" MTA!) but on my (CentOS) Linux-based mail systems, I now just use postscreen (previously, I had a "standalone" OpenBSD box running "spamd" sitting in front of Barracuda appliances (as a transparent SMTP proxy). postscreen is really simple to get up and running -- and even more so if you're already using Postfix! -- and a very minimal, basic postscreen configuration will stop the majority of "zombies", hijacked PCs, blacklisted hosts, etc., from getting through to your actual SMTP server.

[0]: http://www.postfix.org/postscreen.8.html

[1]: http://www.postfix.org/POSTSCREEN_README.html

[2]: http://www.postfix.org/SMTPD_POLICY_README.html

[3]: http://www.postfix.org/MILTER_README.html

[4]: https://www.openbsd.org/spamd/index.html
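An added example from the editor, not code from the thread, from Postfix or from Cloudflare, that ties together the two Postfix comments above and the "delay it 15 minutes, then do a second blacklist check" request in one place: a small Postfix SMTPD access policy daemon (the protocol described in SMTPD_POLICY_README). It decides whether the envelope sender's domain is fronted by Cloudflare the way `check_sender_ns_access` / `check_sender_a_access` would (by the domain's NS names, or by an A record inside Cloudflare's published ranges, i.e. cidr_table semantics), and only for those senders greylists the (client, sender, recipient) triple for 15 minutes and re-checks the client IP against an RBL on the retry; everything else gets `dunno` so the remaining restrictions decide. DNS, the RBL lookup and the clock are injected so it runs offline; the `FAKE_NS`/`FAKE_A` tables, the domain names, the `cfgrey` service name and the RBL stub are constructed, and the listed IPv4 ranges are a subset of the page linked in the comment above, which a real deployment would regenerate from the live list.

```python
"""
Postfix policy daemon: greylist senders whose domain is fronted by Cloudflare,
then re-check the client IP against a blacklist once the hold has expired.
Wiring it in means a spawn(8) entry in master.cf that runs serve() and
`check_policy_service unix:private/cfgrey` in smtpd_recipient_restrictions
(service name is an assumption).
"""
import ipaddress
import sys
import time
from typing import Callable, Dict, List, Tuple

GREYLIST_DELAY = 15 * 60              # seconds a newly seen triple is held back
CF_NS_SUFFIX = ".ns.cloudflare.com"   # how Cloudflare names its authoritative NS

# A few of the IPv4 ranges from https://www.cloudflare.com/ips-v4 (refresh from
# the live list, e.g. daily from cron, in a real deployment).
CF_NETWORKS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/12", "172.64.0.0/13")]


def parse_policy_request(raw: str) -> Dict[str, str]:
    """One policy request: 'name=value' lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def sender_domain(envelope_sender: str) -> str:
    """Domain part of the envelope sender; '' for the null sender '<>'."""
    return envelope_sender.rpartition("@")[2].strip("<>").lower()


def fronted_by_cloudflare(domain: str, resolve_ns: Callable[[str], List[str]],
                          resolve_a: Callable[[str], List[str]]) -> bool:
    """NS test first (check_sender_ns_access style), then A records against
    CF_NETWORKS (check_sender_a_access + cidr_table style)."""
    if not domain:
        return False
    try:
        if any(ns.lower().rstrip(".").endswith(CF_NS_SUFFIX) for ns in resolve_ns(domain)):
            return True
        return any(ipaddress.ip_address(a) in net
                   for a in resolve_a(domain) for net in CF_NETWORKS)
    except Exception:        # NXDOMAIN, timeout, ...: don't claim what we don't know
        return False


class GreylistPolicy:
    def __init__(self, resolve_ns, resolve_a, rbl_listed: Callable[[str], bool],
                 clock=time.monotonic, delay: float = GREYLIST_DELAY):
        self.resolve_ns, self.resolve_a = resolve_ns, resolve_a
        self.rbl_listed, self.clock, self.delay = rbl_listed, clock, delay
        self.first_seen: Dict[Tuple[str, str, str], float] = {}

    def decide(self, attrs: Dict[str, str]) -> str:
        if attrs.get("request") != "smtpd_access_policy":
            return "dunno"
        client = attrs.get("client_address", "")
        sender = attrs.get("sender", "").lower()
        rcpt = attrs.get("recipient", "").lower()
        if not fronted_by_cloudflare(sender_domain(sender), self.resolve_ns, self.resolve_a):
            return "dunno"                           # leave it to the other restrictions
        now = self.clock()
        first = self.first_seen.setdefault((client, sender, rcpt), now)
        if now - first < self.delay:
            return "defer_if_permit Greylisted, please retry later"
        if self.rbl_listed(client):                  # the second, delayed look
            return "reject Client %s is blacklisted" % client
        return "dunno"

    def handle(self, raw: str) -> str:
        return "action=%s\n\n" % self.decide(parse_policy_request(raw))


def serve(policy: GreylistPolicy, inp=sys.stdin, out=sys.stdout) -> None:
    """Speak the policy protocol on stdin/stdout, as spawn(8) hands it to us."""
    buf: List[str] = []
    for line in inp:
        if line.strip():
            buf.append(line)
        else:
            out.write(policy.handle("".join(buf)))
            out.flush()
            buf = []


# ---- constructed stand-ins (not real DNS or RBL data) -----------------------
FAKE_NS = {"spamvertised.example": ["jack.ns.cloudflare.com.", "jill.ns.cloudflare.com."],
           "proxied.example": ["ns1.otherdns.example"],        # CF proxy, non-CF DNS
           "legit.example": ["ns1.legit.example"]}
FAKE_A = {"spamvertised.example": ["104.16.1.2"], "proxied.example": ["172.64.5.5"],
          "legit.example": ["198.51.100.10"]}


def fake_ns(domain: str) -> List[str]:
    return FAKE_NS[domain]


def fake_a(domain: str) -> List[str]:
    return FAKE_A[domain]


def demo() -> List[str]:
    """Walk one spamvertised sender through the hold, the retry and the reject."""
    t, listed = [1000.0], set()                  # simulated clock and RBL contents
    policy = GreylistPolicy(fake_ns, fake_a, lambda ip: ip in listed, clock=lambda: t[0])
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\nclient_address=203.0.113.7\n"
           "sender=news@spamvertised.example\nrecipient=me@mydomain.example\n\n")
    out = [policy.handle(req)]                   # first sight: defer_if_permit
    t[0] += 60
    out.append(policy.handle(req))               # still inside the window: defer
    t[0] += GREYLIST_DELAY
    listed.add("203.0.113.7")                    # the RBLs caught up while we waited
    out.append(policy.handle(req))               # retry after 15 min: reject
    out.append(policy.handle(req.replace("spamvertised", "legit")))  # not fronted: dunno
    return out
```

`defer_if_permit` is what makes this safe to stack with the rest of `smtpd_recipient_restrictions`: the greylist only delays mail that nothing else would have rejected anyway, and a sender with non-Cloudflare DNS and a non-Cloudflare A record never touches the `first_seen` table, so legitimate mail from the many domains merely using Cloudflare DNS is held once per triple and then flows normally. For real use the two resolver arguments would be dnspython queries and `rbl_listed` a DNSBL lookup of the reversed client IP.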


While I'm sure few of us would have controversial domains, let's remember that Cloudflare have removed the DNS records of sites that they didn't like in the past[0].

[0] - https://blog.cloudflare.com/why-we-terminated-daily-stormer/


That's misleading. They removed the records of one site. Not "sites". And they did it because that site was claiming that CloudFlare providing them services meant that CloudFlare secretly supported their (hate-based) ideology.

And it's also worth pointing out that CloudFlare wasn't the only company terminating services for Storm Front. GoDaddy dropped them, then Google dropped them (and their YouTube account), then Tucows dropped them after just a few hours, and then finally CloudFlare dropped them.

Or to put it another way, CloudFlare has dropped one single site. Pretty much any other competing service will have dropped numerous sites. CloudFlare's dropping of The Daily Stormer is really only interesting in that it was a violation of CloudFlare's previously-stated policies of only dropping clients that are breaking the law.


You failed to mention that the decision to drop them was made unilaterally by the CEO, and he said it was because he woke up in a bad mood that day. That was why people were talking about it; all you have to do is get on the bad side of someone at the company and they'll try to effectively erase you from the internet, and people will defend it by saying "it's a private business, they can't be forced to host anyone". It was a very visible case of a gatekeeper to a large portion of the internet showing that they're willing to decide what information people can see.


> all you have to do is get on the bad side of someone at the company and they'll try to effectively erase you from the internet

This is such ridiculous hyperbole and willfully ignores the reality of what Storm Front is and what they stand for. The CEO absolutely made the right call and Cloudflare has done just fine since then.


And, perhaps more importantly, Cloudflare admitted that was a mistake and promised that it wouldn't happen again. (IIRC.)


I've been trying to watch these issues and not seen anything that suggests they won't do it again. If you have some evidence of this, please post it.

In fact I think it more important to point out that the incident proved they can and will do such a thing, and will have less of an argument should someone stick a piece of paper to their head and tell them to do it more often.

I like cloudflare and appreciate all these cool things they are doing with other's (Google's, Microsoft's and Baidu's ?) money... however the old playbook of get big and entrenched then start to bleed your captive customers is getting rather old.

Wall street pressure has made godaddy much worse in my experience, and I have seen nothing that says cloudflare has done anything to prevent these things from happening again.

Whichever registrar is keeping stormfront as a customer is likely more resilient. (would like to know which (tucows?) reseller is the one.)

As I have mentioned elsewhere, I hope cloudflare is already setting up ways to split their company into cloudflare US, cloudflare CA, cloudflare UK, cloudflare JP, IN, etc etc.. as I think it's the only way to prevent mass takedowns that are likely coming in the future.


Days after posting about the need for cloudflare (and others) to decentralize / split up; and there is this article in the Guardian for the UK: https://www.theguardian.com/commentisfree/2018/sep/30/we-can...

Equating cloudflare tech with nazi bouncers, and killing. Needing to be used to shut down sites.

with things like this: >> Cloudflare has built “edge servers” – data centres that store content locally. There are 30 in Europe, including one in London and one in Manchester. The British government cannot regulate the worldwide web, but it could enforce the law in Britain. The anti-fascists at Hope not Hate begged ministers to make Cloudflare’s British operations comply with anti-Nazi legislation.

>> Cloudflare, by contrast, is enabling men who want to kill, not argue.

There was a time when the tech was not easily understood, and the argument of dumb pipes was kind of legit. It seems that time is over, in no small part because tech has not been sticking to their principles (imho).


Can you quote a source for that? I'd very much like the assurance for a claim like that.


Yep! Here you go: https://arstechnica.com/tech-policy/2017/08/cloudflare-ceo-t...

Matthew Prince is a human like everybody else, and honestly, I would rather have him guarding my back than a lot of other tech CEOs.


Thanks for the source. Still, I'm getting mixed signals from that article, I guess he did what he did and regretted it? Have they taken steps to prevent something like that from happening again?


Very true, but the risk of using them should be weighed against the risk of not using them. Don't forget that pretty much all other registrars were much more eager than Cloudflare to shut down Daily Stormer, and expose you to Zoho-type risk that Cloudflare claims to mitigate.


Except that Cloudflare terminated Daily Stormer after allowing terrorist groups to operate under the guise of "free speech":

https://www.firstpost.com/tech/news-analysis/cloudflare-and-...


Can anyone explain why they downvoted me instead of just downvoting?


I didn’t, but I can provide some advice since I see this type of comment and nobody really gets advice on this kind of thing. Your comment wasn’t inflammatory — it was factual. However, it only contained a fact, and in that fact, the wording sounded like you were being not only factual, but perhaps a little too stuck to your guns.

Controversial comments on HN are generally appreciated as long as they have both commentary and supporting evidence. The commentary part is key. Many of us have read HN for years and are very well aware of these events. Thus, posting about them isn’t news to us — it’s just noise. A new take on it or an interpretation from you is always welcome, but just “spreading the news,” is somewhat the antithesis of Hacker News in the comments.


For the record, when I posted that comment, its score was in the negative, and now it's positive again. So I guess it was just a matter of waiting for more people to read it.


That decision I support. An actually terrible idea they had though was to forward abuse complaints directly to the accused site owner, complete with personal information about the reporter:

https://arstechnica.com/tech-policy/2017/05/cloudflare-chang...

But my biggest concern is that CloudFlare is centralizing the internet way too much. If most connections to smaller websites are proxied through CloudFlare, the web becomes very centralized: all your connections go either to other giants like Google/Facebook/Netflix, or to Cloudflare.


I have to admit, the cloudflare CEO unilaterally dropping a site - even a site as abhorrent as Daily Stormer - gave me pause. Still makes me a bit wary about cloudflare. It wasn't so much that they dropped the nazis, but more of how they did it.


I really wish I could find a good solution for generic wildcard forwarding of email my registrar provides.

I'd move everything to CloudFlare instantly if I could find a way to get *@mydomain.com for all mess of domains without having to run my own email server or pay a bunch of money per domain.


You could probably use Mailgun with a routing rule to map *@yourdomain.com to a single email address.


Is that free?

Some domain registrars offer wildcard domain forwarding for free.


https://www.migadu.com has a free plan, and you can set up forwards… maybe you can do that with them


Is Cloudflare profitable?

I like their service, but given all the freebies that don't generate revenue, I can't help but wonder if they are going to be around for another 5 years before transferring my domains to them.


> Is Cloudflare profitable?

CloudFlare has been profitable since 2014[1]:

> CloudFlare has raised more than $72 million in funding, with a $50 million round in 2012, valuing the company at $1 billion. That last slug of equity is still in the bank, says Prince; the company says it just had its first cash-flow-positive quarter with revenue, estimated to be around $40 million by year-end, growing 450% year over year.

[1] https://www.forbes.com/sites/kashmirhill/2014/07/30/cloudfla...


It's a way to get more customers for their profitable services.


This is great.

I have used Namecheap as a registrar and Cloudflare as DNS for many years.

I just registered for Early Access and was placed in Wave 1 estimated for Mid-October. I happily donated to Girls Who Code anyway.


I am a customer of Namecheap and Cloudflare too, and though I'm a happy Cloudflare customer, Namecheap has given me no reason to leave.

That being said, the company I work for I think I will begin transferring over to Cloudflare as a registrar, simply because we have hundreds of sites already on Cloudflare's NS, and moving them over to Cloudflare is much easier to sell than moving them over to Namecheap, which is something I had pitched but could never justify.


This sounds great. Hopefully the TLD coverage is extensive, I dislike having my domains split across multiple registrars based on their supported extensions.


We want to help you consolidate those! Full list here for TLDs supported at launch, but we're busy working to add more before then. https://www.cloudflare.com/tld-policies/


Hope you get .uk etc that Nominet are in charge of too, would be happy to use just one registrar.


I wonder if the best approach would be to target registries with the most domains on CloudFlare? But my personal wish list includes .ca, .is, .to, .eco and .software :)


Gah, you don't have .je domains. I have a charity one there which I have to use gandi.net for and it's driving me nuts...


Likewise, .sh domains are pretty popular but an incredible pain to deal with. I managed to transfer mine to Hover, but it's expensive and buggy (you can't update your registration address, for example; you get an "internal server error").


I second the request for the .UK TLDs.


Uh, uk just feels like a scam! I mean, what is the point, other than to extort existing .co.uk owners?


I presumed most existing co.uk owners simply moved to the far simpler, more memorable .uk TLD, ditching their old domains along the way. I know I did.


No .st so that domain will have to stay stranded at Gandi :P


Surprised at no '.me' and '.io'. They're pretty popular. Presumably they'll come later.


I think this is pretty great. Apparently a .com is going to run you only $8.03 right now.

I already use Cloudflare for some things, and like to keep my web presence diversified, so I probably won't move my main domains to Cloudflare just to maintain "separation of powers", but there's definitely some "own the other TLDs of these"-type domains that I have which I may hand off to Cloudflare to save money.


Awesome!

I hope you don't mind me ranting a bit about custom domains

> Custom Domain Protection for Cloudflare Registrar, available on the Enterprise Plan, protects your organization from domain hijacking with exclusively out-of-band verification of any changes to your Registrar account.

This is what keeps me locked into Google and other services. I just can't trust my custom domain, if I'm targeted by any semi competent attacker it WILL be hijacked. That you're offering this service only makes my suspicions stronger. I want to use your services but that's a showstopper. It's not your fault, of course, all registrars face the same issues. You need so many different factors to make the process secure it's not even funny, and you said it yourself: "That, obviously, doesn't scale".

A few years ago one of my customers' domains was stolen by contacting the registrar support (one of the big ones, always recommended around here). They even had a scan of his passport. With so many data leaks, even from your own government, how do you even protect against these kinds of things? His life for the next few months was a living hell.


I'm sorry to hear that, it sounds horrible. We had a very similar situation several years ago which led to the development of our original Registrar.

All I can tell you is the 'custom' in Custom Domains refers to the idea that you can set whatever security policy you would like. That includes restricting who can change your domain to a list of people you can count on one hand who each have a personal relationship with you. If you want a policy which requires a photo of you with today's newspaper in it to change a domain, that's probably something which can be arranged.

Just to clarify for readers, this is the Custom Domain plan, which is the Enterprise version of the Registrar we are launching today.


Tucows made hover.com to try and solve this exact problem. How does this differ?


Price: $8.03 vs $14.99


All my domains are with Hover. Good customer support, reasonable UI, 2FA. I'm pretty happy with them.

Sure, it's a little more expensive, but I actually like the no upsell, stable prices, no coupon codes etc..

Most importantly, there's a number to call. I've never had to call it in my 7 years with them, but I'm glad it's there for emergencies.

A domain is so, so important, I don't see "we're a few bucks cheaper" as a selling point.


I mean, that's literally the same thing CF is doing here. No upsell, stable prices (at cost) and obviously no coupon codes.


Yes. But will they have a number to call? Can they pay support staff if they're selling domains at cost.


Anyone here know if Cloudflare plans to let non-customers transfer their domains to Cloudflare? Especially if it's a personal domain? I purchased a domain from GoDaddy and host a blog. But they have been upselling and charging me needlessly. I imagine it's a headache for Cloudflare to support personal domains like GoDaddy does, but I really hope they do.


Yes. As soon as we are through the Early Access period.


If you add your domain to Cloudflare now you'll get on the waitlist.


domains.com is owned by Godaddy AFAIK and they charge you to transfer domains between those two services.

I couldn't find a single mention of this fact anywhere on the internet. The only way to confirm is to go to the 'Legal' link at the bottom of domains.com (WHOIS is set to private) and it takes you to a page with the domain www.secureserver.net which is owned by GoDaddy.


For the last ten years+ I've done all my domain-stuff through Dynadot, and all that time I have been mystified that these guys aren't far better known than they appear to be. Prices are decent, comprehensible, and stable. UX is okay. Not spectacular, but absolutely usable. Great flexibility with whois records. I have needed support once in those ten years, and that was my own bloody fault for having forgotten which birthday I signed up with. Even so, help was prompt, polite, and efficient.

Looked in at the competition from time to time - NameCheap, GoDaddy, whoever - just to see what I might be missing out on. The experience was always sobering and ugly to look at, and every time, I ended up dragging my new domain over to Dynadot.


I am excited about this announcement, and look forward to a registrar who takes security seriously.

> But why should registrars charge any markup over what the TLDs charge? That seemed as nutty to us as certificate authorities charging to run a bit of math. When we see a broken market on the Internet we like to do something about it.

That is not a broken market, it's actually free-market economics and business. Charging a markup for a service literally is how many companies operate. I don't have a problem with it, and because it's a free market it allows CloudFlare to disrupt it.


Interesting. Wonder if they'll support punycode domains - either for internationalisation or for emoji.

I tried to get a .中国 domain, but fell afoul of the "unique" restrictions that my reseller encountered.


.中国 is the country-code top-level domain for China, and has its own set of country-specific rules that they have devised.

Emoji is illegal according to the IETF IDN specification. Some naive clients allow it (i.e. don't follow the standard) but ICANN rules prohibit registries allowing registration of labels that are disallowed by the standard.


If you convert unicode to punycode it's fine? So displaying punycode TLD as unicode is fine as well? If all previous has been true then unicode being displayed as unicode can't be wrong.


There are some domains which allow Punycode converted emoji. See https://xn--i-7iq.ws/
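To make the Punycode round trip discussed in the last few comments concrete, here is an added example (not code from the thread or from Cloudflare) that encodes and decodes labels with Python's standard `punycode` codec, applies a rough RFC 5892 (IDNA2008) character-class check that rejects emoji the way the comment above describes, and adds a mixed-script check of the kind browsers use before deciding whether to display a label in Unicode. The `is_idna2008_style_label` and `mixes_scripts` checks are my simplifications, not the full standard; the domain names used are the one linked above plus constructed examples.

```python
import unicodedata


def to_punycode_label(label: str) -> str:
    """Encode one label the way IDNA's ToASCII step does: ASCII labels pass
    through unchanged, anything else becomes an 'xn--' prefixed Punycode label."""
    if label.isascii():
        return label.lower()
    return "xn--" + label.encode("punycode").decode("ascii")


def from_punycode_label(label: str) -> str:
    """Reverse of to_punycode_label: what a client does before displaying a name."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii_domain(domain: str) -> str:
    """Per-label conversion of a whole domain name to its ASCII (DNS wire) form."""
    return ".".join(to_punycode_label(part) for part in domain.split("."))


def to_unicode_domain(domain: str) -> str:
    return ".".join(from_punycode_label(part) for part in domain.split("."))


def is_idna2008_style_label(label: str) -> bool:
    """Simplified RFC 5892 rule (my approximation, not the full PVALID tables):
    only letters, marks, digits and hyphens are allowed in a label.
    Emoji are category 'So' (Symbol, other), so they are rejected."""
    for ch in label:
        if ch == "-":
            continue
        if unicodedata.category(ch)[0] not in ("L", "M", "N"):
            return False
    return True


def letter_scripts(label: str) -> set:
    """Set of scripts used by the letters of a label, derived from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }


def mixes_scripts(label: str) -> bool:
    """A label mixing scripts (e.g. one Cyrillic letter among Latin ones) is the
    classic homograph pattern; browsers fall back to showing the xn-- form."""
    return len(letter_scripts(label)) > 1


if __name__ == "__main__":
    # "i\u2764.ws" is the emoji domain linked in the comment above (i + heavy black heart);
    # the other two are constructed examples, one of them a Cyrillic-a homograph of "apple".
    for name in ["i\u2764.ws", "b\u00fccher.example", "\u0430pple.example"]:
        ascii_form = to_ascii_domain(name)
        label = name.split(".")[0]
        print(f"{name!r:24} -> {ascii_form:24} "
              f"idna2008={is_idna2008_style_label(label)} "
              f"mixed_scripts={mixes_scripts(label)}")
```

Running it shows the three outcomes a registrar or client has to distinguish: the accented Latin label is fine in both checks, the emoji label round-trips through Punycode but fails the character-class check (so a registry following the standard would refuse it), and the homograph label passes the character-class check yet mixes scripts, which is why display-time checks exist on top of what the registry enforces.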


Very interesting.

I sure hope that when they go live they don't force people to use Cloudflare's nameservers.

As I've mentioned before I use Uniregistry and I'm quite happy with them, but at the end of the day, how do you trust your domain registrar when uncertain things that often have no written policy happen (someone impersonating you to hijack your domains, someone filing bogus abuse/UDRP notices to get your personal information despite using a WHOIS privacy service, etc.)?

I'd be curious what other users think of the second part.


I've been shy of purchasing a domain name for years ever since I did an availability search on a registrar's site only to discover that the domain had been "reserved" a few milliseconds before my search and would therefore cost more.

It was so obviously shady that I just backed away and have been waiting ever since for some other naming system to become viable.

Meanwhile, this announcement is a ray of sunshine from behind the Cloudflare. (Sorry for the pun! I couldn't resist.)


CloudFlare doesn't say they wouldn't do the same (although I believe they won't).

I don't really believe when people claim the registrars registered the domains themselves when they typed it in a search box. For example, it costs the registrars around $8 to register a .com, even for themselves. They make $1-2 profit from a purchase, and I would say spending $8 hoping the same user who searched it will be locked in is a risky gamble.

Sure, one can put a real human to assess the domain searches and try to lock users in, but it's still a gamble.


It was years ago and I can't remember the details, but I remember I used some registrar's domain-name-availability widget and somehow the name had been "reserved" (not registered) in a way that meant they would charge me more money, and I was somehow able to find some other thing that showed the reservation had happened right around the moment I searched.

I'm sorry I can't give better details, but I remember clearly the sense of "Now that's pretty fishy..."


What about email hosting? Gandi includes 5 email accounts with every registration, while most other registrars charge for each account. Email is a basic need.


No. I hope they never offer email hosting. It's distracting, messy work that is already handled well by numerous other companies.


I wouldn't be surprised if they just offered you referrals to Google Apps and Outlook 365. Email is a mess, no one in their right mind would try to get into that business. I guarantee you there are thousands of email servers out there that some small providers want to kill off but can't because it's legacy and impossible to force customers off.


It is a basic need, but they are pretty distinct features. Registrars today sprinkle features such as email hosting, authoritative DNS hosting, email forwarding, SSL certificates (lol, I know), web site builders, etc. for more profit.

I really hope CloudFlare registrar will be a proper stripped down registrar. They offer you domains for the wholesale price, and it's too much to ask for email hosting.


Ok, makes sense. I learned about https://opensrs.com/services/hosted-email/ from another thread.


The POP and IMAP mail services most registrars throw in are services Internet users would be better off without.


Meh.

I am mainly using the Italian company Tophost to register my domains, and domains usually cost 5.99€ + VAT. And they're still making profit from that. So I kinda call bs on this "no added fees".

OTOH, I have to say that Tophost is not the prettiest or the coolest, but so far I had no real issue and the price is low.

However, it's nice to see another player joining the game.

Regarding the $0.99 domain... Didn't it sound alarming that you pay a domain so little?


From Tophost: "solo 1 euro in più per .com". So it's 6.99€ ~= $8.10; seven cents more than Cloudflare.

In any case, the Verisign fee is not hard to confirm; it would be weird for them to lie about it: https://investor.verisign.com/news-releases/news-release-det...


Indeed, only seven cents more: do you really think Tophost and similar (including Cloudflare) are living off those seven cents per domain?


I think they are living off upsells. I mean, CF already has free plans. Why would an at-cost plan be unbelievable?


Do you support .io, .eu and .fr?


> “I love my domain registrar.” Has anyone ever said this?

Yes, pretty much every Hover customer?

(Most people don't even care about this, but) they were late with DNSSEC support though, and I transferred to Google Domains because of that, using a VPN because it wasn't officially available in my country. After a couple years, Google Domains told me to GTFO, went back to Hover and now they did have DNSSEC support :)


Are you planning on exposing a registration and domain search API that can be used to purchase domains and set them up with zones automatically?


Yes, we are planning on releasing those features.


This sounds great but I'm surprised more people aren't recommending AWS as a modern "upsell free" alternative? Their prices are good, can be secured with TFA, solid APIs, etc. That specific part of the management console isn't amazing but it's powerful and if you're using it a lot you should probably automate, right?


I have a number of domains with Namecheap and these comments are worrying me. Thinking about moving over but is there an easy way to port all records? Some of the domains have multiple TXT and MX records associated with them and a bunch of other values that would be a pain to manually rezone.
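The practical worry in that question is not the move itself but silently losing an MX or TXT record (SPF, DKIM, DMARC) on the way. As an added example that is not from the thread or from either provider, here is a small parser for the BIND-style zone files most registrars and DNS hosts can export and import, plus a set difference that reports records missing from, or added by, the new provider. Owner names are normalised to fully qualified lower-case form and TTL/class are deliberately ignored, since those legitimately differ between providers. The two zone texts are constructed sample data; the parser is a simplification (one record per line, no multi-line parentheses, no backslash escapes in TXT data).

```python
import shlex
from typing import NamedTuple, Set, Tuple


class Record(NamedTuple):
    owner: str   # fully qualified, lower-case, trailing dot
    rtype: str   # "A", "MX", "TXT", ...
    rdata: str   # record data with host names qualified


# Record types whose last rdata token is a host name that may be written relative to $ORIGIN.
HOSTNAME_RDATA = {"CNAME", "MX", "NS"}


def qualify(name: str, origin: str) -> str:
    """Turn '@', relative and absolute owner names into one canonical form."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Set[Record]:
    """Parse a simple one-record-per-line zone file into a set of Records."""
    origin = origin.lower().rstrip(".") + "."
    records = set()
    for line in text.splitlines():
        # shlex keeps quoted TXT data as one token and drops ';' comments,
        # but only outside quotes, so "v=DKIM1; k=rsa; ..." survives intact.
        lex = shlex.shlex(line, posix=True)
        lex.whitespace_split = True
        lex.commenters = ";"
        tokens = list(lex)
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower().rstrip(".") + "."
            continue
        if tokens[0].startswith("$"):        # $TTL, $INCLUDE etc. are not records
            continue
        owner = qualify(tokens[0], origin)
        i = 1
        if tokens[i].isdigit():              # optional TTL
            i += 1
        if tokens[i].upper() == "IN":        # optional class
            i += 1
        rtype = tokens[i].upper()
        rdata = tokens[i + 1:]
        if rtype in HOSTNAME_RDATA and rdata:
            rdata[-1] = qualify(rdata[-1], origin)
        records.add(Record(owner, rtype, " ".join(rdata)))
    return records


def diff_zones(old: Set[Record], new: Set[Record]) -> Tuple[Set[Record], Set[Record]]:
    """Return (records missing from new, records only present in new)."""
    return old - new, new - old


# Constructed sample: export from the old host, relative names, with comments.
OLD_ZONE = """
$ORIGIN example.com.
$TTL 1800
@                  IN A     192.0.2.10
www                IN CNAME @
@                  IN MX    10 mx1.mailhost.example.
@                  IN MX    20 mx2.mailhost.example.
@                  IN TXT   "v=spf1 include:_spf.mailhost.example ~all"   ; SPF
default._domainkey IN TXT   "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"
_dmarc             IN TXT   "v=DMARC1; p=reject"
"""

# Constructed sample: export from the new host, absolute names, new TTLs,
# and the DKIM record was never re-created.
NEW_ZONE = """
example.com.        300 IN A     192.0.2.10
www.example.com.    300 IN CNAME example.com.
example.com.        300 IN MX    10 mx1.mailhost.example.
example.com.        300 IN MX    20 mx2.mailhost.example.
example.com.        300 IN TXT   "v=spf1 include:_spf.mailhost.example ~all"
_dmarc.example.com. 300 IN TXT   "v=DMARC1; p=reject"
"""

OLD_RECORDS = parse_zone(OLD_ZONE, "example.com")
NEW_RECORDS = parse_zone(NEW_ZONE, "example.com")

if __name__ == "__main__":
    missing, extra = diff_zones(OLD_RECORDS, NEW_RECORDS)
    for rec in sorted(missing):
        print("MISSING at new provider:", rec)
    for rec in sorted(extra):
        print("EXTRA   at new provider:", rec)
```

The same comparison works against a zone file you export from the new provider after the import, or against records you dump with `dig` and reformat into one-record-per-line form; the point is to run the diff before changing the nameservers at the registrar, while the old zone is still answering.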


Looks like there's a bug with the wait list, once you sign up don't visit the page again or it registers you again in a later wave!

On further investigation it seems to be throwing 502 errors and then saying Wave 8, so maybe it's just a UI bug.


We'll track it down, thanks r1ch!


I don't care much about the price, but if Cloudflare can operate a domain registrar that doesn't suck, it will be enough for me to move. All domain registrars I tried universally sucked, some less than others, but still.


Hmm, this might serve as a great alternative to Google Domains.


How does CloudFlare cover payment processing fees?


As a big company, they pay their processor(s) far less than you or I pay Stripe or Adyen.

For the marketing dynamite of being the only $8.03 "at-cost" registrar, they are going to take a payment processing hit of around ten to fifteen cents per domain. They could shift that cost to the price, but then they would lose those invaluable bragging rights.

The point is not that customers save a few cents, but the absolute transparency of paying exactly the registry cost + the ICANN tax. The simple math of $7.85 + 18 cents implicitly suggests that you are dealing with an utterly fair company: not a penny more, not a penny less. $8.03 will gain the attention of the big companies they want to attract in a way that $8.13, $8.18 or $8.20 never could. In this context, $8.03 is actually a far more powerful price than $8.

There are plenty of other costs associated with running a registrar, not just payment processing fees, but the whole thing is intended as a loss-leader to attract new users and coax their existing, non-paying users into a paying relationship. From there, with a credit card on file, it becomes far easier to sell them higher-margin services.

It will also deepen their relationship with their existing paying users, making it a lot harder for competitors (present or future) to lure them away.

When you consider the cost of customer acquisition through normal marketing channels, positioning themselves as the only "at-cost" registrar is a stroke of genius. Reminiscent of Apple disrupting the phone business, Cloudflare have chosen to disrupt a particularly messy, flaky industry that no customer loves. If they manage to pull this off at the $8.03 price, it will catapult Cloudflare to a whole new level.


This is actually incredible from a standpoint that most people and businesses have a very limited number of domains, making margins of say $2 a year on 5 domains moot.


Yeah, it is not about the $10 that the 5-domain company might save, it is about trust, about Cloudflare positioning itself as a fair dealer that is not out to nickel and dime you.

Of course, once that relationship has been established, Cloudflare is in prime position to eventually make hundreds or thousands of dollars per year from that company.


What are the supported TLDs going to be? I.e. codes, app, ca? WHOIS protection?


We'll support 224 TLDs at launch! Full list here: https://www.cloudflare.com/tld-policies/ And you'll be able to redact your personal information from Whois with us, too.


This is a pretty extensive TLD list, especially considering CloudFlare has to directly deal with the registries rather than being a reseller of some commercial registrar (like enom).


Most of them are from Donuts, who have a huge number of TLDs. In fact, looks like the only non-Donuts domains are com, net, org, and info, so only four registries.

It's not surprising, dealing with all the various registries (especially for ccTLDs) is probably one of the harder things to scale when spinning up a new registrar. Even Amazon Route53 uses resellers for some TLDs.


Couldn't see .IN in the list


Security wise, are you on par with MarkMonitor?


MarkMonitor supports U2F, Cloudflare does not.

U2F allows you to secure your account with hardware tokens, such as Yubikeys.

Cloudflare does support "soft 2FA", which is two-factor authentication using apps, which is good, but could be vulnerable if a remote hacker gets hold of your 2FA secret by, for instance, compromising your password manager.

If you are keeping it only in the app but lose or break your phone, you will have to go through a verification process to regain access to your account. This process is, itself, a huge target for hackers.

For protecting domains that are important to your business - and, indeed, protecting your Cloudflare settings - nothing beats having two hardware tokens associated with your account, each located in a separate, secure location. They are inexpensive, do not need to be recharged, are almost impossible to break, are easily hidden and, if you lose one, you can use the other until your replacement arrives.


Our Custom Domain Protection is even more secure than MarkMonitor, but the overhead of doing that also makes it almost as expensive. Our at-cost standard domain service includes as much security as we can build into it without a large human component being required (2fa, etc.).


I've been trying to find a registrar with more-than-normal security without much luck. I want a registrar that will stand up to a sophisticated social engineering attack using leaked documents and personal information etc. The big names like MarkMonitor start at like $50k, mid-range ones like CSC leave me with an uneasy feeling given they do so many things with a clunky web UI and over email. I don't really even know any other options in this space.

One option that could scale well with the standard service is allowing customers to upload photo ID / business registration etc and locking down the account so that customer support can never touch anything. Should the customer lose their password / 2FA etc, then they would need to physically go to an office location for ID verification (and a $xxx inconvenience fee). I've had some limited success implementing this system with conventional registrars but I would be more comfortable if it were an actual product offering.


Will there be an API for the registrar service?


I've used OPEN SRS with a good experience in the past. https://opensrs.com/integration/api/


Yes.


AWS is a Registrar. You can create an account to use only this and nothing else.
