Whc? - Explain this one. Plus I have never used Atom

  • Topic Starter: mikeyboy
  • Replies: 33
  • Views: 1,608

mikeyboy

Explain this one. Plus I have never used Atom

1743513657476.png

1743513735484.png
 
Picked up in drop through WHC I believe.
Had it parked and should now resolve to an Afternic for sale landing page. Doesn't resolve
Updated 26th? Wasn't me. Strange innit lol
 
I'd contact WHC and see if this is one of those strange domains that can be in multiple accounts at the same time (as expired/cancelled), and the prior owner changed the NS (probably by calling WHC) without realizing he no longer owns it.

I think Frank closed most of the loopholes, but there can still be problems here and there.

I am going to bet that the WHOIS registrar in 2023 (prior to the TBR run) was WHC.
 
Well that's scary AF. Whois says:

Updated Date: 2025-03-26T21:11:47Z
Creation Date: 2023-08-30T19:00:05Z
Registry Expiry Date: 2025-08-30T19:00:05Z

I am going to bet that the WHOIS registrar in 2023 (prior to the TBR run) was WHC.

Good thought, but wrong guess. The domain was with Namecheap.com prior to dropping in 2023, so it does not sound like a previous WHC customer account conflict unless it was from even prior to that. The domain was previously regged from 2014-2023.

So for a nearly 2 year old domain, the fact that someone other than the owner could change nameservers, well that's pretty messed up and sounds like a huge security flaw.

Furthermore, WHC displays the AUTH code rather than only sending it by email to the registrant email. So presumably a person that could change the nameservers could also retrieve the auth code - and boom - your domain is gone.

Displaying the auth code inline is convenient and should in theory be secure assuming the account itself is secure. But this incident is suggesting that their accounts may not be so secure, or their system architecture allows for something like this to happen if it is some misconfiguration issue on their end, or their support people screwed up and it was the result of a social engineering hack, or ??? There must be some explanation. WHC certainly owes you that.

Please report back as to what the explanation is.

Sounds like a good time for me to go round up any stray TBR domains and consolidate them back to my main registrar... Much easier to keep tabs on everything that way.
 
FYI, here is that old WHOIS record as it was going into TBR at the time:

Domain Name: torontohealth.ca
Registry Domain ID: 17283671-CIRA
Registrar WHOIS Server: whois.ca.fury.ca
Registrar URL: Buy a domain name - Register cheap domain names from $0.99 - Namecheap
Updated Date: 2023-08-23T21:28:19Z
Creation Date: 2014-06-12T21:20:19Z
Registry Expiry Date: 2023-06-12T21:20:19Z
Registrar: Go Get Canada Domain Registrar Ltd.
Registrar IANA ID: not applicable
Registrar Abuse Contact Email: abuse@namecheap.com
Registrar Abuse Contact Phone: +1.6613102107
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: pendingDelete https://icann.org/epp#pendingDelete
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: serverRenewProhibited https://icann.org/epp#serverRenewProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY
Registrant Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext: REDACTED FOR PRIVACY
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext: REDACTED FOR PRIVACY
Admin Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name
Registry Tech ID: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Tech Street: REDACTED FOR PRIVACY
Tech City: REDACTED FOR PRIVACY
Tech State/Province: REDACTED FOR PRIVACY
Tech Postal Code: REDACTED FOR PRIVACY
Tech Country: REDACTED FOR PRIVACY
Tech Phone: REDACTED FOR PRIVACY
Tech Phone Ext: REDACTED FOR PRIVACY
Tech Fax: REDACTED FOR PRIVACY
Tech Fax Ext: REDACTED FOR PRIVACY
Tech Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name
Registry Billing ID: REDACTED FOR PRIVACY
Billing Name: REDACTED FOR PRIVACY
Billing Organization: REDACTED FOR PRIVACY
Billing Street: REDACTED FOR PRIVACY
Billing City: REDACTED FOR PRIVACY
Billing State/Province: REDACTED FOR PRIVACY
Billing Postal Code: REDACTED FOR PRIVACY
Billing Country: REDACTED FOR PRIVACY
Billing Phone: REDACTED FOR PRIVACY
Billing Phone Ext: REDACTED FOR PRIVACY
Billing Fax: REDACTED FOR PRIVACY
Billing Fax Ext: REDACTED FOR PRIVACY
Billing Email: Please ask the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Other contacts of the queried domain name
Name Server: dns101.registrar-servers.com
Name Server: dns102.registrar-servers.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>> Last update of WHOIS database: 2023-08-28T08:06:40Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

%
% Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal
% Notice, available at http://www.cira.ca/legal-notice/?lang=en
%
% (c) 2023 Canadian Internet Registration Authority, (http://www.cira.ca/)
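
An added example, not part of any post in this thread: a small audit that parses WHOIS text in the format shown above and flags the conditions discussed here (nameservers that differ from what the owner set, an Updated Date the owner cannot account for, and no transfer lock). The domain, nameservers, status line and baseline values are constructed placeholders; only the dates are the ones quoted in the thread.

```python
from datetime import datetime, timezone

MULTI = {"name server", "domain status"}  # keys that repeat in a WHOIS record
LOCKS = {"clienttransferprohibited", "servertransferprohibited"}

def parse_whois(text):
    """Parse 'Key: Value' lines; repeated keys are collected into lists."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or key.startswith(("%", ">>")):
            continue  # blank lines, registry notices, database timestamp footer
        if key in MULTI:
            # first token only: status lines carry a trailing icann.org URL
            rec.setdefault(key, []).append(value.split()[0].lower())
        else:
            rec.setdefault(key, value)
    return rec

def ts(value):
    """Convert a WHOIS UTC timestamp such as 2025-03-26T21:11:47Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(rec, expected_ns, last_known_change):
    """Compare a WHOIS snapshot with what the owner believes is configured."""
    findings = []
    seen = set(rec.get("name server", []))
    expected = {n.lower() for n in expected_ns}
    if seen != expected:
        findings.append(f"NS_DRIFT unexpected={sorted(seen - expected)}")
    updated = rec.get("updated date")
    if updated and ts(updated) > ts(last_known_change):
        findings.append(f"UNEXPLAINED_UPDATE {updated}")
    if not LOCKS & set(rec.get("domain status", [])):
        findings.append("NO_TRANSFER_LOCK")
    return findings

# Constructed snapshot: dates are the ones quoted in the thread; the domain,
# nameservers and status line are placeholders, not values from the page.
SAMPLE = """\
Domain Name: example.ca
Updated Date: 2025-03-26T21:11:47Z
Creation Date: 2023-08-30T19:00:05Z
Domain Status: ok https://icann.org/epp#ok
Name Server: ns1.unexpected.example
Name Server: ns2.unexpected.example
"""
EXPECTED_NS = ["ns1.parking.example", "ns2.parking.example"]  # hypothetical baseline

if __name__ == "__main__":
    for finding in audit(parse_whois(SAMPLE), EXPECTED_NS, "2023-08-30T19:00:05Z"):
        print(finding)
```

Run on a schedule against saved WHOIS output for each domain, this turns a silent nameserver change into an alert on the day it happens.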
 
Sounds like a good time for me to go round up any stray TBR domains and consolidate them back to my main registrar... Much easier to keep tabs on everything that way.

You can activate 2nd factor per account and additionally per domain at WHC.

So in theory you need a password, get through account second factor, attempt to change nameserver and be asked for authenticator code again.

It does not correlate with the above but the security at WHC is there if you take advantage of it.
 
Forgot to mention, nameservers display on the same line as your domains if you activate the column plus all whois data is shown immediately when you click on a domain.

There really is a lot of security there but like always it depends on the user activating or using it to its fullest potential.
 
Security is only as good as the weakest link. So if the UI security is high, but the system is vulnerable elsewhere such as at the support or even server level, well then it's all for naught.
 
Nameservers do show Atom now since this morning. Doesn't seem to be listed there.

Right on the two tier thing.. never really planned on keeping names at WHC so didn't bother, and now having trouble transferring another name away
 
Yea, just off chat. They opened a ticket to investigate.

Just managed to transfer another name away instantly. Perhaps I screwed up on the first one.
 
If my account was compromised, I'm sure they are very disappointed. lol
anyways.. transfers are working fine
 
I let the domain drop, and had it pointed at Atom.

I had the sneaking suspicion that is what happened. I remember seeing a domain I picked up once and looking at it and the name server was still pointed to where the previous owner had it pointed. No idea how that happened though because I thought WHC points the domains to the auction during that process.

A little bit of a head scratcher.
 
I let the domain drop, and had it pointed at Atom. I also had it registered at WHC I believe.

That can't be. As shown in whois, the domain was dropped in Aug 2023 from Namecheap. The only possibility is if you picked it up in TBR at WHC in Aug 2023, then later sold it to @mikeyboy as a push, where he must have not updated the nameservers after he took control. So that's the big question, who picked it up in TBR in Aug 2023, you? Or Mike?
 
