Never buy .xyz (sh.itjust.works)
submitted 1 month ago* (last edited 1 month ago) by HumanPerson@sh.itjust.works to c/selfhosted@lemmy.world

I just wanted to post this here because I want to help you all and hurt gen.xyz as much as possible. I had a .xyz domain through njal.la which I used to host jellyfin, homeassistant, and other basic things for friends and family. My domain recently became inaccessible without any notice. After a while of troubleshooting, I found that it had been reported to xyz as abuse, and they must have done zero investigation whatsoever before serverholding my domain. I thought about opening a ticket with xyz to get my domain back, but realized that I no longer wish to buy from some shitty company that will take down any site without warning. Bought a .com domain since they are somewhat reputable, and I would advise everyone here to never buy a .xyz domain. Angry rant over.

[-] peskywarrior@lemmy.world 100 points 1 month ago* (last edited 1 month ago)

Just wanted to say in case others see this, you can buy a .xyz domain from reputable places (maybe for a higher cost). I believe the OP is talking about the specific site 'gen.xyz'.

I have an xyz domain with Cloudflare, host many things on it (like Jellyfin), and haven't had any issues yet.

Edit: as many have pointed out, my understanding of registrars was wrong and gen.xyz actually owns all xyz tlds. Sleep in fear if you own one I suppose

[-] viking@infosec.pub 64 points 1 month ago

The thing is that gen.xyz is the registrar itself, i.e. the highest authority for this tld. If they blacklist domains, you're screwed.

[-] SaltySalamander@fedia.io 34 points 1 month ago

gen.xyz controls all .xyz domains, even yours. Doesn't matter where you registered it.

[-] OpticalMoose@discuss.tchncs.de 24 points 1 month ago

Thank you for that explanation. My regex impaired ass thought he wanted to hurt generation[x|y|z].

I'm like "what'd we ever do to you?"

[-] HumanPerson@sh.itjust.works 15 points 1 month ago

No, I'm in that category too lol.

As is everyone born between 1965 and 2015, which is quite a few people.

[-] SnotFlickerman@lemmy.blahaj.zone 16 points 1 month ago

Cloudflare can still go bad, but it's usually for high-capacity users who are using way more than the average. I haven't seen any homeserver users get hit with any trouble, but I've seen a couple small businesses have bad situations with Cloudflare, although it honestly seems like the minority.

Cloudflare has issues but for most it's probably fine.

[-] peskywarrior@lemmy.world 10 points 1 month ago

From what I've seen/heard, if you follow the ToS (usually by not proxy-ing hosts that shouldn't be proxied or are in violation if they are) there's nothing to be afraid of ¯⁠\⁠_⁠(⁠ツ⁠)⁠_⁠/⁠¯

[-] HumanPerson@sh.itjust.works 9 points 1 month ago

I bought from njal.la. They were almost entirely unhelpful but pointed me to the site for the tld. It appeared through their wording that gen.xyz who owns the xyz tld was responsible for taking the domain down. I bought my new domain through porkbun tho.

[-] Syn_Attck@lemmy.today 3 points 1 month ago

Njalla just buys domains from major registrars on your behalf and owns them on your behalf. Godaddy, Tucows, etc. It was the owner of the entire .xyz space (gen.xyz) who shut your domain down. Njalla is just passing along the info. Porkbun will do the same.

[-] HumanPerson@sh.itjust.works 3 points 1 month ago

I know, but they didn't pass much info. They told me it was serverhold and nothing else. They could have at least said it wasn't them that did it.

[-] Syn_Attck@lemmy.today 7 points 1 month ago

Since it's serverhold, you may be able to remove the offending content (for a short time, anything public-facing) and then contact reg.xyz to get it unsuspended. You're right though, that's not very good customer service.

On a related note, it's possible a misconfiguration allowed some of the contents or index to be shown publicly and it got caught in a search engine and was taken down in an automated DMCA sweep. I believe .xyz is an American registrar so have to respond to DMCA but could be wrong on that. I like to stay with any .TLD that archive uses.. md, ph, etc.


[-] Kiwi@lemmy.world 5 points 1 month ago

That’s not how domains work.

[-] danhab99@programming.dev 2 points 1 month ago

How expensive can "reputable" be. I got danhab99.xyz for like ¯⁠\⁠(⁠°⁠_⁠o⁠)⁠/⁠¯ $20/year?? Who cares

[-] surewhynotlem@lemmy.world 3 points 1 month ago

Namecheap is reputable and WAY cheaper than that. Been using them for years.

[-] LifeInMultipleChoice@lemmy.world 6 points 1 month ago* (last edited 1 month ago)

This is all news to me. I thought .xyz was owned by Google after they became Alphabet and had that ABC.XYZ site years ago.

Love when I see stuff like this and get to learn something new

[-] chiisana@lemmy.chiisana.net 42 points 1 month ago

Locks can happen by registrar (i.e.: Njalla, Cloudflare, Namecheap, etc.) or registry (i.e.: gen.xyz, Identity Digital, Verisign, etc.).

Typically, registry locks cannot be resolved through your registrar, and the registrant may need to work with the registry to see about resolving the problem. This could be complicated with Whois privacy as you may not be considered the registrant of the domain.

In all cases, most registries do not take domain suspensions lightly, and generally tend to lock only on legal issues. Check your Whois record’s EPP status codes to get hints as to what may be happening.
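
One way to act on the advice above about EPP status codes, as an added example that is not part of the thread: it pulls the status lines out of a WHOIS response and uses the EPP prefix to tell a registrar lock (`client*`) from a registry lock (`server*`). The WHOIS text is constructed and the function names are illustrative.

```python
import re

# Constructed WHOIS excerpt for illustration (not a real record).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CONSTRUCTED.XYZ
Registrar: Example Registrar (constructed)
Domain Status: serverHold https://icann.org/epp#serverHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.NET
"""

STATUS_RE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*([A-Za-z]+)",
                       re.IGNORECASE | re.MULTILINE)

def parse_statuses(whois_text):
    """Return the EPP status codes in a WHOIS response, in order, without duplicates."""
    codes = []
    for match in STATUS_RE.finditer(whois_text):
        if match.group(1) not in codes:
            codes.append(match.group(1))
    return codes

def set_by(code):
    """EPP prefixes: server* is set by the registry, client* by the registrar."""
    lowered = code.lower()
    if lowered.startswith("server"):
        return "registry"
    if lowered.startswith("client"):
        return "registrar"
    return "other"  # unprefixed codes such as ok, inactive, pendingDelete

def diagnose(whois_text):
    """Summarise who set each lock and whether the domain is still published in DNS."""
    codes = parse_statuses(whois_text)
    lowered = [c.lower() for c in codes]
    if "serverhold" in lowered:
        contact = "registry"   # typically not resolvable through the registrar
    elif "clienthold" in lowered:
        contact = "registrar"
    else:
        contact = None
    return {
        "registry": [c for c in codes if set_by(c) == "registry"],
        "registrar": [c for c in codes if set_by(c) == "registrar"],
        "in_zone": contact is None and "inactive" not in lowered,
        "contact": contact,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_WHOIS))
```

To check a real domain, pass the text returned by a WHOIS lookup to `diagnose` in place of the constructed sample.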

[-] HumanPerson@sh.itjust.works 18 points 1 month ago

I'm on a new domain now anyway. I will be more careful on this one, but I suspect they just didn't look into it. I do really appreciate that you seem to be both knowledgeable and not an asshole. That seems to be a rare combination to find in this thread.

[-] Toes@ani.social 30 points 1 month ago* (last edited 1 month ago)

Sounds like an issue with your registrar more so than the domain authority?

Do you have any information to distinguish that?

Does anyone here know if they are the same entity?

[-] HumanPerson@sh.itjust.works 10 points 1 month ago

I didn't get the domain through gen.xyz, they are the registry (not registrar) for the xyz tld. They are the ones who control every xyz domain which is why I warned against them.

[-] viking@infosec.pub 5 points 1 month ago

They are indeed the registrar. Would have expected more.

[-] HumanPerson@sh.itjust.works 4 points 1 month ago

They may be a registrar, but not the one I used. They were the registry that locked my domain.

[-] blackstrat@lemmy.fwgx.uk 22 points 1 month ago

I received so much spam and abuse of my network from .xyz domains that they are fully blocked in every conceivable way from being accessed or accessing my network.

[-] TWeaK@lemm.ee 22 points 1 month ago

I mean, a jellyfin server is typically full of copyright protected material. I also wouldn't expect them to notify you in advance, however they should still send some notice when they stop providing the service you've paid for.

[-] HumanPerson@sh.itjust.works 10 points 1 month ago

It typically is, and I won't comment on whether mine is, but that isn't enough reason to take it down. I was quite careful about who I gave access to, as well as making sure people had secure passwords. It is highly unlikely that anyone got in and saw any copyright violation before reporting it.

[-] johntash@eviltoast.org 21 points 1 month ago

Eh while it sucks, registrars and web hosts get so many abuse reports that sometimes they just err on the side of caution and don't investigate as thoroughly as you'd like.

Of course it also depends a lot on various things like what type of complaint, how much money you spend with them, account history, complaint source, etc.

They should be able to tell you what they had a problem with and give you a chance to fix it.

[-] earmuff@lemmy.dbzer0.com 19 points 1 month ago

Also, don't use it for any mail servers. SpamAssassin gives a negative score by default on *.xyz domains. Stupid as shit, but I had to learn the hard way.

[-] Flax_vert@feddit.uk 9 points 1 month ago

Xyz domains always look sketchy, sorry.

[-] earmuff@lemmy.dbzer0.com 4 points 1 month ago

Agree. I just got it for fun and because it was cheap. I used it for my disposable e-mail addresses but now switched to .org

[-] Flax_vert@feddit.uk 4 points 1 month ago

I know someone who had a Minecraft server which used a .net domain (most Minecraft servers do use .net, even one I hosted did) and he renamed it once and used an .xyz domain and it suddenly looked like a sketchy Russian porn site

[-] umami_wasbi@lemmy.ml 9 points 1 month ago

Shit. I have my personal domain hosted on .xyz for email. Guess time to migrate. Any TLD suggestions?

[-] hertg@infosec.pub 12 points 1 month ago

Most email providers will automatically put emails coming from .xyz to spam. I'd advise against using any "new TLDs", if you can. But if you must, avoid those that are frequently used for spamming. A lot of spam detectors will already score your emails as suspicious just for the TLD.

See for example, https://github.com/apache/spamassassin/blob/trunk/rulesrc/sandbox/pds/20_ntld.cf

[-] umami_wasbi@lemmy.ml 3 points 1 month ago

No wonder why some reported my mail falls into spam despite I rarely sent any. God. I had it for almost 10 years already, and migrating would be painful.

[-] kilgore_trout@feddit.it 8 points 1 month ago

If you live in Europe, .eu

[-] rickyrigatoni@lemm.ee 16 points 1 month ago

If you live on the Cook Islands you get to use .co.ck!

[-] Lemzlez@lemmy.world 5 points 1 month ago

.eu and your local tld are often quite a bit cheaper too!

[-] tills13@lemmy.world 5 points 1 month ago

Buy your country's local domain and support the local economy.

[-] umami_wasbi@lemmy.ml 1 points 1 month ago* (last edited 1 month ago)

Any UK registrar recommended?

load more comments (2 replies)

You can buy .xyz domains from places other than gen.xyz. I have mine from namecheap and I haven't had any issues in like 10 years with them.

[-] HumanPerson@sh.itjust.works 8 points 1 month ago

I had mine through njal.la. It was the registry itself that locked it though. I switched registrar too after njalla took a long time to respond to my question with a vague, unhelpful, and short response.

[-] dinckelman@lemmy.world 2 points 1 month ago

I have mine through namecheap too, although the name server is from cloudflare now. The only issue I've had was some shitty forums preventing registrations from anything that wasn't @gmail.com

[-] slazer2au@lemmy.world 9 points 1 month ago

Yeah the cheaper the domain the more likely it is for abuse to occur and your own domain to be lumped into that category.

[-] HumanPerson@sh.itjust.works 8 points 1 month ago

It cost the same as my new .com one. It was the registry (not registrar) that took it down.

[-] contrefeu@akko.contref.eu 2 points 1 month ago

@HumanPerson @selfhosted Thanks for the heads up, several times I was this close to buy one. Glad I didn't.

[-] ipkpjersi@lemmy.ml 1 points 1 month ago

Yeah I use .com for my seedbox.

this post was submitted on 14 Jun 2024
143 points (78.7% liked)

