Today I’m proud to introduce the public alpha of GitBook Lens — a new semantic search tool powered by AI.
Lens indexes the content of documentation hosted on the platform, and provides an interface to ask questions. It’ll scan your documentation and give you a simple, semantic answer using OpenAI — with clickable references if you want to dive deeper.
While Lens is in open alpha, anyone can activate it at no extra cost.
We also provide an API to integrate GitBook Lens in your website / application.
We are working on multiple aspects of the products that should cover a lot of this (improved i18n, SEO, faster rendering)!
Would love to get your feedback on what you would like to see improved exactly on our SEO friendliness and i18n support. We have an open GitHub community for feedback; https://github.com/GitbookIO/community/discussions
And for anyone, if you are interested in building "a SaaS to host product guides", we are hiring engineers/designers/builders: https://jobs.gitbook.com/ :)
We use Cloudflare to serve HTTPS traffic for all custom hostnames configured by our users.
When a user configures a custom hostname, they point their DNS via CNAME to one of our domains (which, at the end of the chain points to Cloudflare). We then request Cloudflare (using their Cloudflare for SaaS product) to generate an SSL certificate for this hostname and serve the traffic properly.
When users move away from GitBook, they often don't remove their content from GitBook and only change the DNS on their side. We don't request to remove the hostname from Cloudflare for SaaS until the content is deleted from GitBook, as the goal is to avoid breaking links for URLs that are still pointing to GitBook.
We'd expect Cloudflare to always use the DNS setup of the domain as the primary factor for deciding where to route the traffic.
We don't know the rationale behind why Cloudflare routing continues internally routing the traffic to GitBook when the domain is no longer pointing to the GitBook hostname. But it is not us doing that intentionally.
Our support can help unblock this situation by manually removing this domain from our Cloudflare for SaaS. You can reach out at support@gitbook.com.
Thanks for the reply! I figured from this thread that it wasn't anything malicious from Gitbook's side and more of a Cloudflare bug, so it's good to hear your explanation!
Edit: Oh also, I did remove the domain from Gitbook so you should really remove it at that point no?
We only remove the domain from Cloudflare when the content is deleted. The main reason is to avoid broken links when users update their domain on GitBook.
Ex:
1. You configure docs.mycompany.com with your GitBook space
2. You share links to docs.mycompany.com on social media
3. You update the domain to docs.anothercompany.com
4. It's better if the docs.mycompany.com links can continue working until you remove the DNS entry
In summary, we want the users to decide through their DNS config when GitBook should serve the content or not to avoid breaking links without an intentional action from the user.
Unfortunately, because of how Cloudflare doesn't use the DNS configuration to decide where to route the traffic, it causes issues atm. We'll look at what we can do on our side to mitigate this.
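Added example (not part of the thread, and not GitBook's or Cloudflare's code): a provider-side audit that treats the customer's DNS as the deciding factor, as the comments above describe, by following each custom hostname's CNAME chain and flagging hostnames that no longer reach the provider. The provider target name, the hostnames other than docs.mycompany.com, and the record data are constructed assumptions.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed DNS data: name -> CNAME target; None marks a name with address records.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "docs.mycompany.com": "hosting.saas-provider.example",
    "hosting.saas-provider.example": "edge.cdn-vendor.example",
    "edge.cdn-vendor.example": None,
    "docs.moved-away.example": "www.new-host.example",
    "www.new-host.example": None,
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}

# Hypothetical CNAME target that customers are told to point their hostname at.
PROVIDER_TARGETS: Set[str] = {"hosting.saas-provider.example"}


def _norm(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def cname_chain(name: str, records: Dict[str, Optional[str]],
                max_depth: int = 8) -> Tuple[List[str], str]:
    """Follow CNAMEs from `name`; return (chain, status)."""
    chain = [_norm(name)]
    while True:
        current = chain[-1]
        if current not in records:
            return chain, "nxdomain"      # missing name or dangling CNAME
        target = records[current]
        if target is None:
            return chain, "resolved"      # reached a name with address records
        target = _norm(target)
        if target in chain:
            return chain, "loop"          # CNAME loop, never resolves
        if len(chain) >= max_depth:
            return chain, "too_deep"
        chain.append(target)


def classify(hostname: str, records: Dict[str, Optional[str]] = SAMPLE_RECORDS) -> str:
    """'active' if DNS still reaches the provider, 'stale' if it points elsewhere."""
    chain, status = cname_chain(hostname, records)
    if status != "resolved":
        return "unresolvable"
    if any(hop in PROVIDER_TARGETS for hop in chain[1:]):
        return "active"
    return "stale"


def audit(hostnames: Iterable[str],
          records: Dict[str, Optional[str]] = SAMPLE_RECORDS) -> Dict[str, str]:
    """Map every configured custom hostname to its verdict."""
    return {h: classify(h, records) for h in hostnames}


if __name__ == "__main__":
    configured = ["docs.mycompany.com", "docs.moved-away.example", "loop-a.example", "gone.example"]
    for host, verdict in audit(configured).items():
        print(f"{host}: {verdict}")
```

Against live DNS the `records` mapping would be replaced by real lookups; hostnames reported as `stale` or `unresolvable` are the ones whose edge configuration no longer matches what the owner's DNS says.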
We don't host user content under gitbook.com, or at least we stopped doing it a few years ago.
User content is stored under *.gitbook.io, similar to GitHub.
Google blocked all domains that contained "gitbook" in our account, even ones that are used for some infrastructure and are not accessible by the public. We don't know the exact reason for this, maybe they've blocked gitbook.com because we still have some redirect for content that was hosted under it years ago.
And yes we are going to make changes to host our status page under another domain.
That’s really important to add to the story! I think that makes the rest of the story more troubling. Especially knowing that domains unrelated to the apparent user phishing code were affected.
You might think of adding it to the post-mortem doc so that others don’t assume what I did.
I'm curious how you feel about CloudFlare as a registrar not allowing GitBook to use an external root nameserver.
Being forcibly stuck on CloudFlare's own nameservers only sounds very nefarious, and isn't a limitation I've ever heard of with any other registrar. For instance, it would break my tooling that uses my host's APIs to control DNS records through their nameserver.
I'd be very appreciative if eastdakota or jgrahamc could elaborate on what possible reasoning there is for this restriction as well.
Cloudflare sells the domain at cost. I think the idea is that it's an extra service meant for their customers, not a service for the general public. As they are a DNS provider, their customers will use Cloudflare nameservers. If they didn't, they would no longer be customers.
That does make sense. If I were using Cloudflare I suppose it would be a no-brainer, and if I were Cloudflare and didn't want people not routing their traffic through me on my registrar, that would be an excellent way to discourage it. If they're forced to offer to everyone as part of being a registrar, then the combination of all of the above is my answer. Thanks!
Exactly, huge red flag. Google Domains is risky because they can ban your entire Google account including personal Gmail and any linked business ones. Can be pretty bad I'd say.
I'd like to interrupt all the sanctimonious blathering in this thread to note that Cloudflare domain registration terms and conditions are almost a verbatim copy of Google's, and include the same unilateral cancellation clause for phishing.
Cloudflare: "Cloudflare and Registry Operator may deny, cancel, suspend, transfer, redirect or modify the Registrar Services or a Registration, or place any domain name(s) on lock, hold or similar status, as either deems necessary, in the unlimited and sole discretion of either Cloudflare ... for distributing malware, abusively operating botnets, phishing, piracy, trademark or copyright infringement, fraudulent or deceptive practices, counterfeiting or otherwise engaging in activity contrary to applicable law."
Google: "We may in our sole discretion, deny, suspend or cancel any registration or transaction, or place any domain name(s) on registry lock, hold or similar status if ... engaging in spam, phishing, or other deceptive practices."
I think the primary issue with Google Domains here is not that they have these kinds of terms, but that they enforced them in a particularly incompetent way. The original report of the phishing site was over a week old and had already been resolved when Google shut down the domain. Hopefully the people at Cloudflare are a bit better at their jobs.
Oh, I don't know that we have enough unbiased information to conclude what you concluded. One of the first comments posted in this thread today was "Is it related to the countless phishing pages hosted on your service?" from which we can deduce that the phishing problem on Gitbook is well-known to random members of the public.
The topic at hand is where to move a domain out to, and whether said company is one that can be relied upon to act ethically and responsibly. I don't see the difference.
I thought Cloudflare was more about saying "we were wrong to try to be the world's speech police, and will never again bow to public pressure and take away DDOS from literal Nazis" and then taking down 8chan and other literal Nazis anyway because of public pressure.
Think you should investigate other options such as the known brand protection/domain asset management companies (MarkMonitor, CSC, easyDNS or their European equivalents)
EDIT: I see you're moving to Cloudflare, but I wish you the best of luck
How did you arrive at choosing Cloudflare? It's clear Google Domains has broken processes not conducive to running a business centered on user content. How do you know Cloudflare does not suffer from similar broken processes?
I doubt CloudFlare Registrar would be better in terms of customer support—unless said customer has an Enterprise plan—as their prices are just the registry + ICANN fee, no surcharge for them to make money.
Doesn't seem conducive to great customer support, but maybe I'm wrong cause I've never had to contact them.
As a former domain registrar, I would get the authcode, unlock the domains, and transfer them away as soon as possible. It's been a while since I read the RAA (https://www.icann.org/resources/pages/approved-with-specs-20...), but it's rather extraordinary to put a domain on clientHold, which is what I assume they did to you, outside of non-payment or some kind of legal dispute.
I'd be interested to know what this heavy handed policy was, assuming Google Domains gave you that information. I hope it wasn't something egregious or frivolous as I've seen with other parts of their organisation.
I don't understand why you got downvoted. Google's customer support is notoriously non-existent (perhaps except for stuff that brings in money like AdWords). They admit themselves that it's a business decision: https://www.seroundtable.com/google-support-staff-limits-139...
Because it's about as helpful as saying "you shouldn't have moved to Los Santos if you value safety" to someone who's bleeding on the street having just been mugged.
The same message could also be worded more like "once you get past this, I'm sure you're already considering moving registrars. But please let us know if the support you're receiving from them is as bad as (my experience / reputation / etc.)".
Or better yet, "here is a reputable site reviewing registrars for reliability and customer service" (I don't know if there is such a site, there really should, but it's unclear how it would make money).
According to whois, google.com, amazon.com, github.com, microsoft.com, netflix.com, reddit.com, baidu.com, youtube.com, twitch.tv and wikipedia.org all use MarkMonitor [1]
apple.com, twitter.com and ocado.com use CSC Corporate Domains [2]
I have no idea what such services charge, but they're all "call for pricing" and none of those companies would blink at spending $10k/year on their domains.
Not every well known brand uses such a service, though. bbc.com uses tucows, stackoverflow.com uses name.com and ycombinator.com uses gandi. facebook.com uses RegistrarSafe, a subsidiary of themselves, and almost every domain registrar is registered with themselves.
At my last job, we called MarkMonitor after NetworkSolutions' lack of admin security got our domain hijacked. I don't remember the prices exactly, and I'm sure they've changed, but from what I recall, the per domain year prices were about 10x normal prices, like $100/year for .com, but they also had a minimum annual spend of I think $10k/year; to get the 'super lock' domain service was about $1000/year available on a small selection of TLDs. They were also pretty dismissive on the first call until they looked us up and you could hear the dollar signs spinning in their eyes. They were very easy to work with and professional after that though. This was while they were owned by Thomson Reuters, they've since been sold to private equity.
Google.com was registered long before Google Domains was created. Lots of other more modern Google domains---even .google ones---are registered with MarkMonitor as well. Google Domains doesn't compete with MarkMonitor for large businesses with extremely valuable domains.
That to me is a downside since that means that that is not a core part of their business. Financially, it makes no difference to them if I use their service or not.
I would rather pay a little extra to a company that has domain registration as a core part of their business and actually makes a profit from me.
And domain names are cheap. Even if you pay twice as much as the cheapest service, it still will not make any difference in your bottom line.
The counter is it's also risky to use a company that only does Domain Registration since it's a very low margin business and thus the risk for them shuttering is higher -- or they'll try to make it up with various erroneous fees
I know the concern of putting all your eggs in one basket is real, but since CF's business is literally to take over your domain DNS and slap on some add-on services, adding domain registration in-house seems like a good fit.
> The counter is it's also risky to use a company that only does Domain Registration since it's a very low margin business and thus the risk for them shuttering is higher
You can avoid this issue by going with a registrar that focuses on bulk domain sales (eg. internet.bs in my case, but there are more, like eNom I think?), as they have a high-enough volume that they can easily stay afloat even when charging reasonable prices and without aggressive upsells.
It's mostly the consumer-focused "$1 for the first year" registrars like GoDaddy that you want to stay away from. Those are the really problematic ones.
> but since CF's business is literally to take over your domain DNS and slap on some add-on services, adding domain registration in-house seems like a good fit.
Sure, if you want to send all the traffic of all of your users through a man-in-the-middle US-based company with a very dubious past and a questionable business model revolving around basically centralizing the internet.
It's not a great recommendation to make. It also raises the question of why they seem intent on killing off the registrar market by offering "at cost" (which honestly isn't much lower than what aforementioned internet.bs charges anyway).
How about mixing the two? Buy your domain at the cheapest registrar you can find. Pay for 9 years. Then as soon as you can transfer to some registrar you have more long term confidence in. You might have to purchase another year there to do this.
Net result: You get the domain at your preferred registrar, but you get 90% of the savings you would have got if you had it at the cheap registrar.
Ah yes that's true, I always seem to group .io in with the new crowd of TLDs in the sense that it became trendy "recently"; and I only mentioned .io domains since GitBook uses one, "gitbook.io".
.io isn't just "Indian Ocean", it is British Indian Ocean Territory. The location of the Diego Garcia military base (jointly operated by US and UK). The British expelled its indigenous population (the Chagossians) to make way for the US military. The territory is claimed by Mauritius, and the International Court of Justice in 2019 ruled (in a non-binding opinion) that the UK's separation of the territory from Mauritius was unlawful.
Some random British company convinced IANA to let it run the .io domain for their own profit. Their operation of it has nothing to do with the interests of its exiled inhabitants (the Chagossians), the British territorial and military authorities, or the US military presence which constitutes the territory's raison d'etre.
I think it likely that, one of these days, something is going to happen to the .IO ccTLD operators. Their rights to it are very dubious, and someone else (the British government, the government of Mauritius, the Chagossians) could end up wresting it from them.
What makes me uneasy about Cloudflare's registrar service is they force the use of Cloudflare's nameservers unless you have an "Enterprise" plan (paying a monthly fee for what amounts for some registry EPP calls?!) and given how they sell at cost I can't imagine the customer support in case of similar issues to this being good.
> Namecheap dumping personal info without informing their customer
Something similar happened to me – Namecheap dumped the wrong (private) information into WHOIS immediately after a redesign of their systems. It definitely was not user error.
Dealing with Namecheap's customer support to try to resolve this was possibly the worst customer support experience I've had in 20+ years in the tech industry. Lots of lies about getting back to me the next day, passing the buck, blaming everybody but themselves, extended periods of flat-out ignoring me, and eventually a complete inability to fix it.
I've been a happy user of Hover ever since, but I'm unable to recommend them – ironically because nothing has ever gone wrong with them. I used to recommend Namecheap until that nightmare happened, then I found out just how shockingly useless they are when it comes to customer support and privacy. Ever since, I only recommend services where something has gone wrong so that I know they are capable of resolving problems well. I regret ever recommending Namecheap and don't want to make the same mistake again.
I have used hover for years and quite like them. The customer support was awesome when I had an issue with getting a .com.au domain setup for a business. Australia has some extra requirements for domains that I wasn't familiar with. I also like to have my domains separate from everything else so if I move hosts/email providers it's easy.
They have their own accreditation for .COM/.NET/.ORG/.INFO/.CA (and maybe a few others), else they fall back to Tucows OpenSRS system, which is decent except in the case of needing advanced features like DNSSEC (for certain TLDs) where they seemingly have a "Half Life 3" type schedule of deploying new features.
Cloudflare Registrar had some issues at one point but they had more to do with a broken system that assumed the domain was purchased elsewhere than anything else, if I remember correctly. Their support apparently handled that case very well.
I haven't used them personally, but I've read a ton of rave reviews about gandi.net. Namecheap also talks a good talk, and Cloudflare has a good reputation.
GoDaddy answers their phones with real people, but they are completely powerless to actually help you. You can escalate all the way to the office of the CEO (who doesn't answer their phones) and they won't lift a finger to help you. I had been a customer for over ten years with several domains, and they still wouldn't help me with a three-figure billing error. What kind of business fights a decade-long customer over an interest rounding error for them?
Because 99% of people don't realise that their domain registrar holds the keys to their business's entire internet presence.
They can switch off your website/email at any time, with no real consequences apart from a little bit of bad PR if you have enough social media followers or post in the right forums where their staff hang out.
They can also do a shitty job of securing your domain, and let it get stolen/hijacked. The attacker then gets to set up their own MX records and collect all the password reset emails they triggered on every other important site, and pretty much own anything you don't have 2FA set up on.
Anyone who doesn't think customer support from their business domain registrar is a thing worth paying for, most likely hasn't evaluated the risks properly.
That may be true for a given service, but I'd wager closer to 99% of people have used customer support for something in the past. It'd be foolish to disregard it when you know you've needed it before, even if not for that same service category.
So the person who posted this as a "Show HN" isn't a contributor? That's not just bad form, that's a violation of the Show HN guidelines. It looks like the submitter has a history of doing this.
You have a good understanding of what we are doing :)
With snippets:
* You can save a Slack thread as a new document in GitBook; the document will be generated by an LLM (it's not a plain dump of the messages).
* You can record your work on VS Code (+ audio), and we'll translate it as a document (snippet)
With Insights:
* We analyze content (we have customers with more than 10000 pages in their docs) and identify contradictions or duplicates
* We don't auto-fix them yet, but it's planned ;)
With AI Search:
* We leverage LLM and a vector database to provide complete answers with sources to natural language questions