Tell HN: Domain interests exposed on namecheap and godaddy?

3 pointsdrdd6y ago5 comments

Two weeks ago i searched for a couple of domains i had in mind at namecheap.com for a project i wanted to work on. One domain that i liked was areact.com but i was not sure if i had the right name for my project so i did not bought it. I searched today for that same domain out of curiosity and i discovered it is owned by godaddy and registered from 15 november of 2019. I only saved this domain name in my icloud notes along with a collection list of potential domains and it is impossible to claim that my history was recorded anywhere since i am a cyber security researcher and i take measures for my privacy and personal data online.

This story proves that our data is not safe, even from namecheap, godaddy, DNS spoof or Internet Service Providors!

So what i have in mind is that always when searching for a free domain i must look with a "dig" command to a encrypted dns server that claims that it has no LOGS like using dnscrypt client from dnscrypt.org or using a unix system to redirect all 53 udp port connectons to a local server with dnscrypt, or finally using also a vpn to avoid spoof on public networks and ISPs. And of course avoiding programs unreliable for privacy protection on our computers.

I would like to know what you think of this?

5 comments

NamecheapCEO6y ago

From our side, we do not, nor have we ever monitored and registered our customer's domain searches. The easiest way to test this is to try and replicate it. I've seen similar complaints pop up from time to time and I've even offered a US 50k reward to anyone that would like to try to prove that we are involved in this in any way. Our customers are our business and we are not here to try to take advantage of them or their ideas. That being said, our domain search is absolutely safe.

a3n6y ago

Do you query verisign? Maybe godaddy subscribes to a "service" from verisign?

jolmg6y ago

> So what i have in mind is that always when searching for a free domain i must look with a "dig" command

The domain can be registered and still not have its DNS setup, so a command like "dig" gives no guarantee that it's available. The better way is to use the whois command to check if it's registered.

> to a encrypted dns server

Unless you believe that your ISP is giving out this info to godaddy, there's really no point in the encryption.

What I do is check a domain with the whois command, and if it's not registered, then I'll check for the general prices of that TLD by checking with different registrars for the price of a domain like randomcrapdfjalijdflijasdlfijasldjf.com if .com is the tld I was going for.

Anyway, the moment you put the actual domain you want to buy into a registrar's text input, you must consider that there's a very real risk that in a few minutes the price may rise, so you better have already determined what price is acceptable for you before you input that.

octosphere6y ago

This is why I don't give registrars (or other actors) enough time to register a domain behind my back, so when I want a name, I do no prior research in advance of buying the domain, and buy it 'on the spot'. The same idea can be applied to something like Amazon where shoppers often research the items they want to buy, only to realize a week later the prices have all been hiked when they go to buy.

buboard6y ago

a 6 letter .com domain ... how long had it been free? you should have got it right away

j / k navigate · click thread line to collapse