
Tell HN: Domain interests exposed on namecheap and godaddy? - drdd
Two weeks ago I searched for a couple of domains I had in mind at namecheap.com for a project I wanted to work on.
One domain that I liked was areact.com, but I was not sure if I had the right name for my project, so I did not buy it.
I searched today for that same domain out of curiosity and I discovered it is owned by godaddy and registered from 15 November of 2019.
I only saved this domain name in my iCloud notes along with a collection list of potential domains and it is impossible to claim that my history was recorded anywhere, since I am a cyber security researcher and I take measures for my privacy and personal data online.

This story proves that our data is not safe, even from namecheap, godaddy, DNS spoof or Internet Service Providers!

So what I have in mind is that always when searching for a free domain I must look with a "dig" command to an encrypted DNS server that claims that it has no LOGS, like using dnscrypt client from dnscrypt.org or using a unix system to redirect all 53 UDP port connections to a local server with dnscrypt, or finally using also a VPN to avoid spoof on public networks and ISPs. And of course avoiding programs unreliable for privacy protection on our computers.

I would like to know what you think of this?
======
NamecheapCEO
From our side, we do not, nor have we ever monitored and registered our
customers' domain searches. The easiest way to test this is to try and
replicate it. I've seen similar complaints pop up from time to time and I've
even offered a US 50k reward to anyone that would like to try to prove that we
are involved in this in any way. Our customers are our business and we are not
here to try to take advantage of them or their ideas. That being said, our
domain search is absolutely safe.

~~~
a3n
Do you query verisign? Maybe godaddy subscribes to a "service" from verisign?

------
jolmg
> So what I have in mind is that always when searching for a free domain I
> must look with a "dig" command

The domain can be registered and still not have its DNS set up, so a command
like "dig" gives no guarantee that it's available. The better way is to use
the whois command to check if it's registered.

> to an encrypted DNS server

Unless you believe that your ISP is giving out this info to godaddy, there's
really no point in the encryption.

What I do is check a domain with the whois command, and if it's not
registered, then I'll check for the general prices of that TLD by checking
with different registrars for the price of a domain like
randomcrapdfjalijdflijasdlfijasldjf.com if .com is the tld I was going for.

Anyway, the moment you put the actual domain you want to buy into a
registrar's text input, you must consider that there's a very real risk that
in a few minutes the price may rise, so you better have already determined
what price is acceptable for you before you input that.
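
Added example, not part of the comment above or of the original thread: a shell function that classifies saved whois output, including the registered-but-no-DNS case that a dig-only check would report as empty. The sample responses and placeholder names are constructed, and the matched strings assume the .com registry's whois response format.

```shell
#!/bin/sh
# Added example: classify a .com name from `whois` text so that a registered
# name with no DNS delegation is not mistaken for a free one.

# classify_whois: reads whois output on stdin and prints one of
#   available | registered-no-dns | registered | unknown
classify_whois() {
    text=$(cat)
    # The .com registry answers unregistered names with 'No match for ...'.
    if printf '%s\n' "$text" | grep -qi '^ *No match for'; then
        echo available
    elif printf '%s\n' "$text" | grep -qi '^ *Registrar:'; then
        # Registered. With no Name Server lines the name is not delegated,
        # which is exactly when a dig lookup finds nothing.
        if printf '%s\n' "$text" | grep -qi '^ *Name Server:'; then
            echo registered
        else
            echo registered-no-dns
        fi
    else
        # Errors, rate-limit notices or an unfamiliar format: never treat
        # an unparsed answer as "available".
        echo unknown
    fi
}

# Constructed sample responses (placeholder names, not real lookups).
SAMPLE_FREE='No match for domain "PLACEHOLDER-FREE.COM".'
SAMPLE_HELD='   Domain Name: PLACEHOLDER-HELD.COM
   Registrar: Example Registrar, Inc.
   Creation Date: 2001-01-01T00:00:00Z'
SAMPLE_LIVE='   Domain Name: PLACEHOLDER-LIVE.COM
   Registrar: Example Registrar, Inc.
   Name Server: NS1.PLACEHOLDER-LIVE.COM'
SAMPLE_ERROR='Query rate exceeded (constructed error text)'

for sample in "$SAMPLE_FREE" "$SAMPLE_HELD" "$SAMPLE_LIVE" "$SAMPLE_ERROR"; do
    printf '%s\n' "$sample" | classify_whois
done

# Live use, querying the registry's whois server instead of a registrar's
# search box (placeholder.com stands for the name being checked):
#   whois -h whois.verisign-grs.com placeholder.com | classify_whois
```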

------
octosphere
This is why I don't give registrars (or other actors) enough time to register
a domain behind my back, so when I want a name, I do no prior research in
advance of buying the domain, and buy it 'on the spot'. The same idea can be
applied to something like Amazon where shoppers often research the items they
want to buy, only to realize a week later the prices have all been hiked when
they go to buy.

------
buboard
A 6 letter .com domain ... how long had it been free? You should have got it
right away

