
Whoops, so long with the "no bullshit" policy.

I stopped using them a while ago but for a different reason. I used to use their website to check availability/whois for domains that I was interested in buying. If it was available I didn't buy it at the time, but waited until I finished the website/app or whatever I was going to put there; this took me a few months, obviously. It happened to me that when I was finally ready the domain had already been sold to someone else. This repeated five times during six or so years. Now, I know, "someone else could have thought the same thing" but I find it very hard to believe that it happens so often. These domains were a bit of niche words that were not hot topics at the time, some of them using fairly uncommon TLDs (like .one). Another weird thing is that they were always registered to someone living or doing business in India, and it was a fairly simple landing page with a "contact me" link. I'm a bit superstitious so I don't think it was a coincidence.

Now, I don't think this is a GANDI problem per se, but my theory is that they share this information (who is looking for which domains) with marketers or something like that, or maybe it was a rogue employee trying to make some money squatting domains. I would have expected this from BigDaddy or similar sharks, but from a company whose motto is "no bullshit" I had much better hope. Anyway, I decided to move (to namecheap if you're wondering) and surprisingly the problem went away.




Domain registrars giving away domains to squatters when people search for them is a time honored practice. The advice I've seen is to not search for the domain first, just register it outright from the start. The domain registration business is run with all of the integrity and customer focus of TicketMaster.


Really? I may have just found myself a new hobby. Search for incredibly unique (and worthless to me) domains to see if I can get people to squat on them. Heck, it could be a game ... I could get all my friends to make bingo boards ... or maybe see if I can think of some scrabble like rules.


The squatters do a thing called "Domain tasting".

They buy domain X and then they put generic advertising, maybe keyword based, on a cheap bulk hosted site. They measure for a few days - is this bringing in lots of revenue? If not, they cancel the purchase, using a "grace period" available to users of the registry in case of mistakes - the purchase is unwound and they are refunded the fees. Domain X is now available again.

In principle this is forbidden for major TLDs but it's still possible and unscrupulous vendors help them do it, albeit it may now attract a fee if you do it enough that the TLD registry detects you tasting.

https://en.wikipedia.org/wiki/Domain_tasting explains about this and related practices.


There are slight transaction costs of $0.18 - $0.20 that are not refundable. Minuscule, but it prevents some domain tasting at scale.


I suspect a human gets a dump of them and decides which to pay the $10 for.

For example, asdasdahbdajsdbajdbhsbdahsdd.com... not worth the $10

ireallylikechicken.com... maybe worth the $10?

(ireallylikechicken.com is available, go squat it and get rich)


Someone did buy it!

> Creation Date: 2020-01-09T19:37:01Z

Registered with Gandi, ironically enough...

And the domain is meta! Response from HTTP GET

> Location: https://news.ycombinator.com/item?id=22001822


er.... was it you?


It was not


Hilarious


ireallylikechicken.com owner.

I'll give you 20 for it?


I’ll give $1 for a 0.01% share.


I'll buy an option to take a 0.01% share in 12 months for $0.50


Only a 100% markup? I am sure it will be worth more than that in the future ;)


That’s what they said about Bitcoin last year


>That’s what they said about Bitcoin last year

Bitcoin price in USD on January 8 2019: $4004.12

Bitcoin price in USD on January 8 2020: $8045.51


But Bitcoin has increased by 100% over the past year.


I am sure, in the past, one of the domain registrars took the liberty of actually registering your searched domain, deliberately, so that you had to go through them to get the domain later on? - I can't remember who it was, but it was an automated process.

I know it was very shortly stopped once people complained, but it goes to show that it has been done before.

Getting rich off domains - sounds like a solid business plan!


I've got no evidence except anecdotes, but I've heard claims that GoDaddy used to do this a lot. For this reason I've only searched a domain I was going to immediately buy, otherwise I'll do a whois lookup to see if it's registered.


Just looked about and found these:

"Does GoDaddy register domains you search?" (2011) https://news.ycombinator.com/item?id=2326790

Within this, was the comment that reminded me which company it was I was talking about (https://news.ycombinator.com/item?id=2327152) - Network Solutions used to do this - and there is a Wiki link in there which gives the process a name! TIL! :)

https://en.wikipedia.org/wiki/Domain_name_front_running


I remember something about registrars doing this so the domain you wanted wouldn't get snatched by someone else while you were in the process of buying it. Made more sense back in the time when far more basic names were available and such collisions were probably common for high-value domain names. Now it's two people finding the same needle in a haystack.


I knew a guy named pachell that did this from 1997-2001 until registrars changed the rule. pachell wherever you are, I miss you


hahahaha, the webpage redirects to this discussion!! WELL PLAYED!!! (sorry for the caps.. but wow!)


YW ;)


>The advice I've seen is to not search for the domain first, just register it outright from the start. The domain registration business is run with all of the integrity and customer focus of TicketMaster.

What if you don't want to cough up $10-$20 on a whim? Would doing a whois (using the NIC's whois site) suffice?


Doing an OOB whois search is almost certainly fine. It's when you search on godaddy.com or whatnot that you get burned.


What is an "OOB whois search"?


Out of Band. Registrars cannot intercept whois searches?


I've had this same scenario happen before, and since then I just issue a `whois` from the command line to bypass any potential frontend interception. Not sure if that is 100% foolproof either though.


I have used whois cli since the early 2000s because I did not trust the registrars as domains I just searched ended up being registered. Never had that issue again since then.


Isn't the WHOIS query sent unencrypted? Can't it be intercepted in that case?


I use the whois command line tool when searching and have yet to get squatted. My experience is only about 500 domains over 20 years.


I use `host -t NS cooldomain.example` as a pre-filter. If a domain has NS records, it's definitely registered, although there are some registered domains without NS records (makes them pretty much nonfunctional, but if that's what the registrant wants, it's their business)
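
The NS pre-filter described in the comment above, as an added example that is not part of the original thread. It assumes the BIND `host` utility; the function names and sample outputs are constructed for illustration. Only names classified `needs-whois` warrant a follow-up whois query, since a missing delegation does not prove the name is unregistered.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the text printed by
# `host -t NS <domain>`. Result is one of:
#   registered   - NS records returned, so a delegation exists
#   needs-whois  - NXDOMAIN or no NS record; the name may still be registered
#   retry        - resolver failure (SERVFAIL, timeout); nothing can be concluded
classify_ns_output() {
    case "$1" in
        *" name server "*)     echo registered ;;
        *"(NXDOMAIN)"*)        echo needs-whois ;;
        *"has no NS record"*)  echo needs-whois ;;
        *)                     echo retry ;;
    esac
}

# Run the pre-filter over candidate names, one per line on stdin.
# Prints "<domain><TAB><classification>" for each name.
prefilter() {
    while IFS= read -r domain; do
        [ -n "$domain" ] || continue
        out=$(host -t NS "$domain" 2>&1)
        printf '%s\t%s\n' "$domain" "$(classify_ns_output "$out")"
    done
}

# Constructed sample outputs in the format `host` prints.
SAMPLE_REGISTERED='example.com name server a.iana-servers.net.
example.com name server b.iana-servers.net.'
SAMPLE_NXDOMAIN='Host cooldomain.example not found: 3(NXDOMAIN)'
SAMPLE_SERVFAIL='Host cooldomain.example not found: 2(SERVFAIL)'
```

Usage: `prefilter < candidates.txt`, where `candidates.txt` is a hypothetical file of names to check.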


This is a neat trick, thanks. Adding to my toolbox


If I understand the domain name infrastructure correctly, that would imply that it's the registrar who is collaborating with the squatters. A command-line whois query would still have to query the servers of the registry for a particular domain (others on this thread speculate that it may be the domain registry that shares data with the squatters).


Curious about this as well. When you query the servers of the registry [gandi, namecheap, godaddy] for a particular domain example.com, doesn't it update one of the datetime fields for last queried?

Then again, the squatter would have to know what to search. Isn't it against rules for domain registrars to publish their recent query history [private or public]?

Any more light on this subject would be greatly appreciated!


On Namecheap they have a "save for later" button per domain in your cart, so you can just pile them up for later.

Never had even 1 of my "saved for later" being squatted, for several years now, so I really have to trust and commend namecheap in that regard.


They never had a real "no bullshit" policy. When I had my domains with them, I had been asked to verify my identity 34 times in 12 months. 34 separate fucking times. Because "ICANN says so" or some stupid shit (their words, not mine). It stopped the moment I moved to Google Domains, where they asked once and never again.

EDIT: And, to make things worse, each time I was threatened with the "confiscation" of my domain, and the round trip on the tickets was so high that each instance took 2-3 days to resolve. Frustrating as hell.


Since you're giving an anecdote, let me do the same. I have about 30-40 domains with Gandi, and have been using it for about ten years. I don't remember ever verifying my identity, but guess I must have done it at least once. I have not been asked to verify anything for at least the last five years of using it.

Disclaimer: I don't work there or have any relationship, except I'm a happy customer


It was a matter of them refusing to keep my identity on file, and the threatening tone of each ticket. It grew tiresome quickly.


Sounds more like a bug than anything. Why would they want to not make it easier for you if they can?

Seems you missed my point though. Both of our anecdotes don't really say anything, in terms of if Gandi is good or bad.


His anecdote does say something though. It suggests that Gandi has a "if we have a bug, it's your problem not ours, sucks to be you" policy, which is exactly what has happened with this data loss issue as well.

Actions speak louder than words. Google famously has a "we don't have bugs, you just don't know how to use it, talk to the hand" policy for example. It is better to learn about the policies due to minor issues rather than major. OP learned of it early on and moved away with little trouble. Others did not learn until now and stayed, and now they are SOL.


I’m a gal, but exactly. I really wanted to support a company at the time who was supporting the community (they were a freenode sponsor), but I just hated dealing with the stress and potential that my domains could just disappear over night.


Same, I've been using Gandi for DNS and email for 9 years, without any issue or request on their side.


On the other hand, I've started using them more for DNS because the one time I forgot my password (typo in password manager I think) they made it very difficult for me to reset it, asked for pieces of ID, phone number registered in my name etc...

This is at the time of the stories of other registrars giving customers second and third chances to guess their PIN, or credit card or whatever mechanism they had, and resulting in domain hijacking.


> asked for pieces of ID

This is annoying for everyone but the adversary who can just spend $50 to buy a set of fake ids with your info.

Especially since Gandi doesn’t store your old IDs, they aren’t even going to check if the info on the fakes matches the ones you provided previously.

> phone number registered in my name

I can’t imagine this working very well, just give them a number from a country where they can’t verify who owns the number.


>They never had a real "no bullshit" policy. When I had my domains with them, I had been asked to verify my identity 34 times in 12 months. 34 separate fucking times. Because "ICANN says so" or some stupid shit (their words, not mine).

Can you elaborate what the "verification" entails? There is an ICANN requirement[1] to validate whois information, although I've only been asked to validate email (at another registrar, not Gandi).

[1] https://www.icann.org/resources/pages/approved-with-specs-20...


Wanted photos of passports, but they would always reject the first one for an unknown reason. The second one would always go through, but I do not understand why they wouldn’t just keep it on file. It was more than twice a month usually, and that was absurd.


Jeez. Like most experiences I suppose, it's hit and miss. They've promptly resolved every problem I've had and I've bought plenty of domains through them.

They're still my go-to provider.


Gandi was deploying the ID verification as a bullying tactic long before anything like that was mandated by ICANN. (Not that ID verification is even mandated now)


I've heard that this isn't actually the registrar's fault, it's the registry's fault. So your TLD is sharing the "is registered" query with other parties. That said, everything about the domain registration industry seems designed to appear sketchy as all hell, so who knows.


If you want an alternative to searching with a registrar you can always type:

  whois mysupergreatcoolappidea.com

into a terminal window and see if you get back a result


WHOIS and DNS requests are made to nameservers run by the registry (not registrars), it's possible for the registry to front-run domains if they intend to.


This happened to me with GoDaddy and Namecheap before, which is why I switched to using Gandi for all my domain searches... Now I'm regretting it!

But as @Jasper_ said, this could be a problem with the domain name registry selling/leaking that info (AKA all their 'is_available' queries), and not the registrar.


At one point, I believe a GoDaddy VP was doing this as a personal side business. For many reasons, GoDaddy is the shadiest of them all.


You shouldn't regret it. GoDaddy was and still is way worse than this, there is no comparison.


I was always told that Namecheap does not engage in this practice.

It's a single data point, but I instructed a client to search for domains on Namecheap last year since they were undecided. I just didn't want them to use GoDaddy, and I warned them why. They settled on a domain but registered it months afterwards. It was still available.


I have the same story with Gandi. Searching for a domain (several times even, on a .com) and was still available months later.


It could be your local DNS resolution that is leaking to bad actors. It would be kind of stupid and self defeating for registrars to undercut their own customers. I would expect that some have done this in the past, but would be very surprised if it is done at Gandi with their knowledge... and undoubtedly French law would not smile kindly on such behavior.


Although the current issue with the irrecoverable data loss is terrible, I thought (in this case, at least) that they were surprisingly honest. They straight up said the data is gone (a VERY hard thing to publicly admit), and informed people they need to restore from their own backups. That seems pretty No Bullshit to me, no?


I have had a similar experience with other registrars.

Edit: Sad to hear of the data loss and for anyone affected. Trusting cloud providers doesn't always work out either.


Nice to know I'm not the only one! :D


Reports of reputable registrars front-running are persistent, but unfounded. Anytime I’ve looked into it, I’ve never seen any evidence for it.

If proven it would be a major blow to their business, so why would they try to snatch pennies from in front of a steam roller?

So I call b.s. on any reports of “the registrar noticed me searching for a domain and registered it”.


Um, NetSol settled a $1MM class action suit over exactly this about a decade ago.

It absolutely has happened and quite possibly still does.


Would `whois` be any better to prevent leakage of domains you intend to register?



