Hacker News new | comments | show | ask | jobs | submit login
How To Keep Your Domain Name Searches Safe From Poachers (domainsherpa.com)
111 points by mcyger on Apr 4, 2011 | hide | past | web | favorite | 81 comments



If you're concerned about frontrunning, use http://instantdomainsearch.com. It was written by YC alum Beau Hartshorne, and I can personally vouch for his trustworthiness. We use it every batch to find new names for startups.


Typing in a domain name and clicking "search" on instantdomainsearch.com immediately takes you to the GoDaddy website which shows the domain name you typed in and quotes a price for it.

GoDaddy is allegedly one of the biggest domain frontrunners, so I don't see much value in instantdomainsearch.com. imo the domainsherpa.com suggestions on domain search are far superior.


"Typing in a domain name and clicking "search" on instantdomainsearch.com immediately takes you to the GoDaddy"

That is not exactly correct. Doing a search returns data from instantdomainsearch.com itself. Only once it is returned do you have the option to go to a registrar like godaddy, among others (or just take that name to a registrar of your liking), to actually register the domain.

I have used instantdomainsearch.com many, many times myself to great success.


By reading their FAQ it appears that they use DNS NS records (not WHOIS) to check whether a domain is registered or not. That's relatively safe from leaking.

They are showing suggested alternative domains for sale through BuyDomains.com. It's possible they have a database of available domains, but they may also be using an API which would leak searches.


>>That is not exactly correct

Why is it not correct ?

When I click the search button, it takes me to the GoDaddy site. Did you really try clicking the Search button on instantdomainsearch.com ?


You are in fact correct. Typing a name and then clicking on the Search button will take you to GoDaddy.

But you do NOT need to click on the Search button at all to use the site. I used in the past and I did not even notice there was Search button.


Exactly right, hence the instant part. I never noticed it either.


The autocomplete shows data that seems to be from instantdomainsearch, but clicking the search button or pressing <enter> opens a new window with a GoDaddy page. Unexpected and undesirable.


You don't need the search button. Instantdomainsearch shows you availability on the fly, as you type each letter. That's the whole point.


Perhaps only the 'instant' part of the search -- covering only exact matches ending in .com/.net/.org -- is private, and GoDaddy is used for a more general search?


Same goes for www.whois.sc that links to www.cheap-registrar.com - a reseller of GoDaddy domains.


I just bought a domain through said service and today received an email asking me to scan a copy of my passport or similar, or they may cancel the order. Is this common practice?


If this is not a requirement of the the domain zone, it's seems like just their fraud filter got angry at your order.


It's not hard to launch terminal and type whois <domain>. Just do it and have a much higher likelihood that your new names and business concepts are safe.

Note that you're not guaranteed they're safe because it's trivial for an ISP to sniff all port 43 traffic, but it's a lot better than giving your unregistered name to someone who has a conflict of interest.


If you don't have a terminal to hand, you can go through nametoolkit, i.e., www.nametoolkit.com/whois/nametoolkit.com.

We are just using a linux terminal on the back end and this data goes nowhere.


If I recall correctly Instant Domain Search is using DNS queries to quickly check availability (which can yield false positives, BTW). Hopefully he's also using a trustworthy name server...


The article says to not check if the domain you are interesting in resolves, because ISPs sell the data on resolution failures. I have two questions about that.

1. That seems to assume that one is using their ISPs DNS service. What if I'm querying the top level .com servers directly? Is that safe?

2. Even if you are using your ISPs DNS servers, if they are getting that data from their logs and selling it I'd expect there would be a fair delay before the data got to some third party that would act on it. That should make it safe if your intent is to buy the domain soon, shouldn't it?


What do you mean by "querying the top level .com servers directly"? How are you doing that?

Yes, any ISP would likely have a substantial delay in collecting, filtering and selling this type of data, which is why I think DNFR is most likely happening at registrars. I'm just presenting the facts that there are "middlemen" in the process that people should know about. Thanks for helping me clarify.


> What do you mean by "querying the top level .com servers directly"? How are you doing that?

First, ask the root servers for the authoritative servers for the TLD you are interested in:

    $ dig @f.root-servers.net www.google.com
    
    [...]
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    
    ;; AUTHORITY SECTION:
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    [...]
    com.                    172800  IN      NS      m.gtld-servers.net.
    
    ;; ADDITIONAL SECTION:
    a.gtld-servers.net.     172800  IN      A       192.5.6.30
    b.gtld-servers.net.     172800  IN      A       192.33.14.30
    [...]
    m.gtld-servers.net.     172800  IN      A       192.55.83.30
    a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
    
    [...]
The root servers don't know about google.com, but suggest you ask [a-m].gtld-servers.net, which are authoritative for .com. (Other TLDs have other authoritative servers.) So let's ask l.gtld-servers.net:

    $ dig @l.gtld-servers.net www.google.com
    
    [...]
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A

    ;; AUTHORITY SECTION:
    google.com.             172800  IN      NS      ns2.google.com.
    google.com.             172800  IN      NS      ns1.google.com.
    google.com.             172800  IN      NS      ns3.google.com.
    google.com.             172800  IN      NS      ns4.google.com.
    
    ;; ADDITIONAL SECTION:
    ns2.google.com.         172800  IN      A       216.239.34.10
    [...]
    ns4.google.com.         172800  IN      A       216.239.38.10
    
    [...]
The above is an example of a registered domain ("I don't know about www.google.com, ask ns[1-4].google.com"); if the domain is not registered, it looks like this:

    $ dig @l.gtld-servers.net no-such-domain.com
    
    [...]
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;no-such-domain.com.            IN      A
    
    ;; AUTHORITY SECTION:
    com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1301905185 1800 900 604800 86400
    
    [...]
Of course, [a-m].gtld-servers.net are run by Verisign, who could use this information for front-running. I'd be very surprised if they did, though. (DNSSEC may make it possible to query for the existence of a name without revealing it to the answering server, but I'm not sure - I'd have to read up on the protocol.)


@JoachimSchipper: That is a good question. I'll need to do some research on that.


Are you referring to my DNSSEC remark? You'll want to look at their NXDOMAIN alternative, which says "there are no domains with hashes between 0xCAFEBABE and 0xDEADBEEF", where the 0x... stuff are hashes.

Note that running through a dictionary and looking for hashes "near" the domain you're interested in works if the DNS server is nice enough to hand out responses of the above form; unfortunately, this can also be used to find which host names are valid for a domain (host names aren't exactly crypto-strength passwords). At least djb advocates giving out answers of the form "there are no domains with hashes between 0xCAFEBABE and 0xCAFEBAC0" (that is, exactly bracketing the query), in which case you'd need to do something more clever.

Unfortunately, I'm not intimately familiar with DNSSEC. I'd be happy to learn the answer, though; if you find it, could you post it as a response, or, if takes a while, e-mail me? (E-mail in profile.)

[EDIT: improved wording, make it clear that actually sending the whole dictionary to the DNS server is not necessary.]


Hey, this is a valuable "domain name customer protection measure". Says so right here in the class action lawsuit notification I got from network solutions:

Dear Network Solutions Customer,

Earlier this year, we notified you of the settlement of a class action lawsuit brought against Network Solutions® in connection with our domain name customer protection measure that was discontinued last year.

Today, we are pleased to announce that the court has officially approved the settlement and as result, you are being issued a $6.00 credit applicable to any Network Solutions product or service purchased on the Network Solutions website, valid for one year from the date of the issuance of the credit. Your credit is equal to $6 per qualifying domain name registered through Network Solutions. For example, if you registered two qualifying domains you can expect to receive a credit of $12.00.

A qualifying domain name is one that was (i) searched for through Network Solutions on or between December 14, 2007 and March 15, 2008, (ii) reserved by Network Solutions under our customer protection measure, (iii) registered by you through Network Solutions within the same internet session used for the domain availability search, and (iv) not previously refunded.

You can use your credit to register domain names, get reliable Web hosting, create a website, secure your existing site & more.

To take advantage of your credit, follow these simple steps:

Visit www.networksolutions.com and select the product(s) you wish to purchase. In the shopping cart, click ‘Redeem Offer Code’. Enter coupon code XYXYXYXYXYXYXYXYXYX then click ‘Continue’. Your discount will be reflected in the shopping cart. Please note that this settlement does not in any way impact the domain names that you registered, or the terms of domain names you have registered. No action is necessary on your part.

Sincerely,

Network Solutions® Customer Support

/sarcasm


I have two rules when searching for domains.

First, I never search for a complete name. I use www.namedroppers.com that allows partial name searches. E.g. if I'm looking for 'coolwidgets', I'd search for "olwidge".

And second, if I see a potentially interesting domain, I grab it right away, without any worries about the cost -- I'll just drop it a year later if I don't need it.


Is this actually a significant problem anymore? No doubt front running was a pretty significant practice historically, but I haven't run into the practice in quite some time. At the peak of tasting practices more than 9 in 10 domains were given back during the cooling off period. That number has dropped dramatically since the rules were changed.

While I'm sure a bit of front running must still go on, it's hard for me to believe it happens to the average joe much if ever. In that light the rules that page lay out sound pretty over the top, and I'm generally a pretty paranoid person. I'd only worry about front running today if I was a known high value target, one who buys or holds a lot of domains. If that was me, I'd just take some mild precautions. Don't use my registrar to search for domains, clear tracking cookies before searching. The implications that you can't trust your ISP DNS system, search engines and certain whois services sounds like '06-'08 logic to me.


Yes. Our business name got nicked on Aug 14, 2010, between us handing in the bus reg forms and us getting the certificate a week later, cos I typed it into a domain search site..

we made nametoolkit.com and don't buy domains, ever, not counting nametoolit & name-toolkit.


The registrars that got caught stopped, it's not really that big a problem anymore.


It's not a big problem anymore, but as I point out in the article a) it can happen a small percentage of the time and b) many registrars ARE in conflict of interest with their customers.


I once completed the sale of zioo.com on GoDaddy. I'd managed to hand-register the name for the regular registration price. The money came off my credit card and everything. About an hour later, I got an email saying "sorry, we didn't really get the name, here's your money back"

I was positively gutted.

(For those who don't know the domain space 4 letter pronouncable dot-coms are often valued in the five digit range ($xx,xxx) - that one probably just a few thousand but still a good ROI vs. $10 to register. I'd have been happy to build something fun on it.)

There is a lot of anecdotal evidence that Godaddy does steal names from searches. I spend a lot of time working in the domain space and I hear about it from the pros from time to time.


Obviously not in the same price range, but I had a similar experience with my regular registrar that caused me to grab and then lose diagnose.com.au. Happened on a weekend too when they had limited/no tech support running. Very frustrating.


I don't know about you, but the prevalence of this has made "picking a domain" something I only do when I'm buying the domain these days. As in, from search to buy, it's a few seconds.


I went to find a domain name for personal use a few years ago, using yahoo business DNS (they were running a special on 5 year pricing). When I decided on one I liked, I noticed the .com of it was already poached (site was the usual garbage filler). So I bought the .org.

By the time I closed an paid for the DNS the .net and all other variations had been bought and were directing to those generic filler pages. I can only hope that which ever group poached those wasted some amount of time, effort, or money. I don't run a business from it, and never intend to, but I can see how this kind of shady behavior would warent paranoia from those looking to run a business around a given DNS (/corresponding business name).


What prevents the WHOIS database operator from doing the same query logging?


The WHOIS database operator is the registry, not a registrar. (I believe they're actually required to be separate entities.) So, unless there's a shady back-room deal going on between the registry and one of their registrars, the registry has no incentive to log their queries.


This recently happened me and I posted a thread about it here on HN. Godaddy responded to an angry tweet of mine, saying that they don't pursue this practice and asked if the domain was listed with their "privacy service". When they didn't respond to my reply to that, I emailed them. Customer relations replied that the domain is protected by their "privacy service" and they can't reveal who bought it, speculating it was an "individual".


I've been poached rather differently - I formed a limited liability company, and found that as soon as my formation was made official, someone had registered "$mycompanyname.com". Foolish on my part I suppose.

I do find it rather odd that the owner isn't responding to contact via the whois record - seems an odd sort of extortion where they don't want to take your money.


On this one, if the date you registerred the LLC is before the registration record was created (do a whois on the domain) you might be able to file a UDRP complaint (Uniform DOmain Name Resolution Policy) claiming that the current owner registerred the name in bad faith, with the expectation that they were going to extort you for the ownership of the .com.

This sort of stuff happens all the time. As far as I know, it's not usually passed with respect to LLC but rather Trademark.

Regardless, if you really want that name you could have a fighting chance at it.

Look up UDRP to learn more. Better yet UDRP lawyer. There's one who advertises a lot on some of the forums I read. Let me know if you're interested and I can put a bit more legwork into tracking down a name for you.


This is a great point, and likely you'll win a UDRP because the registrant will ignore the request (if they're guilty). However, filing a UDRP costs about $1,300.

Entrepreneurs should always register the domain name BEFORE you register for your company.


Not as trivial in the .com.au space if you're doing everything by the book becuase you must register the domain to a particular ABN or ACN (business or company number). Can register it to one entity and try to later transfer it, but not sure how annoying that is. Even one form is enough of a roadblock for me sometimes so I just register all mine to a single ACN.


This is a commonplace-type issue with all public documents. For example, every time I am granted a trademark (which are publicly published upon grant), I receive a letter on official-looking stationary sayingnincan protect my trademark for $3,000. It's a complete racket by a company with an official sounding name but unaffiliated with the USPTO.


You cannot even trust registrars (netsol and godaddy are prime examples).

Spend a few hours and write your own code to do direct registry searches through the whois telnet query.

I wrote one myself, it's not that hard and you'll learn a bit.


Doesn't the whois queries databases like GoDaddy?


Only if you continue to resolve registered domains to the local registrar.

You don't have to resolve them that far to see if they are not-registered (or when they expire) just hit the main registry for the TLD you are interested in.


This article stops short of actually explaining how to interpret the text output. I just did a lookup on a domain I'm interested in, and I think it's expired -- it's registered with Tucows and it shows two expiry dates (XX-Mar-2011 and XX-mar-2012). This is kinda fishy since I checked the day before it was set to expire (~2 weeks ago) and the output never said anything about 2012. My gut tells me Tucows has renewed it for their client (or slyly making it seem like it's renewed). So... can I grab it yet?


This is standard from what I understand. As it has been explained to me in the past, what happens is once the domain has passed expiration it is actually renewed automatically at the registry level,until or unless the registrar issues a command to delete it. Within 30 - 45 days from the expiry date the registrar will keep the domain in a 'grace period' where you can still renew it with them. If you do not renew during the registrar's specified grace period they will then issue a command to delete it from the registry and it will go into the next phase of the drop cycle, I myself have only ever noticed this happen on .org and .mobi domains, but I've been told it can also happen with .com and .net


mcurving got most of this correct. Most large registrars will auto renew the domain on behalf of their customers as a "service." this gives you time to notice no email coming in and your domain/website not working. Most will allow you to renew for the regular renewal fee while others will up charge for the renewal. Then, if it doesn't get renewed, the registrar will auction the domain name if of high worth (links coming in, traffic, etc.). It then goes to the highest bidder. If no one bids, it gets deleted. Note: some registrars do not auction (very few).

I plan to update the article on DomainSherpa (http://doms.to/vra) soon with this information.


It might be fun to F with godaddy.com and start pumping them randomly with domains. Mixing random words in the dictionary and trying combinations in sequence like a typical user would would be effective.

Set this up to happen on a daily basis through proxy servers for different ips, and you might create an interesting way to bleed them a little bit.

Record the domains entered, and see how many times you get them to nick you. It would make for a fun blog post.

Keep in mind, they have to pay ever time they register a domain.


I've never experienced name poaching firsthand. Has anyone else?


Yeah, it happened to me. I did a search for various domain names, but didn't settle on anything until the next or two and by then it was taken by a parking page site. This was several years ago, so I don't recall what the domain name was.

Since then I've only searched for names I've been willing to buy right away if it was available.


Happened to me in the .com.au space. Searched a variety of options and made a shortlist. Sat on it overnight and then returned the next day once I'd decided which ones to grab - they (8-10 unrelated domains) were taken.


really? Wow. Did you attempt to contest the names at all? (Considering they likely weren't valid?)

// The .com.au space is much harder to register a domain for than .com


It's not that much harder - pretty trivial to register under the "close and substantial connection rule" and then have a valid play at it under the service of "domain monetisation."

Years ago it was much more difficult, but since then it's been pretty straightforward. None of these names were trademarks or anything like that so there wasn't anything I could contest.


Thanks. Who do you normally do your registration with? I don't normally touch .au's but have done one or two and it's been a little painful


I use TPP, mostly because they've been pretty easy when it comes to keeping multiple domains under control - easy to delegate to default nameservers, pay by default credit card on file, etc. 95% of the domains I look after (60-70ish personal ones and then others for friends and a bunch more for clients) are .com.au though and I keep the majority of my .coms with TPP also even though they're more expensive - just saves having different logins for every domain with Joker, Gandi, etc.


$99 for 2 years of .com.au registration? ziphosting.com.au are pricing it for $21


The rate for resellers is $24 or so for two years.


makes sense. Thanks.


I guess it makes it a bit easier to charge clients a fraction more (say $50/2yrs) via the same registrar and they don't necessarily feel like you're screwing them.


Likewise, never happened and I've registered close to 300 domains and searched for thousands. I think if this is being done by registrars then they're using people to go through the searches and find ones that meant some sort of "value" quota. I have had domains I wanted registered the next day, but these were things related to "current" things, it was someone else with the same idea as me, that happens sometimes.


It happened to me with 3dicons.com. I searched for it and about week (don't remember exactly) later, it was "taken".


3D domain names are hot with domain investors so I would suspect this was not an example of domain name front running, especially if it was a week later.


I kinda have from a company called Easily (March 2008). I used a random domain name and their interface claimed it was already taken for the top TLDs, I don't know if they instantaneously registered it or just lied:

http://alicious.com/img/Easily-hosting_2008-03-03.png


Does anyone know if http://domize.com is a front runner? They claim on their website they are not, but would like to hear users experience if this is not the case.


I always use http://dynadot.com, I've never had a single problem with them registering what I'm searching for, and their interface is awesomely simple.


Javascript which adds a few dozen bogus flack queries to the one in which you are interested and only presents you with the results for that one?


Frontrunning really isn't a big problem anymore. They were caught, got in trouble, it's basically over. Notice the sources from 2007.


@ohashi: It's not a big problem anymore as you npointed out. However, the way domain name tasting was reduced (i.e. The financial penalty that was put in place) does not eliminate the practice entirely. It is not illegal as stated by ICANN. That was the point of my article, and how people should protect themselves.


I had godaddy steal my domain back in January. It was kinda depressing.



A friend of mine who has 800+ domains was searching for a name for his company on godaddy and found one he liked. He spoke to his business partner that evening and they agreed on the name.

The next day he went to register it and found that it was taken... by godaddy.

Godaddy then set it as a "premium domain" and changed the price to $500.

He was pissed.

He accepted the version of the domain with a '-' between the two words instead. He recently emailed godaddy and let them know that he has 800+ domains with them, explained what happened and said "I would like the domain that you took, unethically, for the regular domain registration price that all available domains go for or I will take my ~$9,000 in annual renewal fees to another registrar.

He has not heard back from godaddy. But he switched his searches aways from them.

I on the otherhand, typically only search for a domain if I am willing to spend the 10 right then to grab it.


Alright, I'm doing an experiment - I've run the following shell commands:

function randomWord() { head -n $(numrandom /1..$(wc -l /usr/share/dict/words)/) /usr/share/dict/words | tail -n1; } echo $(randomWord)$(randomWord).com

This has given me an obscure two-word domain name, which I searched in GoDaddy - all subdomains GoDaddy sells weren't registered.

I've repeated this to give a total of twelve domains. The final two of these domains are saucepansgrooming.com and rivaledpopping.com. The other ten domains are written on a folded over piece of paper, and aside from me, the only place they have been disclosed is in a GoDaddy search (which was sent unencrypted over the Internet - so technically someone could have sniffed it). I haven't even attempted a domain name resolution on any of the 12 names.

I plan to come back in a few hours and repeat the search to see whether the names are still available.


I've checked back via the GoDaddy interface, and all twelve domain names are still available (on all the TLDs that GoDaddy sells) at the original price.

This doesn't necessarily mean that GoDaddy doesn't ever take domains - maybe they only do it from high value customers who they think they can extract more money from, rather than people who aren't logged in; maybe I searched for too many domains with too few common substrings so their algorithm classified me as not wanting to seriously buy; maybe I didn't wait long enough because they manually decide which ones to buy; maybe the names I tried are too long to be considered valuable.


It took me a couple of weeks before mine disappeared, and during that time I had run searches to double check the availability. The domain name was totally random so it feels extremely far-fetched that someone happened to register it just before I was about to purchase it.


I wonder if checking multiple times in two weeks flagged your name as "popular but unregistered", prompting its' registration? I doubt any registrar would grab every single name, but ones that suddenly got search hits probably get snapped up.

Like the article suggests, I always search at the terminal. If the name is available it gets registered then. I look at it as 8 bucks buying me a one year option on the name.


Yeah, you may have a point there. I for sure won't repeat that mistake again. Having my .com domains snapped away from under my nose is definitely the most annoying part of branding.


Good idea, but maybe they're more sophisticated. You note higher traffic customers as higher risk. The front-running might be done by employees, opportunistically and episodically. Or they might screen somehow for silly phrases.


This experiment is pretty arbitrary -- I guess they would only register good domain names if they pop up, not just random ones.


Another domain they have taken, which is an available domain, and attached an arbitrary "premium" price on is Imbued.com which they want $625 for. Which is BS.


The question is, did he switch his domain registrations away from them?


This just happened, so I don't have an update yet.


Likely he'll either transfer them when they're up for renewal (a transfer often costs roughly the same as a domain registration but comes with a few renewal) OR sometimes if you talk to a big registrar like fabulous, they'll make allowances to bulk-transfer names in at a significant discount.


If you have a discount club membership with Godaddy, and I imagine with 800+ your friend has one, a .com is less than $8, so that's not $9k in fees, but more like $6.2-6.3k.

It would be close to $9k at any other registrar though, so I suspect your friend will end up like many before, including me, learning his lesson but leaving the domains there.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: