<!-- metadata: title -->
# Protecting Against Domain Front-Running by Registrars

<!-- metadata: subtitle -->
> ### Understanding and Mitigating Domain Registration Interception
<!-- metadata: -->

**Published Date:**
<!-- metadata: date -->
2024-10-25
<!-- metadata: -->

**Keywords:**
<!-- metadata: keywords, is_array=true -->
  - domain-front-running
  - WHOIS-privacy
  - RDAP
  - domain-registrars
  - cybersquatting
  - domain-privacy
  - DNS-security
  - domain-tasting
<!-- metadata: -->

**Categories:**
<!-- metadata: categories, is_array=true -->
  - cyber-security
<!-- metadata: -->

## Description
<!-- metadata: description -->
This article examines the practice of domain front-running by registrars and presents a transparent, open-source solution for private domain availability checking. Drawing from personal experiences and community reports, we explore how registrars potentially monitor domain searches and preemptively register domains of interest, and propose methods to conduct domain searches more privately.
<!-- metadata: -->

## Introduction

Domain front-running^[https://en.wikipedia.org/wiki/Domain_name_front_running] typically occurs when a domain registrar or associated party monitors search queries entered by users looking for available domain names. If the domain appears promising or marketable, the registrar may register it before the user, intending to profit by reselling it at a higher price. While registrars deny engaging in this practice, affected individuals and businesses find it challenging to prove due to limited transparency regarding how domain search data is managed and monitored.

On a personal level, I, along with several friends and family members, have encountered domain front-running. In one instance, after conducting an availability search for a domain through a popular registrar's website, the exact domain was unexpectedly registered within minutes (literally!). On average, short and simple domain names are typically lost within `12-72 hours` after searching, depending on where you searched and the TLD of the domain.

Such incidents are far from isolated. Numerous domain seekers report similar patterns, noting that after searching for specific domains, these names quickly become registered by the same or affiliated registrars. This behavior leaves many users without clear explanations, contributing to widespread suspicion and concern. Evidence from personal experiences and community reports suggests that domain front-running remains an ongoing concern that affects domain seekers.


Recent discussions across various forums highlight ongoing concerns about domain front-running:

 - [*Domain Front Running?*](https://www.reddit.com/r/Domains/comments/1ejjsjr/domain_front_running/) - <small>Sunday, August 4, 2024</small>
 - [*Safe way to search for availability to avoid front running?*](https://www.reddit.com/r/Domains/comments/pujp0o/safe_way_to_search_for_availability_to_avoid/) - <small>Friday, September 24, 2021</small>
 - [*Did GoDaddy just front run me?*](https://www.reddit.com/r/Domains/comments/1c0to8b/did_godaddy_just_front_run_me/) - <small>Wednesday, April 10, 2024</small>
 - [*I just confirmed that Namecheap buys available domains that you search for*](https://www.reddit.com/r/NameCheap/comments/124pctw/i_just_confirmed_that_namecheap_buys_available/) - <small>Tuesday, March 28, 2023</small>
 - Others - <https://www.google.com/search?q=domain+front-running+site%3Areddit.com>

### Understanding Domain Registration Systems

Domain registration involves multiple levels of authority:

 - Country-level registries (e.g., [KENIC](https://rdap.kenic.or.ke/) for `.ke` domains)
 - Global registries (e.g., [Verisign](https://rdap.verisign.com/com/v1/) for `.com` and `.net`)
 - Individual registrars (e.g., GoDaddy, Namecheap)

 Each registry maintains authoritative records of registered and unregistered domains through their `WHOIS` or `RDAP` protocols. Some TLDs face stability issues, such as Libya's `.ly` domain, where the official registrar ([whois.nic.ly](https://whois.nic.ly)) is non-functional, leaving only unofficial services like [reg.ly](https://reg.ly/ly-domain/).

There are two main protocols for checking domain availability, `WHOIS` and `RDAP`:

<table>
    <tr>
        <th>Feature</th>
        <th>WHOIS Protocol</th>
        <th>RDAP (Registration Data Access Protocol)</th>
    </tr>
    <tr>
        <td><strong>Introduced</strong></td>
        <td>1982</td>
        <td>2015</td>
    </tr>
    <tr>
        <td><strong>Status</strong></td>
        <td>Legacy but still widely used</td>
        <td>Modern replacement for WHOIS</td>
    </tr>
    <tr>
        <td><strong>Privacy Features</strong></td>
        <td>Limited</td>
        <td>Built-in</td>
    </tr>
    <tr>
        <td><strong>Standardization</strong></td>
        <td>Varies by registrar</td>
        <td>JSON-based, consistent</td>
    </tr>
    <tr>
        <td><strong>Accuracy</strong></td>
        <td>Can be inconsistent</td>
        <td>Generally more reliable</td>
    </tr>
    <tr>
        <td><strong>Advantages</strong></td>
        <td>
            <ul>
                <li>Widespread support</li>
                <li>Simple protocol</li>
            </ul>
        </td>
        <td>
            <ul>
                <li>Standardized JSON responses</li>
                <li>Better privacy controls</li>
                <li>More efficient queries</li>
            </ul>
        </td>
    </tr>
    <tr>
        <td><strong>Disadvantages</strong></td>
        <td>
            <ul>
                <li>No standardized format</li>
                <li>Limited privacy protections</li>
                <li>Rate limiting issues</li>
            </ul>
        </td>
        <td>
            <ul>
                <li>Not yet universally adopted</li>
                <li>Requires more complex implementation</li>
            </ul>
        </td>
    </tr>
</table>


### Best Practices for Private Domain Searches

Claims of domain snatching by domain registrars underscore the need for domain seekers to understand the risks and methods for safeguarding their domain searches.

1. Use Official WHOIS Lookup Sites:
   Instead of searching on a registrar's website, consider using a neutral WHOIS lookup service. Many of these services do not track or record searches, reducing the likelihood of domain front-running.
   - ICANN lookup (https://lookup.icann.org/en) for `.com` domains
   - Direct registry websites (e.g., [KENIC](https://rdap.kenic.or.ke/) for `.ke` domains)
   - Avoid commercial registrars for initial searches, such as [GoDaddy](https://www.godaddy.com/domains) or [NameCheap](https://www.namecheap.com/domains/domain-name-search/)

2. Utilize command-line tools:
   - Use terminal `whois` command (e.g., `whois example.com`). whois program is usually preinstalled in most unix systems. For Windows users, Microsoft offers a WHOIS utility that can be downloaded from [Sysinternals site](https://learn.microsoft.com/en-us/sysinternals/downloads/whois).
   - Minimizes exposure to potential monitoring

3. Time your searches strategically:
   - Only search on commercial registrars when ready to purchase immediately
   - Make sure you test your payment method before searching

4. Research the Registrar's Reputation:
   Before using a registrar, check reviews and forums for any reports or complaints about front-running. Users often share their experiences, which can help identify registrars with questionable practices.
   - Avoid small resellers who may have less secure practices
   - Understand that most resellers ultimately use major registrars' services, thus have less control over the monitoring of the domain searches

5. Use Independent Domain Search Tools:
   - Utilize unaffiliated services like our [private domain checker - https://toknow.ai/apps/private-domain-checker](https://toknow.ai/apps/private-domain-checker)
   - Prefer open-source solutions for transparency


### Transparent Solution: Private Domain Checker

[Private Domain Checker](https://toknow-ai-private-domain-checker.hf.space), hosted on [Hugging Face Spaces](https://huggingface.co/spaces/ToKnow-ai/private-domain-checker) and with publicly available [source code](https://huggingface.co/spaces/ToKnow-ai/private-domain-checker/tree/main), provides a privacy-focused alternative for domain availability checks. Key features include:

- Multiple checking methods (DNS, RDAP, WHOIS)
- No registrar affiliations
- [Open-source codebase](https://huggingface.co/spaces/ToKnow-ai/private-domain-checker/tree/main)
- Support for nearly all TLDs

**Limitations**:

The tool has some constraints:

- Cannot check certain TLDs (e.g., `.ly`) due to non-functional official registries
- Platform accessibility issues in some regions (e.g., China^[whois.cnnic.cn is timming out in huggingface: https://www.chinatalk.media/p/hugging-face-blocked-self-castrating]) due to Hugging Face hosting restrictions. Consequently, domains with TLDs in restricted regions cannot be searched, such as `.cn` when Hugging Face is blocked
- Dependent on registry API availability and response times
- Dependent on Hugging Face Space resources and availability

#### Demo

[Please visit <{{< meta html_uri >}}> to view the demo]{.content-visible when-format="pdf"}

<!-- #| .content-visible unless-format="pdf" -->

{{< iframe 
  'loading private domain checker...' 
  src="https://toknow-ai-private-domain-checker.hf.space"
  frameborder="0"
  width="100%"
  height="440px" >}}

#### Code

Below is the code running the flask app running the above [private domain checker](https://huggingface.co/spaces/ToKnow-ai/private-domain-checker/blob/main/app.py)

```python

# https://huggingface.co/spaces/ToKnow-ai/private-domain-checker/blob/main/app.py

{{< include private-domain-checker/app.py >}}
```

In [1]:
# | echo: false
# | output: false

import sys
import os

sys.path.append(os.path.abspath("private-domain-checker"))

%reload_ext autoreload
%autoreload 2

#### Test

In [24]:
# | echo: false
# | output: false

def check_domain(domain: str):
    from app import check_domain
    import json
    result = check_domain(domain)
    print(json.dumps(result, indent=2))

In [23]:
check_domain("examplerhccvu.ly")

{
  "domain": "examplerhccvu.ly",
  "available": false,
  "method": "Unsupported TLD, try at https://reg.ly/ly-domain/",
  "logs": []
}


In [19]:
check_domain("examplerhccvu.cn")

{
  "domain": "examplerhccvu.cn",
  "method": "Checked via WHOIS:whois.cnnic.cn",
  "available": true,
  "logs": [
    "dns_is_available:NS:Exception::The DNS query name does not exist: examplerhccvu.cn.",
    "dns_is_available:A:Exception::The DNS query name does not exist: examplerhccvu.cn.",
    "dns_is_available:AAAA:Exception::The DNS query name does not exist: examplerhccvu.cn.",
    "dns_is_available:MX:Exception::The DNS query name does not exist: examplerhccvu.cn.",
    "dns_is_available:CNAME:Exception::The DNS query name does not exist: examplerhccvu.cn.",
    "get_whois_server:no RDAP"
  ]
}


In [21]:
check_domain("examplerhccvu.com")

{
  "domain": "examplerhccvu.com",
  "method": "Checked via RDAP:https://rdap.verisign.com/com/v1/",
  "available": true,
  "logs": [
    "dns_is_available:NS:Exception::The DNS query name does not exist: examplerhccvu.com.",
    "dns_is_available:A:Exception::The DNS query name does not exist: examplerhccvu.com.",
    "dns_is_available:AAAA:Exception::The DNS query name does not exist: examplerhccvu.com.",
    "dns_is_available:MX:Exception::The DNS query name does not exist: examplerhccvu.com.",
    "dns_is_available:CNAME:Exception::The DNS query name does not exist: examplerhccvu.com."
  ]
}


In [22]:
check_domain("example.com")

{
  "domain": "example.com",
  "method": "Checked via DNS:NS",
  "available": false,
  "logs": []
}


## Conclusion

While domain front-running remains challenging to prove conclusively, the abundance of user experiences and technical evidence suggests the need for private domain checking solutions. Our open-source tool provides one approach to mitigating these risks, though industry-wide changes and improved regulations may be necessary for long-term solutions.