Registering a website domain name anonymously / privately / securely?

zzz

Hello,

I'm considering registering my own domain for the purposes of hosting a personal website and/or email.

What should one look out for in this scenario?
I'm particularly interested in reputable registrar recommendations.
Any further tips & links to resources on ways to preserve privacy / anonymity / security in this situation would be much appreciated.

For example, the "usTLD Nexus" has some pretty obtuse sounding requirements:

Proxy, or privatized registrations, are not permitted under current policy.
https://www.about.us/faqs

The more I look into it the crazier it sounds:

Information Collected From Registrants
To register a name, Registrants (through their Registrars) will be required to provide basic registration information to the Registry. The minimum required information is:
§ The domain name registered;
§ The IP address and corresponding names of the primary and secondary name servers for the registered name;
§ The Registrar name and URL or, where appropriate, the identity of the delegated manager under whom the name is registered;
§ The original creation date and term of the registration;
> § The name and postal address of the domain name Registrant;
> § The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the name holder for the name registered;
> § The name, postal address, e- mail address, voice telephone number, and (where available) fax number of the technical contact for the name registered; and
§ The name, postal address, e- mail address, voice telephone number, and (where available) fax number of the administrative contact for the name registered.
https://www.about.us/cdn/resources/ebooks/policies/usTLD_Nexus_Requirements_Policy.pdf

Like most things, my assumption here is that there's a "default way" which is convenient / cheap / problematic, and also a "right way" which is maybe more anonymous / private / secure, less convenient, and depends on threat models. I'd love to hear different folks' perspectives on each end of that spectrum.

I know this is somewhat off-topic, but I think that a discussion like this could be helpful as it is sometimes suggested on this forum that users register their own domain name for email. (recent example: https://discuss.grapheneos.org/d/4043-private-email-providers/41 )

Thanks all~

boarim

zzz It depends on your threat model. What do you want to hide? From who? How much inconvenience are you willing to take.

If you just plan to host your personal website, and your email server, where you use your real name (and don’t do something that might catch the attention of law enforcements), you don’t need to go trough all the hassle and a reputable registrar is enough. I personally recommend Gandi in that scenario. They provide a private WHOIS to protect your personal contact details to appear in public WHOIS searches. Nevertheless, like all registrar, they need your contact details to register the domain (probably it’s a legal requirement).

If you want to host a site and email server where your identity is unknown, you could buy a domain to Njalla, through Tor and pay with Monero for instance. I don’t have any experience in this unfortunately.

It all depends on what you’re trying to achieve.

final

Registering a domain privately is a pain in the ass, and has a fair amount of setbacks. Mainly being the lack of transparency for the services, their prices, and potential risk of domain loss. Buying a domain is honestly one of the only services I buy personally. Sadly domain ownership and registration is not made to be a private system.

I am aware that Njalla is the popular one, it's been around a long time. But, they have no privacy policy on their site, so what they do to data you provide is a bit of a mystery - main reason I won't. I am in no position to suggest other providers since a lot of the other ones have really bad looking websites and seem sketchy to me. I'd probably just use Njalla if I had a use case for it.

If you buy a domain via a service or middleman like this, you have increased risk of losing that domain if the service disappears.

I've known people who had success in putting somewhat misleading information (different address, last name etc) in real, smaller registrars but some larger ones will ask to verify identity. These real registrars typically would need real payment methods though, so likely would only be a last resort option.

Making a site on the Tor Network is free and requires no information about you, just a PC to run 24/7. If you hosted at home, you don't need to worry as a just static content site has no risk of revealing your IP address. Although, this is massively incomparable to the real thing.

zzz

final Thanks so much for the recommendation and your perspective on this. Njalla sounds like a good option (the only option?) to run a non-tor website if LE is part of someone's threat model.

boarim On one hand I'm interested in mapping the spectrum of threat models with respect to domain registration for the benefit of the GOS community.

More personally, I am concerned about revealing my home address to third party data brokers and online bullies / harassers / doxers. I'm fine with paying a registrar with a credit card and giving my billing address to a reputable org. But I am not comfortable with the idea of my home address becoming searchable to the entire planet via a WHOIS lookup.

Does anyone have experience with providing a non home address to a registrar? Would a PO box work? Is there some other service that one could pay to substitute your address for theirs and then they forward you the mail or something?

After a bit more searching, I can see that choosing a "thick" vs "thin" top level domain has an impact on how much info goes into the WHOIS database:

A thin registry only includes technical data sufficient to identify the sponsoring registrar, status of the registration, and creation and expiration dates for each registration in its WHOIS data store. .COM and .NET are examples of thin registries. Thick registries maintain the registrant’s contact information and designated administrative and technical contact information, in addition to the sponsoring registrar and registration status information supplied by a thin registry. .INFO and .BIZ are examples of thick registries.

https://whois.icann.org/en/what-are-thick-and-thin-entries

csis01 Thanks for the rec!
About connecting the domain to servers, that is a question of how to host the site, right? I see that many of these domain name registrars also bundle website hosting services and the associated server infrastructure.

For a low-volume personal or small business website worried about third party data brokers / harassment / bullying / doxing, does anyone have recommendations for reputable hosting services?

Thanks again all

final

zzz I am concerned about revealing my home address to third party data brokers and online bullies / harassers / doxers.

If you are looking at any registrar then you can look for domains that have WHOIS privacy protection by default, many registrars do these. Would be too many to list here, so do your own evaluations on what provider fits your needs.

zzz Would a PO box work? Is there some other service that one could pay to substitute your address for theirs and then they forward you the mail or something?

I've known some people who use P.O. Boxes as the main postal address for domain registrations, however some registrars may not permit their usage. Some TLD's have their own rules, such as the need to have a presence in the country of domain, or be a registered company etc. Having a P.O. Box may not be permissible, you'd probably have better luck for generic/personal TLD's though which is your thing.

zzz For a low-volume personal or small business website worried about third party data brokers / harassment / bullying / doxing, does anyone have recommendations for reputable hosting services?

I'd suggest if you are concerned about data brokers and want an ethical business, then just look for a registrar that affirms they wont sell you out. boarim suggested Gandi and they appear to be a good option. Very good pricing and their privacy policy only mentions 'third parties' when it comes to legal provisions. From my experience some other providers like Freethought and GreenNet come to mind, but their prices can be quite hammering since they are trying to sell 'ethical' services rather than simple and cheap ones. (Anyone reading this in comments, please suggest some others...)

All the providers previously mentioned do hosting as well. Plans from normal, popular providers will give you better value for money but you'd have to do time to look into what the policies of these providers are to see if they suit you or not.

csis01

In the past, I've successfully registered domains using freenom dot com using made up details, however I haven't recently so can't guarantee that it will still work.

The thing to keep in mind though, is that a domain name must fundamentally be connected to other actual servers with real IP addresses. This is probably the greater challenge when dealing with anonymity.

If you want anonymity in a server, you might need to think about using TOR/darkweb. The downside, however, is anybody accessing your website would have to use that as well.