Registering a website domain name anonymously / privately / securely?

Hello,

I'm considering registering my own domain for the purposes of hosting a personal website and/or email.

What should one look out for in this scenario?
I'm particularly interested in reputable registrar recommendations.
Any further tips & links to resources on ways to preserve privacy / anonymity / security in this situation would be much appreciated.

For example, the "usTLD Nexus" has some pretty obtuse sounding requirements:

Proxy, or privatized registrations, are not permitted under current policy.
https://www.about.us/faqs

The more I look into it the crazier it sounds:

Information Collected From Registrants
To register a name, Registrants (through their Registrars) will be required to provide basic registration information to the Registry. The minimum required information is:
§ The domain name registered;
§ The IP address and corresponding names of the primary and secondary name servers for the registered name;
§ The Registrar name and URL or, where appropriate, the identity of the delegated manager under whom the name is registered;
§ The original creation date and term of the registration;
> § The name and postal address of the domain name Registrant;
> § The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the name holder for the name registered;
> § The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the name registered; and
§ The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the name registered.

https://www.about.us/cdn/resources/ebooks/policies/usTLD_Nexus_Requirements_Policy.pdf

Like most things, my assumption here is that there's a "default way" which is convenient / cheap / problematic, and also a "right way" which is maybe more anonymous / private / secure, less convenient, and depends on threat models. I'd love to hear different folks' perspectives on each end of that spectrum.

I know this is somewhat off-topic, but I think that a discussion like this could be helpful as it is sometimes suggested on this forum that users register their own domain name for email. (recent example: https://discuss.grapheneos.org/d/4043-private-email-providers/41 )

Thanks all~

    Registering a domain privately is a pain in the ass, and has a fair amount of setbacks. Mainly being the lack of transparency for the services, their prices, and potential risk of domain loss. Buying a domain is honestly one of the only services I buy personally. Sadly domain ownership and registration is not made to be a private system.

    I am aware that Njalla is the popular one, it's been around a long time. But, they have no privacy policy on their site, so what they do to data you provide is a bit of a mystery - main reason I won't. I am in no position to suggest other providers since a lot of the other ones have really bad looking websites and seem sketchy to me. I'd probably just use Njalla if I had a use case for it.

    If you buy a domain via a service or middleman like this, you have increased risk of losing that domain if the service disappears.

    I've known people who had success in putting somewhat misleading information (different address, last name etc) in real, smaller registrars but some larger ones will ask to verify identity. These real registrars typically would need real payment methods though, so likely would only be a last resort option.

    Making a site on the Tor Network is free and requires no information about you, just a PC to run 24/7. If you hosted at home, you don't need to worry as a site with just static content has no risk of revealing your IP address. Although, this is massively incomparable to the real thing.


      zzz It depends on your threat model. What do you want to hide? From who? How much inconvenience are you willing to take?

      If you just plan to host your personal website, and your email server, where you use your real name (and don’t do something that might catch the attention of law enforcement), you don’t need to go through all the hassle and a reputable registrar is enough. I personally recommend Gandi in that scenario. They provide a private WHOIS to protect your personal contact details from appearing in public WHOIS searches. Nevertheless, like all registrars, they need your contact details to register the domain (probably it’s a legal requirement).

      If you want to host a site and email server where your identity is unknown, you could buy a domain from Njalla, through Tor and pay with Monero for instance. I don’t have any experience in this unfortunately.

      It all depends on what you’re trying to achieve.

        In the past, I've successfully registered domains using freenom dot com using made up details, however I haven't recently so can't guarantee that it will still work.

        The thing to keep in mind though, is that a domain name must fundamentally be connected to other actual servers with real IP addresses. This is probably the greater challenge when dealing with anonymity.

        If you want anonymity in a server, you might need to think about using TOR/darkweb. The downside, however, is anybody accessing your website would have to use that as well.


          final Thanks so much for the recommendation and your perspective on this. Njalla sounds like a good option (the only option?) to run a non-Tor website if LE is part of someone's threat model.

          boarim On one hand I'm interested in mapping the spectrum of threat models with respect to domain registration for the benefit of the GOS community.

          More personally, I am concerned about revealing my home address to third party data brokers and online bullies / harassers / doxers. I'm fine with paying a registrar with a credit card and giving my billing address to a reputable org. But I am not comfortable with the idea of my home address becoming searchable to the entire planet via a WHOIS lookup.

          Does anyone have experience with providing a non home address to a registrar? Would a PO box work? Is there some other service that one could pay to substitute your address for theirs and then they forward you the mail or something?

          After a bit more searching, I can see that choosing a "thick" vs "thin" top level domain has an impact on how much info goes into the WHOIS database:

          A thin registry only includes technical data sufficient to identify the sponsoring registrar, status of the registration, and creation and expiration dates for each registration in its WHOIS data store. .COM and .NET are examples of thin registries. Thick registries maintain the registrant’s contact information and designated administrative and technical contact information, in addition to the sponsoring registrar and registration status information supplied by a thin registry. .INFO and .BIZ are examples of thick registries.

          https://whois.icann.org/en/what-are-thick-and-thin-entries

          csis01 Thanks for the rec!
          About connecting the domain to servers, that is a question of how to host the site, right? I see that many of these domain name registrars also bundle website hosting services and the associated server infrastructure.

          For a low-volume personal or small business website worried about third party data brokers / harassment / bullying / doxing, does anyone have recommendations for reputable hosting services?

          Thanks again all

            zzz I am concerned about revealing my home address to third party data brokers and online bullies / harassers / doxers.

            If you are looking at any registrar then you can look for domains that have WHOIS privacy protection by default; many registrars do this. Would be too many to list here, so do your own evaluations on what provider fits your needs.

            zzz Would a PO box work? Is there some other service that one could pay to substitute your address for theirs and then they forward you the mail or something?

            I've known some people who use P.O. Boxes as the main postal address for domain registrations, however some registrars may not permit their usage. Some TLDs have their own rules, such as the need to have a presence in the country of domain, or be a registered company etc. Having a P.O. Box may not be permissible, you'd probably have better luck for generic/personal TLDs though which is your thing.

            zzz For a low-volume personal or small business website worried about third party data brokers / harassment / bullying / doxing, does anyone have recommendations for reputable hosting services?

            I'd suggest if you are concerned about data brokers and want an ethical business, then just look for a registrar that affirms they won't sell you out. boarim suggested Gandi and they appear to be a good option. Very good pricing and their privacy policy only mentions 'third parties' when it comes to legal provisions. From my experience some other providers like Freethought and GreenNet come to mind, but their prices can be quite hammering since they are trying to sell 'ethical' services rather than simple and cheap ones. (Anyone reading this in comments, please suggest some others...)

            All the providers previously mentioned do hosting as well. Plans from normal, popular providers will give you better value for money but you'd have to take time to look into what the policies of these providers are to see if they suit you or not.

            3 months later

            Hi all,

            I'm writing to report a bad experience with Gandi. I'm trying to figure out why - any help would be appreciated.

            The story:

            I signed up by volunteering my real identity (name, address, phone) and paid with PayPal, connecting to their website with a VPN.

            About 5 minutes after my transaction cleared, I got an automated email from the "support" address:

            Please kindly note that your order XXXXXXX has been rejected.
            Please note that no transaction has been registered. The amount of the transaction will be refunded by your bank within a couple of days. Don't hesitate to contact your bank for further details regarding this refund.
            If you would like to proceed with another order, we require a copy of a valid ID (passport, drivers' license, national ID card) of the registrant/owner of your User Account.
            You may send these documents to us in PDF or JPG format by replying to this email.

            I replied with a very respectful and reasonable question:

            May I ask - why has this transaction been cancelled? I'm curious as to whether this was Gandi's decision or another party's.
            It's unusual that an image of ID is required for transactions like this. Why are such stringent measures now in place for me specifically?

            Gandi's response, this time from their "abuse" address (!) :

            We remind you that by agreeing to Gandi's contract, you committed your contacts and yourself to always provide full, accurate and reliable identification information.

            My response:

            I am aware of the obligation to provide accurate contact info, and I have done so by manually entering my contact info into your site.
            You have not answered my original question, however - why is it required that I send you sensitive ID photos to verify?
            [...]
            I would be willing to send over a different form of less sensitive non-photo ID, such as an electricity bill from the local power company with my name and address on it.
            Your past two messages have not been helpful. I would appreciate a more straightforward answer to why I am being selectively targeted with this photo ID verification requirement.

            Gandi "abuse":

            We remind you that according to Gandi's General Service Conditions, you have agreed that Gandi can proceed with verification of your contact information.
            "Gandi General Terms and Conditions of Domain Name Registration" ( https://www.gandi.net/contracts/ ) clearly provides as follows:
            ####################################################
            We reserve the right of proceeding with verifications of Your contact information, and You commit to providing, at any time and within the deadlines provided, whether for completing an order and/or during the term of the Contract, any proof of ID and/or street address (driver's license, passport, certificate of incorporation, etc.) or of Your capacity to engage in, use, or pay for Our services.
            ####################################################

            My response:

            Yes - but why is Gandi asking me specifically for this extra verification?

            And then no response for some time now :/

            Is this to be expected as a result of using a VPN? PayPal? I find it hard to imagine...

            I almost feel harassed by their labelling of this issue as "abuse". Their arbitrary use of such onerous, anti-privacy verification and fine-print sliminess is just very disappointing.

            Off to try out another service. Perhaps this time one based in the US? Somehow I feel like Gandi's hostile stance could be a result of some kind of EU legal requirement or something?

            This has been bothering me, I would appreciate anyone's advice / take.

              zzz Pretty sure it's just a normal procedure they have based on the IP Score that you used which was a VPN so it came back as dirty and it didn't match your payment method billing address or it's just because it was labeled as a VPN for whatever API they use to determine fraud. They may have also used some third party API that runs your name through a database for past frauds, arrests, blacklists etc but the chance of that for a domain registrar is very slim. For a domain registrar you could use NameCheap and they allow cryptocurrency payments for their domains, it's a pretty solid choice and unless you are hosting something illegal or bad speech about someone they will not suspend you. Stay safe


                GrapheneLover

                Thanks so much, I appreciate the reassurance that this is fairly normal.

                Thankfully I do not have a history with any type of crime or fraud. I would be very surprised to end up on a blacklist.

                My PayPal address did match my volunteered address - very strange that PayPal's word wasn't enough for them.

                The VPN was from Proton on a US-based server, which I could understand if it scores "yellow" or "red" on whatever IP scoring tool they use.

                Personally I have no interest in "dark" or illegal uses of the internet. I'm just trying to create a simple personal website / portfolio with a few photos of my artistic work and a contact page. It's surprisingly difficult to do that without becoming vulnerable to identity theft situations or doxing via WHOIS lookup.

                Anyways, thanks again for the take. Off to find another registrar (perhaps with the VPN off this time? Hmm...)

                • [deleted]


                zzz I signed up by volunteering my real identity (name, address, phone) and paid with PayPal, connecting to their website with a VPN.

                If doxxing is of any real concern to you (as you indicated in your last reply) I wouldn't volunteer real address and phone number so readily as there are about a million ways this info can get exposed, either by mistake on your part or during the transfer process. Worst case, it's going to be hoovered up by a multitude of 'Historical DNS and WHOIS' services in the meantime. Use PO Box (or better virtual street address) and a VoIP number so you protect yourself from yourself as well as from your registrar.


                  [deleted]
                  Thanks for the link!

                  I should clarify - I gave Gandi my real name, address, and phone as part of my customer signup process.

                  But as far as my publicly available WHOIS info goes, I was hoping to trust in their "Hidden WHOIS Data" promises:

                  Gandi’s privacy service is a free and automatic service which anonymizes some personal details in the contact information listed publicly for your domain.
                  Hidden WHOIS Data
                  This option, activated by default, hides your personal data in Gandi’s public WHOIS database. Due to internet regulations, your state, country, anonymized email address (see below), and company name (where applicable) will still be visible. All other information will display “redacted for privacy”.
                  https://docs.gandi.net/en/domain_names/common_operations/whois_privacy.html

                  I appreciate your point though - ideally the registrar wouldn't even know your contact info internally, or should be getting some harmless "fake" info.
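
The thick/thin distinction and the "Hidden WHOIS Data" behaviour quoted above can be checked against your own domain's WHOIS text. The following is an added example, not part of any post in this thread and not registrar code: it assumes ICANN-style `Role Field: value` lines, takes the "expected visible" set from the Gandi documentation quoted above, and runs on constructed sample records.

```python
import re

# Contact roles used in ICANN-style WHOIS output ("Registrant Name: ...").
ROLES = ("registrant", "admin", "tech")
# Fields the Gandi documentation quoted in this thread says remain visible.
# Assumption: "email" is the anonymized alias; this script cannot verify that.
EXPECTED_VISIBLE = {"state/province", "country", "email", "organization"}
REDACTED = re.compile(r"redacted|withheld|not disclosed", re.I)

def parse_contacts(whois_text):
    """Return {(role, field): value} for every contact line in a WHOIS record."""
    contacts = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        words = key.strip().lower().split(None, 1)
        if sep and len(words) == 2 and words[0] in ROLES:
            contacts[(words[0], words[1])] = value.strip()
    return contacts

def record_kind(whois_text):
    """'thin' if the record carries no contact fields at all, else 'thick'."""
    return "thick" if parse_contacts(whois_text) else "thin"

def exposed_fields(whois_text):
    """Contact fields showing a real value beyond the documented visible set."""
    findings = []
    for (role, field), value in sorted(parse_contacts(whois_text).items()):
        if value and not REDACTED.search(value) and field not in EXPECTED_VISIBLE:
            findings.append((role, field, value))
    return findings

# Constructed sample records (not real lookups).
THICK_SAMPLE = """\
Domain Name: example-portfolio.example
Registrar: Example Registrar
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
Registrant Street: REDACTED FOR PRIVACY
Registrant State/Province: Oregon
Registrant Country: US
Registrant Email: a1b2c3@contact.registrar.example
Admin Name: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Phone: +1.5555550100
"""
THIN_SAMPLE = """\
Domain Name: EXAMPLE-PORTFOLIO.EXAMPLE
Registrar: Example Registrar
Registrar URL: https://registrar.example
Creation Date: 2023-01-01T00:00:00Z
Name Server: NS1.EXAMPLE.NET
"""

if __name__ == "__main__":
    for name, record in (("thick", THICK_SAMPLE), ("thin", THIN_SAMPLE)):
        print(name, record_kind(record), exposed_fields(record))
```

In the thick sample the technical contact's phone number is the one field that slipped past the privacy service; a thin record has no contact fields to leak at the registry level.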

                    • [deleted]


                    zzz My point was that whether 'domain privacy' option is activated by default (habitual practice) at no cost to you, they have it and if you are going to move registrars, you might be asked to turn it off for a while. I like having a snail mail address and VoIP number just for these occasions. You can plaster mine on a billboard for all I care.


                    With NameCheap you can pay with BTC and use fake details to register a domain. Be aware that you risk losing your domain if they find out details are fake.