
It can be very frustrating if you find out the unclaimed domain name you wanted has suddenly been registered right out from under you by a domain squatter the day after you looked it up. With that dilemma in mind, today's SuperUser Q&A post has the answer to a curious reader's question.

Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.

The Question

SuperUser reader William wants to know if domain squatters can detect when people make WHOIS requests:

I have always used whois domain.com to check for information about domains, but this Stack Exchange question made me stop and think:

How do I check that a domain is available without triggering a grabber?

Can domain squatters actually detect when WHOIS requests are made?

Can domain squatters detect when people make WHOIS requests?

The Answer

SuperUser contributor davidgo has the answer for us:

Generally, no. You will notice that in the comments of the Stack Exchange question you linked to, we discovered that it was done through a web interface to WHOIS. The web interface was the "gotcha" element, and it was not the WHOIS query that was pinched, but it was a kind of man-in-the-middle attack where the "web->WHOIS interface" was used to hijack the request. When making a WHOIS request, use a trusted WHOIS client directly, not a web interface, and you should be OK.

I answered "Generally, no." because it is conceivable that a registrar has been hacked or is in league with the bad guys, and you would not necessarily know about it. This is unlikely for most decent domains though. It is also possible (but again, unlikely) that your ISP is in on it and is sniffing the WHOIS requests through traffic since these requests are not encrypted.

For what it is worth, I have never had a domain name registered out from under me as a result of making a WHOIS request (through the use of a standard Linux WHOIS client).
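The answer's two technical points, that a direct WHOIS client talks to the server itself and that the request is not encrypted, shown as an added example (not part of the original answer or article). It sends an RFC 3912 query over plain TCP; the loopback server, its canned reply and the domain `example-unclaimed.test` are constructed stand-ins so the script runs offline.

```python
import socket
import threading

WHOIS_PORT = 43  # RFC 3912: WHOIS runs over plain TCP, with no encryption


def whois_query(domain, server, port=WHOIS_PORT, timeout=10):
    """Send one WHOIS query straight to `server` and return the reply text."""
    # A query is a single line; refuse input that could smuggle extra lines.
    if not domain or any(c.isspace() for c in domain):
        raise ValueError("domain must be a single token without whitespace")
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(domain.encode("idna") + b"\r\n")  # the entire request, in cleartext
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # the server closes the connection after replying
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def demo_on_loopback():
    """Query a constructed stand-in server; return (bytes on the wire, reply)."""
    seen = []
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # any free local port
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        with conn, conn.makefile("rb") as f:
            seen.append(f.readline())  # exactly what any on-path party can read
            conn.sendall(b'No match for domain "EXAMPLE-UNCLAIMED.TEST".\r\n')

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    reply = whois_query("example-unclaimed.test", "127.0.0.1", port)
    worker.join()
    listener.close()
    return seen[0], reply


if __name__ == "__main__":
    wire, reply = demo_on_loopback()
    print("sent on the wire:", wire)
    print("server replied:  ", reply.strip())
```

For a real lookup, pass the hostname of the registry's WHOIS server as `server` and leave `port` at its default.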

Additional Links of Interest

Domain Tasting [Wikipedia]

Domain Name Front Running [Wikipedia]



Image Credit: Zeroos (Wikimedia Commons)