The actual value, from a security standpoint, of using a proxy domain registrar?

Howdy,

I am curious what others in the industry think on this topic. When one
registers a domain they can put in their real information or they can use a
proxy, like Go-Daddy's Domains By Proxy.

Now, personally, I would prefer just to get a PO Box and put that address on
my domain info instead of doing a proxy. I could also put down a phone
number in the registration that just goes to my general business phone line
which is just a DVR.

So the question I have is this: What actual security are these proxy
companies providing to the end-user? My company website has my real
address, my real phone number, exec bios and pictures of them, yet upper
management (and our marketing company) think using a proxy is a good thing.

What's the difference between using a proxy vs using a PO Box except that a
PO Box is cheaper?

I'd just like to get thoughts from others to see what the general feeling is
on this topic.

Cheers,
Mike

My opinion is that it's nothing more than a "value-add" for domain
registrars. The domain registration fees these days have razor thin
margins. So places like GoDaddy and others offer these services to make
up for their domains essentially being "loss-leaders".

A lot of these places use scare tactics to convince domain buyers that
"privacy" is essential, otherwise one would get spam, telemarketing
calls and junk mail.

Well, that's partly true, as some companies do scrape whois data.

So does maintaining a P.O. box, a phone number that goes direct to voice
mail, as well as a separate "junk mail" email account cost you less than
about $20 a year? I'm not sure, but having your number on the do not
call list (if you are in the U.S.) is free, receiving junk mail doesn't
cost anything and neither does a hotmail/yahoo/gmail account.

So, to get to my point, from a "security" standpoint my opinion is that
domain "privacy" is of as much benefit as hiding under the covers of my
bed if an attacker breaks into my home.

Mike Lyon wrote:

I am curious what others in the industry think on this topic. When one
registers a domain they can put in their real information or they can use a
proxy, like Go-Daddy's Domains By Proxy.
  

If you're using it for your business, the value is pretty slim. You probably want your business to be reachable by the public.

Individuals, especially those using their domains to publish anything controversial, could benefit somewhat from the increased privacy.

David Smith
MVN.net

And that falls right into some of the scare tactic sales pitches the
domain registrars use.

"they can look up your domain and find your home address!"

Heck, even a P.O. box could leave someone open to a stalker, if said
stalker is determined enough.

So yes, I'll concede that point to a certain extent.

I still think it's a huge waste of money.

Not everybody charges for the service. Shop around.

Mike Lyon wrote:

Howdy,

I am curious what others in the industry think on this topic. When one
registers a domain they can put in their real information or they can use a
proxy, like Go-Daddy's Domains By Proxy.

Now, personally, I would prefer just to get a PO Box and put that address on
my domain info instead of doing a proxy. I could also put down a phone
number in the registration that just goes to my general business phone line
which is just a DVR.

[snip]

What's the difference between using a proxy vs using a PO Box except that a
PO Box is cheaper?

As others have already said, it doesn't really provide any security. In addition, it makes the company doing it appear amateurish. One expects professional behavior from a company. There are certainly reasons one might choose to obscure the ownership of a domain, but none of them are sound business reasons.

For the sake of your management, pick a few domains at random, do a whois on them, and print them out, as examples of grown-up companies (I chose lockheed.com, microsoft.com, google.com, and revlon.com myself).

I'd just like to get thoughts from others to see what the general feeling is
on this topic.

Just tell them no, in the most diplomatic way possible (lucky for them it's you and not me, since I am not always so diplomatic as I ought to be).

As a quick aside, I did see someone advise you that you could use the fedgov do not call list for your phone, but if it's a business phone, you cannot.

The whois is for when you stuff up your DNS / WEB etc. There
are lots of errors which are not visible except from an
iterative resolver. The contacts should be reachable easily
from anywhere in the world. They should be kept up to date.
I don't know how often I've attempted to report an operational
problem with DNS servers and delegations just to have the
email bounce due to the data being out of date.

Proxy services just add yet another layer that can go wrong.

Mark

* Mike Lyon:

So the question I have is this: What actual security are these proxy
companies providing to the end-user?

You can register domains without alerting your competition that you
plan to provide a particular service (which could be guessed based on
the domain name). Or a merger is coming up, and you want to quietly
get the domain for the new company name.

OTOH, there doesn't seem to be a legitimate long-term use for business
purposes. (In my view, the secondary domain market is not
legitimate---online advertisers keep it alive to artificially increase
conversion rates, essentially defrauding brand owners who are
structurally unable to cope with this situation.)

Not so much anymore. It's far more cost-effective and efficient for
them to buy the data in bulk, and there are plenty of suppliers offering it.
Now as to whether they're bad actors inside registrars, or registrars
themselves, or folks who've cracked registrar security and helped themselves
to the contents of their databases: who knows? But the bottom line is
that the data's out there.

---Rsk

I am curious what others in the industry think on this topic. When one
registers a domain they can put in their real information or they can use
a proxy, like Go-Daddy's Domains By Proxy.

More food for thought:
<http://blog.easydns.org/archives/247-Why-we-do-not-offer-Whois-masking-at-easyDNS.html#extended>

~JasonG

Don't be myopic about this. There are very legitimate business cases for these services.

Example: I work for a VoIP provider that sells to large customers. Their customers sell to smaller customers that want to operate their own small scale VoIP business. No one 2 or 3 levels down knows who we are, and the people upstream want it that way.

Sure, most have their own domain names, but maintaining that for SBCs and very small customers who don't have/want their own domain name (to check call logs, etc.) simply isn't feasible (you can doubt this assertion, but unless you know the Middle Eastern VoIP markets you have no business doing so).

Solution? Generic sounding domain name with private registration. Cheap. Effective. Done.

Daryl

Example: I work for a VoIP provider that sells to large customers.
Their customers sell to smaller customers that want to operate their
own small scale VoIP business. No one 2 or 3 levels down knows who we
are, and the people upstream want it that way.

Sure.

Solution? Generic sounding domain name

Right.

with private registration.

Wrong.

Proxy registration just makes you look sleazy. Voxbone does just dandy
as a VoIP wholesaler without proxy registration. What do they know that
you don't?

Some proxy registration is just stupid, e.g., there's proxy
registration for betamax.com, but not for their brands such as
voipdiscount.com, phonefreecalls.com, internetcalls.com, and
nowcall.com.

R's,
John

PS: