[At-Large] Security broken. WHOIS it?

Derek Smythe derek at aa419.org
Wed Jul 26 22:26:15 UTC 2017


As a consumer of WHOIS data in our attempt at fighting cyber fraud, we
noticed WHOIS lookups failing the past day and a bit.

This failure was noticed using various utilities across various
platforms and locations. Further investigation shows the gTLD
registry data format had changed for .net and .com domains,
specifically the format of the line pointing to the registrar’s WHOIS server.

As per the ICANN specifications, and how it was, this should be the
registry format (bold for the sake of emphasis):

    Domain Name: VERISIGN.COM
    Whois Server: whois.networksolutions.com

But this has now become:

    Domain Name: VERISIGN.COM
    Registry Domain ID: 2703255_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.corporatedomains.com

Naturally, parsing data and looking for a string that should be an
identifier, but has changed, will result in lookup failures. Using
this observation and patching, we suddenly saw the WHOIS lookup process
start working again. This same observation was made in the .NET gTLD.
Despite checking, no public notices are available on the ICANN website
that this specification is changing:


It’s a concern that a data format can be changed unilaterally, leaving
folks in the IT security field (and other legitimate consumers of such
data) in the dark, especially when we see the mass proliferation of
malicious domains targeting consumer, commerce and even governments.
The process of looking up registration data rapidly is crucial for
accurate identification to allow precise mitigation of such threats.
Changes made in such a manner as this undermine these efforts.

Derek Smythe
Artists Against 419
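Added illustration, not code from the post or from aa419: a small Python parser that shows why an exact-string match on the old "Whois Server:" key fails against the changed .com/.net output quoted above, and a tolerant version that accepts either key so the referral step keeps working. The two sample responses are constructed from the lines quoted in the post.

```python
import re
from typing import Optional

# Constructed sample in the old (ICANN-specified) registry layout quoted above.
OLD_FORMAT = """\
Domain Name: VERISIGN.COM
Whois Server: whois.networksolutions.com
"""

# Constructed sample in the changed .com/.net registry layout quoted above.
NEW_FORMAT = """\
Domain Name: VERISIGN.COM
Registry Domain ID: 2703255_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
"""


def referral_server_brittle(response: str) -> Optional[str]:
    """The kind of lookup that broke: matches only the exact old key."""
    for line in response.splitlines():
        if line.startswith("Whois Server:"):
            return line.split(":", 1)[1].strip()
    return None


# Accept the old key and the new "Registrar WHOIS Server" key, ignoring case
# and surrounding whitespace, so a relabelled line does not silently stop the
# referral to the registrar's WHOIS server.
_REFERRAL_KEY = re.compile(
    r"^\s*(?:registrar\s+)?whois\s+server\s*:\s*(?P<host>\S+)\s*$",
    re.IGNORECASE,
)


def referral_server(response: str) -> Optional[str]:
    """Return the registrar WHOIS host to query next, or None if absent."""
    for line in response.splitlines():
        match = _REFERRAL_KEY.match(line)
        if match:
            return match.group("host").lower()
    return None
```

Returning None (rather than raising or matching nothing) lets a caller log the unexpected format instead of treating the lookup as a dead domain.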
