Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

Research
Monitoring
White-Label
Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Premium API Services
Premium API Services

Enjoy priority data access with our premium API services topped with extra perks including dedicated team support, enterprise-grade infrastructure, and SLAs for full scalability and high performance.

×
Contact Us

Success Stories

See other success stories Download PDF

WHOIS Data for Vulnerability Notifications




One of the cornerstones of cyber security is threat intelligence sharing. Maintenance of our IT systems' security and their protection against malicious actions require up-to-date knowledge of the entire field. There are significant efforts to assist experts in this activity, including those of market leaders such as IBM X-Force Exchange.

Due to the decentralized architecture of the Internet, however, the collaboration of the actors as well as voluntary campaigns in order to detect vulnerabilities are also of utmost importance. If, however, the owners of the affected systems cannot be notified, these efforts can hardly achieve their positive goal. And in this notification process, WHOIS data have their use. O. Cetin et al. [1], researchers of University of Delft, the Netherlands have recently presented some research results in this vein, leading to important conclusions regarding cybersecurity.

The problem

Surprisingly many domain name servers (DNS) are vulnerable to so-called “zone poisoning”. This consists in the possibility of replacing existing A or MX records of a name server by a malicious actor who can then use the domain for phishing or intercepting e-mail. This vulnerability was studied in detail in Ref. [3].

It seems quite trivial that the existence of such vulnerable domains is harmful for the global cyber security in general. Hence it would be beneficial if the affected domains would be fixed. In their research, Cetin et al. conducted a global campaign against this vulnerability and studied in detail the efficacy of e-mail notifications resulting from their activity.

But how to contact those who can do anything against the vulnerability of a DNS? The trivial idea would be to build on RFC 2142 [2], which specifies that the RNAME field of the given name server’s SOA (Start of Authority) record is supposed to contain the DNS operator's contact information. It is found, however, that these records are frequently missing or inaccurate.

WHOIS records to reach domain owners

As one of the alternatives, the researchers have purchased WHOIS data from WhoisXML API for the purpose of their campaign. Domain WHOIS data contain contact information of the domain owners, who typically have a stronger incentive to act against the DNS vulnerability than the DNS operators themselves. In addition, though unfortunately Domain WHOIS data are not perfect, it still may be the most reliable of all available sources.

In Ref. [1] it was indeed found that using e-mail addresses from Domain WHOIS data significantly decreases the bounce probability of the e-mail notifications sent.

Conclusions

One of the main lessons to learn from the contribution of Cetin et al. is that unfortunately at the moment there is no really efficient way to deploy vulnerability messages. It is likely that e-mail is too limited a tool to achieve this task, and something else should replace it in the future.

So what now? If you want to reach out to the owner of a domain for any reason (e.g. to draw their attention to a security vulnerability), the best approach is still to use as reliable WHOIS data as possible. And if you are an honest domain owner, you should keep your WHOIS data up-to-date, or you may miss some important messages.

References

In Ref. [2] the details of the methods are described and their successful operation is demonstrated on various real-life datasets. The biggest considered dataset consists of 11,975 URLs, 5,090 malicious and 6,885 benign.

The research was carried out by a research group of University of Calabria, Italy. The implementation of the method needed a large amount of accurate WHOIS data. Queries had to be implemented in the programming languages preferred by the researchers and had to run quickly to obtain the relevant information. This was realized using the services of WhoisXML API.

References

[1] Orcun Cetin, Carlos Ganan, Maciej Korczyński, and Michel van Eeten. Make notifications great again: Learning how to notify in the age of large-scale vulnerability scanning. In 16th Annual Workshop on the Economics of Information Security - WEIS 2017, La Jolla, California, June 26-27 2017
http://mkorczynski.com/WEIS2017Cetin.pdf

[2] D. Crocker. Mailbox Names for Common Services, Roles and Functions. RFC 2142, Internet Mail Consortium, May 1997.
https://www.ietf.org/rfc/rfc2142.txt

[3] Maciej Korczyński, Michał Król, and Michel van Eeten. Zone Poisoning: The How and Where of Non-Secure DNS Dynamic Updates Proceedings of the 2016 ACM on Internet Measurement Conference - IMC 16, 2016.
https://doi.org/10.1145/2987443.2987477

See other success stories
Try our WhoisXML API for free
Get started