What you should know about WHOIS and Security

Table of contents

• What is WHOIS?
• Look inside a WHOIS record
• Uses for WHOIS information
• WHOIS, from the field
• WHOIS issues
• The Future of WHOIS
• Next Generation: Registration Data Access Protocol (RDAP)
• RDAP specifications
• GDPR and WHOIS
• Security and WHOIS

If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records.

WHOIS is important to organizations that seek to secure against threats across their digital landscape because aside inaccurate records, there are many potential threats. These include:

• Spam
• Malware
• Botnet sources
• Advanced Persistent Threats
• Malicious traffic
• Ransomware
• Insider threats
• State-sponsored threat actors

What is WHOIS?

WHOIS information, maintenance, and collection operations are dictated by regulations set forth by The Internet Corporation for Assigned Names and Numbers (ICANN). This Internet record listing identifies the owners and operators of a domain as well as indicating how to get in contact with them.

Collectively, this base of information provides integrity for domain registrations and a path for resolution for when issues might arise.

There are two channels of information in WHOIS information, known as thin and thick.

THIN: the first level of information that can be accessed. Registrar information, registration dates, and nameservers are found at this level.

THICK: Deeper ownership information includes names, addresses, and contact information for administrative, technical, and registrant parties (often the same as that of the registrant).

Look inside a WHOIS record

In any industry, standards have a way of updating and the forces behind WHOIS are just as susceptible to standard and implementation changes over time. For the most part however, these records are designed to include all contact and registration information for the parties that register a domain name, specific to the company, group and person in charge of various operational web elements.

Each WHOIS record should contain the following information:

• The date of domain registration
• The domain expiration date
• Nameserver details
• Name and contact information of the Registrant (domain owner)
• The name and contact information of the organization or commercial entity that registered the domain name
• Most recent update information

Uses for WHOIS information

WHOIS has a number of important uses which include:

• Is a domain available?
• Alert technical contacts to security and site issues
• Disclose contact, address information behind a given site
• Emergency/Outage contact information
• Provide information for domain-related transactions
• Uncover responsible parties behind intellectual property scenarios
• Channel for security and incident response contacts
• Overall historical and background information behind traffic and domain sources

WHOIS, from the field

Legitimate, fully populated and compliant records are exceedingly rare, especially when the volume of records collectively scale. This makes tracking down information a challenge. In addition to the millions of domains in existence, there are countless registrars with varying implemented and enforced registration standards. Servers that run the WHOIS service are also vast in numbers. Like many systems born from the early days of the internet, the WHOIS system wasn’t built to scale into the future. And if it can be inefficient, then it can be exploited.

Despite its imperfect nature, the WHOIS system and the information contained within are still critical to the industry as WHOIS reinforces the security and stability of the internet, largely as a channel for Internet Service Providers, network administrators, and security personnel to research and contact information that is domain-related. WHOIS also provides structure to the domain registration process as well as proving itself as a channel or investigative activities and law enforcement.

On a global scale, WHOIS information assists in campaigns against technology abuses, uncovering botnet networks, nefarious actors, suspicious traffic sources, intellectual property infringements and more with the ability to track information behind domain activities.

WHOIS issues

One big issue with the system is the maintenance and updating of data. The process is reliant on the original population of data that occurs when a domain is first registered. When things change, it is up to the registrant to change this information. As phone numbers, email information, addresses, and other information change, WHOIS data may become stale. The Internet Corporation for Assigned Names and Numbers, also known as ICANN, requests yearly routine updates of this information but it is not stringently enforced.

Another element is the existence of private domain registration. That is because WHOIS information is public and earlier on, in the days of domain registration, domain registrars offered privacy services, registering domains “by proxy” on their customer’s behalf.

The Future of WHOIS

Next Generation: Registration Data Access Protocol (RDAP)

All things must change, which is the way of technology and the internet. Seeking improvement in the integrity of domain records, the RDAP standard was developed as a successor to the WHOIS protocol and it is currently making its way through the adoption curve. The object was to create a standard for nimble, portable, and accurate data without the legacy issues of WHOIS. The emerging format features a standard, machine-readable JSON standard and a foundation build on RESTful web services. This systems is HTTP-compatible, so that error codes, user identification, authentication, and access control can be delivered through the universal HTTP web protocol.

RDAP-compliant records are registered through validated hosts and the features of RDAP services include:

• Standardized queries and responses
• Data object language capabilities that extend beyond English
• Redirection capabilities that allow seamless referrals to other registries
• Network address registrations for IPV4 and IPV6

RDAP specifications

• RFC 7480 – HTTP Usage in the Registration Data Access Protocol (RDAP)
• RFC 7481 – Security Services for the Registration Data Access Protocol (RDAP)
• RFC 7482 – Registration Data Access Protocol (RDAP) Query Format
• RFC 7483 – JSON Responses for the Registration Data Access Protocol (RDAP)

GDPR and WHOIS

General Data Protection Regulation (GDPR) became effective in early 2018 and although there haven’t been a lot of significant fines or legal cases to emerge just yet, news stories indicate that a wave is coming. This sweeping reformation of privacy laws affects European Union countries as well as any company that might retain the private information of any European individual. These regulations dictate not only the protection of data, but the retention, collection, and distribution of personal information.

The WHOIS system is at odds with GDPR, because it is public, because it has specific information, and because it retains that information for extended periods of time. The fate of WHOIS in light of GDPR is unclear. In the aftermath of GDPR, some registrars have declined to comply with ICANN WHOIS information requirements, to avoid potential GDPR fines.

Security and WHOIS

The WHOIS system is a critical research and security component. Its information provides valuable background information that helps affirm proper network connectivity, domain source information, and contributes towards critical security and service continuity.

Cybersecurity professionals use WHOIS information to quickly assess and eliminate cyberthreats every day. To limit access to this information because of GDPR and other forthcoming privacy mandates would be to hamper this resource. Even with all of its flaws and a significant data accuracy challenge, WHOIS continues to prove to be a valuable forensic tool. Due to human nature and ease of registrations, researchers can quickly cross-compare domain registration information that can be associated with foreign nationals, cybercriminal groups, and other nefarious actors.

In some cases, researchers could correlate networks belonging to bad actors through inter-related domain registrations, common IP information, and other telling information that is gathered through the WHOIS system. Some of the largest organizations today rely heavily on domain registration data to add to their organizational security intelligence, to protect networks and applications, and secure data where it expected to be protected.

Email spam, malware, ransomware, virus distribution, insider threats, data leaks, advanced persistent threats, payloaded software, and many other types of threats can often be traced back to domain-sourced certificates and registrations. Therefore, protecting information proactively by using public information is the ultimate value of WHOIS to a security-minded organization.

The future of WHOIS information and security lies in maintaining an active, open environment and open database via which intelligence can be freely gathered and referenced. Every day, thousands of incidents can be and are protected by proactive investigative discoveries through this valuable system.