Security broken. WHOIS it?

Security broken. WHOIS it?

As a consumer of WHOIS data in our attempt at fighting cyber fraud, we noticed WHOIS lookups failing the past day and a bit.

This failure was noticed using various utilities across various platforms and locations. Further investigations shows the gTLD registry data format had changed for .net and .com domains, specifically the format line to the registrar’s WHOIS server.

As per the ICANN specifications, and how it was, this should be the registry format (bold for the sake of emphasis):

Domain Name: VERISIGN.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com

But this has now become:

Domain Name: VERISIGN.COM
Registry Domain ID: 2703255_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com

Naturally parsing data and looking for a string that should be an identifier, but has changed, will result in lookup failures. Using this observation and patching, suddenly saw the WHOIS lookup process start working again. This same observation was made in the .NET gTLD. Despite checking, no public notices are available on the ICANN website that this specification is changing:

https://www.icann.org/resources/pages/com-2012-12-07-en
https://www.icann.org/resources/agreement/net-2017-07-01-en
https://www.icann.org/resources/pages/advisories-2012-02-25-en

It’s a concern that a data format can be changed unilaterally, leaving folks in the IT security field (and other legitimate consumers of such data) in the dark, especially when we see the mass proliferation of malicious domains targeting consumer, commerce and even governments. The process of looking up registration data rapidly is crucial for accurate identification to allow precise mitigation of such threats.  Changes made in such a manner as this, undermines these efforts.

Update:

There has been suggestions varying from additional data only being added, to accusations of badly written software being the only ones failing.

Let’s us consider what has changed:

Software processing the registry port 43 output for a domains in the .net and .com gTLD space was expecting a specific set of key/value pairs, to quote ICANN’s own documentation at https://www.icann.org/sites/default/files/tlds/net/net-agmt-pdf-01jul17-en.pdf.

However, the key as still specified in the last mentioned document and at  https://www.icann.org/resources/pages/appendix-05-2012-12-07-en is “WHOIS Server:” and “Whois Server:” respectively.  Apart from these specifications, no newer specifications could be found.

Let us consider what a specification is. From https://www.merriam-webster.com/dictionary/specification:

Definition of specification

  1. 1 :  the act or process of specifying

  2. a :  a detailed precise presentation of something or of a plan or proposal for something —usually used in plural

    b :  a statement of legal particulars (as of charges or of contract terms); also :  a single item of such statement

    c :  a written description of an invention for which a patent is sought

Naturally anybody moving in a field as technical as data interchange will appreciate the need for a specification. Any such change should be communicated to all concerned parties. Consider a power station supposedly delivering a stable 110v AC power source changing it to 380V AC.  Users will be in for a shocking surprise, with damage sure to occur. More so, any public protection agency with the necessary oversight will be sure to take strong action. It is precisely for this reason that specifications and agreements are vital. This is what makes our civilized world function. Likewise on the internet. Considering law enforcement and consumer protection agencies and groups are continuously overwhelmed with abuse attributable to malicious domains, the ability to do a fast efficient WHOIS lookup is essential. In fact many registrars even consider law enforcement and groups such as the APWG etc their abuse operatives.

Getting back to our key, a deviation from a specification is what broke port 43 WHOIS lookups at Verisign.

As such this deviation from the specification was pointed out to ICANN Compliance: Ticket [~QJA-246-67354]. The reply?

Thank you for submitting a complaint concerning the top-level domains .COM and .NET. ICANN has reviewed and closed your complaint because:

– ICANN does not have contractual authority to address your complaint, as ICANN is not the source of registry or registrar Whois information in port 43. Please contact the registry operator directly. Alternatively, you may wish to obtain Whois data by conducting Whois queries directly from the registry or registrar’s web-based Whois services/websites.

ICANN considers this matter now closed.

Please do not reply to the email. If you require future assistance, please email compliance@icann.org; if you have a new complaint, please submit it at http://www.icann.org/resources/compliance/complaints .

ICANN is requesting your feedback on this closed complaint. Please complete this optional survey at https://www.surveymonkey.com/s/8F2Z6DP?ticket=(snip).

Sincerely,

ICANN Contractual Compliance

Perhaps something more than mere security was broken? But then again, don’t we know it already, when we see people losing their livelihoods daily on the net due to malicious domains with lot of self-blinding abounding? As someone said recently: So much pretense …

Comments are closed.