Abstract
Public registration information on domain names, such as the accredited registrar, the domain name expiration date, or the abuse contact is crucial for many security tasks, from automated abuse notifications to botnet or phishing detection and classification systems. Various domain registration data is usually accessible through the WHOIS or RDAP protocols—a priori they provide the same data but use distinct formats and communication protocols. While WHOIS aims to provide human-readable data, RDAP uses a machine-readable format. Therefore, deciding which protocol to use is generally considered a straightforward technical choice, depending on the use case and the required automation and security level. In this paper, we examine the core assumption that WHOIS and RDAP offer the same data and that users can query them interchangeably. By collecting, processing, and comparing 164 million WHOIS and RDAP records for a sample of 55 million domain names, we reveal that while the data obtained through WHOIS and RDAP is generally consistent, 7.6% of the observed domains still present inconsistent data on important fields like IANA ID, creation date, or nameservers. Such variances should receive careful consideration from security stakeholders reliant on the accuracy of these fields.
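A field-level consistency check of the kind the abstract describes, as an added illustration (not the authors' code or methodology). It assumes ICANN gTLD-style WHOIS keys (`Registrar IANA ID`, `Creation Date`, `Name Server`) and an RFC 9083 RDAP domain object; the records and function names are constructed for this example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records for a placeholder domain (not real registration data).
WHOIS_TEXT = """Domain Name: EXAMPLE.TEST
Registrar IANA ID: 9999
Creation Date: 2020-01-15T10:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
"""
RDAP_JSON = json.dumps({
    "events": [{"eventAction": "registration", "eventDate": "2020-01-15T10:00:00+00:00"}],
    "entities": [{"roles": ["registrar"],
                  "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}]}],
    "nameservers": [{"ldhName": "ns1.example.test."}, {"ldhName": "ns3.example.test"}],
})

def _ts(value):  # aware UTC datetime, so 'Z' and '+00:00' compare equal
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def _host(name):  # hostnames are case-insensitive; drop the trailing root dot
    return name.strip().rstrip(".").lower()

def parse_whois(text):
    """Extract the three compared fields from 'Key: value' WHOIS lines."""
    rec = {"iana_id": None, "created": None, "nameservers": set()}
    for key, val in re.findall(r"^\s*([^:\n]+):[ \t]*(\S.*)$", text, re.M):
        key, val = key.strip().lower(), val.strip()
        if key == "registrar iana id":
            rec["iana_id"] = val
        elif key == "creation date":
            rec["created"] = _ts(val)
        elif key == "name server":
            rec["nameservers"].add(_host(val))
    return rec

def parse_rdap(raw):
    """Extract the same fields from an RDAP domain object."""
    doc = json.loads(raw)
    dates = [e["eventDate"] for e in doc.get("events", []) if e.get("eventAction") == "registration"]
    ids = [p["identifier"] for e in doc.get("entities", []) if "registrar" in e.get("roles", [])
           for p in e.get("publicIds", []) if p.get("type") == "IANA Registrar ID"]
    return {"iana_id": ids[0] if ids else None, "created": _ts(dates[0]) if dates else None,
            "nameservers": {_host(n["ldhName"]) for n in doc.get("nameservers", [])}}

def inconsistent_fields(whois_text, rdap_raw):
    """Names of fields whose normalised values differ between the two sources."""
    w, r = parse_whois(whois_text), parse_rdap(rdap_raw)
    return sorted(f for f in w if w[f] != r[f])
```

Normalising before comparing matters here: the two creation dates and the `ns1` entries differ only in formatting, so the check reports the nameserver set alone as inconsistent.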
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Fernandez, S., Hureau, O., Duda, A., Korczynski, M. (2024). WHOIS Right? An Analysis of WHOIS and RDAP Consistency. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14537. Springer, Cham. https://doi.org/10.1007/978-3-031-56249-5_9
DOI: https://doi.org/10.1007/978-3-031-56249-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56248-8
Online ISBN: 978-3-031-56249-5
eBook Packages: Computer Science (R0)