WHOIS Right? An Analysis of WHOIS and RDAP Consistency

  • Conference paper
Passive and Active Measurement (PAM 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14537)

Abstract

Public registration information on domain names, such as the accredited registrar, the domain name expiration date, or the abuse contact is crucial for many security tasks, from automated abuse notifications to botnet or phishing detection and classification systems. Various domain registration data is usually accessible through the WHOIS or RDAP protocols—a priori they provide the same data but use distinct formats and communication protocols. While WHOIS aims to provide human-readable data, RDAP uses a machine-readable format. Therefore, deciding which protocol to use is generally considered a straightforward technical choice, depending on the use case and the required automation and security level. In this paper, we examine the core assumption that WHOIS and RDAP offer the same data and that users can query them interchangeably. By collecting, processing, and comparing 164 million WHOIS and RDAP records for a sample of 55 million domain names, we reveal that while the data obtained through WHOIS and RDAP is generally consistent, 7.6% of the observed domains still present inconsistent data on important fields like IANA ID, creation date, or nameservers. Such variances should receive careful consideration from security stakeholders reliant on the accuracy of these fields.
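
A field-level consistency check of the kind the abstract motivates, as an added example that is not the paper's code or methodology: it normalises the IANA ID, creation date and nameservers from a WHOIS text record and an RDAP JSON record and reports the fields that disagree. The sample records, the domain example.test and the registrar ID 9999 are constructed, and the WHOIS key names assume the common gTLD "Key: value" layout.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records for a hypothetical domain (not real registry output).
WHOIS_TEXT = """\
   Registrar IANA ID: 9999
   Creation Date: 2020-01-15T10:00:00Z
   Name Server: NS1.EXAMPLE.TEST
   Name Server: NS2.EXAMPLE.TEST
"""
RDAP_JSON = json.dumps({
    "entities": [{"roles": ["registrar"],
                  "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}]}],
    "events": [{"eventAction": "registration", "eventDate": "2020-01-16T10:00:00Z"}],
    "nameservers": [{"ldhName": "ns1.example.test."}, {"ldhName": "ns3.example.test"}],
})

def _utc(ts):
    """Parse an ISO 8601 timestamp and normalise it to UTC (naive input is taken as UTC)."""
    dt = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc) if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_whois(text):
    """Extract the compared fields from 'Key: value' lines of a WHOIS response."""
    kv = re.findall(r"^\s*([^:\n]+):[ \t]*(.+?)\s*$", text, re.M)
    def get(key):
        return [v for k, v in kv if k.strip().lower() == key]
    date = get("creation date")
    # Hostname case and a trailing dot are formatting, not data differences.
    return {"iana_id": (get("registrar iana id") or [None])[0],
            "created": _utc(date[0]) if date else None,
            "nameservers": {v.rstrip(".").lower() for v in get("name server")}}

def parse_rdap(raw):
    """Extract the same fields from an RDAP domain object (RFC 9083 member names)."""
    obj = json.loads(raw)
    ids = [p["identifier"] for e in obj.get("entities", []) if "registrar" in e.get("roles", [])
           for p in e.get("publicIds", []) if p.get("type") == "IANA Registrar ID"]
    dates = [ev["eventDate"] for ev in obj.get("events", []) if ev.get("eventAction") == "registration"]
    return {"iana_id": ids[0] if ids else None,
            "created": _utc(dates[0]) if dates else None,
            "nameservers": {n["ldhName"].rstrip(".").lower() for n in obj.get("nameservers", [])}}

def inconsistent_fields(whois_text, rdap_raw):
    """Return the names of fields whose normalised values differ between the two sources."""
    w, r = parse_whois(whois_text), parse_rdap(rdap_raw)
    return sorted(f for f in w if w[f] != r[f])
```

A field that one source omits is reported as inconsistent, so a pipeline that relies on registrar or creation-date features can flag the domain instead of silently trusting whichever protocol it queried.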

Author information

Corresponding author

Correspondence to Simon Fernandez.

A Examples of Records

Fig. 6. Registry WHOIS record of google.com obtained from the VeriSign server

Fig. 7. Part of the Registry RDAP record of google.com obtained from the VeriSign server

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Fernandez, S., Hureau, O., Duda, A., Korczynski, M. (2024). WHOIS Right? An Analysis of WHOIS and RDAP Consistency. In: Richter, P., Bajpai, V., Carisimo, E. (eds) Passive and Active Measurement. PAM 2024. Lecture Notes in Computer Science, vol 14537. Springer, Cham. https://doi.org/10.1007/978-3-031-56249-5_9

  • DOI: https://doi.org/10.1007/978-3-031-56249-5_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-56248-8

  • Online ISBN: 978-3-031-56249-5

  • eBook Packages: Computer Science (R0)
