
SANS ISC: InfoSec Handlers Diary Blog - Anonymous domainnames



Anonymous domainnames

Published: 2007-09-22
Last Updated: 2007-09-22 14:53:46 UTC
by Swa Frantzen (Version: 1)

In the past we've pointed readers, in private email and publicly, to whois to find out who's behind domain names and IP addresses.

Over the years we've seen the whois system deteriorate for domain names: with -paid for- anonymous registrations, with systems that point you to a website where you have to interact with the website instead of continuing on the command line, with results that come back as GIFs instead of text, etc.

But today I was dealing with a .name registration that's likely up to no good, but on the odd chance there was a real company behind it I checked it out in whois:

$ whois [suppressed].name
Disclaimer: [skipping the legalese]

This is the .name Tiered Access Whois. For help, query whois with the
string "help". A whois web service also exists on http://www.whois.name.
A full list of .name Registrars can be found on http://www.nic.name
                              --------


Domain Name ID: 2899351DOMAIN-NAME
Domain Name: [suppressed].NAME
Domain Status: ok

OK, nothing of use here; it's basically a "see http://www.whois.name/".

On to that website (it's actually a redirect to https://whois.nic.name/):

You basically have 3 options:

  • the "summary search": equally useless as the whois interface itself
  • the "standard search": ah yes, that must give what we need! Let's try it:
    Domain Name ID: 2899351DOMAIN-NAME
    Domain Name: [suppressed].NAME
    Sponsoring Registrar ID: 21REGISTRAR-NAME
    Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
    Domain Status: ok
    Registrant ID: 2314764CONTACT-NAME
    Admin ID: 2314764CONTACT-NAME
    Tech ID: 2314764CONTACT-NAME
    Billing ID: 2314764CONTACT-NAME
    Name Server ID: 1306740HOST-NAME
    Name Server: NS1.[suppressed].NAME
    Name Server ID: 1306741HOST-NAME
    Name Server: NS2.[suppressed].NAME
    Created On: 2007-04-25T07:58:33Z
    Expires On: 2008-04-25T07:58:33Z
    Updated On: 2007-06-25T02:25:20Z

    No such luck apparently.
    It seems they lowered their standard quite a bit.
  • There's a third option: "For detailed Whois searches, which are subject to higher privacy protection than Summary and Standard". Now, that sounds like what we need.
    Unfortunately, higher privacy protection seems to not apply to those who seek the information at all. They insist on having not just the obligatory hurdle of a CAPTCHA (without escape for the visually impaired), but it almost looks like a typical phishing website as they also want all your private data, including your credit card number.

    Yes, you got it: ".name" wants to charge you for knowing who registered what domain name!
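
As an added example (not part of the original diary, and not ISC or registry code), the Python below parses a response in the shape of the standard-search output above and lists what it still gives an investigator: the registrar, the contact handles, whether every role uses one handle, and whether the name servers sit under the domain itself. EXAMPLE.NAME stands in for the suppressed domain, the sample is constructed from the fields shown above, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the "standard search" output quoted above.
# EXAMPLE.NAME is a placeholder; IDs are assumed to end in a type suffix.
SAMPLE = """\
Domain Name ID: 2899351DOMAIN-NAME
Domain Name: EXAMPLE.NAME
Sponsoring Registrar ID: 21REGISTRAR-NAME
Sponsoring Registrar: Directi Internet Solutions d/b/a PublicDomainRegistry.Com
Domain Status: ok
Registrant ID: 2314764CONTACT-NAME
Admin ID: 2314764CONTACT-NAME
Tech ID: 2314764CONTACT-NAME
Billing ID: 2314764CONTACT-NAME
Name Server ID: 1306740HOST-NAME
Name Server: NS1.EXAMPLE.NAME
Name Server ID: 1306741HOST-NAME
Name Server: NS2.EXAMPLE.NAME
Created On: 2007-04-25T07:58:33Z
"""

ROLES = ("Registrant ID", "Admin ID", "Tech ID", "Billing ID")

def parse(text):
    """Return {label: [values]}; labels such as 'Name Server' repeat."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*)$", line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields

def pivots(text):
    """Summarise what a tiered response still offers an investigator."""
    f = parse(text)
    domain = f.get("Domain Name", [""])[0].lower()
    # Strip the object-type suffix (e.g. CONTACT-NAME) to get the bare handle.
    handles = {r: re.sub(r"[A-Z]+-NAME$", "", f[r][0]) for r in ROLES if r in f}
    ids = set(handles.values())
    servers = [s.lower() for s in f.get("Name Server", [])]
    return {
        "tier": "standard" if "Sponsoring Registrar" in f else "summary",
        "registrar": f.get("Sponsoring Registrar", [None])[0],
        "contact_handles": sorted(ids),
        "single_contact": len(handles) == len(ROLES) and len(ids) == 1,
        "self_hosted_dns": bool(servers) and all(s.endswith("." + domain) for s in servers),
        "created": f.get("Created On", [None])[0],
    }

print(pivots(SAMPLE))
```

A single handle across all four roles and name servers under the domain itself do not identify anyone, but the handle, registrar and creation date can still be compared across other registrations at the same tier.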

I guess I need to say thanks to those who created and run .name for this "wonderful" scheme. I'm sure those up to no good will love you for it.

Before we get flooded by reactions: I can be sympathetic to privacy, but if you have something to say (email, web, ... something that needs a domain name) I want to have the right to know who you are, and I want those giving you the domain name to verify you are who you are before letting you have the domain name. If you cannot safely say what you want to say unless you are anonymous: don't get a domain name, there are plenty of services out there to get a message across without your very own domain name.

--
Swa Frantzen -- NET2S
