InterNIC "whois server <handle>" broke?
Has anyone else noted that "whois server <handle>" no longer seems to be working at the InterNIC?
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
Given the number of very confused personal e-mails I've gotten on this, here's a direct example:

: dns:~ $ whois conch.aa.msen.com
: [No name] (CONCH-HST)
:
: Hostname: CONCH.AA.MSEN.COM
: Address: 148.59.1.20
: System: ASA Pentium running BSDI UNIX
:
: Coordinator:
: Operations Center, Msen Network (MNO5) noc@MAIL.MSEN.COM
: +1 248 740-3400 xt. 2 (FAX) +1 248 740-0690
:
: Record last updated on 13-Dec-96.
: Database last updated on 18-Dec-98 09:08:01 EST.
:
: dns:~ $ whois server conch-hst
: No match for server "CONCH-HST".
:
: dns:~ $ whois gr-press.com
:
: Registrant:
: The Grand Rapids Press (GR-PRESS-DOM)
: 155 Michigan Ave. NW
: Grand Rapids, MI 49503
:
: Domain Name: GR-PRESS.COM
:
: Administrative Contact:
: Hanson, Worth (WH851) Whanson@CCMAIL.GR-PRESS.COM
: (616) 222-5605
: Technical Contact, Zone Contact:
: Burnett, Doug (DB131) dburnett@BOOTH-NEWS.COM
: (313) 994-6960
: Billing Contact:
: Ramos, Dora (DR921) sbandg@CONDENAST.COM
: (212) 692-4456
:
: Record last updated on 26-Aug-97.
: Record created on 17-Mar-94.
: Database last updated on 18-Dec-98 09:08:01 EST.
:
: Domain servers in listed order:
:
: DNS.MSEN.COM 148.59.19.11
: CONCH.AA.MSEN.COM 148.59.1.20
: NBN.NBN.COM 199.4.64.19
:

Hopefully this clarifies things a bit more.

We're having enough trouble getting information on stuff on our servers. We will be rather upset if this path is closed off too.

On Fri, Dec 18, 1998 at 01:20:54PM -0500, Jeffrey Haas wrote:
Has anyone else noted that "whois server <handle>" no longer seems to be working at the InterNIC?
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
But why not the following syntax: (and I admit, I've never used "whois server server-handle" before, but always the below syntax)

[dredd@lawgiver dredd]$ whois conch-hst
[rs.internic.net]
[No name] (CONCH-HST)

Hostname: CONCH.AA.MSEN.COM
Address: 148.59.1.20
System: ASA Pentium running BSDI UNIX
<snip>

On Fri, 18 Dec 1998, Jeffrey Haas wrote:
Given the number of very confused personal e-mails I've gotten on this, here's a direct example:
: dns:~ $ whois conch.aa.msen.com
: [No name] (CONCH-HST)
:
: Hostname: CONCH.AA.MSEN.COM
: Address: 148.59.1.20
: System: ASA Pentium running BSDI UNIX
:
: Coordinator:
: Operations Center, Msen Network (MNO5) noc@MAIL.MSEN.COM
: +1 248 740-3400 xt. 2 (FAX) +1 248 740-0690
:
: Record last updated on 13-Dec-96.
: Database last updated on 18-Dec-98 09:08:01 EST.
:
: dns:~ $ whois server conch-hst
: No match for server "CONCH-HST".
:
: dns:~ $ whois gr-press.com
:
: Registrant:
: The Grand Rapids Press (GR-PRESS-DOM)
: 155 Michigan Ave. NW
: Grand Rapids, MI 49503
:
: Domain Name: GR-PRESS.COM
:
: Administrative Contact:
: Hanson, Worth (WH851) Whanson@CCMAIL.GR-PRESS.COM
: (616) 222-5605
: Technical Contact, Zone Contact:
: Burnett, Doug (DB131) dburnett@BOOTH-NEWS.COM
: (313) 994-6960
: Billing Contact:
: Ramos, Dora (DR921) sbandg@CONDENAST.COM
: (212) 692-4456
:
: Record last updated on 26-Aug-97.
: Record created on 17-Mar-94.
: Database last updated on 18-Dec-98 09:08:01 EST.
:
: Domain servers in listed order:
:
: DNS.MSEN.COM 148.59.19.11
: CONCH.AA.MSEN.COM 148.59.1.20
: NBN.NBN.COM 199.4.64.19
:
Hopefully this clarifies things a bit more.
We're having enough trouble getting information on stuff on our servers. We will be rather upset if this path is closed off too.
On Fri, Dec 18, 1998 at 01:20:54PM -0500, Jeffrey Haas wrote:
Has anyone else noted that "whois server <handle>" no longer seems to be working at the InterNIC?
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
======================================================================
Derek J. Balling | "Bill Gates is a monocle and a white
dredd@megacity.org | fluffy cat from being a villain in the
http://www.megacity.org/ | next Bond film." - Dennis Miller
======================================================================
On Fri, Dec 18, 1998 at 11:17:00AM -0800, Derek Balling wrote:
But why not the following syntax: (and I admit, I've never used "whois server server-handle" before, but always the below syntax)
[dredd@lawgiver dredd]$ whois conch-hst
[...]

The whole purpose of the "server" directive is to give you a dump, within reason, of the domains that contain your server's NIC handle. Conch is no longer supposed to be serving DNS, but the NIC and its agents are giving us a HELL of a time getting the thing changed to the new handle, especially for domains that we aren't registered handles for.

I'm tempted at this point to LAME DELEGATE each of the affected domains (lucky for me, I have a snapshot of this the last time it worked). Never mind that it will take about a solid month of beating on hostmaster and calling and yelling to get this done. Lame delegations seem to get ignored most of the time when we submit them.

The NIC is either broke, or is slipping even further in letting people keep the whois system clean. I'm trying to figure out if this is oops or otherwise. I'm not going to even comment on their broken BEFORE-USE guardian problems..

Anyone from NetSol wishing to comment?
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
So I was told (quite rudely I might add) by someone in a private e-mail. As I said.. I'd never used that syntax before, so it was completely lost on me. :)

My apologies for the noise. :)

D

On Fri, 18 Dec 1998, Jeffrey Haas wrote:
The whole purpose of the "server" directive is to give you a dump, within reason, of the domains that contain your server's NIC handle. Conch is no longer supposed to be serving DNS, but the NIC and its agents are giving us a HELL of a time getting the thing changed to the new handle, especially for domains that we aren't registered handles for.
======================================================================
Derek J. Balling | "Bill Gates is a monocle and a white
dredd@megacity.org | fluffy cat from being a villain in the
http://www.megacity.org/ | next Bond film." - Dennis Miller
======================================================================
On Fri, 18 Dec 1998, Derek Balling wrote:
But why not the following syntax: (and I admit, I've never used "whois server server-handle" before, but always the below syntax)
[dredd@lawgiver dredd]$ whois conch-hst
[rs.internic.net]
[No name] (CONCH-HST)

Hostname: CONCH.AA.MSEN.COM
Address: 148.59.1.20
System: ASA Pentium running BSDI UNIX
<snip>
[...]
: dns:~ $ whois server conch-hst
: No match for server "CONCH-HST".
[...]

You are missing the whole point of what he is trying to do. Originally (well, a while back), "whois server foo-hst" would return a list of up to 256 domains using that nameserver for their ns records. Then it was changed so it only returned 100 or something on that order.

Now that this feature is gone, if you want to do this then you either have to beg the InterNIC to send you a list (if it is your server) and wait around hoping they will respond or beg them to give you ftp access to the zone file then download the whole thing and grep it.
Has anyone else noted that "whois server <handle>" no longer seems to be working at the InterNIC?
Indeed it is more broken now than before. Before, it would truncate the list, making its usefulness very limited (if you are trying to clear off all uses of a host, you have to do a few at a time, wait, and query again ... could take a long time). Now it seems to be just plain dead.

Maybe they are doing this as a measure to reduce harvesting for domain names? I would support it if that is the case.

But a means still needs to exist for the authorized contact for a host to be able to get the full server list that Internic has for that host. Sending the list by e-mail to the contact of record would seem to me to be the best way to do it.

--
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
On Fri, Dec 18, 1998 at 01:31:16PM -0600, Phil Howard wrote:
But a means still needs to exist for the authorized contact for a host to be able to get the full server list that Internic has for that host. Sending the list by e-mail to the contact of record would seem to me to be the best way to do it.
I would wholeheartedly support locking out the server directive if I was given one of these two methods:

authenticate yourself by telneting into internic.net at the whois prompt. From there, I could then issue a query for all domains that list my server's NIC handles.

So, in my case, I'm MNO5. I could then query for anything that MNO5 is either:
o a contact
o a dns server attached to my contact

I could even live with the request being done live and then e-mailed to me.

I would _really_ love a way to lame delegate my stuff via password login as well in a batch fashion.

I'm wondering if part of the problem is they're changing DB systems, and don't have the appropriate macros installed yet.
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
I might agree with the security involved in being able to query the database. However, I don't agree with the limitation of what records can be accessed.

As recently as last night (apparently before the "server" feature became unavailable) I used this tool to get information that pertained to me on records that were not "mine". I recently had a new /24 routed to me by my upstream, and after examining my filter logs I saw a slew of nameservice requests battering me from many locations to an IP address that wasn't even active on my new network. A quick query on the netblock with the "host" wildcard showed a nameserver that _used_ to be in my address space. Then, queries about that nameserver with the "server" command told me what domain contacts I needed to talk to in order to have them change their primary/secondary listings at the InterNIC.

Email is sub-optimal, due to complexity of access and speed. Can you say you've never had problems with their _current_ store-and-forward order systems? (eg: domain registration) Besides, the exception rules become a LOT more difficult to deal with - if I have to look something up that is NOT under my contact name, do I really want to talk with the domain registration army they have answering the help lines at the NIC? (especially after what I'm sure will be a huge hiring binge after their stock run!) Do you think they have the SLIGHTEST clue what I'm talking about? Nope. I don't feel like wasting my time, either.

Just my $.02 - I believe in authorization trails and unlimited access to data. If the unlimited access becomes a problem... deny authorization. Give me all the tools, and if they're abused, then take the access away.

Has there been any "official" comment from the InterNIC as to why this "whois" feature suddenly doesn't work as of some time last night? Or is this merely "broken" instead of deactivated?

JT

At 03:30 PM 12/18/98 -0500, Jeffrey Haas wrote:
On Fri, Dec 18, 1998 at 01:31:16PM -0600, Phil Howard wrote:
But a means still needs to exist for the authorized contact for a host to be able to get the full server list that Internic has for that host. Sending the list by e-mail to the contact of record would seem to me to be the best way to do it.
I would wholeheartedly support locking out the server directive if I was given one of these two methods:
authenticate yourself by telneting into internic.net at the whois prompt. From there, I could then issue a query for all domains that list my server's NIC handles.
So, in my case, I'm MNO5. I could then query for anything that MNO5 is either:
o a contact
o a dns server attached to my contact
I could even live with the request being done live and then e-mailed to me.
I would _really_ love a way to lame delegate my stuff via password login as well in a batch fashion.
I'm wondering if part of the problem is they're changing DB systems, and don't have the appropriate macros installed yet.
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
Jeffrey Haas wrote:
authenticate yourself by telneting into internic.net at the whois prompt. From there, I could then issue a query for all domains that list my server's NIC handles.
So, in my case, I'm MNO5. I could then query for anything that MNO5 is either:
o a contact
o a dns server attached to my contact
The greatest difficulty I see in this is establishing authenticity for everyone. Those with existing authenticity (CRYPT-PW or PGP) could be done. The rest would be a problem, and could invite people trying to assign their own passwords to other people's contact records, and that would end up being a big mess.
I could even live with the request being done live and then e-mailed to me.
If it is mailed to the contact e-mail address only, that might well be safe enough for Internic to be willing to send the full list.
I would _really_ love a way to lame delegate my stuff via password login as well in a batch fashion.
I believe they can do lame delegations, but that it's not practical to be doing that over and over on millions of domains. However, it might be practical for an authenticated request to do so specifically for a particular server. The code to do that would just run through all the domains with that server as a DNS, and apply the lame test via that server. Those that get a specifically negative response (I never heard of that domain and I don't have an SOA record for it) would be collected. It would then be entered into the system and assigned a tracking number, and perhaps send you a notify template to give final authority to yank that specific server from those domains.
I'm wondering if part of the problem is they're changing DB systems, and don't have the appropriate macros installed yet.
That's believable. I'd give them some time and see if it comes back online. Just how much? I don't know. Look for a response from them.

--
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
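The per-server lame test sketched in Phil Howard's message above, as an added example (not code from the thread or from the InterNIC): it sends a non-recursive SOA query for each zone and collects only the zones that draw a definite negative reply. The zone names, query ID and reply bytes are constructed, and treating SERVFAIL or a timeout as "indeterminate" rather than lame is this example's assumption.

```python
import socket
import struct

def build_soa_query(zone, qid):
    """SOA query with RD=0, so the server answers only from zones it holds."""
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 6, 1)

def classify(reply, qid):
    """Classify one reply: 'authoritative', 'lame' or 'indeterminate'."""
    if reply is None or len(reply) < 12:
        return "indeterminate"            # timeout or runt packet: no verdict
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit clear
        return "indeterminate"
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    if rcode == 0 and aa and ancount:
        return "authoritative"
    if rcode in (1, 2, 4):                # FORMERR, SERVFAIL, NOTIMP: may be transient
        return "indeterminate"
    return "lame"                         # REFUSED, NXDOMAIN, or referral without AA

def ask(server_ip, zone, qid, timeout=3.0):
    """Send the query over UDP; return the raw reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(zone, qid), (server_ip, 53))
            return s.recvfrom(512)[0]
        except OSError:
            return None

def lame_zones(replies, qid):
    """Collect the zones whose reply was a specific negative answer."""
    return sorted(z for z, r in replies.items() if classify(r, qid) == "lame")

# Constructed replies (header only; the classifier reads nothing else).
QID = 0x4A54
def _hdr(flags, ancount=0):
    return struct.pack("!HHHHHH", QID, flags, 1, ancount, 0, 0)

SAMPLE = {
    "served.example":   _hdr(0x8400, 1),  # QR+AA, NOERROR, one answer
    "referral.example": _hdr(0x8000),     # QR, NOERROR, no AA: referral
    "refused.example":  _hdr(0x8005),     # QR, REFUSED
    "servfail.example": _hdr(0x8002),     # QR, SERVFAIL
    "silent.example":   None,             # no reply before the timeout
}
```

Against a live server, `ask()` supplies the reply for each zone in place of the constructed `SAMPLE` values.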
The greatest difficulty I see in this is establishing authenticity for everyone. Those with existing authenticity (CRYPT-PW or PGP) could be done. The rest would be a problem, and could invite people trying to assign their own passwords to other people's contact records, and that would end up being a big mess.
Perhaps this is dumb, but how about authentication by ensuring the TCP connection from the whois comes from the server in question. IE you can whois FOO-HST to see which domains are served by FOO-HST only from FOO-HST. Mildly inconvenient, but stops random people pulling off everyone's lists. I can't currently think of an OS that supports DNS servers but not whois.
-- Alex Bligh GX Networks (formerly Xara Networks)
On Sat, Dec 19, 1998 at 01:22:07AM +0000, Alex Bligh wrote:
Perhaps this is dumb, but how about authentication by ensuring the TCP connection from the whois comes from the server in question. IE you can whois FOO-HST to see which domains are served by FOO-HST only from FOO-HST. Mildly inconvenient, but stops random people pulling off everyone's lists. I can't currently think of an OS that supports DNS servers but not whois.
The problem with this, is if there is some sort of network problem or you are trying to determine what domains are still looking at an old nameserver you took down.

I don't see why authentication is such a necessity-- why is it a secret what domains a given nameserver serves? It would be easy enough to pull the information down by exhaustive search.

Mike
-- Michael P. Lyle Security Architect Exodus Communications, Inc.
On Fri, Dec 18, 1998 at 06:19:18PM -0800, Michael P. Lyle wrote:
I don't see why authentication is such a necessity-- why is it a secret what domains a given nameserver serves? It would be easy enough to pull the information down by exhaustive search.
The whole issue isn't so much authentication but logging. This way, the abusers can be isolated from the database. How many spams from the Internic domain scrapers have YOU gotten the last couple of weeks?
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
As of at least today, if not earlier, the problem with "whois server <handle>" is working again.
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
On Fri, 18 Dec 1998, Phil Howard wrote:
But a means still needs to exist for the authorized contact for a host to be able to get the full server list that Internic has for that host. Sending the list by e-mail to the contact of record would seem to me to be the best way to do it.
http://www.internic.net/reports/ (I'm not saying this works, just that it exists)
On Fri, Dec 18, 1998 at 12:44:53PM -0800, Marc Slemko wrote:
But a means still needs to exist for the authorized contact for a host to be able to get the full server list that Internic has for that host. Sending the list by e-mail to the contact of record would seem to me to be the best way to do it.
http://www.internic.net/reports/
(I'm not saying this works, just that it exists)
It does work, but ONLY for things that are the primary domain, not the secondaries. Hence, it doesn't fulfill the need.

Additionally, they send it to you on a periodic basis. Some of these issues need to be resolved quicker than that.

(N.B. - The report format is damn ugly, but it's saved a couple of our client ISPs from getting their domain name shut off.)
-- Jeffrey Haas "Denial of Spamming is not a crime." elezar@pfrc.org -- Russell Nelson <nelson@crynwr.com>
participants (7): Alex Bligh, Derek Balling, Jeffrey Haas, John Todd, Marc Slemko, Michael P. Lyle, Phil Howard