Is there some kind of real-time WHOIS for .COM (and friends) which allows you to determine at least the corresponding registrar? This is helpful if you have to pull a delegation in order to mitigate a particular threat. Going by the name servers listed in DNS isn't particularly helpful if it points to end-user dial-up space. 8-(
* Joe Abley:
On 10 Aug 2005, at 06:36, Florian Weimer wrote:
Is there some kind of real-time WHOIS for .COM (and friends) which allows you to determine at least the corresponding registrar?
whois.crsnic.net?
Since a couple of others have also suggested similar approaches, here's the actual problem (implied by the "real-time" part of the subject line 8-):
Last update of whois database: Wed, 10 Aug 2005 02:12:49 EDT <<<
In other words, this database lags considerably behind DNS. Someone has suggested to query all known registrars for the domain and hope that one of them has already updated its WHOIS server. This reduces the delay a little bit for some registrars, but is of course no general solution.
Joe Abley wrote:
On 10 Aug 2005, at 06:36, Florian Weimer wrote:
Is there some kind of real-time WHOIS for .COM (and friends) which allows you to determine at least the corresponding registrar?
whois.crsnic.net?
The issue is that VGRS does not even allow a registrar to find out this information real-time. Other registries publish this information in the whois and also make it available to registrars through EPP real-time. RRP and the VeriSign EPP implementation DO NOT allow a registrar to inspect other registrars' objects (though other registries do). Don't expect the powers that be to assist anyone in security issues. The average length of a phishing e-mail spam lasts some 45 minutes; com/net whois is updated every 24 hours. -rick
* Rick Wesson:
The issue is that VGRS does not even allow a registrar to find out this information real-time. Other registries publish this information in the whois and also make it available to registrars through EPP real-time.
It seems that one of the largest Verisign competitors plans to hide the registrar information completely and permanently. (They operate according to the thick registry model, if I got the terminology right, so this is quite possible.) If you don't like this move, speak up. Unfortunately, only those who know which ccTLD I'm talking about have a vote. 8-(
The average length of a phishing e-mail spam lasts some 45 minutes,
ITYM "median". Average is definitely higher.
On Thu, 11 Aug 2005, Florian Weimer wrote:
It seems that one of the largest Verisign competitors plans to hide the registrar information completely and permanently. (They operate according to the thick registry model, if I got the terminology right, so this is quite possible.) If you don't like this move, speak up.
I don't like this...
Unfortunately, only those who know which ccTLD I'm talking about have a vote. 8-(
but ccTLDs operate under different rules than gTLDs and I'm not sure that my not liking this can cause any changes. A ccTLD operator is pretty much free to do as they like (as long as the government agency for that country does not get angry at them).
The average length of a phishing e-mail spam lasts some 45 minutes,
ITYM "median". Average is definitely higher.
Closer to 8 hours I think, but I don't have enough data to be certain.
-- William Leibzon Elan Networks william@elan.net
On Wed, 10 Aug 2005, Florian Weimer wrote:
Is there some kind of real-time WHOIS for .COM (and friends) which allows you to determine at least the corresponding registrar? This is helpful if you have to pull a delegation in order to mitigate a particular threat.
You can ask Verisign (NOT networksolutions) directly, but as far as I know they do updates of whois once/day and it is not real time and no other options are available. Note that registrar information should be current in internic whois because registrar data can not be changed in real-time and transfers are done once or twice a day (as far as I know, this may have changed now too). Best you can get is to do a query using whois.completewhois.com since by default our server will do both a whois query to internic and a dns query to find the current delegated dns servers. If they are different you will see this info after the nameserver saying "[from dns" whereas the whois nameserver will be indicated with "[from whois". This can be helpful with some domains that change nameservers often (domains used in phish emails in particular seem to be used this way).
-- William Leibzon Elan Networks william@elan.net
I think the implied question may have been how to find the registrar for newly registered domains (<24 hours). In that case you're out of luck - there seems to be no way to do that - and yes, I've asked this particular question of somebody @verisign before and he said they will consider how this info can be made available (but nothing has been done so far and there was no promise to do it - so keep asking them; maybe if they hear enough requests they will move on it). On a somewhat similar problem, I've also asked them to provide public access to deltas of nameserver changes (i.e. what changes to nameservers had been done for a domain within say the last 24 hours) and nothing so far either (this is also very helpful when investigating phishes).
On Wed, 10 Aug 2005, william(at)elan.net wrote:
On Wed, 10 Aug 2005, Florian Weimer wrote:
Is there some kind of real-time WHOIS for .COM (and friends) which allows you to determine at least the corresponding registrar? This is helpful if you have to pull a delegation in order to mitigate a particular threat.
You can ask Verisign (NOT networksolutions) directly, but as far as I know they do updates of whois once/day and it is not real time and no other options are available. Note that registrar information should be current in internic whois because registrar data can not be changed in real-time and transfers are done once or twice a day (as far as I know, this may have changed now too).
Best you can get is to do a query using whois.completewhois.com since by default our server will do both a whois query to internic and a dns query to find the current delegated dns servers. If they are different you will see this info after the nameserver saying "[from dns" whereas the whois nameserver will be indicated with "[from whois". This can be helpful with some domains that change nameservers often (domains used in phish emails in particular seem to be used this way).
-- William Leibzon Elan Networks william@elan.net
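The cross-check William describes above (name servers the registry WHOIS lists versus the ones DNS currently delegates to, each tagged "[from whois]" or "[from dns]") as an added example; it is not part of the thread or of completewhois itself. The WHOIS answer and NS lookup result are constructed sample data for a hypothetical domain, and the function names are my own.

```python
"""Compare the name servers a registry WHOIS answer lists with those a live
NS lookup returns; the samples are constructed, nothing touches the network."""
import re
from datetime import datetime

# Constructed sample: a crsnic-style WHOIS answer for a hypothetical domain.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-PHISH.COM
   Registrar: EXAMPLE REGISTRAR, INC.
   Whois Server: whois.example-registrar.test
   Name Server: NS1.OLD-HOSTER.TEST
   Name Server: NS2.OLD-HOSTER.TEST
>>> Last update of whois database: Wed, 10 Aug 2005 02:12:49 EDT <<<
"""
# Constructed sample: NS RRset seen in DNS after the delegation was moved.
SAMPLE_DNS_NS = ["ns1.old-hoster.test.", "ns3.dialup-box.test."]


def parse_whois_registrar(text):
    m = re.search(r"^\s*Registrar:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def parse_whois_nameservers(text):
    """Name servers from 'Name Server:' lines, lower-cased, trailing dot dropped."""
    return {m.group(1).lower().rstrip(".")
            for m in re.finditer(r"^\s*Name Server:\s*(\S+)", text, re.M)}


def whois_snapshot_time(text):
    """When the registry last refreshed its WHOIS data (zone abbreviation ignored)."""
    m = re.search(r"Last update of whois database:\s*(.+?)\s+[A-Z]{3,4}\s*<<<", text)
    return datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S") if m else None


def compare_delegation(whois_text, dns_ns):
    """Tag each server by where it was seen. A server only in DNS means the
    delegation changed after the WHOIS snapshot (lag, or a fast-moving domain);
    one only in WHOIS has since been dropped. Returns (report, changed)."""
    from_whois = parse_whois_nameservers(whois_text)
    from_dns = {ns.lower().rstrip(".") for ns in dns_ns}
    report = []
    for ns in sorted(from_whois | from_dns):
        tags = []
        if ns in from_whois:
            tags.append("[from whois]")
        if ns in from_dns:
            tags.append("[from dns]")
        report.append((ns, " ".join(tags)))
    return report, from_whois != from_dns
```

In practice the WHOIS text would come from whois.crsnic.net and the NS list from a resolver; a "changed" result with a stale snapshot time tells you the registry data cannot yet be trusted for the registrar lookup.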
On Wed, Aug 10, 2005 at 09:11:10AM -0700, william(at)elan.net wrote: ...
Best you can get is to do a query using whois.completewhois.com since by default our server will do both a whois query to internic and a dns query to find the current delegated dns servers. ...
Fedora core test page? Ah - you may have meant to say <URL: http://www.completewhois.com/>.
-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
Joseph S D Yao <jsdy@center.osis.gov> wrote:
william(at)elan.net wrote: [...]
Best you can get is to do a query using whois.completewhois.com since by default our server will do both a whois query to internic and a dns query to find the current delegated dns servers. ...
Fedora core test page? Ah - you may have meant to say <URL: http://www.completewhois.com/>.
No. I'm almost certain that he really did mean whois.completewhois.com and that whistling sound overhead is you missing the point. Write out 100 times: "the Internet and the web are not the same thing".
-- Her virtue was that she said what she thought, her vice that what she thought didn't amount to much. - Sir Peter Ustinov
On Wed, Aug 10, 2005 at 06:33:16PM +0000, abuse@dopiaza.cabal.org.uk wrote:
Joseph S D Yao <jsdy@center.osis.gov> wrote:
william(at)elan.net wrote: [...]
Best you can get is to do a query using whois.completewhois.com since by default our server will do both a whois query to internic and a dns query to find the current delegated dns servers. ...
Fedora core test page? Ah - you may have meant to say <URL: http://www.completewhois.com/>.
No. I'm almost certain that he really did mean whois.completewhois.com and that whistling sound overhead is you missing the point.
Write out 100 times: "the Internet and the web are not the same thing".
Good heavens, I'm becoming one of Them! You're quite right, I've said exactly that myself, too many times. My only defense is that 'whois' does not work from where I'm sitting, and the Web interface was needed. [But a simple 'ssh' would have fixed that.]
-- Joe Yao
-----------------------------------------------------------------------
This message is not an official statement of OSIS Center policies.
On Wed, 10 Aug 2005, Florian Weimer wrote:
Is there some kind of real-time WHOIS for .COM (and friends) which allows you to determine at least the corresponding registrar? This is helpful if you have to pull a delegation in order to mitigate a particular threat.
Near-real-time Whois for com/net is not available today but is coming: it will be in place by April 1, 2006, per the new .net registry agreement (http://www.icann.org/tlds/agreements/net/net-registry-agreement-01jul05.pdf, FWIW). Our registry customer service group reads mail sent to <info@verisign-grs.com> 24 hours per day, so if it's a real emergency you can always contact them or activate the bat signal with a posting on NANOG, which is also read here throughout the day.
Matt
-- Matt Larson <mlarson@verisign.com> VeriSign Naming and Directory Services