Command Line WHOIS Safer? Not Quite
This is a follow-up to yesterday’s post, where I looked at Network Solutions’ domain tasting practice. Internet forums have long warned that you should not make WHOIS queries on a registrar’s web interface if you do not intend to buy straight away. Your queries might be logged by the dodgy registrar whose website you are using, and those queries might be sold to domain tasters or cybersquatters, so that 2 days later, when you actually want to register those domains, they have become unavailable.
The suggestions for “checking out a domain” have been:
1. Query on a trustworthy website, such as Jay’s Domain Tools.
2. Use a standalone WHOIS client, for example the “whois” command on your Linux console.
The problem with (1) is — how can you classify the website as trustworthy? Anyone can slap on a disclaimer saying “we do not sell WHOIS queries”, but how do you know whether your queries are logged, and how the logs are processed internally? What happens if the website changes hands? For the ultra paranoid, no web-based WHOIS tool is trustworthy.
Then, the “myth” is that command line WHOIS clients must be safe because you are querying the WHOIS server directly. The man-in-the-middle, i.e. the website acting as the front-end, is eliminated, so supposedly there is no way your queries can be logged and resold. Well, the truth is that anything that can be queried can log those queries, and we still end up back at ground zero — do you trust the source?
Who then, is the source that the command line WHOIS client is querying against?
On my Debian, Ubuntu and Gentoo boxes, when you apt-get install whois or emerge whois, you get the WHOIS software from here, “an improved whois client” that is part of many Linux distributions. From the source code, it appears the default WHOIS source for .com and .net is — Network Solutions! According to debian/changelog, it was changed from querying InterNIC to querying Network Solutions back in December 1999, i.e. 2x an eternity in Internet age.
That also implies that for every .com/.net WHOIS query you make using Debian’s whois client, it is Network Solutions who receives the query and responds to it. It might be logged together with the time and your IP address — we simply don’t know. I am not saying that NetSol is going to sell the queries on their WHOIS server to evil domainers. But judging from NetSol’s track record (registering prior to clients confirming purchase, wildcard deployment on .com (Verisign is the parent company of NetSol), etc.) — they will go low if there is financial gain in it. What they are going to do with the query log is anyone’s guess.
On the other hand, GNU jwhois, which is the default WHOIS client on CentOS, still queries InterNIC for .com/.net domains, even in its latest 4.0 version. Now, who do you trust more? InterNIC, which is operated by ICANN, a “non-profit organisation”, or Network Solutions, which is a child company of VeriSign, a public company? Then again, on InterNIC’s whois page:
Results for .com and .net are provided courtesy of Verisign Global Registry Services.
I guess there is not much you can do about it. Still the old suggestion — only query when you are ready to buy!
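What the operator of whichever server your client defaults to can record from a single lookup, as an added example (not code from the original post or from either whois project): a loopback stand-in server logs the query sent by a minimal RFC 3912 client. The function names, log fields, sample domain and reply text are constructed for illustration.

```python
import socket
import threading
from datetime import datetime, timezone

def serve_once(listener, log):
    """Accept one WHOIS connection and record what any server operator can see."""
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        data = b""
        while not data.endswith(b"\r\n"):      # RFC 3912: the query is one CRLF-terminated line
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
        log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "client_ip": peer_ip,
            "query": data.decode("ascii", "replace").strip(),
        })
        conn.sendall(b"No match for domain (constructed reply)\r\n")

def whois_query(domain, host, port=43, timeout=5):
    """Minimal RFC 3912 client: one plaintext line out, then read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.decode("ascii", "replace")

def demo(domain="my-unregistered-idea.example"):   # constructed sample domain
    """Query a loopback stand-in server; return (reply, server_side_log)."""
    log = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))            # ephemeral port, loopback only
    listener.listen(1)
    t = threading.Thread(target=serve_once, args=(listener, log), daemon=True)
    t.start()
    reply = whois_query(domain, "127.0.0.1", listener.getsockname()[1])
    t.join(timeout=5)
    listener.close()
    return reply, log

if __name__ == "__main__":
    print(demo()[1][0])                        # the server-side log entry
```

With the stock clients, `whois -h <server> <domain>` chooses the server explicitly instead of relying on the built-in default.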
Comments
I believe this actually happened to me once.
I queried a reasonably unique domain name that I thought had good keywords, using a well known online registrar, and within a week of me doing this it had been registered to someone else.
Could be coincidence… but who really knows?
I’m using Hardy Heron with “Network Tools” – Whois.
I’ll assume the search uses NetSol too. I haven’t been able to find out if this has been brought up as an issue in the software.
Is there a way to change how it does whois?
I thought it was just me until I decided to look for domain registration tampering and other such topics on the net.
For the past few years, but especially now, I am finding it more and more difficult to register a good name. It appears that almost every combination of words I can possibly dream up is always gone.
I started wondering if there are people or software monitoring my searches and instantly taking the better names I come up with, especially ones which use common words in any combination.
On the better ones lost which I could not believe someone else had registered, I decided to see what the other registrant was doing with the domain only to find it parked with ads. What really got my attention was that after a while of doing this, I started noticing that the ads seem to be instantly generated, there is a similarity to each site.
I notice that godaddy offers a $69.00 (or so) service to ‘help’ people find and register domains which are not available. Judging from the amount of extra offers godaddy tries to suck you into when you register anything, it immediately made me wonder if my own registration hosting company is messing with me.
I now believe this is the case. I wrote to them asking if there might be anyone doing this type of thing and of course received a quick, long-winded reply telling me that there was no such thing going on.
Last night, I lost out to yet another domain so decided to search it on the Internet and ended up finding the weirdest things I’ve ever seen. Searching for the exact domain led me to countless dead links connected to almost every other domain we have ever registered with godaddy. In other words, say one of my domains was ABC.com, when I searched for thedomainIlost.com, I found countless google links to my other already registered domains. The other strange thing I found was my original search along with hundreds of others registered for that same day.
This means to me that someone, somewhere is watching what is being registered, perhaps even in real time? Is there software in place making sure that my searching for good names leads to additional costs?
Anyways, I do believe there is something going on. It is too weird that almost every common word combination is already taken.
Sorry for my rambling, I’m not the best writer :).
As you moderate, could you combine my last posts please. I want to update but there is no edit :).
I have now found something else. Another domain which I had looked for yesterday using godaddy is suddenly also gone. Worse, it is now being offered as a premium domain from godaddy for $2500.00!!!
We all need to help each other and let people know how to stop this nonsense. I believe that we have an option such as http://reports.internic.net/cgi/registrars/problem-report.cgi and if this isn’t the right place, perhaps you might find a better one and post it at the very top of your blog.
Thanks.
I must admit I haven’t done any research into this but I always had it in the back of my mind when doing a domain name search what if someone saw I was looking at that domain and snatched it up.
So I’m surprised (and not surprised at the same time unfortunately) to hear it actually does happen.
Generally if I know there is a domain I want to use in the future and it’s available I’ll just order it straight away.