Whois API Blog
http://www.yuefa2.com.cn/blog

Research Any Domain’s History With Whois History API!
http://www.yuefa2.com.cn/blog/research-any-domains-history-with-whois-history-api/
Mon, 19 Aug 2019 02:31:24 +0000, by admin

With thousands of new domain names registered every day, billions and billions have been registered over the years. And these have undergone multiple ownerships or even registration changes over time. These could be modifications to the domain’s registrar or associated name servers or even changes in contact details, to name just a few.


Aging domains have a history and we at WhoisXML API can help you delve deeper to understand a given domain’s past with WHOIS History API. Professionals conducting research for cybersecurity or investment purposes can hugely benefit from uncovering a domain’s lifecycle to find out if it has ever had a checkered past or draw connections that may not be easy to see at the surface level.



Why a Domain’s Past Matters


We all know that if we’re interested in purchasing a domain name for our company website, the easiest way to do so is by approaching a domain registrar. So we go online and look for domain registrar recommendations and find the most popular ones. And that’s hardly surprising, as any business would want to be served by the best. So we contact them and get a list of available domain names that would best fit our business requirements. We sift through the list and settle on one from, say, the top domain registrar according to our online research. Weeks after, perhaps, we launch our website and visitors start pouring in. Business is going well, that is, until we receive customer inquiries on our site’s involvement in a cyber attack.

Are we being hacked? Has our website recently been owned so we’ve been directing visitors to phishing sites? We dig deeper. And after several conversations with the complaint filers, we realize they dug something up from our domain’s past. As it turns out, our company isn’t to blame; our domain’s shady past is. We should have known better and found out everything we could about our domain’s history before actually buying it. It’s too late for that, though, so we do the next best thing: we issue a statement on our website severing any ties to malicious activities and assuring our visitors that our pages are safe to visit.


If you don’t want to be in this kind of situation, you’ll need to be more careful when acquiring domains. One way to do that is by using a WHOIS history API, search, or lookup tool that will give you all the information you need on a domain. And we’re not talking about just its current state but its past (no matter how clean or sordid it is) as well.


Looking into a domain name’s entire history is critical if you don’t want to be hounded by skeletons in its closet once your business is already up and running. Here are just some of the possible reasons why:


  • SERP violations: In general, old domains are more likely to get better SEO rankings because they have been online for quite some time. But that’s only good if they were ranked for a good reason. Typical examples of this would be great content, tons of visitors, and so on. But some aged domains may have been abandoned by their former owners because they had been flagged for violations. That said, no matter how good your SEO strategy is, your pages will never get good rankings because they’ve been marked for bad behavior. Be sure not to end up with such a domain or you’ll suffer the consequences of its previous owner’s wrongdoings.
  • Ties to cybercrime and cyber attacks: The domain could have been involved in a past crime. Cybersecurity solutions block access to identified malicious URLs from their customers’ systems. If that’s the case, potential clients who wish to visit your website would always be alerted to its insecurity (based on historical data) through warnings. They’ll never reach your site and that means lost opportunities for your company. Compromised URLs that end up as unknowing accomplices to cybercrime also get named in threat reports and news. That’s most likely how the site visitor in our sample scenario ended up complaining about our site’s safety.
  • Hijacked domains: Not all domains that end up seemingly “available for use” have been lawfully obtained. Some could have been stolen from other individuals or organizations. And the only way you can use them is because they have been compromised by the ones selling them. This is easy to do with insufficiently protected domains. Make sure you don’t end up buying a stolen domain or you just may lose more than you gained.
  • Ties to unscrupulous content and activities: Some websites may have been taken offline by the authorities because they contain malicious content (porn, etc.), sell fake goods and services, or have ties to illegal activities. Make sure the domain you’re currently eyeing didn’t play host to such sites or you’ll land in hot water.
  • Handing your personal data and money to fake registrars: Not all registrars that advertise on the Web, especially those who offer really low prices, are legitimate. If you’ve got your heart set on a domain and finally found just one registrar that offers it, conduct extensive background research on the seller first. More often than not, the most promising domain names are already taken and just because you found someone offering your dream domain doesn’t mean you’ve hit the jackpot. Be very wary about hard-to-believe offers, as they almost always end up being false. You may just be taken in by a fake domain registrar.


Domain registrars often buy domains in bulk for reselling. They may not have had time to check all of their purchases’ past (or may just not care). It doesn’t help that even the best and most reputable registrars have also had brushes with the law. Take a closer look at these noteworthy incidents:


  • Alibaba Cloud Computing: Several domain names tied to an Android supply chain attack just this June were reportedly registered by this provider. The attack perpetrators used these domains to preinfect Android-based smartphones with malware before they even came off the rack and made their way into mobile phone shops.
  • Google Cloud Platform: Thousands of vulnerable D-Link routers were affected by a spate of traffic redirection attacks. Hackers abused the provider’s network to reroute the traffic that passed through affected routers to malicious sites, putting the victims’ systems and the data they contain at great risk just this April.
  • Namecheap: Sometimes, the more popular a registrar is, the more likely cyber attackers will go after it. That’s because halting its operations means affecting a greater number of websites. This is a lesson that providers such as Namecheap and other big names like it learn the hard way.


But since you’re the one whose brand and therefore reputation is at stake, you want to make sure you won’t regret using the domain name you chose.


Dig deep into the past of your business’s gateway—your domain—so its ghosts won’t end up haunting you with WHOIS History API.


What WHOIS History API Reveals


Every company website has its own WHOIS record. It’s required by law. And any site owner who provides false information on this record is penalized (his ownership is rendered null and void). That said, all registered sites’ WHOIS records are stored in a database that anyone can access through API, search, or lookup tools. There are tons available on the Web today though not all of them let you do historic WHOIS lookups — the kind you need to do to find out everything about a domain name’s past.


Apart from providing typical information found in a WHOIS record — registrant and billing, administrative, and technical contact name and details; registrar; nameservers; registration and expiration dates; and so on — you need a WHOIS history search tool that will give you data on how many changes (registrant, contact details, nameservers, etc.) a domain has undergone throughout its existence and when these occurred. That way, you can find out if it has been involved in any kind of activity that can be harmful to your business. If our sample scenario has taught us anything, that means don’t purchase that domain name.


When looking into a WHOIS record, don’t stop at finding out all you can about its content. Look for signs of malicious ties as well to its registrar, registrant, contacts, nameservers, and everything else on its historical records.


But what makes a great WHOIS history API, search, or lookup tool? Find out in the next section.


What You Should Look For In A WHOIS History Database


A WHOIS history API is only as good as its source — the WHOIS history database it’s hooked to. A good database is one that contains billions of WHOIS records that span the entire TLD space. It not only has records on domains that use popular gTLDs such as .com, .net, and .org, but also the more uncommonly seen ccTLDs like .tk, .ru, and .cn, along with those that sport newly created gTLDs such as .xyz, .biz, and .shop. Look for the complete list of TLDs that it supports so you can check if it’s as comprehensive as it says on its website. Choose a provider that has been in the business for a good long while. That’s one way to find out how reliable its product is. It also gives you an idea of how far back its domain historical data goes. Is it recommended by reputable companies? That will help you make sure that it’s not just tooting its own horn. Find out what its clients actually say about the tool.


WHOIS History API gives you access to:


  • More than 5.2 billion WHOIS records
  • More than 582 million domains
  • More than 2,864 TLDs
  • More than 10 years’ worth of WHOIS data


Because the tool contains a consistent set of WHOIS information, it can be easily filtered based on date (registration, expiration, and modification) for easy analysis.


WhoisXML API has been in the business for almost a decade with product recommendations from more than 50,000 of today’s biggest online brands such as Apple, Amazon, GoDaddy, and more. Backed by a solid foundation, WHOIS History API can give you timely, accurate, and relevant information on any domain throughout its life cycle to meet several business needs—cybersecurity, brand protection, fraud investigation, and many more.


To get a glimpse of the many benefits that a WHOIS History API provides, see the list we compiled in the next section.


What You Can Do With Historical WHOIS Data


Historical WHOIS data can be useful for many kinds of business applications in various industries. Here’s a list of who can benefit from using WHOIS History API and how:


| Potential User | Practical Uses |
|---|---|
| Cybersecurity professional | Gather currently hidden information on a privately registered website by looking at its history |
| Domain registrar | Sift through registrant changes to make sure the domain you’re looking to buy doesn’t have anything to hide |
| Fraud investigator | Find out how long a case has been occurring by going back in time to look at a domain’s entire life cycle |
| Marketing professional | Get to know your customers better to keep them coming back for more |


With WHOIS History API, you get a whole lot more information than you would normally find in a regular WHOIS record. To ensure your business’s future success, it’s not enough to focus on what’s right before your eyes, it’s also critical to carefully assess the past so you can avoid bad surprises when you least expect them.


WHOIS History API results can be downloaded in two easy-to-read-and-decipher formats: JSON (readable on any text editor such as Notepad on Windows and TextEdit on Mac OS) and XML (readable on any spreadsheet application like Microsoft Excel on Windows and Numbers on Mac OS). You don’t need to purchase additional software to use it. To see sample WHOIS History Reports and nifty tips and tricks on using it, visit this page.


WHOIS History API is just one of the many tools in WhoisXML API’s Enterprise API Package. To get the most out of domain monitoring, use it with these other tools:


  • Enterprise Data Feed Package: This works best for users who prefer sifting through and analyzing data offline. It comes with:
    • WHOIS Database Download: This provides partial or complete historic domain information that can be customized according to your business needs.
    • IP Geolocation Data Feed: This is an exhaustive and precise IP geolocation database that is updated on a weekly basis.
    • IP Netblocks WHOIS Database: This lets you find out which IP range a particular address belongs to, along with its owner’s contact and other information.
    • Domain IP Database: This gives you access to the biggest passive DNS database that works particularly well when you’re conducting cybersecurity research.


  • Enterprise Tools Package: This, meanwhile, works best for those who prefer working with data online. It comes with:
    • Domain Research Suite: This enhances your domain research toolkit with enterprise-grade Web-based solutions that help you search for and monitor domain-related data. It comprises:
      • Reverse WHOIS Search: This lets you find all domains containing specified search terms in their WHOIS records.
      • WHOIS History Search: This is WHOIS History API’s Web-based counterpart for those who want to find all there is to know about a domain’s past on a Web interface.
      • WHOIS Search: This allows you to get all the key data points related to a domain name you’re interested in.
      • Domain Availability Check: This lets you find out if the domain name you want to purchase is available for registration.


    • Whoisology: This is an advanced reverse WHOIS tool that lets you find deep connections between domain names and their owners. It was primarily designed for cybercrime investigations, intelligence gathering for infosec and corporate use, conducting legal research, and business development.
    • Threat Intelligence Platform or TIP: This is a set of enterprise-grade threat intelligence tools for optimal threat detection and analysis. It makes use of the following APIs:
      • Domain’s Infrastructure Analysis API: This lets you research servers’ infrastructure beyond their domain names.
      • SSL Certificates Chain API: This obtains a domain’s SSL certificate, along with its certificates chain in a well-parsed JSON format.
      • SSL Configuration Analysis API: This allows you to check a host’s SSL connection and analyze it for common configuration issues.
      • Domain Malware Check API: This lets you check if a domain name has ties to malware.
      • Connected Domains API: This lets you discover domain names that resolve to the same IP address.
      • Domain Reputation Scoring API: This allows you to evaluate a domain’s reputation based on several security data sources using an instant external configuration auditing procedure.


Whether used as a standalone tool or in combination with other domain monitoring and research tools, WHOIS History API is sure to give you all the information you would need to make sure your domain is as threat-free as it can possibly be, thus ensuring not just your company’s safety, but also that of your employees, clients, partners, and other stakeholders.


WHOIS History API will not only give you useful insights into the entire history of the domain you’re interested in purchasing, it can also help you beef up your company’s security posture by blocking sites with known ties to malicious actors and activities; get to know your customers, partners, third-party suppliers, and other stakeholders better so you can enhance the way they do business with you; spot domains with potential tie-ups to outstanding fraud cases; and so much more. How? The next section will tell you.


How WHOIS History API Works


Immediately after registering for the service, you can start reaping the benefits of WHOIS History API. Here’s how:


  1. Log in and type the name of the domain you wish to see the history of into the search field.
  2. You will see how many historical records the domain has had over the years beside “Historical records discovered” and how much the reports would cost if downloaded in either XML or JSON format next to “Report price.”
  3. Below these, you can see a preview of the reports you can download. You can filter information by update date, registrar name, WHOIS server, and other WHOIS data.


Now that you’re all set, you can dig as deep as you want into any domain’s past. The next question you need to answer is “What specific threats should you be looking for to make sure your domain’s past won’t haunt you?” The next section gives you an idea.


Specific Threats in Your Domain’s Past That Can Harm Your Business


Although the World Wide Web allows users to transcend boundaries set by time and space, it is also chock-full of threats that any business wouldn’t want to be caught having ties with. With WHOIS History API, you can look out for these to make sure your domain’s past won’t cause you grief:


  • Phishing: Cyber thieves sometimes hijack insufficiently protected websites to redirect users to their own specially crafted data-stealing pages laced with keyloggers to siphon log-in credentials.
  • Spamming: Threat actors normally spoof popular companies to send out spam that comes with either malicious attachments that, when opened, infect users’ computers with malware (typically data stealers) or links that point to websites that drop malware onto users’ systems.
  • DDoS attack: One way by which cyber attackers hide their traces is by using compromised sites to do their malicious bidding. In DDoS attacks, for instance, they transform vulnerable sites into bots that disrupt the operation of their targets.
  • Cryptocurrency-mining malware: Cybercriminals typically plant these into company websites so they don’t use up their own resources to generate cryptocurrencies that they can use to fund their operations or sell for profit.
  • Business email compromise or BEC: Also known as email account compromise or EAC, this is a scheme in which fraudsters typically pretend to be C-level executives of organizations to trick employees who have access to financial resources into transferring huge sums of money into the attack perpetrators’ accounts.
  • Malvertising: Cybercriminals typically plant malicious advertisements in unsecured sites so they won’t need to create their own websites or pages just to get to victims. They just need to bait compromised sites’ visitors into clicking their ads.


This list is by no means exhaustive. Any ties to an online attack, even if it happened years ago can land your business in hot water. Remember that security companies and authorities can block access to your domain, IP address, or website when these are used in any kind of cyber attack. So even if you’re an innocent victim or unknowing accomplice, your company may suffer dire consequences. This is exactly why you need to ensure your domain’s safety at all times and why it’s important to know everything about it before you even start using it. Your domain’s past can make or break your business’s current and even future state.


Concluding Thoughts


Your domain is your business’s online home. It’s the place where employees feel safest. And so you should make sure it will not get hacked, thus not putting your staff at risk. It’s also where you welcome guests so make sure it won’t serve as host to malware or redirect them to malicious sites. That’s why you must always make sure it stays protected against all kinds of online theft. And to some, it’s also where they work and so it must remain secure from anyone who wishes it any harm.


Don’t let your name suffer just because you happened to choose a domain name with a shady past. Remember that a name is only as good as its history. What good would a great domain name do if it comes with a lot of unwanted baggage? Use WHOIS History API so you won’t need to clean up your act even before you make a mistake. Living with your past mistakes is hard enough, so why live with someone else’s?


More Information on WHOIS History API


For those interested in putting WHOIS History API to work, note that it is part of our Domain Research Suite. As such, API requests are charged in so-called “DRS credits.” This is a convenient way to use all of the products in the suite with a single subscription that works for both the APIs and Web-based search tools. Costs vary according to the operation you require. One WHOIS History API request costs 50 DRS credits.


Signing up is free of charge and gives you instant access to the API. We also offer one-time purchases to those who don’t have a recurring need for domain information. Monthly and annual subscriptions packages, meanwhile, should serve those who regularly use domain data better. For more detailed pricing information, see the pricing table on this page.


If you’re looking for more customized plans, feel free to contact WhoisXML API at sales@whoisxmlapi.com. What are you waiting for? Find out all you can about any domain’s past with WHOIS History API.

Who Has Been Acquiring the Web? Newly Registered Domains Can Tell You
http://www.yuefa2.com.cn/blog/who-has-been-acquiring-the-web-newly-registered-domains-can-tell-you/
Tue, 13 Aug 2019 05:22:54 +0000, by admin

Connectivity is a double-edged sword. Though it makes reaching almost anyone and anything with an email address or a website a breeze, it also puts all things online at the mercy of cybercriminals and unfair competitors who are always on the lookout for benefiting from established brands using malicious copycat or similarly misleading sites registered under new domains.


There is no doubt that one of a company’s greatest assets — its customer or client portal — is its website. It can be likened to a shop’s front door. And let’s face it, we all want to keep thieves and infringers out of our places of business.


To make this happen, you need a strategy in place, and one which involves keeping track of all new and disguised players on the web — a process that can be aided by an effective domain-monitoring tool such as Newly Registered Domains. If you are still wondering why you should care about recent domain registrations, read on to find out.


Why Should I Worry About Newly Registered Domains?


Your domain name is your unique identifier on the Internet. All of your virtual real estates are tied to it. And that’s true for everybody else. In fact, every company that has an online presence is required by law to register their domain names, and all the information on these is stored on WHOIS records.


In turn, each WHOIS record contains up-to-date information on every domain name including its registrant’s, registrar’s, administrative, billing, and technical contact’s names, along with their company and contact details (street and email address and phone and fax numbers). Regularly updated WHOIS records also show when a domain name was registered, all its modification dates, and when it will expire, along with its name servers.


Sounds pretty thorough, right? Now that it’s put in context, that information regarding new domain registrations can tell you a lot about your business environment and its latent threats — especially as events of fraud and misconduct take place with recently registered or expired names which haven’t caught the attention of anyone just yet.


For example, you or one of your business partners or vendors might be the target of an impersonation attack that may deceive your employees or customers into downloading corrupted files, passing on confidential data (intellectual property, customer and employee information, etc.), or revealing their credentials to a key system or application for managing business operations.


What Can Newly Registered Domains Do For You?


Newly Registered Domains is a dynamic service that gives you access to the data feeds of recently registered or expired domains, along with related WHOIS information updated daily. It can:


  • Provide timely information on domains as they are registered, changed, or dropped via WHOIS data feeds
  • Give frequently updated WHOIS data feeds no matter how many times these undergo changes daily
  • Let you access WHOIS information even on domains that reside in the gTLD space


More specifically, take a look at just some of the ways by which Newly Registered Domains can help you:


  • Beef up your company’s IT security posture: Cybersecurity professionals who are handling malware, phishing, and other cyber attack investigations can rely on daily domain alerts to speed up threat detection and response.
  • Be the first to acquire domain names you’ve set your heart on: A name can be everything in a competitive business environment. With Newly Registered Domains, you can be the first to know when an active domain name becomes available again as its current registration expires.
  • Look out for potential intellectual property violations: Brand protection companies can rely on real-time alerts to spot attempts to spoof a client’s brand or abuse its trademarked assets, as well as finding the necessary contact details in WHOIS records to engage legal procedures.
  • Stop fraudsters from harming your customers: Payment processors, banks, and other financial service providers can prevent fraud aided by WHOIS data feed alerts before or as they happen.
  • Use the latest data to keep competitors at bay: Marketing practitioners can use up-to-date statistics to keep track of and beat the competition as they introduce new similar products or enter new markets.
  • Monitor the health and safety of your entire domain portfolio: Domain owners who have offices in multiple locations that maintain their own websites and pages can keep tabs on all of their virtual holdings to address issues as they crop up.


Whatever business you run online, your company is sure to make the most of the many benefits that Newly Registered Domains provides. In a world where a cyber attack occurs every 39 seconds and online competition has gone global, every company with an online presence needs to stay secure from all sorts of digital threats.


We can help you make it a number 1 priority to keep your digital properties and intellectual property safe and healthy. To find out more, contact us today at support@whoisxmlapi.com.

How Bulk Whois API Can Boost Your Business
http://www.yuefa2.com.cn/blog/how-bulk-whois-api-can-boost-your-business/
Tue, 30 Jul 2019 08:00:08 +0000, by admin

It can be said without a doubt that businesses of the 21st century are all geared towards the internet. With rapid advancements in digital technology and the exponential growth of the online ecosystem, it hardly comes as a surprise that businesses have to maintain a considerable presence on the web in order to cater to the needs of the online population. Apart from this, the rapid proliferation of the internet into even the most remote corners of the world has opened up new business avenues and markets that were previously difficult to access, or even altogether unavailable for business. This has naturally incentivized businesses to move online.

However, as with everything, there is a flipside to this as well. According to the latest statistics, there are currently well over 1 billion websites on the internet, and this number is growing every second. This creates an environment where much of the business interactions are carried out on digital platforms. As a result, the requirement for trust establishment becomes a vital factor in the scheme of things. When you are dealing with an online entity it helps to know the person behind the (web) page.

Bulk Whois API is our latest endeavour to help you do exactly that, and more.



Salient Features of Bulk Whois API

Bulk Whois API helps your business by allowing you to gather Whois information for a vast number of online properties that can be used to power, and provide direction to, your business. Along with our product Bulk Whois Search, Bulk Whois API offers the following capabilities:

  • Bulk Whois search provides records for domain names and IPs of your choosing, thus allowing you to make better business decisions when it comes to navigating the web.


  • Accessing up to 500,000 domain records per query means you don’t have to search for each individual domain separately.


  • Gathers key data points such as registrant name and organization, email and contact information, domain availability and expiration date and much, much more.


  • Query results are well-parsed & normalized and returned in easy to integrate XML and JSON formats.


  • Allows direct API integration for automated data access by your business processes, thus eliminating the need for manual fetching and using of data.



How This Boosts Your Business?

By providing your business with such a large range of information, Bulk Whois API can help your business in some of the following ways:

  • Expanding Your Business Network- The use of bulk Whois data can allow you to gather information about other players in your business niche, or even across verticals so that you can easily approach them for strategic partnerships. This helps to grow your network of contacts which is one of the prime factors that decide the success of a business.


  • Protecting Against Cybercrime- Bulk Whois API helps to secure your organization against potential cyber threats and frauds. In the vast complexity of the online world, protecting against cybercriminals is one of the top concerns of all business owners. Fraudulent websites often aim to deceive business owners by posing as legitimate partners or clients. Falling prey to such scammers can often result in massive losses. Bulk Whois API gives cyber-security specialists access to useful intelligence against such unscrupulous players and helps prevent frauds before they happen. Bulk Whois data is also useful for tracking down the perpetrators in case of a cyber-attack.


  • Enforcing Brand Uniqueness- With such a massive number of websites out there, it is very important for every brand to associate itself with a domain name that is uniquely reflective of its ethos. However, closely similar domain names can seriously undermine the value of a business by misleading both existing and potential customers. Bulk Whois data helps in this regard by identifying the entity with a domain similar to yours. This enables you to contact the person or persons concerned and reach a resolution. In the event of copyright violations, Whois data can help to pinpoint the offenders and initiate required legal action.


  • Boosting Marketing Efforts- Bulk Whois data can prove to be a focal point in your marketing efforts. Whois data can provide valuable insights that can steer your digital or offline marketing efforts in the right direction.


  • Enabling Secure Financial Transactions- Bulk Whois API data helps to secure online payment systems against frauds and in the case of any impropriety, to detect and redress the situation with fluidity.




These are only a fraction of the ways in which Bulk Whois API can give a boost to your business. In a world of increasing complexity requiring constant vigilance, authentic Whois data can help your business achieve that extra edge. To access Bulk Whois API please click on the link: https://bulk-whois-api.whoisxmlapi.com/

Keep Up with the World Wide Web’s Massive Growth by Using Internet Statistics Reports
http://www.yuefa2.com.cn/blog/keep-up-with-the-world-wide-webs-massive-growth-by-using-internet-statistics-reports/
Mon, 22 Jul 2019 09:48:21 +0000, admin

The Internet has seen explosive growth in the past few years, with around 380 new websites created every second. It’s physically impossible to keep up with that, even if your job calls for it. But anyone who needs to keep tabs on the competition and look for new sales and marketing opportunities, has their heart set on specific domains, or wants to safeguard their digital assets can do so easily with Internet Statistics Reports.


What Is Behind Internet Statistics Reports?


Internet Statistics Reports is backed by an extensive database containing billions of WHOIS records that cover thousands of TLDs and track millions of domain names.


  • 582+ M domain names
  • 6+ B WHOIS records
  • 1.2+ B domains and subdomains


Our huge collection of WHOIS records allows us to gather information on not only commonly used or gTLDs, but also on locale-specific or ccTLDs, less-seen internationalized TLDs, and newly launched TLDs.


  • 7 gTLDs: 178,123,569 domains
  • 322 ccTLDs: 127,067,383 domains
  • 1,243 new TLDs: 41,684,542 domains
  • Internationalized TLDs: 在線 (online), ????? (organization), セール (sale), ?? (dot com), vermögensberater (financial advisor), and many more


For comprehensive lists of the gTLDs and ccTLDs in our database, visit the following pages: supported gTLDs and supported ccTLDs.


What Kinds of TLD Information Do You Get from Internet Statistics Reports?


Internet Statistics Reports can provide you with:


  • A list of all changes a specific domain name undergoes (registration, modifications, and expiration) on a daily basis;
  • All domains a registrar owns, allowing you to compare market shares;
  • All domains in a specific location (country, region, or city), informing you of specific user base sizes;
  • The number of active domain names worldwide or in specific locales, allowing you to gauge the size of the Internet;
  • Top N domain registrants or owners.


Note that this list is in no way exhaustive, and you can do so much more with Internet Statistics Reports.


Who Can Benefit from Internet Statistics Reports?


With Internet Statistics Reports, you can get customized TLD reports using various domain name, WHOIS, and DNS categories to cater to your specific business requirements, such as:


  • Expanding your market coverage: The Internet’s explosive growth has given birth to thousands of TLDs just so companies can get their hands on domain names that fit their brand, products, or services to a tee. Don’t get left behind; venture into unexplored TLD territories.
  • Strengthening your cybersecurity defenses: The latest stats show that a cyber attack occurs every 39 seconds. Get a list of the top domains attacked and learn from their mistakes.
  • Getting the domain name that works best for your brand: If your competitors have already got their hands on the domain you desire, look for other top-ranking TLDs that may have that name available.
  • Directing your employees along the right path: When creating strategies, data speaks volumes. Get automatically generated charts and tables based on relevant and accurate data sets to base your forward-looking sales and marketing strategies on.
  • Getting the most out of your virtual real estate: Identify which of your domains are performing best and find out what’s making them stand out. Apply your learning to all your websites and pages to get the most out of all your virtual properties.
  • Keeping tabs on the competition: Connectivity has blurred the lines when it comes to doing business. It’s easy for any company to deliver to anywhere in the world now. Make sure your list of competitors is always up-to-date so you know who and what you’re up against.
  • Staying away from entities with skeletons in their closets: Your brand defines who you are. Don’t go into business deals with registrars that have had a history with malicious dealings on the Internet (reported spam, phishing, and other malware attacks).
  • Tracing the origin of a threat: If you’ve ever had the misfortune of or are currently suffering from a cyber attack, find out where the threat is coming from so you can block it from the source.
  • Keeping an eye out for emerging phenomena: Spot emerging social, economic, or technological trends in the market to come up with insightful reports to help your sales and marketing clients.



Whatever online business you’re running, complacence is a no-no. The only way to stay ahead of the curve as opposed to being left behind by competitors, or falling into eagerly waiting cybercriminal traps, or going unnoticed in the ever-growing Internet space is to keep tabs on every digital phenomenon.


Find out who’s who on the Web so you can emulate them, get to know your market and competitors as best as you can to enhance the way you do business, and track down potential threat sources so as not to stray into their paths with Internet Statistics Reports. Your business’s success can only be guaranteed by keeping up with the growing market.


Would you like to learn more about the capacities of this product? Drop us a line at support@whoisxmlapi.com.

Screenshot API: Paving The Way For A Visual Web
http://www.yuefa2.com.cn/blog/screenshot-api-paving-the-way-for-a-visual-web/
Fri, 19 Jul 2019 16:07:38 +0000, admin

The rapid digitization of human interactions has opened up vistas of opportunity that were previously unheard of. Whether we consider business or social interactions, the extreme connectivity that is afforded by the web helps us to access information and communicate at the speed of thought. Naturally, with such a complex system of exchanges, the need to provide proper user engagement has also become paramount.

We humans are naturally visual creatures. With a highly developed visual cortex, our minds are equipped to process visual information much better than any other form of communication. For this very reason, we prefer to interact through visual modes more than any other medium. This has led to a rise in the use of visual content on the internet.

In this pro-visual scenario, website screenshots have emerged as one of the prime currencies of communication. Whether they are used in how-to tutorials, web design or even cyber security, the ubiquitous screenshot has propelled itself to occupy a prime position in the online ecosystem. Screenshots are even finding more and more usage in business processes.

Screenshot API from Whois API, Inc. is a comprehensive product that makes the process of taking and integrating screenshots into your business processes a seamless experience that promises improved utility and robust integration.


The Many Uses of Screenshots

Well formatted screenshots of a webpage can have different uses. Ranging from simple presentations to legal documentation, an effective screenshot tool can help in any of the following ways, and more.


As A Protection Against Cyber-Crime

With the widespread use of online communication, cases of cybercrime have been on the rise. The Screenshot API can provide a means of protection against such incidents by providing a quick and effective way for taking high-quality snapshots of any offensive online activity, and then using the same as proof against the perpetrators. This can help in a wide range of instances covering cyber-fraud to copyright violations, just to name a few.


Competitor Analysis

Website Screenshot API can provide an invaluable source of intelligence on your competitors by enabling you to take real-time screenshots of your competitors’ websites. The insights provided by this visual data can help decision makers steer your business in the right direction, thus giving you an advantage over other players in your niche.


UX and UI Design

User Interface (UI) and User Experience (UX) designers can use the Screenshot API to automate the process of testing websites on different devices and different screen sizes. This enables them to create responsive websites that dynamically adjust themselves on multiple devices, irrespective of the varied screen sizes and resolutions.


Digital Marketing

Proper digital marketing efforts are crucial for the success of any business. Digital marketers make use of website screenshots for sending data to their clients in a properly digestible format, thus enabling greater insights and timely, dynamic decisions. SEO professionals utilize the Screenshot API to capture linked sites with embedded links for proof of a genuine back-linking and ranking process, which they can then share with their clients.


What Makes Screenshot API Stand Out?

The following are only some of the features and benefits that make Screenshot API a must have product for any business.

  • Full Website Screenshot: Using the Screenshot API, you can get a fully scrollable webpage screenshot that perfectly captures the details of the target website.


  • Minimum Required Inputs: The Screenshot API gives you maximum results with just the bare minimum amount of inputs. Just put in your required API Key and the target URL to get direct screenshots.


  • Adjustable Capture Timing: With Screenshot API, users also have the option to capture in real time or to specify a delay time before the screenshot is taken. Acceptable delay times range from zero to ten-thousand milliseconds.


  • Customized Image Type With Embedded Links: All the screenshots of web pages can be received in different formats including pdf, jpg or png, along with embedded links that are present in the page.


  • Multiple Formatting Options: Our Screenshot API gives you the freedom to format the output image across a wide range of parameters. Customize your image according to its width, height and quality to get the exact output you require for easy integration into your business processes.


  • Multiple Display Emulation: The Screenshot API gives users the option to take screenshots corresponding to multiple screen sizes and display resolutions. Choose from among Retina Display, Landscape, Desktop, Tablet or Mobile Emulations.


  • Chrome Support: The Screenshot API uses a Google Chrome rendering engine that has CSS3, JavaScript and Webfonts support. This translates to screenshots that are exact representations of your browser output.


  • Custom User Agents: Our screenshot API allows you to specify custom user agents to enable multi-client emulation of screenshots.




The Screenshot API product is geared towards providing complete screenshot solutions for your business needs. With instant screenshot facilities, easy integration capability and a host of customizable features, Screenshot API aims to create a rich visual experience for web-based processes.


To access Screenshot API, please click on the link: https://website-screenshot-api.whoisxmlapi.com/


Brand Monitor and Brand Alert API: How to Combat Brand Misrepresentation in the Retail Fashion Industry
http://www.yuefa2.com.cn/blog/brand-monitor-and-brand-alert-api-how-to-combat-brand-misrepresentation-in-the-retail-fashion-industry/
Wed, 10 Jul 2019 19:15:36 +0000, admin

Negative brand equity and misrepresentations are among the worst nightmares of today’s biggest brands — and more often than not, it’s connected to cybersecurity and data breaches.


For example, the latest stats show that one in every 99 emails you get each day has to do with phishing attacks, the majority of which come laced with malware specially crafted to harvest victims’ financial credentials or use popular brands as social engineering bait.


A great example would be an email offering a huge discount that the victim would find hard to resist. So she clicks on the link leading to a site where she’s asked to fill in personal details, including, for instance, the credit card that she plans to use to purchase goods. She never receives the items she supposedly bought and so complains to the store via all possible means: email, phone, and social media.


What’s worse, others who fell for the same ruse joined in the frenzy, dragging the brand’s name through the muck. What can the victim company do? Could it have prevented the phishing attack? These are just some of the things this article will answer, analyzing Zara’s real-life case study.





The Attack: The Curious Case of Zara


In the recent past, phishing was largely limited to emails that people read on their computers. With smartphones and the millions of apps that users can choose from, that’s no longer so, as Zara’s case will show.


The Victim


Zara is a Spanish fast-fashion retailer, very popular worldwide. Apart from having physical stores in some of the biggest shopping malls the world over, it also sells clothing and accessories via country or regional sites online. To date, it has a total of 202 shops, both physical and virtual.


The Attack Vector


WhatsApp is a messaging app that’s currently being used by hundreds of millions of users worldwide. It can be used on not just smartphones, but also on personal computers, so just imagine the number of potential victims a cybercriminal can have.


The Bait


Sometime in February 2016, several WhatsApp users received an instant message from someone they know and trust prodding them to forward it to 10 contacts. They were then asked to click a shortened link to a site where they could get their free Zara gift cards.


The Real Deal: Behind the Scammers’ Curtains


Here’s how the victims’ credit card and other personally identifiable information or PII ended up in phishers’ hands:


  • 1. Potential victims get the following WhatsApp instant message from a contact.
  • 2. They forward the message to 10 contacts as suggested (unwittingly getting the phishers more potential victims).
  • 3. They then click the shortened link to the site to get their free gift card (typically US$500 worth).
  • 4. The site (specially crafted to look like a real Zara page) asks them to fill in a form to receive the gift card and so they do.
  • 5. They click “Submit”, which sends their details to the attackers. Their personal information could then end up for sale in the Deep Web or underground marketplaces, be used by the phishers themselves for fraud, or be held for ransom.


This isn’t the first time Zara’s or other popular retailers’ brand was used for a phishing attack. A similar ruse taking advantage of Zara was seen on Facebook even earlier, in March 2014. The message appeared on potential victims’ timelines. Those fooled into clicking on the link were led to a site that harvested their personal information, including credit card details.

Zara’s brand was used for a phishing attack

Regardless of the platform and brand used, one thing always remains: it’s a sham! None of the victims ever gets free gift cards, of course, they just end up inviting more people to get phished and handing their personal information to eagerly waiting cybercriminals via their specially crafted data-stealing sites.


The promise of getting something for free always seems to do the trick when baiting digital citizens to give up their PII. They aren’t the only ones who suffer from phishing attacks though. The retailers’ brands and thus their reputations also become casualties. So now we come to the burning question: Could Zara have prevented the phishing attack from its end using Brand Monitor or Brand Alert API? Let’s find out.


The Evidence: Could Brand Monitor or Brand Alert API Have Helped Prevent the Attack?


Brand Monitor is a domain-monitoring tool that lets users keep track of their brands’ and other trademarks’ or intellectual properties’ exact matches and variations, including those with all possible typos, in order to protect their business online.


Let’s see how it could have helped in Zara’s case.


  • 1. Sign up by clicking “Open Dashboard” on the Brand Monitor site. You automatically get your free credits.
  • 2. Look for and click “Brand Monitor” on the left panel. You’ll automatically be taken to the “Basic” function. Type your brand name into the input box then click “Add to monitoring”. In this step-by-step guide, we’ll use the brand “Zara”. Note that you’ll need to wait for 24 hours to see the results because the monitoring is completed on a daily basis.
  • 3. You can, however, already choose to use Brand Monitor’s Typos function. This will help if you’re looking to spot possible phishing sites spoofing your brand. To do that, click “Edit monitor”. A prompt with the Typos function appears.
  • 4. Simply switch the “Typos” toggle button on (the icon turns red) and you’re done. You’ll see how many misspelled versions of your brand name will be added to your tracker. In this case, 135 possible matches will be added to our Zara monitoring. Click “Save”. To see a list of the typos the tool automatically added to your tracker, click the “Typos (number) >” button. All the possible variations of “Zara” that Brand Monitor automatically generated are made available on the drop-down list.
  • 5. A day’s monitoring gives you a list of results. Changes appear on the left panel, arranged by date.
  • 6. Check if any of them are piggybacking on your brand or, worse, damaging your hard-earned reputation. Our Zara monitoring revealed that among the domain names we’re tracking, misspelled ones included, there were 6,557 new additions or modified domains while 1,827 were, for one reason or another, dropped by their owners. To see the entire list, click “Show more”.
  • 7. Go through the list and build WHOIS reports on each if you have the resources to do so. If not, pick the most suspicious-looking ones and take a closer look at them. Quick tip: Focus on the list of active domains, the ones that have recently been put up or modified (those on the left-hand side). Compare each site’s content with yours. Look for typical signs indicating that cybercriminals or people with malicious intentions are training their sights on your business, which include:


    • Misspelled domain name, a variant of yours with typos;
    • A non-affiliated site, web page, email, newsletter, instant message, or social media post sporting your logo or its lookalike;
    • A non-affiliated site, web page, email, newsletter, instant message, or social media post tied to an email address, any URL (shortened links included), online account, or person that your company doesn’t own or employ;
    • A domain name that uses an uncommon gTLD such as “.xyz” that no company would normally use or a ccTLD that corresponds to a country that you’re sure you don’t sell to or do business in;
    • A domain name that has random numbers or special characters that aren’t part of the brand or company’s name (This defeats the purpose of making it easy for users to find a legitimate company’s site online after all.)


    Make sure though that none of the sites are yours or affiliated in some way with your company. You don’t want to make them inaccessible to users. You should find that a lot of the sites’ names may just have the same letters as your brand names or the companies that own them resell your products. Don’t be too hasty about suspecting them of foul play.


    To widen your search, you can also add other keywords to your monitor. Good examples for a brand like Zara would be “fashion,” “retail,” “clothing,” and “accessories”. To do that, just click “Edit monitor”.


    Click “+” beside “Add term” then type each additional keyword into the input box that appears. When you’re done, click “Save”. Brand Monitor will now show you results with the additional keywords in future reports. This is a great way to keep track of your competitors. You can also add their brands to your tracker if you wish to stay ahead of their sales and marketing efforts.


  • 8. After compiling a list of suspicious-looking sites, find out more about each of them. To do that, click “>” next to the domain name. You should see a pop-up window with the available choices.
  • 9. If you wish to take a deeper dive, you can build WHOIS reports. A basic WHOIS report will serve our purpose. Let’s say you want to see more about “sara.xyz”. Click “Build WHOIS report” from among the choices to get the report. Note that we’re not saying “sara.xyz” is malicious. We just used it as an example for building a WHOIS report. As it turns out, the domain is currently for sale.
  • 10. Should you find a domain that is malicious though, contact its registrar. If it’s not taken down, issue warnings of potential fraud to your customers on your shopping site or blog if you have one. Email subscribers to your newsletter or updates too. Tell them not to visit the potentially harmful site and that it isn’t in any way connected to your brand. Seek the aid of a law enforcement agency or the authorities. Alert them that the site may be used in a phishing attack.
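The name-based signs from the checklist above (typo variants, unusual TLDs, stray digits or special characters) can be pre-screened before anyone opens the sites, while the allowlist covers the reminder not to flag your own or affiliated domains. The Python sketch below is an added example, not WhoisXML API code or part of Brand Monitor; the TLD sets, the allowlist and the sample domains are assumptions constructed for illustration, and it assumes single-label TLDs.

```python
import re

# Assumed policy values for this sketch; replace them with your own.
COMMON_TLDS = {"com", "net", "org"}    # TLDs treated as unremarkable
MARKET_CCTLDS = {"es", "uk", "us"}     # hypothetical: countries the brand sells in
OWNED = {"zara.com"}                   # hypothetical allowlist of own/affiliated domains

TYPO = "typo variant of the brand"
EXTRA = "digits or special characters not in the brand"
ODD_GTLD = "uncommon gTLD"
ODD_CCTLD = "ccTLD outside the brand's markets"


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "zraa" for "zara".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def triage(domain, brand="zara"):
    """Return the name-based signs a domain shows; an empty list means none."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED:
        return []                       # never flag your own or affiliated sites
    name, _, tld = domain.rpartition(".")
    name = name.split(".")[-1]          # label left of the TLD (single-label TLD assumed)
    letters = re.sub(r"[^a-z]", "", name)
    close = osa_distance(letters, brand) <= 1
    if not close and brand not in letters:
        return []                       # unrelated to the brand
    signs = []
    if close and letters != brand:
        signs.append(TYPO)
    if letters != name:
        signs.append(EXTRA)
    if tld not in COMMON_TLDS | MARKET_CCTLDS:
        # Two-letter TLDs are country codes; anything longer is a gTLD.
        signs.append(ODD_CCTLD if len(tld) == 2 else ODD_GTLD)
    return signs


def review_queue(domains, brand="zara"):
    """Domains with at least one sign, most signs first. A flag is a reason
    to look closer (content, WHOIS report), not a verdict."""
    flagged = [(d, triage(d, brand)) for d in domains]
    flagged = [(d, s) for d, s in flagged if s]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample of monitored names; "sara.xyz" is the article's own
# example, which it notes is merely for sale, not malicious.
SAMPLE = ["zara.com", "sara.xyz", "zarra.com", "zara-giftcard.tk",
          "z4ra.net", "zaragoza.es", "example.org"]

if __name__ == "__main__":
    for domain, signs in review_queue(SAMPLE):
        print(f"{domain}: {', '.join(signs)}")
```

Signs that depend on page content, such as a copied logo or a non-affiliated contact address, still need the manual comparison described in step 7.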


If you’re the type of person who is more comfortable sifting through records offline but want to get the same benefits that Brand Monitor provides, use Brand Alert API, its RESTful API counterpart. It gives the same results as Brand Monitor in XML and JSON formats. Choose which works best for you.

Brand Alert API

For better security and peace of mind, use these other domain-monitoring tools from the Domain Research Suite that will seamlessly work with both Brand Monitor and Brand Alert API:


  • Reverse WHOIS Search: You can use the WHOIS reports that Reverse WHOIS Search generates to obtain more information on a domain you’ve been keeping tabs on with Brand Monitor to verify its legitimacy when, say, you’re investigating it for copyright infringement or any fraudulent activity.
  • WHOIS History Search: If you’re unsure of the reputation of a domain you wish to purchase and want to know its entire history, use WHOIS History Search with Brand Monitor. It gives you detailed insights on the domain’s entire life cycle, allowing you to make sure it never had ties to malicious online dealings that could harm your brand.
  • WHOIS Search: If you’re interested in purchasing a domain that will fit your company’s needs to a tee, use WHOIS Search with Brand Monitor. It can alert you when the domain is up for grabs as when its owner has given up his rights to use it or its registration has simply expired.
  • Domain Availability Check: Looking for a domain for your new product? Use Domain Availability Check with Brand Monitor. It gives you a list of all the domains that may meet your needs. If the domain you’re eyeing is currently in use, Brand Monitor can alert you when it becomes available.
  • Domain Monitor: Use Domain Monitor with Brand Monitor to keep track of any changes to the domain that has piqued your interest.
  • Registrant Monitor: Use Registrant Monitor with Brand Monitor to keep track of registrant-related changes tied to brands you’re viewing.


The Verdict: Lessons from Zara’s Case


Zara and other fashion retailers have proven lucrative phishing baits because the increase in people’s inclination to buy luxury apparel means they have good spending power. Targeting them directly can also provide perpetrators with intellectual property information that they can sell to the highest bidders (possibly a competitor). If their shopping site databases get breached, the attackers will get their greedy hands on the personal and financial data of their customers as well. And all that can land them in tons of cyber trouble. Not only would their customers suffer, their brand would certainly be damaged too.


Today’s brand protection guidelines shouldn’t just cover a company’s logo and other trademarks’ usage policies. The ubiquity of the Internet requires that they cover domain security as well. It’s not enough to expect customers not to fall for age-old phishing tactics; retailers need to do their part as well. That’s where tools like Brand Monitor and Brand Alert API will come in handy. They don’t just let you safeguard your virtual assets; they protect your customers and your good name too.

Introducing Command-line Real-time & Historic WHOIS Tool
http://www.yuefa2.com.cn/blog/introducing-command-line-real-time-historic-whois-tool/
Thu, 04 Jul 2019 16:41:05 +0000, admin

We are really excited to announce that we are now offering our hallmark Whois via a command-line utility, “bestwhois”. This tool can be a great alternative to the standard “whois” command for domain and IP WHOIS queries, as there are no search restrictions and the queries are made through the API service provided by Whois XML API.


Most suitable for UNIX power users and other command-line enthusiasts, bestwhois is a cross-platform utility that works on Microsoft, Linux, Unix, Mac OS X or any other platform with Python. It is a command-line front-end to Whois XML API’s WHOIS API and WHOIS History API. All the queries initiated from your end are processed through these APIs, and the output is similar to that of the original “whois” command.


The data that was available to developers via the APIs is now readily at hand for system administrators, threat investigators, analysts, marketing experts, and all other power users who potentially prefer using command-line tools or are used to the original “whois” command. They can now uncover domain profile data worldwide for over 5 billion historic Whois records, 300 million domain names and over 2850 gTLDs (including .com, .org, .net, .biz and more) and ccTLDs (including .uk, .us, .ru and more). Access key data points for domains including who registered it along with their contact information, the registrar, expiry dates, last update date, who to contact about the domain name & much more.


Key features of Whois Xml Api’s bestwhois

  • Easily conduct WHOIS search for domain names or IP addresses
  • Access Real-time & Historic WHOIS records
  • No query limitations
  • Consistently structured, yet human-readable output
  • Similar to the original “whois” command
  • Runs on virtually any platform



With the growing demand for crucial domain information found in the WHOIS records, we have created the bestwhois command-line utility to ease your access to this data. As one of the most reputed domain WHOIS database providers (and also one of the largest), we believe this can be a handy tool to help you find the owner of a domain name or IP address and to bolster your efforts further.


In order to get all the above-discussed benefits, you just need to subscribe to the Whois API at https://whoisxmlapi.com


You can get the bestwhois utility now from GitHub: https://github.com/whoisxmlapi/bestwhois

Introducing Seamless WordPress Plugins from Whois XML API!
http://www.yuefa2.com.cn/blog/introducing-seamless-wordpress-plugins-from-whois-xml-api/
Fri, 21 Jun 2019 15:22:00 +0000, admin

In the past few years, we have been on a mission to create domain Whois, IP, DNS & other internet Intel product solutions to fulfil the growing demand for this information among professionals from diverse industries. We currently offer APIs, Database Downloads, Online Web Tools, Threat Intelligence and a Splunk App, which are widely used by cybersecurity professionals, marketing & brand protection agencies, domain registrars, domain investors, researchers, and many more.


This time around, we have created a solution specifically for web developers and various website owners. We are glad to introduce 2 Plugins for WordPress site owners: Whois Plugin & IP Geolocation Plugin. Whether you run a business or are a blogger, WordPress plugins invariably play an important role in helping you achieve your endeavors. Our revolutionary Plugins can help you extend the functionality of your WordPress site, as well as improve user experience by surfacing crucial information with just a mouse hover!


With the help of numerous strategies, you achieve success in attracting your target audience but how do you feel when they leave your site to search for the owner of a website or the Geolocation information of IP address mentioned somewhere on a page or post of your website? Yes, working hard to bring the audience and witnessing them leave is always annoying. There can be many reasons why they would want this information but your concern should be to prevent them from leaving your site.


Our plugin automatically adds a small pop-up (tooltip), so your visitors can instantly obtain domain Whois or Geolocation information of IP addresses mentioned on your page without leaving your website or clicking on multiple pages or links. Isn’t that cool? Let’s take a look at both of these plugins to see their functionality.



Whois Plugin


This plugin automatically links all the domain names in your WordPress page or post to our Whois service. When your visitors move the cursor to a domain name in the text of your site, a quick pop-up containing summarized Whois information for that domain appears on their screen, including its availability, contact email, date of creation, and expiry date. When your audience seeks information about a particular website, this plugin not only provides them with instant data but also prevents them from moving to a different site. If a person wants to check out the entire Whois record, they can easily click on the link provided in the tooltip & access all the registration information of the domain.


Summarized Whois information of a domain

Domain registrars and news sites can substantially benefit from this plugin as it helps ease access to information for their users.


You can easily download the Whois Plugin here: https://wordpress.org/plugins/whois-xml-api-whois/



IP Geolocation Plugin


The IP Geolocation Plugin provides a quick preview of the location details for all the IP addresses mentioned on your website, including country & city. If people want to check out detailed location information, they can easily click on the link provided in the tooltip & access all the information about the IP address.


Summarized Geolocation information for an IP address


If your website displays IP data to your users, it is always helpful to add value to this information by providing Geolocation information for the IP address. But in order to avoid cluttering your website with this information for each IP, this plugin can help users get information specifically for the IP address they need to know more about, in a more visually appealing manner.

It is commonly observed that sites which provide IP addresses along with their location attract such visitors the most.

You can easily download the IP Geolocation Plugin here: https://wordpress.org/plugins/ip-geolocation-info/


Benefits of the WordPress Plugin from Whois XML API

  • No backend work or systems required to access data
  • Seamless integration without affecting the content of your website
  • No more cluttering your website with all the information
  • User experience improved for your website
  • Accurate & real-time data from the largest database


If you have the names of other websites or IP addresses on your site, these plugins can be a crucial asset for you and help provide added value to your website.

Domain Name System Primer
https://main.whoisxmlapi.com/domain-name-system-primer
Thu, 04 Apr 2019 05:51:14 +0000, admin

In this white paper, we give an overview of the Domain Name System, or DNS, one of the pillars of the Internet. We start by understanding the goal: to assign names to named resources on the Internet and to maintain their database. For this, it is important to understand the structure of domain names and DNS zones. The roles of the actors in the system are domain maintainers, registries and Network Information Centers. The structure of delegation of authority will also be clarified. We give an overview of the structure of data available in the DNS, notably, the resource records (RRs) occurring in zone files. We also review the technology side: the DNS protocol and its operations, namely queries for name resolution, the zone file transfers necessary to maintain the system, and reverse mapping. We briefly mention the most popular implementations, notably, BIND, which may be the most prevalent DNS server software. Reverse mapping necessitates a little insight into netblocks and Classless Inter-Domain Routing (CIDR). We address the internal security issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references for further reading.



1. The need for name servers

1.1. What is DNS?

Any network of digital devices operates by using addresses - technical numbers which enable the identification of the nodes. On the Internet, these are IP addresses. However, it is always necessary to give human-readable names to the addressable resources, thereby turning them into "named resources". Consequently, there has to be a technique to map the names into addresses; this is done by name servers.

On a large-scale network, such as the Internet, there is a tremendous number of named resources. This imposes requirements on any solution to name-address mapping:

  • There is a need for a method to organize and index names in order to efficiently find them in the system.
  • It has to be decentralized for several reasons:
    • The solution needs to be scalable in order to cope with the huge number of queries for name-address assignments to be served.
    • It has to be fault-tolerant; thus, there has to be some reserve in case any element of the required infrastructure is unavailable.
    • As the resources are run by physical entities (persons or organizations), it needs to be manageable so that the administration of certain resources can be delegated to their owners.

These requirements led to the introduction of the Internet Domain Name System in the early days of the Internet. This ecosystem has been playing a crucial role in the operation of this network ever since. Its specifications were laid down by Dr. P. Mockapetris as early as 1987, in the RFC documents 1034 and 1035. Though many subsequent RFCs have introduced modifications, the core functionality of the system still remains intact.

1.2. Domain name system and WHOIS

To meet the above-outlined requirements, the names of the resources are organized into a hierarchical structure. At the top, there is the name of the top-level domain (TLD), then the second-level domain (SLD), and any number of lower levels, each separated by dots, e.g., "www.example.net". In this way, the management of a sub-tree in the hierarchy can be delegated to the actual owner of the resources below the top of this hierarchy. The authority over the root domain of the Internet is with ICANN (Internet Corporation for Assigned Names and Numbers, www.icann.org).

Below this, for instance, is the TLD ".com" operated by Verisign (though the actual registrations of its sub-domains are processed via registrars accredited by ICANN), whereas "domainwhoisdatabase.com" is maintained by WhoisXML API, Inc.: we, as an organization, administer this SLD authoritatively. There are plenty of top-level domains on the Internet. Some of them are so-called country-code TLDs (ccTLDs) maintained by the respective entities of the given countries, and there are generic TLDs (gTLDs) related to other entities. Domains are registered by registrars.

When a registrant, say a company, purchases a domain name from a registrar, the registrar submits, after the necessary agreements, the technical data that will appear in the zone files we shall describe later. After this, we say the domain name "will resolve", that is, it gets the respective IP addresses in the Domain Name System. The technical data are thus located in the DNS, along with some information about the registrant entity. But not all information, unfortunately.

By design, there is a protocol separate from those used for name resolution — WHOIS, the "phone book of the Internet" which assigns real names and contact data to the registrants, the physical entities the resource belongs to. The WHOIS sub-system is thus crucial in all questions related to the ownership of domains and IP addresses, but the accuracy of WHOIS data is not a technical requirement for the domain to operate.

Meanwhile, in the DNS, all the necessary data have to be present for this operation, but the ownership data are limited. This dichotomy of WHOIS and the other parts of DNS is frequently seen as a serious shortcoming affecting the security of both subsystems. And yet, we have to live with this, as it is a consequence of the approach of the founding fathers of the Internet, who initially saw it as a network of a more-or-less trusted and friendly community. Well, it is not quite what it became.

In the present document, we will not deal with the WHOIS subsystem anymore. Even though it is a part of the domain name system, the system itself is fully functional without it. Instead, we shall focus on name servers, since these are the first which come to mind when speaking about DNS anyway.

Before turning our attention to the actual operation of name servers and the DNS, we will mention briefly a few related topics which will not be covered in detail in this document as they are only loosely related to our main topic.

1.3. Multicast DNS

Consider a local network, possibly of many computers. It is natural to wonder whether they need the same technology as the whole Internet to manage named resources. Indeed, there is a simpler solution for them: RFC 6762 specifies the "Multicast DNS protocol", which does not employ dedicated servers to maintain the name-IP assignment. If a certain site needs the IP address of another, it simply asks all nodes which of them identifies itself under the given name.

Obviously, this will only work out in the case of smaller and trusted networks, but it is a great simplification. In addition, the data formats of the mDNS protocol are 99% compatible with the standard DNS protocol (referred to as "Unicast DNS" in this context). However, as we are interested in the operation of the Internet on a large scale, involving authority and delegation questions, we will not go into the details of this protocol.

1.4. IPv6

Even though the number of possible IPv4 addresses, 2^32, is quite impressive, it can be foreseen that these possibilities will be exhausted at some point in the future. Hence IPv6, a new system of identification numbers for the nodes of the Internet, was developed. There will be times when your Web server IP will not look something like “” but, rather, more like "2001:0db8:85a3:0000:0000:8a2e:0370:7334".

The technology for this has been developed, including its support in the Domain Name System. But it is not yet prevalent and still, to some extent, in its experimental phase. So, we shall omit the details of IPv6 handling in the Domain Name System in the present document and focus on the currently common IPv4 system.

1.5. Beyond DNS: The dark side

When someone speaks of the Internet (with capital "I"), everybody considers the network we all use and refer to under this name. This is very much in line with ICANN's motto, "One World, One Internet". We have just concluded that DNS is needed for the efficient operation of this network.

But actually, a TCP/IP network has many layers, and it is just a broadly accepted convention that it should be used via DNS. We shall see that this system that enables finding resources consists of files describing the required access information and protocols to distribute and access them. But, fortunately or not, it is not impossible for someone to introduce an alternative system on the same physical network that might use completely different standards and yet still remain operational.

And indeed, it is feasible. Perhaps the most significant example is the Tor network. It is a totally different logical network running on our physical Internet. It is hard to judge whether it is good or bad. According to its developers, its main goal is to protect privacy, and it is very beneficial for many benevolent actors who just want to avoid being tracked or eavesdropped on while using the Internet. In reality, however, it is known to be a home of the "Dark Web", the online world of crime and nasty things not to be detailed here.

The reason for us to mention this here is to point out that the Internet Domain Name System we describe here is not the only approach that exists on the physical IPv4 network, but it is what is running the thing we call the Internet. And currently (probably luckily), this is the most prevalent one.

2. Data behind the name resolution

2.1. Zones and zone files

A DNS zone is a contiguous portion of the domain name space having a single entity delegated as its manager. In the tree of the namespace, a zone starts at the root of the given domain and ends either at a leaf node, i.e., host, or at the top boundary of other independently managed zones.

Zone files are the containers of all the data necessary for the name resolution of the zone. They are text files with contents standardized by RFC 1035. (Actually, BIND, the most prevalently used DNS server implementation, uses certain conventions which do not comply fully with this standard, but they are now generally accepted.) Thus, zone files are both human-readable and machine-parsable: DNS software reads the information from these.

Our goal here is to obtain a basic understanding of the contents of zone files, as it is needed in order to understand DNS operations.

The contents of zone files can be subdivided into three types:

  • Comments
    Like virtually all kinds of computer code, they are necessary for human readability. Here, they start with the ";" character.
  • Directives
    These start with a "$" sign. They manage the processing of the file.
  • Resource records
    Those are the actual data lines describing the properties of the domain and the entities contained within.

Let us see a little example of a zone file:

    $TTL 86400 ; 24 hours could have been written as 24h or 1d
    ; $TTL used for all RRs without explicit TTL value
    $ORIGIN example.com.
    @ 1D IN SOA ns1.example.com. hostmaster.example.com. (
            2002022401 ; serial
            3H ; refresh
            15 ; retry
            1w ; expire
            3h ; nxdomain ttl
            )
      IN NS ns1.example.com. ; in the domain
      IN NS ns2.smokeyjoe.com. ; external to domain
      IN MX 10 mail.another.com. ; external mail provider
    ; server host definitions
    ns1 IN A ; name server definition
    www IN A ; web server definition
    ftp IN CNAME www.example.com. ; ftp server definition
    ; non server domain hosts
    bill IN A
    IN A
    IN A

Most directives are not very important to us, except for the mandatory $TTL directive which defines the Time to Live (TTL) value. This is the default duration for which the Resource Records can be saved or cached by another DNS server.

The optional $ORIGIN directive takes the name of the domain as its argument. If it is provided, the value of $ORIGIN is appended to any name that appears in what follows and does not end with a dot character ".".

The reason for this is that the file should use Fully Qualified Domain Names (FQDN). That is, it should define the exact location of the domain name in the DNS tree, and the terminating dot here represents the root domain. In addition, the "@" character in the SOA resource record will be replaced by the value of $ORIGIN, in our example, "example.com.".

2.2. Resource records

From our point of view, the most important elements are the Resource Records (RRs), as they are the ones containing the information on the zone. Let’s see what they tell us.


The first one, the SOA (Start of Authority) RR, has to be the first, and it is mandatory. It is a multi-line RR. Looking at our example, it should be read as follows:

  • The "@" character is the name of the domain; as $ORIGIN has been set, it will be replaced by its value, "example.com.".
  • The "1D" stands for one day; it is the TTL (Time to Live) of this very RR. If it is omitted, then the default $TTL would be used.
  • "SOA" stands for the record type.
  • "IN" stands for the network class, "Internet" in our case. In practice, it is always "IN" in zone files; there are some other possibilities, but they almost never appear in practice.
  • "ns1.example.com." is the Primary Master name server for this domain. It will be also specified in a separate RR, but it is mandatory here. (It can have a special meaning though when it is used with Dynamic DNS configurations).
  • "hostmaster.example.com." stands for an e-mail address, the first dot should be read as "@" — so it is "hostmaster@example.com". This is the administrative e-mail address for the zone, and according to the recommendation of RFC 2142, it is typically "hostmaster@domain".
  • "2002022401" is a serial number associated with the zone; this is essentially the version number of the information. By convention, it uses the format of a date "yyyymmdd" followed by a two-digit serial number specifying the version within the day. This field has to be updated every time a change is made to the zone.
  • The following time-type fields affect the operation of slave/caching name servers, which we shall describe in detail later.

Name server records. The first few fields are just the same as we saw in the SOA record. The "name" field is empty here, meaning that it is substituted from the preceding SOA record. (This is a general rule: if no name is given in any type of record, the "name" field of the SOA record shall apply.) No TTL is specified, so the default $TTL applies. Finally, in our example, we have "ns1.example.com.", the FQDN of a name server within the zone, and "ns2.smokeyjoe.com.", which is the secondary name server in some other domain, typically at some other location. This increases the robustness of the system: even if the infrastructure of the whole domain fails for some (possibly technical) reason, a name server somewhere else in the world is likely to be available. Organizations typically find partners to run their secondary name server on a reciprocal basis (I back you up, you back me up).


MX records. These are the default mail servers for the domain. The syntax is just as in the case of the NS records, apart from the additional number before the last field. This is a priority level: a number between 0 and 65535. The lower the number, the higher the priority of the given mail server.


A records. These are the hosts themselves. Each IP address which can be resolved has to have a name (this is the first field) and an assigned IP (this is the last one). Note that the same IP can have multiple A records, like the Web server "www", and Joe's machine, "joe" in our example. Also note that since $ORIGIN is set, "joe" will be expanded to "joe.example.com.", illustrating how useful this directive can be.


CNAME records. These are essentially aliases: the name in the first field is an alias for the name on the right. It can be used for many purposes. Importantly, the alias can point to a host outside the domain. A typical use of CNAME is to enable the Web server to be seen both as "example.com" and "www.example.com":

    IN A
    IN CNAME example.com.

The first line defines an IP resolving to $ORIGIN, that is, "example.com.", whereas the second one defines "www.example.com." as an alias to "example.com."

We reached the end of our example, and, in fact, what we understand so far is almost completely sufficient for the operation of a domain. The only exceptions are the records of type "PTR", the ones needed for finding out the host name from an IP. This is the topic of "reverse mapping", which we shall address in Section 3.2.
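To make the walk-through above concrete, here is an added example (not part of the white paper and not BIND's parser) that reads a small zone file, applies $TTL and $ORIGIN, expands "@" and blank owner names, and lists the targets that lie outside the zone. The sample zone is constructed after the one above, with placeholder addresses from the 192.0.2.0/24 documentation range and a relative CNAME target; a blank owner field is taken from the most recently named record.

```python
import re

# Constructed sample modelled on the zone file above. The addresses are
# placeholders from the 192.0.2.0/24 documentation range, not the page's values.
ZONE_TEXT = """\
$TTL 86400 ; default for RRs without an explicit TTL
$ORIGIN example.com.
@   1D  IN  SOA ns1.example.com. hostmaster.example.com. (
            2002022401    ; serial
            3H 15 1w 3h ) ; refresh, retry, expire, nxdomain ttl
        IN  NS    ns1.example.com.   ; in the domain
        IN  NS    ns2.smokeyjoe.com. ; external to domain
        IN  MX 10 mail.another.com.  ; external mail provider
ns1     IN  A     192.0.2.1
www     IN  A     192.0.2.2
ftp     IN  CNAME www                ; relative name, completed by $ORIGIN
joe     IN  A     192.0.2.2
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "MX", "A", "CNAME", "PTR"}
SOA_TIMERS = ("refresh", "retry", "expire", "nxdomain_ttl")


def seconds(token):
    """Convert '86400', '1D' or '3h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    if not m:
        raise ValueError(f"bad time value: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def qualify(name, origin):
    """Expand '@' to $ORIGIN and append $ORIGIN to names without a final dot."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Drop ';' comments and join a parenthesised record into one line."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # assumes no ';' inside quoted data
        depth += line.count("(") - line.count(")")
        line = line.replace("(", " ").replace(")", " ")
        buf = f"{buf} {line}" if buf else line
        if depth == 0:
            if buf.strip():
                yield buf
            buf = ""


def parse_zone(text):
    """Return fully qualified resource records; needs $TTL and $ORIGIN set."""
    env, owner, records = {}, None, []
    for line in logical_lines(text):
        blank_owner = line[0].isspace()
        tok = line.split()
        if tok[0].startswith("$"):             # directive: remember its argument
            env[tok[0].upper()] = tok[1]
            continue
        origin, ttl = env["$ORIGIN"], seconds(env["$TTL"])
        if not blank_owner:                    # blank owner: keep the last one
            owner = qualify(tok.pop(0), origin)
        while tok[0].upper() not in TYPES:     # optional TTL and class fields
            field = tok.pop(0)
            if field.upper() != "IN":
                ttl = seconds(field)
        rtype = tok.pop(0).upper()
        rec = {"owner": owner, "ttl": ttl, "type": rtype}
        if rtype == "SOA":
            rec["mname"] = qualify(tok[0], origin)
            local, _, domain = qualify(tok[1], origin).rstrip(".").partition(".")
            rec["email"] = f"{local}@{domain}"  # first dot of the field reads as '@'
            rec["serial"] = int(tok[2])
            rec.update(zip(SOA_TIMERS, map(seconds, tok[3:7])))
        elif rtype == "MX":
            rec["priority"], rec["target"] = int(tok[0]), qualify(tok[1], origin)
        elif rtype == "A":
            rec["address"] = tok[0]
        else:                                  # NS, CNAME, PTR
            rec["target"] = qualify(tok[0], origin)
        records.append(rec)
    return records


def external_targets(records, origin):
    """NS/MX/CNAME targets that lie outside the zone's own origin."""
    return sorted({r["target"] for r in records if "target" in r
                   and r["target"] != origin
                   and not r["target"].endswith("." + origin)})


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(*zone, external_targets(zone, "example.com."), sep="\n")
```

The list returned by external_targets shows which name and mail servers the zone depends on but does not control, which is worth reviewing whenever a zone file changes.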

There are many other types of special records. For a more exhaustive list, we refer to the following blog http://www.yuefa2.com.cn/blog/dns-the-dark-knight-of-the-internet/ for a quick overview, or to the cited books for a more detailed account.

Having understood the structure of the information present in the domain name system, let us now proceed to how it is actually distributed and maintained.

3. DNS operations

Here we describe the operations of the Domain Name System. These are realized using dedicated protocols, involving both TCP and UDP communications. The standard port of this service is 53.

3.1. DNS Queries

This is the operation realizing the main goal of DNS: to translate names to IP addresses. Each networked device has a component, the stub resolver (or resolver in brief) for that purpose. If an application, e.g., a Web browser, needs the address of another system, e.g., for visiting "www.yuefa2.com.cn", it will ask the resolver: "What is the IP address of www.yuefa2.com.cn?" There are two possible ways for the resolver to get this information.

3.1.1. Iterative queries

This is the kind of query which must be supported by all name servers. The process, in this case, is as follows:

  • The resolver asks the locally configured default name server about "www.yuefa2.com.cn".
  • The locally configured nameserver looks up the address in its cache, which is built from previous queries.
    • If it finds the address, it returns the answer along with the related CNAME records (aliases), and the query is completed. This answer is non-authoritative in this case.
    • If the required information is not there in the cache, the local name server replies to the resolver with a referral to the root server of www.yuefa2.com.cn.
  • The resolver asks the root server for the list of authoritative name servers for the given TLD, ".com." in our case.
  • Using the answer, the resolver asks the TLD name server for the list of authoritative name servers of the SLD, ".whoisxmlapi.com." in our case.
  • Finally, the resolver asks the authoritative name server of the SLD about the IP address of "www.yuefa2.com.cn", and receives the authoritative answer.

Apart from IP addresses (possibly with CNAME records and referrals), there can be answers showing a temporary or permanent failure, or reflecting the absence of the domain (NXDOMAIN), which are treated in the protocol just as one would logically expect.

Note that here all the communication went between the resolver and various name servers in several iterations, hence the name. There was no direct communication between the name servers, i.e., there was no recursion. But it is easy to see that if this were the only possibility, the cache of the local name server (or any other name server) would remain empty. Therefore, at least the local name server, and possibly some others, should support communication with other name servers. This leads us to the need for the other type of query.

3.1.2. Recursive queries

This type of query is not necessarily supported by name servers. It enables communication between the servers and thus supports building a cache. Let us see our previous example now in a scenario where the local name server supports recursion:

  • The resolver asks the local name server about "www.yuefa2.com.cn".
  • If the local nameserver finds the information in the cache, a non-authoritative answer is returned and the query is concluded.
  • In the absence of the information in the cache, the local DNS will ask a root server about the authoritative server of the TLD, ".com". A referral will be returned.
  • The local name server asks a name server of ".com." for the authoritative name servers of the SLD ".whoisxmlapi.com.", and a referral is returned.
  • The local name server asks the authoritative name server of ".whoisxmlapi.com" about "www.yuefa2.com.cn".
  • The obtained information is returned as an authoritative answer to the resolver.
  • Meanwhile, the information is cached; it will live till the prescribed time (Time To Live, TTL), so if the same question is asked from the local name server again, there is no need to ask for referrals.

The errors and non-existent domains are also treated logically here. Note that the resolver does not receive any referrals in this case. Apparently, the main difference between this protocol and the previous one is that the handling of referrals is done now by the local name server and not the resolver itself, thereby also supporting the caching activity of the local name server.
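The two query modes side by side, as an added example rather than code from the white paper: a toy delegation chain in which either the stub resolver or the local name server follows the referrals. The server names, the host name and its address are constructed, and the simulated clock `now` is an assumption used to show TTL expiry.

```python
# Constructed delegation chain: server names, host name and address are examples.
ROOT = "root-server"
SERVERS = {
    "root-server":      {"refer": {"com.": "com-tld-server"}},
    "com-tld-server":   {"refer": {"example.com.": "ns1.example.com."}},
    "ns1.example.com.": {"hosts": {"www.example.com.": ("192.0.2.2", 300)}},
}


def ask(server, name):
    """One query to one authoritative server: answer, referral or NXDOMAIN."""
    data = SERVERS[server]
    if name in data.get("hosts", {}):
        address, ttl = data["hosts"][name]
        return {"kind": "answer", "address": address, "ttl": ttl,
                "authoritative": True}
    for zone, next_server in data.get("refer", {}).items():
        if name == zone or name.endswith("." + zone):
            return {"kind": "referral", "next": next_server}
    return {"kind": "nxdomain"}


def follow_referrals(name, server):
    """Walk down the delegation chain; return (final reply, queries sent)."""
    sent = 0
    while True:
        reply = ask(server, name)
        sent += 1
        if reply["kind"] != "referral":
            return reply, sent
        server = reply["next"]


class LocalServer:
    """The locally configured name server, with or without recursion."""

    def __init__(self, recursive):
        self.recursive = recursive
        self.cache = {}               # name -> (address, expiry time)
        self.upstream_queries = 0

    def query(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:      # still within its TTL
            return {"kind": "answer", "address": hit[0], "authoritative": False}
        if not self.recursive:        # iterative only: hand back a referral
            return {"kind": "referral", "next": ROOT}
        reply, sent = follow_referrals(name, ROOT)
        self.upstream_queries += sent
        if reply["kind"] == "answer":
            self.cache[name] = (reply["address"], now + reply["ttl"])
        return reply


def stub_resolve(local, name, now=0):
    """Stub resolver: return (reply, number of queries the stub itself sent)."""
    reply, sent = local.query(name, now), 1
    if reply["kind"] == "referral":   # iterative mode: the stub does the walking
        reply, extra = follow_referrals(name, reply["next"])
        sent += extra
    return reply, sent


if __name__ == "__main__":
    for mode in (False, True):
        local = LocalServer(recursive=mode)
        for now in (0, 100, 400):
            reply, sent = stub_resolve(local, "www.example.com.", now)
            print(f"recursive={mode} t={now}: stub sent {sent}, "
                  f"local sent {local.upstream_queries} so far, "
                  f"authoritative={reply.get('authoritative')}, "
                  f"cached={sorted(local.cache)}")
```

In iterative mode the stub sends four queries every time and the local cache never fills; in recursive mode it sends one, and the local server repeats the walk only once the cached entry's TTL has run out. Negative answers are not cached in this sketch.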

3.2. Reverse mapping

So far, it is clear how we find out the IP of a host by its name. But in many cases, the opposite is needed: we have an IP address, and we want to know the name (or names, aka aliases) it belongs to. Even though the DNS was designed to have a special kind of query for the purpose, it has never been put into practice, and it was eventually made obsolete by RFC 3425. It turned out that the problem of finding a name for an IP, the "reverse mapping", can be handled with the same tools as the direct name-to-IP mapping by means of a neat trick. And indeed, this is the de facto way it is done. To understand the idea, however, we need some background information about the delegation structure of IP addresses.

3.2.1. Netblocks

Do IP addresses have a hierarchical structure like that of domain names? They should have one, indeed, as the responsibility has to be delegated not only for domains but also for IP addresses somehow.

The key to this is "Classless Interdomain Routing", CIDR, which we summarize here very briefly. (If you are interested in the details, an explanation can be found, for example, here: https://ip-netblocks-whois-database.whoisxmlapi.com/blog/who-owns-the-internet-ip-netblocks-whois-data-will-tell-you)

An IP address, say,, has 4 numbers between 0 and 255. In a binary representation, this is 4*8 bits. In our example, it will be 01101000000110111001101011101011. We keep the leading zero as we need exactly 32 bits, but we omit the dots; they do not have any role from now on: the octets are concatenated, forming a single 32-digit binary number. This is the ordinal number of the machine.

The assignment of the authority over multiple IP addresses is done in netblocks: these are contiguous intervals of IP addresses. They are defined by fixing a given number of most significant digits. The address in the above example belongs to a netblock in the CIDR notation, which means the first 12 digits define the block, and the remaining less significant ones define the actual host. So, our IP is between the beginning and the end of this interval:

011010000001.00000000000000000000 = = =

How about the hierarchy? Clearly, if we fix fewer digits, we get a bigger interval, and all the smaller ones will be within that one. E.g., our netblock belongs to a higher-level one as well in the hierarchy,

01101000.000000000000000000000000 = = =

This is a very elegant way of subdividing the whole IP range into a hierarchy of contiguous intervals which either do not intersect or where one contains the other. And, indeed, the delegation hierarchy of IPs is arranged on this basis.

3.2.2. The reverse mapping domain

When we compare this to the hierarchy of domain names and look at the binary numbers representing the IPs as strings, we find a significant difference. In the case of domain names, the highest level in the hierarchy, the TLD, is at the end of the string, whereas in the case of IPs, the bits, that is, the characters specifying the higher order in the hierarchy, are at the beginning. And here, the big idea comes in: if we reverse the IP address character by character, the two hierarchies become compatible. Now, as the DNS has tools for handling the hierarchy of domain names, we can use the same tools for the reverse name resolution!

So, how does it work out?

  • Define a special root domain for IP addresses. This is named "IN-ADDR.ARPA.". (Historically, it used to be directly related to the organization "ARPA", but now it is meant as "Address and Routing Parameter Area".)
  • Within this domain, an IP will be represented by a name with its octets in reverse order, e.g., "" will be ""
  • In the zone file, we need a special RR for these names, this is "PTR". So, a record in a reverse zone file would look like:
    235 IN PTR foo.example.com
    assuming that this IP belongs to "foo.example.com". The formal syntax of this record is "name ttl class rr name". The first name is treated as a string, even though it looks like a number; the $ORIGIN directive is in action here as well, unless we write an FQDN, like "". If the TTL is not defined, as in our example, the default is used. IN stands for the Internet, and PTR is the type of this RR.

With these conventions, the reverse resolution can be solved exactly in the same way as the forward resolution. As for the actual administration and hierarchy, the players are somewhat different than in the case of zone files.
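An added example (not from the white paper) that starts from the 32-bit string quoted in section 3.2.1, derives the /12 and /8 blocks by fixing the leading bits, and builds the IN-ADDR.ARPA name and PTR line. The /24-sized reverse zone and the trailing dot on foo.example.com. are assumptions; reverse_zones goes one step beyond the text by listing the octet-aligned reverse zones that cover a block such as a /12.

```python
import ipaddress

# The 32-bit string quoted in section 3.2.1 of the page.
PAGE_BITS = "01101000000110111001101011101011"


def bits_to_address(bits):
    """Turn a 32-character binary string into an IPv4 address object."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 binary digits")
    return ipaddress.IPv4Address(int(bits, 2))


def netblock_range(addr, prefix_len):
    """First and last address of the block fixing the top `prefix_len` bits."""
    host_bits = 32 - prefix_len
    first = (int(addr) >> host_bits) << host_bits   # host part all zeros
    last = first | ((1 << host_bits) - 1)           # host part all ones
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)


def reverse_name(addr):
    """FQDN under IN-ADDR.ARPA: the four octets in reverse order."""
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def ptr_record(addr, hostname, zone_octets=3):
    """Return the reverse zone's $ORIGIN and the PTR line relative to it.

    zone_octets is how many leading octets the reverse zone covers
    (3 for a /24-sized zone, an assumption); the rest form the owner name.
    """
    octets = str(addr).split(".")
    origin = ".".join(reversed(octets[:zone_octets])) + ".in-addr.arpa."
    owner = ".".join(reversed(octets[zone_octets:]))
    return origin, f"{owner} IN PTR {hostname}"


def reverse_zones(block):
    """IN-ADDR.ARPA zones needed to cover a netblock of /24 or shorter.

    Reverse zones sit on octet boundaries, so a block such as a /12 is
    covered by several /16-sized zones.
    """
    if block.prefixlen > 24:
        raise ValueError("blocks longer than /24 need classless delegation")
    aligned = max(8, -(-block.prefixlen // 8) * 8)   # round up to 8, 16 or 24
    zones = []
    for sub in block.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones


if __name__ == "__main__":
    ip = bits_to_address(PAGE_BITS)
    for plen in (12, 8):
        first, last = netblock_range(ip, plen)
        print(f"{first}/{plen}: {first} - {last}")
    print(reverse_name(ip), ptr_record(ip, "foo.example.com."), sep="\n")
    block = ipaddress.IPv4Network((int(netblock_range(ip, 12)[0]), 12))
    print(reverse_zones(block))
```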

3.2.3. Organizations maintaining the reverse zone files

At the root of the system of IP addresses is the Internet Assigned Numbers Authority (IANA); they maintain the root name servers for .IN-ADDR.ARPA. They delegate the smaller blocks to Regional Internet Registries (RIRs) that run the servers on their level (a kind of counterpart of the TLDs in the case of domains). There are currently five of them:

These then delegate smaller blocks to smaller organizations or persons; everyone with a specific netblock has to run the respective server.

So, all that we have said about recursive and iterative queries works in the same way in the case of reverse mapping, using the above hierarchy of servers.

3.3. Zone maintenance

This is the set of operations which enable the different authoritative name servers to keep their zone files up to date. As the details are less important from the applications' point of view, we just provide a brief overview of the involved operations. We remark, however, that these are essential for the proper operation of the domain name system, especially from the performance and robustness point of view. The main operations are as follows:

  • AXFR
    Full Zone Transfer is simply the polling of the whole zone file, typically from a master to a slave server. It is initiated by the slave. Such polling has to take place according to the timings defined in the SOA record, where all the relevant time parameters, such as timeout, are defined. It is important that the zone file does not get updated if the one to be polled does not have a bigger serial number than the currently available one. A drawback of AXFR is that a zone file can be huge; an incremental update is much more efficient in some cases.
  • IXFR
    Incremental Zone Transfer is an update of the zone file restricted to the changed records only. It was introduced in RFC 1995. It is done under the same conditions as AXFR, also initiated by the slave, but it requires much less data to move, so it is much more efficient both regarding the time required to carry it out, and bandwidth-wise.
  • NOTIFY
    Also introduced in RFC 1995, this is an operation in the opposite direction compared to the previous two: it is used to notify slaves that a change in the zone file might have occurred, so it is likely that they should poll it. This has significant benefits for the propagation time of zone file changes.

All these rather logical maintenance operations are based on zone files as literally files existing on certain servers and being interchanged amongst them. With the growth of the Internet, this also became a bottleneck. The files became huge and hard to administer. In addition, if any change appears, the server has to read the whole file again sequentially, causing a possibly unacceptable unavailability time. This leads to the need for dynamic DNS introduced in RFC 2136. This enables the update of zone records from external sources. However, it does not allow for adding or deleting a new zone. In addition, it raises additional security issues as there are more servers involved in the update. Hence, the same RFC defines the concept of a primary master name server which is just one of the master name servers but authorized to control the DDNS process.

Having understood the key DNS operations, let us see what types of name server occur in the DNS system.

4. Name Servers

In this section, we take a closer look at the servers themselves which run the DNS protocol. First, we will classify them based on their role in the system, then we will briefly describe some particular implementations.

4.1. Functionality

Even though we frequently speak about types of name servers, maybe using the term "role" instead of “type” would be more in order. Actually, the same physical server can be a master of a given zone and a slave in another, and may even serve as a caching server in the meantime, depending on the configuration of its software. And the commonly-used implementations allow for very byzantine settings as well. Nevertheless, it is important to distinguish between certain roles:

  • Master Name Servers
    These read the information directly from the zone files (edited locally). They give authoritative answers about the hosts in their zone, enable the slaves to poll zone files from them, and send them NOTIFY if appropriate.
  • Secondary Name Servers
    They are the slaves. They poll their zone files from their master and provide authoritative answers to queries regarding their zone.
  • Caching Name Servers
    These do not have complete zone files. They have a cache built from the non-expired results of previous queries and can provide non-authoritative answers to queries they hold the answer for. They support recursive operation and communicate with slave or master servers when they receive a query whose result is not yet cached. If they forward an authoritative answer to the resolver, their answer is also considered as authoritative.

In addition, there are some other types not directly relevant from the point of view of the global DNS ecosystem:

  • Forwarding or proxy name servers
    These forward all queries to another name server, and cache all the obtained results. At first, this sounds pretty much like a caching name server, but it is not the case. These name servers will not process referrals at all, hence the communication between them and the resolver is restricted to one query-response pair in the case of each lookup request. They are mainly useful for saving network traffic.
  • Stealth name servers
    These are the ones serving a local network whose sites are not visible from the outside. So, the hosts, except for a few servers, are within a demilitarized zone (DMZ), they have internal IPs, and they see the Internet through a firewall gateway, typically with IP masquerading. Their specialty is that they are expected to answer the queries of the internal hosts, both regarding domains on the Internet and host names within the DMZ. Sometimes, they are also called DMZ, or split name servers.

4.2. Implementation

Perhaps, the most prevalent piece of DNS software is BIND, the Berkeley Internet Name Domain, which was originally developed at the University of California, Berkeley. It is a free, open-source, and reliable implementation running on most root servers, etc.

Alternatives do exist, though. Microsoft Windows servers, for instance, have their own DNS server implementation. And there are many others. Some are designed to act as a simple proxy, some are designed to be an authoritative-only server, etc. A good comparison of these implementations is available here: https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software.

Importantly, as we have described, a standard zone file can be migrated from one implementation to another. But many of the servers (including BIND) accept non-standard features in the zone file, like using time units other than seconds. This should also be taken into account if zone files are analyzed with any other type of software.

5. A simple query example

But what do end-users see from all these? Well, not too much. In most cases, they type in a name, and they are not even familiar with the existence of an IP address.

However, as professionals, we can send a query to a server and obtain the accurate answer. The very reason for putting this short section here is that in order to really understand what is going on, we need to illustrate everything that we have discussed so far.

There is a variety of tools for this. We shall use the nslookup utility available on most platforms (even though the Linux and other UNIX-flavor communities tend to prefer the command dig instead).

So, let us give it a try: on my typical Ubuntu host, the command

nslookup www.example.com

will result in the not-so-detailed non-authoritative answer:

Server: answer:
Name: www.example.com
Address:

Note that the answer was given by my local host. Indeed, most Linuxes tend to run a proxy name server locally. But what if I'm interested in the related SOA record, too? The "nslookup" has many options, including this one:

nslookup -type=soa www.example.com

and the answer will be:

Server: answer: Can't find www.example.com: No answer
Authoritative answers can be found from:
example.com
origin = sns.dns.icann.org
mailaddr = noc.dns.icann.org
serial = 2018112857
refresh = 7200
retry = 3600
expire = 1209600
minimum = 3600

Well, in fact, it is not "www.example.com" but "example.com" that has an SOA record. So I could have said:

nslookup -type=soa example.com

resulting in:

Server: answer:
example.com
origin = sns.dns.icann.org
mailaddr = noc.dns.icann.org
serial = 2018112857
refresh = 7200
retry = 3600
expire = 1209600
minimum = 3600

Or, if I want to have an authoritative answer directly, I can specify the name server host:

nslookup -type=soa example.com sns.dns.icann.org

Server: sns.dns.icann.org
Address: = sns.dns.icann.org
mailaddr = noc.dns.icann.org
serial = 2018112857
refresh = 7200
retry = 3600
expire = 1209600
minimum = 3600

Finally, let us demonstrate a reverse lookup:


resulting in:

Server: answer: = whoisxmlapi.com.

Of course, what we have seen here is just a small portion of the supported possibilities, and we encourage our readers to play around with them. All the types of RRs are available through these queries, even those which we have not yet discussed, e.g., the ones defined in support of security.

6. Security

In this section, we will address two points. First, we will provide an overview of potential threats against the DNS system itself and the possibilities of its protection. Then, we will discuss the role of the DNS in overall IT.

6.1. Internal security of the DNS system

The DNS protocol, by its original design, is based on unencrypted network communications. Hence, it is prone to various security threats. These even include the modification of delegation details. We go through these along with the possible means of protection.

  • Zone file corruptions
    A corrupt zone file, regardless of whether it got corrupted accidentally by some mistake made by authorized personnel or by a malicious intruder to the system, can obviously cause a lot of problems: lack of proper updates, invalid name resolutions, or even the malfunction of a master server. This is a local issue, and it can be overcome by proper system administration and ensuring the overall server security.
  • Zone file transfers
    They are vulnerable to various types of attacks. For instance, a malicious agent can intercept AXFR or IXFR communications and inject distorted information into the system, e.g., by IP address spoofing, thereby poisoning slave name servers. One way to overcome this is to disable zone transfers, but obviously this is not always possible. Another option is the protection of the network architecture itself. Finally, the communication can be authenticated and encrypted. RFC 2845 describes the Transaction SIGnature (TSIG) protocol to facilitate an authentication step of the zone file update process. It uses shared secret keys and one-way hashing to ensure the security of the authentication. A special RR type, TKEY, is used in various modes to facilitate the establishment of the shared key.
  • Dynamic updates
    The same can be said here as in the case of conventional zone file updates: address spoofing or unauthorized updates can introduce invalid data into the system. Besides TSIG, there is another related protocol, SIG(0), for request and transaction authentication based on public-key cryptography, cf. RFC 2931.
  • Attacks against remote queries
    Subverted masters or slaves, as well as poisoning caches, are all possible attacks against Server-Client communications. A good solution is the use of DNSSEC (Domain Name System Security Extensions), designed for authenticating these communications securely, albeit lacking encryption of the actual communication. This obviously also requires a variety of additional RRs. It is not yet prevalent, but there are a lot of pilot projects and zones where it has been introduced. Additional information can be obtained from https://www.dnssec.net/projects.
  • Attacks against resolver queries
    These are similar to those mentioned in the previous item, affecting communication between remote and local clients. Besides the use of DNSSEC, the usual SSL/TLS encryption of the communication is a good means of protection.
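The shared-secret authentication that TSIG adds to a zone transfer request, as an added sketch that is not code from the original article: both sides compute an HMAC over the query followed by the TSIG variables, and the receiver rejects an unknown key, a bad MAC or a stale timestamp. The key name, the secret, the choice of HMAC-SHA256 and all helper names are assumptions made for illustration; the block computes and checks the MAC only and does not build the TSIG record itself.

```python
"""TSIG-style authentication of a zone transfer request (illustrative sketch)."""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."   # assumption: HMAC-SHA256 as the TSIG algorithm
CLASS_ANY, QTYPE_AXFR, QCLASS_IN = 255, 252, 1
FUDGE = 300                  # permitted clock skew in seconds


def wire_name(name: str) -> bytes:
    """Domain name as lower-cased, length-prefixed labels ending in a zero byte."""
    labels = [part.encode("ascii") for part in name.lower().rstrip(".").split(".") if part]
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"


def axfr_query(zone: str, msg_id: int) -> bytes:
    """12-byte DNS header (one question, no flags) followed by an AXFR question."""
    header = struct.pack("!6H", msg_id, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!2H", QTYPE_AXFR, QCLASS_IN)


def tsig_mac(message: bytes, key_name: str, secret: bytes, time_signed: int) -> bytes:
    """HMAC over the request followed by the TSIG variables."""
    variables = b"".join([
        wire_name(key_name),
        struct.pack("!HI", CLASS_ANY, 0),                                 # class ANY, TTL 0
        wire_name(ALGORITHM),
        struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF),  # 48-bit time signed
        struct.pack("!3H", FUDGE, 0, 0),                                  # fudge, error, other length
    ])
    return hmac.new(secret, message + variables, hashlib.sha256).digest()


def verify_request(message, key_name, mac, time_signed, keyring, now):
    """Return a TSIG-style result code for a received request."""
    secret = keyring.get(key_name.lower().rstrip("."))
    if secret is None:
        return "BADKEY"                      # no shared secret under that name
    expected = tsig_mac(message, key_name, secret, time_signed)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"                      # message altered or wrong secret
    if abs(now - time_signed) > FUDGE:
        return "BADTIME"                     # outside the allowed time window
    return "NOERROR"


# Constructed sample values (not taken from the article).
KEY_NAME = "transfer-key.example.com"
SECRET = b"constructed-demo-secret-32-bytes"
KEYRING = {KEY_NAME: SECRET}
T0 = 1_566_000_000


def demo():
    """Run one valid request and four that the receiving master must reject."""
    query = axfr_query("example.com", 0x1A2B)
    mac = tsig_mac(query, KEY_NAME, SECRET, T0)
    other_zone = axfr_query("example.org", 0x1A2B)
    forged = tsig_mac(query, KEY_NAME, b"guessed-secret", T0)
    return {
        "valid": verify_request(query, KEY_NAME, mac, T0, KEYRING, now=T0 + 5),
        "altered message": verify_request(other_zone, KEY_NAME, mac, T0, KEYRING, now=T0 + 5),
        "wrong secret": verify_request(query, KEY_NAME, forged, T0, KEYRING, now=T0 + 5),
        "unknown key": verify_request(query, "other-key.example.com", mac, T0, KEYRING, now=T0 + 5),
        "stale request": verify_request(query, KEY_NAME, mac, T0, KEYRING, now=T0 + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

Spoofing the source IP address alone does not help a sender who lacks the shared secret, because the MAC check fails before any zone data is sent or accepted.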

6.2. DNS in IT security

The connection of domain names with IP numbers is of paramount importance in IT security. For instance, many spam mail filtering methods are based on the verification of the validity and appropriateness of the DNS data of the sender. Firewall logs contain primarily IP addresses; hence, when investigating threats, it is important to see if it is possible to validly assign domain names to these. And if there are some data, they can reveal a lot of information about the opponent. Many other applications could be listed, considering that naming resources is an inherent feature of any electronic network communication and is naturally related to the identity - real or virtual - of the communicating entities.

7. Passive DNS

DNS has one significant shortcoming, especially when viewed from the IT security point of view. While it always contains timely information about domains and IPs, it is just a snapshot which does not allow obtaining DNS information of past time instants within this system. Of course, it is quite natural that even if the snapshot embodies a tremendous amount of data, it is virtually impossible to maintain the whole history. And yet, it would be of paramount importance.

7.1. Reasons why we need passive DNS

Imagine, for instance, that you find an IP address upon the investigation of some threat, but the IP address has ceased to exist. It is likely that at the time of the attack it did resolve correctly, but it has since disappeared. At the very least, a chance to find a past resolution of the IP or domain would be a fundamental clue. And even if an IP address that has been marked as malicious does not resolve anymore, the data from the past could still provide a key for the identification of its domain, thereby preventing the malicious activity of the opponent. So, the past data has implications for present and future security issues, too.

In another example, to detect the success of the aforementioned threats of the DNS system itself, it would be handy to have resolution data of the past. Its analysis could reveal the changes then.

These data can be used in more sophisticated ways in threat intelligence, involving a variety of big data and even machine learning tools, e.g., in order to reveal an algorithm generating short-lived domains registered by a suspicious agent.

7.2. The solution: Passive DNS

Passive DNS, which is otherwise not part of the DNS protocol, provides the very data the applications in the previous section cry for. The original idea was introduced around 2004: to use recursive name servers to log responses received from various name servers, and save the collected data, augmented with timestamps, in a compressed form, to a central database. Note that in this approach, no stub resolver to name server communication is involved; it is based on server-server communication. This saves a lot of network traffic and excludes the vulnerabilities related to the kind of protocols thus avoided. In addition, it does not pose any privacy issues: you will not collect data on who tried to resolve an IP or a domain, or why.

There are several passive DNS services on the market. The servers collecting the data are termed as DNS sensors, and they provide data for a central, usually very big database. Different services may have different strategies to select the communications to be logged from among the whole DNS traffic. Passive DNS has become a fundamental tool in IT security.

7.2.1 Passive DNS Applications

Passive DNS is an enabler, as it allows existing threat solutions to better perform their important roles. At the same time, it is a facilitator, as it helps produce actionable information that cybersecurity teams can use to be one step ahead of malicious actors.

These functions are made possible through a huge passive DNS database, the analysis of which can reveal the suspicious movements of past domain data which can be leveraged for threat intelligence purposes. Passive DNS data can also be correlated with other information or integrated into APIs for swift analysis.

Below are the relevant use cases of Passive DNS, and why they are crucial to cybersecurity maintenance:

Application: How passive DNS can help
Locating domains connected to known malicious addresses
  • Maps all domains connected to a known malicious IP address enabling further detection.
  • Helps identify which of the domains are infected with malware and which ones are benefiting from it.
Identifying malicious infrastructure and suspicious activities
  • Helps detect when trojans have infiltrated a system and are trying to let malicious users gain access to it.
  • Helps locate and dismantle domain infrastructure that supports phishing attacks.
  • Helps detect and reduce covert communications from an organization’s infrastructure.
Fraud and domain name infringement detection
  • Helps identify if any fraudulent changes are made in the DNS system.
  • Allows pinpointing newly-registered domains since these are often used for fraud.
  • Enables mitigating the risks of shadow domain, typosquatting, or other attacks where malicious actors create websites with deliberately similar addresses to those of reputable organizations.
Getting actionable insights on the attacks and their mitigation
  • Passive DNS data combined with other data helps provide insights into what known bad actors are planning to do.
  • Helps mitigate phishing attacks, especially when the data is integrated with operational enterprise solutions.
  • Enables near real-time detection of fraudulent alterations to the DNS system such as cache poisoning attacks.
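A minimal passive DNS store of the kind described in section 7.2, as an added example rather than code from the original article or from any passive DNS product: it aggregates timestamped answers into first-seen/last-seen records and supports the pivot from a known bad address to every domain that ever pointed at it. The class, its method names and all observations are constructed for illustration (documentation address ranges and .example names).

```python
"""Minimal passive-DNS store: aggregate sensor observations, then query the history."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


def ts(iso: str) -> int:
    """ISO-8601 string (UTC assumed) -> Unix timestamp."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


@dataclass
class Record:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: int
    last_seen: int
    count: int = 1


class PassiveDNS:
    """Stores only what name servers answered, never which client asked."""

    def __init__(self):
        self._records = {}                   # (rrname, rrtype, rdata) -> Record
        self._by_name = defaultdict(list)    # rrname -> [Record]
        self._by_rdata = defaultdict(list)   # rdata  -> [Record]

    def observe(self, when: int, rrname: str, rrtype: str, rdata: str) -> None:
        """Merge one logged answer into the aggregated record for that triple."""
        key = (rrname.rstrip(".").lower(), rrtype.upper(), rdata.rstrip(".").lower())
        rec = self._records.get(key)
        if rec is None:
            rec = Record(*key, first_seen=when, last_seen=when)
            self._records[key] = rec
            self._by_name[key[0]].append(rec)
            self._by_rdata[key[2]].append(rec)
        else:
            rec.first_seen = min(rec.first_seen, when)
            rec.last_seen = max(rec.last_seen, when)
            rec.count += 1

    def history(self, rrname: str, rrtype: str = "A"):
        """All values a name has resolved to, oldest first."""
        recs = self._by_name.get(rrname.rstrip(".").lower(), [])
        return sorted((r for r in recs if r.rrtype == rrtype), key=lambda r: r.first_seen)

    def names_for(self, rdata: str, at=None):
        """Names seen pointing at rdata, optionally only those observed around time `at`."""
        recs = self._by_rdata.get(rdata.rstrip(".").lower(), [])
        return sorted({r.rrname for r in recs
                       if at is None or r.first_seen <= at <= r.last_seen})

    def new_rdata_since(self, rrname: str, since: int, rrtype: str = "A"):
        """Values that first appeared for a name after `since` (possible tampering or a move)."""
        return [r.rdata for r in self.history(rrname, rrtype) if r.first_seen > since]


# Constructed sensor log: (timestamp, owner name, type, answer).
SAMPLE = [
    ("2019-03-01T10:00:00", "shop.example.", "A", "192.0.2.10"),
    ("2019-03-05T10:00:00", "shop.example.", "A", "192.0.2.10"),
    ("2019-03-09T08:00:00", "login-shop.example.", "A", "203.0.113.66"),
    ("2019-03-10T09:00:00", "Shop.Example.", "A", "203.0.113.66"),
    ("2019-03-10T09:30:00", "cdn-update.example.", "A", "203.0.113.66"),
    ("2019-03-11T09:00:00", "shop.example.", "A", "203.0.113.66"),
    ("2019-03-12T08:00:00", "login-shop.example.", "A", "203.0.113.66"),
]


def build_sample() -> PassiveDNS:
    db = PassiveDNS()
    for when, name, rrtype, rdata in SAMPLE:
        db.observe(ts(when), name, rrtype, rdata)
    return db


if __name__ == "__main__":
    db = build_sample()
    print("ever on 203.0.113.66:", db.names_for("203.0.113.66"))
    for rec in db.history("shop.example"):
        print(rec.rrname, rec.rdata, rec.first_seen, rec.last_seen, rec.count)
```

The aggregated form keeps one row per (name, type, value) triple, so the history of shop.example stays queryable even after the live DNS has moved on.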

8. Summary and further reading

The present document aims to give a quick introduction to the Domain Name System, a crucial ingredient for the operation of the Internet. We have briefly reviewed its concepts, system architecture and implementation, goals and means to reach them, and, notably, its security issues and role in IT security.

This information is sufficient for a newcomer to have a basic understanding of the topic. But, of course, there are many additional details not described here. In this regard, we refer to the extensive literature on the subject.

There is a tremendous number of books and other documents available about the topic. To name a few, “Pro DNS and BIND” by Ron Aitchison provides a detailed, self-contained, and practical introduction to the topic. It is also worth mentioning Cricket Liu's classic works, such as “The DNS and BIND” cookbook. As for DNS security, “DNS Security: Defending the Domain Name System” by Allan Liska and Geoffrey Stowe is a comprehensive source.

As for passive DNS, there are many good reads, too. The original idea of passive DNS is due to Florian Weimer, who has a very informative page on this: http://www.enyo.de/fw/software/dnslogger/. Though relatively old, his original paper is still one of the best introductions to the idea of passive DNS, its functionality and applications.

Finally, we remark that WhoisXML API, Inc., offers various API and database products related to the DNS system. A DNS lookup API provides a simple and convenient way to perform DNS lookups. The Reverse IP/DNS API provides comprehensive DNS information on an IP address, including its past. The Reverse MX API reveals all domains that use the same name server, whereas the Reverse NS API finds all domains with the same name server. These APIs provide a handy way of obtaining useful information which is not very easily found in the Domain Name System otherwise. The services are based on current and historic databases, which are also available for download.



WHOIS Databases: Business, Cybersecurity, and Many More Applications Explored https://main.whoisxmlapi.com/whois-databases-business-cybersecurity-and-many-more-applications-explored Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/whois-databases-business-cybersecurity-and-many-more-applications-explored

The Web is a tangle of information. Data is everywhere and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative or misleading. You may get your hands on something useful or be deceived – and learning more about domain owners and assessing whether they’re trustworthy is notoriously hard.

This is where the powers of WHOIS databases come in, whose applications are multiple — ranging from cybersecurity to marketing research to criminal investigation. How so? This white paper considers a variety of use cases.


A Brief Intro to WHOIS

With countless new domains registered on a daily basis, it’s difficult to stay informed about who owns the web. However, with WHOIS and WHOIS databases, this is possible. Let’s take a look at these as a starting point.

What is WHOIS?

In a nutshell, WHOIS is a suitable way to collect and verify data about individuals and organizations with an online presence. A WHOIS record is automatically created as part of each domain registration, and it includes identifiable information such as the domain owners’ names, contact details, and physical addresses alongside important dates regarding the creation, expiration, and transfer of domains.

What is a WHOIS database?

WHOIS databases are structured sets of WHOIS data that enable the reviewing of thousands or more domains simultaneously. In fact, raw WHOIS data, with each record being separate, is of little interest to large-scale users like, for example, cybersecurity and marketing departments seeking to check multiple online entities at once.

WHOIS databases are built by third-party providers, like WhoisXML API, and their utility can be evaluated according to their breadth — i.e. the number of TLDs and ccTLDs included — and accuracy — i.e. whether they are maintained and updated regularly with the latest domain information.

Cyber Security: A Safer Internet

Cybercrime activities have reached unprecedented levels. The 2018 Data Breach Investigation Report from Verizon accounted for 53,308 security incidents during the year, 2,216 of which resulted in data breaches.

Organizations and the public alike are at risk. For example, Under Armour, a sportswear manufacturer, claims that nearly 150 million of its MyFitnessPal accounts have been compromised due to hacking, while the hotel chain giant Marriott has had data from 500 million of its guests stolen as a result of a cyber attack.

Individuals are also a target of malicious emails with the average user receiving 16 shady emails on a monthly basis.

How do WHOIS databases help improve cybersecurity?

Cybersecurity teams have their hands full counteracting hackers and scammers whose nefarious skills and familiarity with modern systems make such efforts increasingly difficult.

So what’s the way forward? Comprehensive countermeasures must be put in place — combining traditional and unconventional techniques. Besides strengthening anti-virus and firewall capacities, cybersecurity personnel can look into domains and their infrastructure to identify threats and come up with solutions.

With WHOIS databases, individuals and businesses have access to accurate data to fight different cyber threats.

Application: How WHOIS databases help

  • Counteracting phishing
    Leveraging WHOIS information allows users to verify, check, and compare details of domains whose owners claim to be one entity but show up differently in the record.
  • Combating malware
    Users can use WHOIS records when they suspect that a website may have been created for malicious ends. Warning signs include recent registration dates and registrants in high-risk countries.
  • Scoping malicious activity
    Users can identify connected websites, IP addresses, and domains that could be linked to fraudulent activities by cross-referencing WHOIS data with other DNS details.
  • Proactive cybercrime prevention
    Once a malicious domain has been identified through its WHOIS records, that address and the ones connected to it can be blacklisted to protect visitors from the same or similar attacks.

Threat Intelligence: The Hunt Is On

As threats continue to rise, organizations are recognizing that investing in prevention is better than mitigating the consequences of costly data breaches. Threat hunting, or actively searching networks to identify and eliminate threats, alongside threat intelligence, gathering evidence-based data to make informed decisions, has therefore gained momentum.

How does WHOIS support threat intelligence and hunting efforts?

What are the weak links in a given corporate network? Which corresponding tools should be adopted? As an SMB or a large organization, where would security budgets be best allocated? Affordable access to WHOIS databases could provide insights for threat hunting efforts and bolster existing threat intelligence platforms.

Application: How WHOIS databases help

  • Proactively looking for threats
    Real-time domain WHOIS data allows users to cross-examine registration details with sources of cyber data to identify threats.
  • Examining newly-registered domains
    Automated notifications about new domains using WHOIS databases permit implementing proactive measures, such as the blocking of dubious websites.
  • Powering threat intelligence platforms
    Users can feed WHOIS data into their threat intelligence platforms to get a closer look at the infrastructure of certain hosts.

Domain Registration: A Busy Marketplace

The Internet landscape is growing by more than 7 million domain registrations each year. This surge has made the Web a crowded place and an exciting market for domainers.

Why do WHOIS databases matter to domainers?

Domainers are hard-pressed to anticipate market trends and put their hands on the right names before anyone else does. However, there are other aspects to bear in mind, like ensuring that the domains they purchase have been lawfully used. WHOIS databases allow them to stay on top of all this efficiently.

Application: How WHOIS databases help

  • Secure and fast purchases
    Domainers can perform the necessary background checks on domain name availability while also getting updates on newly-registered or recently-expired domains that are available for purchase again.
  • Valuation and safe ownership transfer
    Domainers can access the full history of a domain’s transactions including the date it was created, when it is due to expire, to whom it belonged, for how long, and through which registrar.

Brand Protection: Uncompromised Intellectual Property

What’s the value of intellectual property? Well, 3,000 trademark infringement lawsuits are filed in the US every year, and to reinforce this statistic, 3,074 WIPO cases were filed by trademark owners in 2017 through the Uniform Domain Name Dispute Resolution Policy (UDRP).

How can WHOIS support infringement detection?

Disputes on domains and trademark infringement are generally costly, especially when reliable domain information is not available. Not only do they take a lot of effort to go through, but they can also result in damaged reputations arising from bad publicity and lead to lost sales and revenues.

So how can IP management teams keep company assets protected from cases involving brand violations? Here again, WHOIS databases can prove their efficacy.

Application: How WHOIS databases help

  • Monitoring competitor moves
    The WHOIS protocol lets brand managers anticipate what their competition is planning through the analysis of newly registered domain names and potential launches of new products.
  • Preventing infringement
    Users can monitor domains that have similarities to their brand – perhaps to cause confusion or damage reputation – and use WHOIS contact details to start remediating the situation.
  • Protection from brand abuse
    Users can receive messages of registration attempts that contain company trademarks or similar keywords for which they own usage rights.

Marketing Research with Facts

Market researchers have been on their toes as budgets go down and the return on marketing investments has to be maximized. Indeed, Procter & Gamble saved $750 million in 2018 by reducing advertising expenditures and cutting agency costs by 50%. So where can facts be gathered to support the business rationale of upcoming campaigns?

How can WHOIS data be used for marketing activities?

Traditional research techniques are not as effective as they used to be in a digital-driven world, and they do not allow companies to identify trends and remain a step ahead of their competition. WHOIS databases, on the other hand, can contribute to in-depth data analysis and fuel marketing initiatives at several levels.

Application: How WHOIS databases help

  • Recognizing new opportunities
    WHOIS records add to and improve the accuracy of existing business contact databases, allowing companies to engage purchasers and sellers.
  • Having relevant information on domains
    Marketing departments are able to detect available neighboring domains to expand their product lines or rebrand themselves.
  • Staying on top of competitors and industry trends
    Marketers can stay updated on the movement of domain registrations, acquisitions, and other such activities to monitor and foresee upcoming trends that may affect their competitive position.

Registrars in the Know

There are almost 3,000 accredited domain registration companies present in the registrar market. Stiff competition has called for service differentiation as well as cost reduction, and that requires clarity on where the industry is heading.

How does WHOIS add value to registrars?

Let’s say you operate in the registrar market. Would you like to know where you’re positioned in the industry? What’s your market share in a given country or for certain TLDs? Are there new entrants worth watching out for? To which service are your registrants migrating or from whom have you “stolen” customers?

These are some of the questions you can answer with WHOIS data integrated into databases, which let you track everything that’s happening with domain names.

Application: How WHOIS databases help

  • Streamlined access to data
    Registrars are able to set up WHOIS APIs connected to databases, saving time and avoiding the complexity of developing the backend themselves.
  • Reliable domain registration, management, and transfer
    Registrars can use the information provided in databases to execute daily activities: checking domain name availability, confirming domain histories, identifying dangerous domains, and facilitating transfers for domain owners.
  • Combating phishing
    Registrars can help law-enforcement agencies by providing them with in-depth knowledge of domains that are involved in cybercrime.

Law Enforcement Made Possible

The current cybercrime situation is quite rampant, and law enforcement agents are never out of work. Just recently a cybercrime ring that has been accused of trafficking stolen identities was taken down by US authorities. However, not all cybercriminals are easy to catch. Perpetrators are becoming more creative and slippery, and harder than ever to prosecute.

How can WHOIS data contribute to law enforcement?

Law enforcement agents need as many insights as possible to track down lawbreakers. Having complete access to domain information can prove particularly valuable for conducting effective investigations and for studying and anticipating cybercriminals’ behaviors.

Application: How WHOIS databases help

  • Getting investigative leads
    Agents can investigate, trace, and analyze leads to possible malware authors and fraudulent website owners who may be part of a larger group of hackers and offenders.
  • Gathering information to prepare cases
    Domain data can become part of threat data collection processes aimed to protect the public, build legal cases, as well as seize and take down suspicious domains following a trial.
  • Assistance during investigations
    Domain ownership data can be obtained immediately through WHOIS records to support investigations, locate site owners and their service providers, as well as to support communication with courts and governmental authorities.

Fraud Detection in the Loop

Fraud levels have risen from 1.58% to 1.80% in 2018, while losses due to online payment scams are expected to reach $48 billion by 2023. That’s the dark side of business increasingly being conducted online, and it’s eroding customer trust.

What is the relevance of WHOIS databases for e-commerce businesses?

Online businesses need to effectively detect and prevent malicious activities — e.g., scammers seeking to get their hands on customers’ information. However, they don’t often have the time to monitor and analyze unlawful attempts one by one. Individuals, in parallel, may think twice before disclosing their details on a new website and completing a purchase.

Being able to easily perform queries at scale via a trusted WHOIS database or API is an effective way to intercept and combat fraudulent behaviors.

Application: How WHOIS databases help

  • Fraud prevention
    Users with WHOIS protocol access can investigate a website’s validity and credibility before giving up their credit card or other online payment information.
  • Fraud identification
    Being able to flag users labeled with risky email IDs and websites could help identify malicious intents.
  • Fraud investigation
    Cross-checking information in WHOIS databases enables people to investigate suspected illicit money transfers or invoices for possible scams.

Dependability for the Financial Sector

Without a doubt, cybercriminals and fraudsters are after money — and the people who hold it. For that reason, financial stakeholders are the common target of social engineering attacks where business proposals often sound too good to be true.

What are the applications of WHOIS for banks and financial institutions?

Financial organizations must show due diligence before they proceed with large transactions — e.g., payments for services and new projects, acquisition of a new technology or innovative company, etc. What’s more, deciding whether or not to commit funds to a new business is hard for venture capitalists, private equity firms, and banks.

In these and other circumstances, dependable WHOIS information is essential to make the right moves and avoid lemon investments.

Application: How WHOIS databases help

  • Recognizing new opportunities: Investors can analyze domain information from WHOIS databases and learn more about the veracity of claims made during funding decision processes.
  • Better understanding the business backstage: Recent changes in WHOIS data and domain owner information reveal a lot about the state of possible mergers and acquisitions, investments, spinoffs, and business liquidations.
  • Enhancing business intelligence: Investors and banks can use domain registration data to improve their business intelligence efforts. WHOIS data can provide information on the structure and dynamics of companies using data mining techniques.

Scoops in the Data

With the World Wide Web reaching more than 1.8 billion websites and the emergence of fake news, sorting and verifying information is now harder than ever. How can media specialists differentiate themselves? Is the drop in the quality of online news inevitable?

Why is WHOIS data helpful to journalists?

Journalists need to keep up by performing a deeper analysis of content that matters while disregarding irrelevant sources. In that process, WHOIS databases can serve as an investigative tool to process large amounts of data about multiple online entities and uncover scoops.

Application: How WHOIS databases help

  • Monitoring for new stories: A WHOIS database can be used to keep track of target registrants and their activities such as product launches, service developments, and new ventures.
  • Verifying information: Journalists can make sure that their facts are right by looking up WHOIS data and, if they are in doubt, contact the entities of their interest.
  • Getting the data that matters: Bulk WHOIS functionality allows users to obtain and filter data in batches using custom attributes and obtain the desired results for groups of domains immediately.

There are plenty of uses for domain ownership data in today’s business world. It can be applied to fortify an organization’s cybersecurity, enhance marketing strategies, collaborate with law enforcement, enhance brand protection, and much more.

Are you interested in experiencing how WHOIS databases can benefit you as an individual or organization? Send us your questions at general@whoisxmlapi.com.



Fight against phishing e-mail with WHOIS: A technical blog based on the 2018 "Airbnb" case https://main.whoisxmlapi.com/fight-against-phishing-e-mail-with-whois Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/fight-against-phishing-e-mail-with-whois


On phishing scams

Phishing is a way to obtain sensitive information by sending electronic communication pretending to have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat Intelligence Index, "Despite the increased use of chat and instant messaging applications, email continues to be one of the most widely used communication methods for any organization, and phishing attacks continue to be one of the most successful means of making unknowing insiders open the door to malicious attackers."

Hundreds of millions of phishing e-mails are sent on the Internet every day, leading to billions of dollars stolen annually, not to mention the overtaken accounts and sensitive data obtained this way. The importance of the fight against e-mail phishing cannot thus be overemphasized.

In what follows, we present an example of such a fraudulent activity which attracted a lot of attention in the media recently and to which virtually anyone could fall victim. Through this particular example, we illustrate the use of WHOIS data in revealing this kind of malicious activity. WHOIS data can be an important piece of intelligence in any anti-phishing security software/solution.

The Airbnb story

Airbnb, the popular online marketplace for arranging and offering lodgings, has been prone to phishing activity for several years. As an online marketplace which assists in organizing payments, it is very attractive to malicious actors who would prefer the money transfers to ultimately end up in their temporary bank accounts.

The recipe in this scheme is simple: deceptive means convince a prospective victim that his credit or debit card data have to be sent in a reply e-mail or typed in on a short-lived, yet seemingly convincing website. Alternatively, these data can be stolen from the client's account along with other sensitive information, after a persuasive email kindly asks them to send the account name along with the password in a reply, claiming it to be necessary for whatever reason.

The active enforcement of the General Data Protection Regulation (GDPR) started across Europe on May 25, 2018. In a matter of days after this data protection legislation took effect, Airbnb saw a significant burst of phishing e-mails. Paradoxically, even though the main intention with the new regulation was that "Stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field." (source: this link, 2018.11.06.), its introduction has led to numerous foreseen and unforeseen consequences, some of which, in fact, seem to be introducing significant IT security risks. One of the short-term impacts of the new rules was that all the companies handling data of EU citizens in any form had to contact their clients to confirm certain new agreements.

As a consequence, e-mails with reference to the new GDPR started flooding all EU citizens (with rules that many of the latter do not even clearly understand). Because most of those e-mails urged for some activity or reply, this confusion-filled scenario became a genuine paradise for phishing schemes.

The malicious scam is simple: send e-mails to all addresses in your spam database on behalf of Airbnb and refer to the new GDPR as the reason why they need to share their sensitive data. There will be enough gullible Airbnb clients on the list who will fall for the trick.

And it happened. It is enough to look at the headlines:

  • "Airbnb Customers Targeted with Phishing Scam" (Infosecurity Magazine, 4 May 2018)
  • "Redscan warns of GDPR phishing scams," (Computer Weekly, 3 May 2018)
  • "Phishing campaign aimed at Airbnb guests uses GDPR hook" (scmagazine.com, 4 May 2018.)
  • "Gardaí warn of possible rise in email scams related to new data law" (The Irish Times, 28 May, 2018.)
  • "GDPR isn't to blame for all those dumb emails you're getting" (Wired, 11 May 2018.)

etc., just to quote some of the news in English.

Let us now look at this incident from the point of view of WHOIS data.

A WHOIS-based investigation of the Airbnb campaign

There are two general ways for anti-phishing software or a human analyst to determine whether an email is malicious:

  • Without scanning the full email, as that could take a lot of time. For this, external data sources can be used: WHOIS, NSL, proximity of the domain to a known malicious actor/domain/IP, etc.
  • By scanning the email: the contents of the email may be helpful if the link directs to a completely different domain or another malicious domain, etc.

In what follows we demonstrate the kind of information we can get, solely from WHOIS data that can be downloaded from the data feeds of WhoisXML API, supplemented by the possible use of some APIs.

About the approach

In our little investigation looking to demonstrate the footprint of phishing attacks against Airbnb in the WHOIS ecosystem, we shall use simple Linux/BASH command-line tools on our CSV files downloaded from WhoisXML API, Inc. The same is trivially doable on Mac OS X as well. For Windows 10 users who want to try it out, we recommend installing Bash on Ubuntu on Windows (see our blog on how to install it: http://www.yuefa2.com.cn/blog/using-bash-andother-linux-tools-on-windows-10-for-processing-whois-data). Users of earlier server versions of Windows can also work with Microsoft Services for UNIX.

However, all of this is doable with your favorite tools such as Windows PowerShell, or Python, etc., too.

Single WHOIS records

Our starting point will be an example described in a related article found under this link. "While the phishing messages might look legitimate at first glance, it's worth noting that they don't use the right domain - the fake messages come from '@mail.airbnb.work' as opposed to '@airbnb.com'." The mail in the example dates back to 18 April 2018, about a month before the enforcement of the new GDPR.

Let us now check the "work" top-level domain by looking at the WHOIS data of the domain "airbnb.work". This task is doable even with a simple WHOIS lookup or by entering this search term into the "Whois lookup" field on http://www.yuefa2.com.cn. By doing so we obtain information on who the domain belongs to. Is this a suspicious domain according to these WHOIS data?

First of all, phishing e-mails frequently come from domains which were registered recently and abandoned shortly afterwards. As for the relevant dates, we have:

  • Updated Date: 2018-03-22T15:47:34Z
  • Creation Date: 2015-04-07T06:47:17Z
  • Registry Expiry Date: 2019-04-07T06:47:17Z

This does not look like a very short-lived domain. However, looking at the other lines of the WHOIS record, as for the registrant, we can probably repeat all the data without the risk of privacy violation:

Domain's registrant

  • Organization: REDACTED FOR PRIVACY
  • State: Tokyo
  • Country: JAPAN
  • Country code: JP

We remark here that regarding the "Technical contact", "Billing contact", and "Administrative contact" data, all the fields are "REDACTED FOR PRIVACY". Of course, due to the "stronger rules" of the new GDPR, WHOIS records are nowadays less and less informative: much of the registrants’ data are hidden for certain privacy reasons. However, if we look at the WHOIS record of the real "airbnb.com", although there aren't as many pieces of information there which traditional WHOIS used to provide, we will still learn the following:

  • Registrant Organization: Airbnb, Inc.
  • Registrant State/Province: CA
  • Registrant Country: US

We do indeed learn to whom the domain belongs. And honestly, is there any good reason to hide the "Registrant Organization" for privacy reasons?

Here all we know about the registrant is the country: Japan. The registrar in question is in fact a known web hosting and service provider, also based in Japan, with many clients, so this part seems legitimate. It is weird though that "Tokyo" is mentioned in the "State" field, whereas the "City" is "REDACTED FOR PRIVACY". Japan does not divide into ‘states’, and Tokyo is certainly not one. In fact, the "State" field is invalid, but let’s suppose it is just an error. But then what are the benefits of a real Airbnb-related enterprise doing business correspondence from Japan, from a top-level domain ".work" which does not even reflect any Japanese character? It is hard to see any good reason.

Hence, there are multiple red flags in the WHOIS record of "airbnb.work" suggesting that any correspondence coming from here or containing a URL from here in the mail body should be treated with care and at least be subjected to further investigations. (Note, however, that we do not state with certainty that "airbnb.work" is a malicious domain. We only remark that its registrant cannot be identified at all from its current WHOIS data, and its registrar and registrant are from a country not directly related to Airbnb. And although it is claimed to be in use for malicious purposes in an incident described on a discovered public web page, someone could well have misused an otherwise honest domain. We leave the estimation of the likelihood of all these to the reader.)
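The red flags discussed above, collected into one check (an added example, not code from the article or from WhoisXML API). The WHOIS text is constructed from the field values quoted above; the "Key: Value" field names, the flag names and the 30-day age threshold are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed WHOIS-style text holding only the field values quoted in the article.
# ASSUMPTION: the "Key: Value" field names; real WHOIS servers vary in naming.
AIRBNB_WORK = """\
Domain Name: airbnb.work
Updated Date: 2018-03-22T15:47:34Z
Creation Date: 2015-04-07T06:47:17Z
Registry Expiry Date: 2019-04-07T06:47:17Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: Tokyo
Registrant Country: JP
Admin Organization: REDACTED FOR PRIVACY
Tech Organization: REDACTED FOR PRIVACY
Billing Organization: REDACTED FOR PRIVACY
"""
AIRBNB_COM = """\
Domain Name: airbnb.com
Registrant Organization: Airbnb, Inc.
Registrant State/Province: CA
Registrant Country: US
"""

# Markers of hidden registrant data that appear in the records shown on this page.
HIDDEN_MARKERS = ("redacted for privacy", "contactprivacy.com", "contact privacy inc.")
CONTACT_PREFIXES = ("admin", "tech", "billing")


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict with lower-cased keys (first value wins)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record


def is_hidden(value):
    """True for an empty field or one carrying a redaction / privacy-proxy marker."""
    v = value.strip().lower()
    return not v or any(marker in v for marker in HIDDEN_MARKERS)


def red_flags(record, reference, brand, seen_on, young_days=30):
    """Compare a suspect record with the brand's own record and list the red flags."""
    flags = []
    domain = record.get("domain name", "").lower()
    if brand in domain and domain != reference.get("domain name", "").lower():
        flags.append("brand-lookalike")
    created = record.get("creation date")
    if created:  # the age check is skipped when the record has no creation date
        born = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if (seen_on - born).days < young_days:
            flags.append("recently-registered")
    if is_hidden(record.get("registrant organization", "")):
        flags.append("registrant-org-hidden")
    country = record.get("registrant country", "").upper()
    if country and country != reference.get("registrant country", "").upper():
        flags.append("country-mismatch")
    contacts = [v for k, v in record.items() if k.startswith(CONTACT_PREFIXES)]
    if contacts and all(is_hidden(v) for v in contacts):
        flags.append("all-contacts-hidden")
    return flags


def triage_airbnb_work():
    """Run the check for the mail dated 18 April 2018 that the article cites."""
    seen = datetime(2018, 4, 18, tzinfo=timezone.utc)
    return red_flags(parse_whois(AIRBNB_WORK), parse_whois(AIRBNB_COM), "airbnb", seen)


if __name__ == "__main__":
    print(triage_airbnb_work())
```

As in the article, the age check stays silent for "airbnb.work"; the flags come from the hidden registrant and the country mismatch, and they are leads for further investigation rather than a verdict.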

So far our investigation was based on a single WHOIS lookup at the time when the e-mail is investigated. When doing this with a lot of e-mails, one will require many WHOIS lookups. So when using the WHOIS protocol itself, most servers will soon refuse to serve us as they have their limitations. This problem can be overcome by using a proper Web-based API, such as https://whoisapi.whoisxmlapi.com, which will provide an accurate and up-to-date answer in JSON or XML and can be simply used from a script, e.g. with "curl".

Even simpler, the sender address "important@mail.airbnb.work" can be checked with our e-mail verification API. For the sake of completeness we show how this can be invoked from a shell, using, e.g. "curl":

curl --get --include \
  "https://emailverification.whoisxmlapi.com/api/v1?apiKey=XXX&emailAddress=important@mail.airbnb.work"

Here you will need an API key provided with your API subscription; please replace "XXX" with your key. (A free subscription is available, so you can try what we are doing here.) This will result in the following JSON:

{
  "audit": {
    "auditCreatedDate": "2018-11-06 14:20:38.000 UTC",
    "auditUpdatedDate": "2018-11-06 14:20:38.000 UTC"
  },
  "catchAllCheck": "null",
  "disposableCheck": "false",
  "dnsCheck": "Invalid hostname",
  "emailAddress": "important@mail.airbnb.work",
  "formatCheck": "true",
  "freeCheck": "false",
  "smtpCheck": "null"
}

So if the mail were to be received right now, the problem would probably not be entirely at the WHOIS level, although the DNS lookup would immediately reveal that there is something wrong with it.

Let us therefore take a quick look at the DNS data of "airbnb.work". This can be easily done either with the command-line utility "dig", or with another API at whoisxmlapi.com, namely, the DNS API. On this page, there is a simple interactive entry for DNS lookup (or one may subscribe to do it from a program or with "curl"). But entering "airbnb.work" will merely give us an error message:

"Unable to retrieve DNS record for airbnb.work". Although the domain exists, it does not have a valid DNS record. This is another fact that makes the domain suspicious. A possible continuation of our investigation to the DNS direction would be the use of "passive DNS", a very important approach in forensic analysis, but we are not going into detail now, as we aim to demonstrate how far we can get with WHOIS. We’ll remark though that by using passive DNS one can find that this domain, while registered on 2015-04-07, was never seen before 2018-05-03. This is yet another red flag: it appears that it was a Newly Observed Domain (NOD) at the time of the flood of GDPR-related emails.

What if an incident has to be investigated not shortly after it happened but later on? WhoisXML API, Inc. offers downloadable WHOIS datasets, including historic ones, too. Using these data could have various benefits. One can build a local WHOIS database and keep it up-to-date so that the filtering does not rely on an external API call. Also, such a database could provide historic data. As we shall see, even without setting up a database, one can download data and find relevant information by just analyzing the files with simple tools.

An investigation based on bulk WHOIS data

We will now search for short-lived domains by using data from WhoisXML API downloadable feeds. Motivated by the previous example, we will choose a set of top-level domains whose names suggest that they may contain short-lived domains related to Airbnb. We are considering the following ones:

apartments, book, booking, business, global, hotels, international, reise, reisen, rent, rentals, trade, travel, travelers, vacations, work.

All of these are the so-called "new top level domains" in the ICANN terminology. The best approach would be to download these data for all domains, including country-code top-level domains (ccTLDs), but since this is just a quick experiment, we’ve made this subjective filtering.

Finding short-lived domains

Here we shall implement simple tools to present a proof-of-principle demonstration of how to find short-lived domains typically used in phishing attacks. Such an investigation is possible even years after the actual incident.

Downloading data

We shall use some daily data feeds, which are documented here in detail. In particular, first we shall need data from the following feeds:

  • ngtlds_domain_names_new : domains registered on a given day
  • ngtlds_domain_names_dropped : domains deleted on a given day

By examining the emergence and disappearance of domain names containing the string "airbnb", we shall be able to identify short-lived domains. We shall investigate the period from 2017-01-01 to 2018-10-30. We need the data in "CSV" format, which in this case will be just a text file with a domain name in each of its lines.

To download data efficiently we shall use a specialized download script available in the GitHub repository, in its "whoisxmlapi_download_whois_data" subdirectory. It requires Python 2 and some modules to be installed; we refer to its documentation for details. Having set up this program, we change into its directory and do

./download_whois_data.py --feed ngtlds_domain_names_new \
  --output-dir /path_to/downloaded_ngtlds_data \
  --username MYUSERNAME --password MYPASSWORD \
  --verbose --startdate 20170101 --enddate 20181030 \
  --tlds apartments,book,booking,business,global,hotels,international,reise,reisen,rent,rentals,trade,travel,travelers,vacations,work \
  --dataformat csv

for the data of new domains each day, and

./download_whois_data.py --feed ngtlds_domain_names_dropped \
  --output-dir /path_to/downloaded_ngtlds_data \
  --username MYUSERNAME --password MYPASSWORD \
  --verbose --startdate 20170101 --enddate 20181030 \
  --tlds apartments,book,booking,business,global,hotels,international,reise,reisen,rent,rentals,trade,travel,travelers,vacations,work \
  --dataformat csv

for the dropped ones. (In the above command lines, please replace "MYUSERNAME" and "MYPASSWORD" with the credentials you have obtained with your subscription, and "/path_to/downloaded_ngtlds_data" with the directory in which you want to work with the data.) Those who prefer GUI mode can start this program without any command-line argument; a sequence of dialog windows will then guide the user through the download process.

The result will be the following directory structure within the target directory we have specified as --output-dir: there will be two subdirectories named after the feeds, i.e., "ngtlds_domain_names_new" and "ngtlds_domain_names_dropped". Within each subdirectory there will be a subdirectory named after the top-level domain; consider "work" as an example. Within the domain's subdirectory, each date will have a subdirectory, and a CSV file and its md5 sum will be there if any domains were changed or dropped that day. Thus, the relevant files will have the path e.g.


for the added and dropped domains respectively.

Analyzing data

Let us consider all domains as short-lived which were added and also dropped in the examined period, i.e., between 2017-01-01 and 2018-10-30. Thus we are looking for all the domains which are there in both the "dropped" and "added" lists for a given TLD on some day. This can be found out using the following BASH code:

for tld in apartments book booking business global hotels international reise reisen rent rentals trade travel travelers vacations work
do
  echo "In TLD ${tld}:"
  # Names that appear in both the "new" and the "dropped" feed of this TLD
  comm -12 \
    <( (for i in ngtlds_domain_names_new/$tld/*/*.csv; do grep airbnb "$i"; done) | sort ) \
    <( (for i in ngtlds_domain_names_dropped/$tld/*/*.csv; do grep airbnb "$i"; done) | sort )
done

The following output is produced:

In TLD apartments:
airbnbmanager
airbnbmanager
In TLD book:
In TLD booking:
In TLD business:
In TLD global:
In TLD hotels:
In TLD international:
airbnb-rooms19982
booking-on-airbnb
In TLD reise:
In TLD reisen:
In TLD rent:
In TLD rentals:
airbnb-book
airbnb-booking
suisse-airbnb
In TLD trade:
airbnb-bookings
airbnb-tenant
In TLD travel:
In TLD travelers:
In TLD vacations:
airbnb-disneyworld
airbnb-guest
In TLD work:

Note that not all the examined top-level domains contain short-lived domains (in the sense defined above). However, we have found some short-lived ones which could indeed be suspicious.

Let us now choose one of them, e.g. "airbnb-rooms19982.international", and take a closer look at it. First we find out when it was registered:

grep -H airbnb-rooms19982 ngtlds_domain_names_new/international/*/*.csv

resulting in


so the domain was registered on 2018-05-17. However, doing

grep -H airbnb-rooms19982 ngtlds_domain_names_dropped/international/*/*.csv

we have the output


meaning that it was dropped on 2018-06-15, about one month later. Well, it is at least suspicious...
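The same pairing of the "new" and "dropped" feeds, extended to compute each domain's lifetime in days (an added example, not code from the article or from WhoisXML API). It assumes date subdirectories named YYYY-MM-DD, feed lines that hold the name without the TLD as in the output above, and a 90-day threshold chosen for illustration; apart from airbnb-rooms19982, the sample names and dates are constructed.

```python
import tempfile
from datetime import date
from pathlib import Path

# Constructed sample mirroring the layout the grep commands rely on:
# <feed>/<tld>/<date>/<file>.csv with one domain name per line.
# ASSUMPTION: date directories are named YYYY-MM-DD.
SAMPLE = {
    "ngtlds_domain_names_new": [
        ("international", "2018-05-17", ["airbnb-rooms19982", "seaside-constructed"]),
        ("rentals", "2017-11-02", ["airbnb-constructed-a"]),
        ("apartments", "2017-02-01", ["airbnb-constructed-b"]),
        ("apartments", "2017-06-01", ["airbnb-constructed-b"]),  # registered again
        ("travel", "2017-01-10", ["airbnb-constructed-c"]),      # long-lived
        ("work", "2017-03-01", ["airbnb-constructed-d"]),        # never dropped
    ],
    "ngtlds_domain_names_dropped": [
        ("international", "2018-06-15", ["airbnb-rooms19982", "seaside-constructed"]),
        ("rentals", "2017-11-12", ["airbnb-constructed-a"]),
        ("apartments", "2017-03-03", ["airbnb-constructed-b"]),
        ("apartments", "2018-09-01", ["airbnb-constructed-b"]),
        ("travel", "2018-10-01", ["airbnb-constructed-c"]),
        ("work", "2017-02-01", ["airbnb-constructed-e"]),        # registered before the window
    ],
}


def write_sample(root):
    """Create the constructed feed tree under root."""
    for feed, entries in SAMPLE.items():
        for tld, day, names in entries:
            folder = root / feed / tld / day
            folder.mkdir(parents=True, exist_ok=True)
            (folder / f"{day}.csv").write_text("\n".join(names) + "\n")


def read_feed(root, feed, keyword):
    """Map (name, tld) to the dates on which the name is listed in the feed."""
    seen = {}
    for path in sorted((root / feed).glob("*/*/*.csv")):
        tld, day = path.parts[-3], path.parts[-2]
        try:
            when = date.fromisoformat(day)
        except ValueError:
            continue  # directory name is not a date, skip it
        with path.open(encoding="utf-8", errors="replace") as handle:
            for line in handle:
                name = line.strip().strip('"').lower()
                if keyword in name:
                    seen.setdefault((name, tld), []).append(when)
    return seen


def short_lived(root, keyword="airbnb", max_days=90):
    """Pair every registration with the first later drop; keep lifetimes <= max_days."""
    new = read_feed(root, "ngtlds_domain_names_new", keyword)
    dropped = read_feed(root, "ngtlds_domain_names_dropped", keyword)
    hits = []
    for key in new.keys() & dropped.keys():
        for registered in new[key]:
            later = [d for d in dropped[key] if d >= registered]
            if not later:
                continue  # still registered at the end of the window
            life = (min(later) - registered).days
            if life <= max_days:
                hits.append((f"{key[0]}.{key[1]}", registered, min(later), life))
    return sorted(hits, key=lambda hit: (hit[3], hit[0]))


def demo(max_days=90):
    """Build the sample tree in a temporary directory and analyze it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample(root)
        return short_lived(root, "airbnb", max_days)


if __name__ == "__main__":
    for domain, registered, dropped_on, life in demo():
        print(f"{domain}: {registered} -> {dropped_on} ({life} days)")
```

Unlike the plain set intersection, this handles a name that is registered and dropped more than once, as "airbnbmanager" in the output above suggests can happen.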

Finally, let us see the detailed WHOIS data of the domain "airbnb-rooms19982.international". A standard WHOIS query will not find it, as the domain has ceased to exist. However, as it was registered on 2018-05-17, all we need to do is get the data from the "ngtlds_domain_names_whois_archive" daily feed, as at the time of investigating this case the registration happened more than 3 months ago.

(Were this not the case, we would use the feed "ngtlds_domain_names_whois".) So, returning to the downloader script's directory, we do the following:

./download_whois_data.py --feed ngtlds_domain_names_whois_archive \
  --output-dir /path_to/downloaded_ngtlds_data \
  --username MYUSERNAME --password MYPASSWORD \
  --verbose --startdate 20180517 \
  --tlds international \
  --dataformat regular_csv

The result will be the file


in our data directory. Thus we can look for our domain:

zgrep airbnb-rooms19982 \
  ngtlds_domain_names_whois_archive/2018_05_17_international.csv.gz

resulting in the following output:

"airbnb-rooms19982.international","Tucows Domains Inc.","airbnbrooms19982.international@contactprivacy.com","whois.tucows.com","ns1.renewyourna me.net|ns2.renewyourname.net|","2016-05-12T01:59:59Z","2018-05-16T03:22:02Z","2019-05-12T01:59:59Z","2016-05-1200:00:00 UTC","2018-05-16 00:00:00 UTC","2019-05-1200:00:00 UTC","clientTransferProhibited","2018-05-17 07:00:00UTC","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CANADA","","","14165385457","","airbnbrooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CANADA","","","14165385457","","","","","","","","","","","","","","","","","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CA

Granted, there is a nicer way to present this result (e.g. you may unzip the csv file and open it with some spreadsheet application). However, there is no real need to do so: essentially all registrant data are obscured and this fact could be very easily found out in an automated way, too.

Hence, if one asks whether the domain used to be a malicious domain related to the phishing campaign against Airbnb, though we cannot state it with absolute certainty, it is extremely likely to have been so.

Lessons to learn

To conclude, WHOIS data are indeed very useful in the fight against e-mail phishing and similar malicious activities. WHOIS data and DNS data can be an important part of any anti-phishing security solution. What we have presented here was a hindsight investigation, but as the data in the daily feeds are always fresh and accurate, it is easy to turn this into an actual mail filtering procedure. A very significant limitation of the presented example is that we did not check the e-mail contents and considered only the sender address. In most phishing e-mails there are web links in the e-mail body, and the header of the e-mail also contains technical information on servers whose registration details are of significant relevance. Nevertheless, what we did here gives a hint on how to perform such an analysis. We have used very simple generic tools to present feasible clues, but since CSV formats can be opened or imported with virtually any kind of software for data processing, there is a broad range of possible analyses based on the WHOIS data available in WhoisXML API's Whois database download subscription. Anti-phishing security solution vendors can embed the WHOIS database feed to enhance their products' capabilities.



What you should know about WHOIS and Security https://main.whoisxmlapi.com/what-you-should-know-about-whois-and-security Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/what-you-should-know-about-whois-and-security


If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records.

WHOIS is important to organizations that seek to secure against threats across their digital landscape because, aside from inaccurate records, there are many potential threats. These include:

  • Spam
  • Malware
  • Botnet sources
  • Advanced Persistent Threats
  • Malicious traffic
  • Ransomware
  • Insider threats
  • State-sponsored threat actors

What is WHOIS?

WHOIS information, maintenance, and collection operations are dictated by regulations set forth by The Internet Corporation for Assigned Names and Numbers (ICANN). This Internet record listing identifies the owners and operators of a domain as well as indicating how to get in contact with them.

Collectively, this base of information provides integrity for domain registrations and a path for resolution for when issues might arise.

There are two channels of information in WHOIS information, known as thin and thick.

THIN: the first level of information that can be accessed. Registrar information, registration dates, and nameservers are found at this level.

THICK: Deeper ownership information includes names, addresses, and contact information for administrative, technical, and registrant parties (often the same as that of the registrant).

Look inside a WHOIS record

In any industry, standards have a way of updating and the forces behind WHOIS are just as susceptible to standard and implementation changes over time. For the most part however, these records are designed to include all contact and registration information for the parties that register a domain name, specific to the company, group and person in charge of various operational web elements.

Each WHOIS record should contain the following information:

  • The date of domain registration
  • The domain expiration date
  • Nameserver details
  • Name and contact information of the Registrant (domain owner)
  • The name and contact information of the organization or commercial entity that registered the domain name
  • Most recent update information

Uses for WHOIS information

WHOIS has a number of important uses which include:

  • Is a domain available?
  • Alert technical contacts to security and site issues
  • Disclose contact, address information behind a given site
  • Emergency/Outage contact information
  • Provide information for domain-related transactions
  • Uncover responsible parties behind intellectual property scenarios
  • Channel for security and incident response contacts
  • Overall historical and background information behind traffic and domain sources

WHOIS, from the field

Legitimate, fully populated and compliant records are exceedingly rare, especially when the volume of records collectively scale. This makes tracking down information a challenge. In addition to the millions of domains in existence, there are countless registrars with varying implemented and enforced registration standards. Servers that run the WHOIS service are also vast in numbers. Like many systems born from the early days of the internet, the WHOIS system wasn’t built to scale into the future. And if it can be inefficient, then it can be exploited.

Despite its imperfect nature, the WHOIS system and the information contained within are still critical to the industry as WHOIS reinforces the security and stability of the internet, largely as a channel for Internet Service Providers, network administrators, and security personnel to research and contact information that is domain-related. WHOIS also provides structure to the domain registration process as well as proving itself as a channel for investigative activities and law enforcement.

On a global scale, WHOIS information assists in campaigns against technology abuses, uncovering botnet networks, nefarious actors, suspicious traffic sources, intellectual property infringements and more with the ability to track information behind domain activities.

WHOIS issues

One big issue with the system is the maintenance and updating of data. The process is reliant on the original population of data that occurs when a domain is first registered. When things change, it is up to the registrant to change this information. As phone numbers, email information, addresses, and other information change, WHOIS data may become stale. The Internet Corporation for Assigned Names and Numbers, also known as ICANN, requests yearly routine updates of this information but it is not stringently enforced.

Another issue is the existence of private domain registration. Because WHOIS information is public, registrars began early in the days of domain registration to offer privacy services, registering domains “by proxy” on their customers’ behalf.

The Future of WHOIS

Next Generation: Registration Data Access Protocol (RDAP)

All things must change, which is the way of technology and the internet. Seeking improvement in the integrity of domain records, the RDAP standard was developed as a successor to the WHOIS protocol and it is currently making its way through the adoption curve. The objective was to create a standard for nimble, portable, and accurate data without the legacy issues of WHOIS. The emerging format features a standard, machine-readable JSON format and a foundation built on RESTful web services. This system is HTTP-compatible, so that error codes, user identification, authentication, and access control can be delivered through the universal HTTP web protocol.

RDAP-compliant records are registered through validated hosts and the features of RDAP services include:

  • Standardized queries and responses
  • Data object language capabilities that extend beyond English
  • Redirection capabilities that allow seamless referrals to other registries
  • Network address registrations for IPv4 and IPv6

RDAP specifications

  • RFC 7480 – HTTP Usage in the Registration Data Access Protocol (RDAP)
  • RFC 7481 – Security Services for the Registration Data Access Protocol (RDAP)
  • RFC 7482 – Registration Data Access Protocol (RDAP) Query Format
  • RFC 7483 – JSON Responses for the Registration Data Access Protocol (RDAP)
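
As an added illustration (not code from the original article or from WhoisXML API), the sketch below builds an RFC 7482 domain lookup URL and reduces an RFC 7483 JSON response, or an RDAP error body, to the fields an analyst usually wants. The sample response, the `rdap.example.test` base URL and the function names are constructed for this example.

```python
import json
from urllib.parse import quote

# Constructed RDAP domain response in the RFC 7483 shape; not real registry data.
SAMPLE_RDAP = json.loads("""
{"objectClassName": "domain", "ldhName": "EXAMPLE.TEST",
 "status": ["client transfer prohibited"],
 "events": [{"eventAction": "registration", "eventDate": "2015-03-01T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
 "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE.TEST"},
                 {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE.TEST"}],
 "entities": [
  {"objectClassName": "entity", "roles": ["registrar"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "Example Registrar LLC"]]]},
  {"objectClassName": "entity", "roles": ["registrant"],
   "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                            ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}]}
""")

def rdap_domain_url(base, domain):
    """RFC 7482 domain lookup path: <base>/domain/<name> (base is hypothetical)."""
    return base.rstrip("/") + "/domain/" + quote(domain.lower().rstrip("."))

def vcard_field(entity, name):
    """Return the value of a jCard property such as 'fn', or None if absent."""
    for prop in entity.get("vcardArray", [None, []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def summarize(resp):
    """Flatten an RDAP domain object; pass error bodies through unchanged."""
    if "errorCode" in resp:  # RFC 7483 error body mirrors the HTTP status code
        return {"error": resp["errorCode"], "title": resp.get("title")}
    events = {e["eventAction"]: e["eventDate"] for e in resp.get("events", [])}
    roles = {}
    for ent in resp.get("entities", []):
        for role in ent.get("roles", []):
            roles[role] = vcard_field(ent, "fn")
    return {
        "domain": resp.get("ldhName", "").lower(),
        "status": resp.get("status", []),
        "registered": events.get("registration"),
        "expires": events.get("expiration"),
        "nameservers": sorted(n["ldhName"].lower() for n in resp.get("nameservers", [])),
        "registrar": roles.get("registrar"),
        "registrant": roles.get("registrant"),
    }

if __name__ == "__main__":
    print(rdap_domain_url("https://rdap.example.test/", "Example.TEST."))
    print(summarize(SAMPLE_RDAP))
```

Because the response is typed JSON rather than free text, the same function works across registries, and a redacted registrant shows up as an ordinary field value instead of a parsing failure.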


The General Data Protection Regulation (GDPR) became effective in early 2018 and although there haven’t been a lot of significant fines or legal cases to emerge just yet, news stories indicate that a wave is coming. This sweeping reformation of privacy laws affects European Union countries as well as any company that might retain the private information of any European individual. These regulations dictate not only the protection of data, but the retention, collection, and distribution of personal information.

The WHOIS system is at odds with GDPR, because it is public, because it has specific information, and because it retains that information for extended periods of time. The fate of WHOIS in light of GDPR is unclear. In the aftermath of GDPR, some registrars have declined to comply with ICANN WHOIS information requirements, to avoid potential GDPR fines.

Security and WHOIS

The WHOIS system is a critical research and security component. It provides valuable background information that helps affirm proper network connectivity and domain source information, and contributes to critical security and service continuity.

Cybersecurity professionals use WHOIS information to quickly assess and eliminate cyberthreats every day. To limit access to this information because of GDPR and other forthcoming privacy mandates would be to hamper this resource. Even with all of its flaws and a significant data accuracy challenge, WHOIS continues to prove to be a valuable forensic tool. Due to human nature and ease of registrations, researchers can quickly cross-compare domain registration information that can be associated with foreign nationals, cybercriminal groups, and other nefarious actors.

In some cases, researchers could correlate networks belonging to bad actors through inter-related domain registrations, common IP information, and other telling information that is gathered through the WHOIS system. Some of the largest organizations today rely heavily on domain registration data to add to their organizational security intelligence, to protect networks and applications, and to secure data where it is expected to be protected.

Email spam, malware, ransomware, virus distribution, insider threats, data leaks, advanced persistent threats, payloaded software, and many other types of threats can often be traced back to domain-sourced certificates and registrations. Therefore, protecting information proactively by using public information is the ultimate value of WHOIS to a security-minded organization.

The future of WHOIS information and security lies in maintaining an active, open environment and open database via which intelligence can be freely gathered and referenced. Every day, thousands of incidents can be, and are, prevented through proactive investigative discoveries made with this valuable system.



Open WHOIS advocates push for U.S. legislation to counter GDPR https://main.whoisxmlapi.com/open-whois-advocates-push-for-usa-legislation-to-counter-gdpr Fri, 08 Feb 2019 13:51:14 +0000 admin

The domain information lookup service WHOIS publishes data about the owners of websites around the world. WHOIS also contains personal information of European Union (EU) citizens. Further, the database maintains location and infrastructure information of cybercriminals who set up websites with malicious intent.


So far, cybersecurity professionals and law enforcement have had unfettered access to the public information of European Union (EU) citizens. They have been using the registry to investigate and blacklist cybercriminal operations. Occasionally, this information helps government authorities with investigations that lead to arrests. Investigations that used WHOIS information among other sources have resulted in charges against money launderers, hackers, and child pornographers, for instance.

WHOIS collects personal contact information from domain registration companies. The Internet Corporation for Assigned Names and Numbers (ICANN) controls the WHOIS database. ICANN is facing an existential threat from the EU’s General Data Protection Regulation (GDPR) because its business model depends on the collection and publication of identifying information. The data sets include contact information of EU-based hackers known to have established malicious sites...

This white paper highlights

  • Why Does GDPR Exist?
  • What are the Pros and Cons?
  • What WHOIS Data Does GDPR Affect?
  • Hackers Shun the Public Record
  • How to Catch the Bad Guys
  • Anonymity Rules
  • Opportunities Await



Cyber Security Investigation and Analysis https://main.whoisxmlapi.com/cyber-security-investigation-and-analysis Fri, 08 Feb 2019 13:51:14 +0000 admin

The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity and countless (and frequently anonymous) points of entry, the web has given rise to a new breed of outlaw – cybercriminals who prey on the wealth of valuable information available online.


The New Crime of the Digital Age

Lloyd’s Insurance estimates businesses’ global losses from cybercrimes in 2015 were $400B, while some vendors believe losses totaled $500B. Only estimates are available, because many thefts go unreported as security breaches can damage an organization’s reputation.

Unfortunately, there is no end in sight. Losses roughly quadrupled from 2013 to 2015 and Juniper Research recently forecasted that in 2019 global losses will reach a staggering 2.1 trillion dollars.

In addition to the enormous financial losses, these online crimes have also ruined reputations of companies and rendered victims vulnerable, as the perpetrators now have access to critical data that may be used against them.

With advances in digital technology, online criminals have grown even more aggressive and creative in their ways, despite efforts to strengthen and tighten online security. The crackdown on these online crimes remains a constant challenge for many law enforcement agencies and private IT security professionals...

This white paper highlights

  • The New Crime of the Digital Age
  • Types of Cybercrimes
  • The Security Strategy
  • Cracking cybercrimes
  • The Whois API Solution
  • Hosted Whois Webservice
  • Whois Database Download
  • Reverse Whois
  • Taking the Next Steps



GDPR’s Chilling Effect on Cybersecurity https://main.whoisxmlapi.com/gdpr-is-chilling-effect-on-cybersecurity Fri, 08 Feb 2019 13:51:14 +0000 admin

The European Union (EU) may unintentionally be giving cyber criminals a helping hand. The EU’s well-intentioned efforts to promote data privacy through its newly launched General Data Protection Regulation (GDPR) have also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to achieve a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers.


What Is GDPR?

The EU’s GDPR mandate requires its National Data Protection Authorities ("DPAs") to enforce how organizations handle the personal data of EU citizens. The law came into force on May 25, 2018. Companies and institutions incorporated in EU countries will be responsible for the proper protection of personal data they collect and maintain. Most companies will also have to modify how they deal with customers with respect to that data, and what they do in the event of a data breach...

This white paper highlights

  • What Is GDPR?
  • GDPR Throws Cybersecurity into Disarray
  • If ICANN, Hackers Can Too
  • GDPR Carries A Big Stick
  • WHOIS May Become a Dispensable Tool for Infosec
  • ICANN Explores Alternatives
  • Planning for a Future without WHOIS
