Proper WHOIS Use

I’m fairly confident that most of you reading this post are familiar with what WHOIS is, but just in case you are not, it is defined on Wikipedia as follows: “WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. The WHOIS protocol is documented in RFC 3912.”

Basically, WHOIS is used to do a couple of things. Its main function is to connect a domain name to its real-world identity, business location, and contact information. This connection then allows the domain admin to be contacted for technical matters and the domain owner to be contacted about a possible sale of that namespace. This same information is also used by law enforcement to attempt to locate spammers and other criminals committing fraudulent acts.

Supplying WHOIS information for a domain is not optional; it is a requirement. This information also needs to be true and verifiable. Because of these facts, querying the WHOIS information of a domain is one of the first tasks an attacker performs when doing recon on a target. When doing so, the attacker is looking for any PII (personally identifiable information) that might aid a spear-phishing campaign, such as key employee names and email accounts (CEO/owner, IT administrator, etc.), personal addresses and phone numbers. Not only can this information be used to improve the attacker's phishing/social engineering efforts, it can also be used to search the hundreds of known data breaches for possible password reuse.

Sure, most TLDs (top-level domains) allow the use of WHOIS Privacy to mask your real information, but not all (see https://www.name.com/support/articles/205188698-TLDs-that-do-not-support-Whois-Privacy). Plus, if you are a business you probably do not want to make your WHOIS information private, as it associates your online presence with your physical one. That being said, there are some things you can do to safeguard information that could be used to aid the attacker.

One of the simplest and most effective steps is to provide generic (but valid) information. For example, if you were to perform a WHOIS lookup on google.com you would see that they used their main physical address, their publicly advertised phone number and a generic name and email address.

On top of being generic, this information should be used solely on the domain WHOIS. Reusing the same information for other resources such as software registration or web accounts (GitHub, LinkedIn, Adobe, etc.) is almost as bad as using personal information, as it increases the chances of account/password reuse being used against you. This doesn't mean that you need a separate email account for every single resource, but you should at least use aliases and your company's publicly listed phone numbers.
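The two recommendations above (generic but valid contact details, and role aliases rather than personal mailboxes) can be checked mechanically against your own domain's record. The following is an added example, not code from the original post: it includes a minimal RFC 3912 client (the query is the domain name followed by CRLF over TCP port 43, and the server's reply is read until it closes the connection), a `Key: value` parser for the response, and an audit that flags registrant, admin and tech contacts that name an individual or use a personal free-mail address. The free-mail provider list, the role-alias list and the organisational cue words are assumptions chosen for the demo, and both WHOIS records at the bottom are constructed samples, not real lookups.

```python
"""Audit a domain's WHOIS contacts for details that give a phisher a head start.

Added example, not from the original post.  The WHOIS records at the bottom
are constructed samples laid out like a typical registrar response; the
provider and alias lists are assumptions for the demo, not a standard.
"""
import re
import socket

# Consumer mail providers: a contact here is usually a person's private
# mailbox rather than a role alias at the organisation (assumed list).
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}

# Local parts that read as a role rather than a person (assumed list).
ROLE_ALIASES = {"admin", "administrator", "dns-admin", "dnsadmin", "domain-admin",
                "domains", "hostmaster", "webmaster", "postmaster", "noc"}

# Words that mark a contact name as organisational or generic (assumed list).
ORG_CUES = {"admin", "administrator", "inc", "llc", "ltd", "corp", "domain",
            "hostmaster", "privacy", "proxy", "redacted"}

CONTACT_ROLES = ("Registrant", "Admin", "Tech")


def whois_query(domain, server, port=43, timeout=10):
    """Raw RFC 3912 exchange: send '<domain>\\r\\n' over TCP/43 and read the
    reply until the server closes the connection.  Needs network access, so
    the offline demo below does not call it."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; a repeated key keeps its first value."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, terms-of-use text and the 'last update' trailer
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip(), value.strip())
    return record


def looks_like_person(name):
    """Heuristic: two or more capitalised words with no organisational cue word."""
    words = re.findall(r"[a-z]+", name.lower())
    if set(words) & ORG_CUES:
        return False
    parts = name.split()
    return len(parts) >= 2 and all(p[:1].isupper() for p in parts)


def audit_whois(text):
    """Return a list of findings describing contact data an attacker could use."""
    record = parse_whois(text)
    findings = []
    for role in CONTACT_ROLES:
        name = record.get(f"{role} Name", "")
        email = record.get(f"{role} Email", "")
        if looks_like_person(name):
            findings.append(f"{role} Name '{name}' identifies an individual")
        if "@" in email:
            local, _, host = email.lower().rpartition("@")
            if host in FREE_MAIL:
                findings.append(f"{role} Email '{email}' is a personal free-mail address")
            elif local not in ROLE_ALIASES:
                findings.append(f"{role} Email '{email}' is not a role alias")
    if not record.get("Registrant Phone"):
        findings.append("Registrant Phone is missing (the record must stay valid)")
    return findings


# Constructed sample: personal contacts exposed on the domain record.
BAD_RECORD = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Widgets Ltd
Registrant Street: 12 Home Lane
Registrant Phone: +1.5555550100
Registrant Email: jane.doe@gmail.com
Admin Name: Jane Doe
Admin Email: jane.doe@gmail.com
Tech Name: Bob Example
Tech Email: bob@example.com
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

# Constructed sample: generic but valid contacts, role aliases at the company.
GOOD_RECORD = """\
Domain Name: EXAMPLE.COM
Registrant Name: Domain Administrator
Registrant Organization: Example Widgets Ltd
Registrant Street: 100 Corporate Plaza
Registrant Phone: +1.5555550199
Registrant Email: dns-admin@example.com
Admin Name: Domain Administrator
Admin Email: dns-admin@example.com
Tech Name: Domain Administrator
Tech Email: hostmaster@example.com
"""

if __name__ == "__main__":
    for label, rec in (("bad", BAD_RECORD), ("good", GOOD_RECORD)):
        print(f"{label}: {len(audit_whois(rec))} finding(s)")
        for f in audit_whois(rec):
            print("  -", f)
```

Run against a live record, `audit_whois(whois_query("example.com", "whois.verisign-grs.com"))` would apply the same checks to the registry's response; the constructed "bad" record yields six findings (three individual names, two free-mail addresses and one non-role mailbox at the company), the "good" one yields none.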

Before you go ahead and make everything generic, you will need to check that you are still complying with the regulations of your TLD. For example, with google.com both the names and email addresses can be completely generic; however, google.ca (the .ca TLD) requires more specific information.

For more information about the rules and regulations around TLDs, go to https://whois.icann.org/en.