Whois API Blog (http://www.nahnuh.com/blog), feed generated Mon, 22 Jul 2019 09:48:21 +0000

Keep Up with the World Wide Web’s Massive Growth by Using Internet Statistics Reports
http://www.nahnuh.com/blog/keep-up-with-the-world-wide-webs-massive-growth-by-using-internet-statistics-reports/
Mon, 22 Jul 2019 09:48:21 +0000, by admin

The Internet has grown explosively in the past few years, with around 380 new websites created every second. Nobody can keep up with that manually, even when their job calls for it. But anyone who needs to keep tabs on the competition, look for new sales and marketing opportunities, track specific domains, or safeguard their digital assets can do so with Internet Statistics Reports.


What Is Behind Internet Statistics Reports?


Internet Statistics Reports is backed by an extensive database of billions of WHOIS records that covers thousands of TLDs and tracks hundreds of millions of domain names.


  • 582+ million domain names
  • 6+ billion WHOIS records
  • 1.2+ billion domains and subdomains


Our huge collection of WHOIS records lets us gather information not only on the commonly used generic TLDs (gTLDs), but also on country-code TLDs (ccTLDs), the less common internationalized TLDs, and newly launched TLDs.


  • 7 gTLDs: 178,123,569 domains
  • 322 ccTLDs: 127,067,383 domains
  • 1,243 new TLDs: 41,684,542 domains
  • Internationalized TLDs, for example 在線 (online), संगठन (organization), セール (sale), コム (dot com), vermögensberater (financial advisor), and many more


For comprehensive lists of the gTLDs and ccTLDs in our database, visit the following pages: supported gTLDs and supported ccTLDs.


What Kinds of TLD Information Do You Get from Internet Statistics Reports?


Internet Statistics Reports can provide you with:


  • A list of all changes a specific domain name undergoes (registration, modifications, and expiration), updated daily;
  • All domains a registrar manages, allowing you to compare market shares;
  • All domains registered to a specific location (country, region, or city), indicating the size of a given user base;
  • The number of active domain names worldwide or in specific locales, allowing you to gauge the size of the Internet;
  • Top N domain registrants or owners.


Note that this list is in no way exhaustive, and you can do so much more with Internet Statistics Reports.


Who Can Benefit from Internet Statistics Reports?


With Internet Statistics Reports, you can get customized TLD reports using various domain name, WHOIS, and DNS categories to cater to your specific business requirements, such as:


  • Expanding your market coverage: The Internet’s explosive growth has given birth to thousands of TLDs so that companies can get domain names that fit their brand, products, or services to a tee. Don’t get left behind; venture into unexplored TLD territories.
  • Strengthening your cybersecurity defenses: The latest stats show that a cyber attack occurs every 39 seconds. Get a list of the top attacked domains and learn from their mistakes.
  • Getting the domain name that works best for your brand: If your competitors have already taken the domain you want, look for other top-ranking TLDs where that name may still be available.
  • Directing your employees along the right path: When creating strategies, data speaks volumes. Get automatically generated charts and tables, based on relevant and accurate data sets, to ground your sales and marketing strategies.
  • Getting the most out of your virtual real estate: Identify which of your domains perform best and what makes them stand out, then apply those lessons across all your websites and pages.
  • Keeping tabs on the competition: Connectivity has blurred the lines in business; any company can now deliver anywhere in the world. Keep your list of competitors up to date so you know who and what you’re up against.
  • Staying away from entities with skeletons in their closets: Your brand defines who you are. Don’t do business with registrars that have a history of malicious dealings on the Internet (reported spam, phishing, and malware distribution).
  • Tracing the origin of a threat: If you have suffered or are currently suffering a cyber attack, find out where the threat is coming from so you can block it at the source.
  • Keeping an eye out for emerging phenomena: Spot emerging social, economic, or technological trends in the market and turn them into insightful reports for your sales and marketing clients.



Whatever online business you’re running, complacency is a no-no. The only way to stay ahead of the curve, rather than being left behind by competitors, falling into waiting cybercriminal traps, or going unnoticed in the ever-growing Internet space, is to keep tabs on every digital phenomenon.


With Internet Statistics Reports you can find out who’s who on the Web so you can emulate them, get to know your market and competitors to improve the way you do business, and track down potential threat sources so you don’t stray into their paths. Keeping up with the growing market is the only way to secure your business’s success.


Would you like to learn more about the capacities of this product? Drop us a line at support@whoisxmlapi.com.

Screenshot API: Paving The Way For A Visual Web
http://www.nahnuh.com/blog/screenshot-api-paving-the-way-for-a-visual-web/
Fri, 19 Jul 2019 16:07:38 +0000, by admin

The rapid digitization of human interactions has opened up vistas of opportunity that were previously unheard of. Whether we consider business or social interactions, the extreme connectivity that is afforded by the web helps us to access information and communicate at the speed of thought. Naturally, with such a complex system of exchanges, the need to provide proper user engagement has also become paramount.

We humans are naturally visual creatures. With a highly developed visual cortex, our minds are equipped to process visual information much better than any other form of communication. For this very reason, we prefer to interact through visual modes more than any other medium. This has led to a rise in the use of visual content on the internet.

In this pro-visual scenario, website screenshots have emerged as one of the prime currencies of communication. Whether they are used in how-to tutorials, web design or even cyber security, the ubiquitous screenshot has propelled itself to occupy a prime position in the online ecosystem. Screenshots are even finding more and more usage in business processes.

Screenshot API from Whois API, Inc. is a comprehensive product that makes taking screenshots and integrating them into your business processes a seamless experience, with improved utility and robust integration.


The Many Uses of Screenshots

Well formatted screenshots of a webpage can have different uses. Ranging from simple presentations to legal documentation, an effective screenshot tool can help in any of the following ways, and more.


As A Protection Against Cyber-Crime

With the spread of online communication, cybercrime has risen too. The Screenshot API can help by providing a quick and reliable way to take high-quality snapshots of offending online activity for use as evidence against the perpetrators, in cases ranging from cyber-fraud to copyright violations. Keep in mind that an image on its own is easy to dispute: record the URL, the capture time and a cryptographic hash of the file alongside each screenshot so it can be tied to what was actually captured.


Competitor Analysis

Website Screenshot API can provide an invaluable source of intelligence on your competitors by enabling you to take real-time screenshots of your competitors’ websites. The insights provided by this visual data can help decision makers steer your business in the right direction, thus giving you an advantage over other players in your niche.


UX and UI Design

User Interface (UI) and User Experience (UX) designers can use the Screenshot API to automate the process of testing websites on different devices and different screen sizes. This enables them to create responsive websites that dynamically adjust themselves on multiple devices, irrespective of the varied screen sizes and resolutions.


Digital Marketing

Proper digital marketing is crucial to the success of any business. Digital marketers use website screenshots to send data to their clients in an easily digestible format, enabling greater insight and timely decisions. SEO professionals use the Screenshot API to capture linking sites, with the embedded links preserved, as proof of a genuine back-linking and ranking process that they can share with their clients.


What Makes Screenshot API Stand Out?

The following are only some of the features and benefits that make Screenshot API a must have product for any business.

  • Full Website Screenshot: Using the Screenshot API, you can get a full-page (scrollable) screenshot that captures the details of the target website.


  • Minimum Required Inputs: The Screenshot API gives you maximum results with the bare minimum of inputs. Just supply your API key and the target URL to get a screenshot directly.


  • Adjustable Capture Timing: With Screenshot API, users can capture immediately or specify a delay before the screenshot is taken. Acceptable delays range from zero to 10,000 milliseconds.


  • Customized Image Type With Embedded Links: Screenshots can be delivered in different formats, including PDF, JPG or PNG, with the links present in the page embedded.


  • Multiple Formatting Options: Our Screenshot API lets you format the output image across a wide range of parameters. Customize the image’s width, height and quality to get exactly the output you need for integration into your business processes.


  • Multiple Display Emulation: The Screenshot API lets users take screenshots corresponding to multiple screen sizes and display resolutions. Choose from Retina Display, Landscape, Desktop, Tablet or Mobile emulation.


  • Chrome Support: The Screenshot API renders pages with a Google Chrome rendering engine that supports CSS3, JavaScript and web fonts, so the screenshots match what a browser would display.


  • Custom User Agents: Our Screenshot API lets you specify custom user agents so you can emulate different clients when taking screenshots.
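The features above describe a simple parameterised HTTP service. The following Python helper is an added example written for this page, not the Screenshot API’s own client code: the endpoint is the one the page links to, but the query-parameter names (apiKey, url, imageOutputFormat, delay, width, height, quality, mode, userAgent) are assumptions chosen for illustration. What it demonstrates is enforcing the page’s stated limits (delay 0 to 10,000 ms, PDF/JPG/PNG output, the listed emulation modes) before a request leaves your system, and then hashing and time-stamping the returned image so a screenshot taken as evidence can later be tied to what was captured.

```python
"""Input validation and evidence hashing around a screenshot-service request.
Added example for this page; NOT the Screenshot API's own client. The
query-parameter names below are ASSUMPTIONS for illustration; the endpoint,
output formats, emulation modes and delay range are the ones the page states."""
import hashlib
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ENDPOINT = "https://website-screenshot-api.whoisxmlapi.com/"    # from the page
FORMATS = {"pdf", "jpg", "png"}                                  # from the page
MODES = {"desktop", "tablet", "mobile", "landscape", "retina"}   # emulations named on the page
MAX_DELAY_MS = 10_000                                            # from the page: 0..10,000 ms


def build_request(api_key, target, *, fmt="png", delay_ms=0, width=None,
                  height=None, quality=None, mode="desktop", user_agent=None):
    """Return the request URL, rejecting anything outside the documented ranges
    before it reaches the network. Parameter names are assumed, not documented."""
    if urlsplit(target).scheme not in ("http", "https"):
        raise ValueError("target must be an http(s) URL")
    if fmt not in FORMATS:
        raise ValueError(f"unsupported output format {fmt!r}")
    if not 0 <= int(delay_ms) <= MAX_DELAY_MS:
        raise ValueError("delay must be between 0 and 10000 ms")
    if mode not in MODES:
        raise ValueError(f"unknown emulation mode {mode!r}")
    params = {"apiKey": api_key, "url": target, "imageOutputFormat": fmt,
              "delay": int(delay_ms), "mode": mode}
    for name, value in (("width", width), ("height", height), ("quality", quality)):
        if value is not None:
            if int(value) <= 0:
                raise ValueError(f"{name} must be positive")
            params[name] = int(value)
    if user_agent:
        params["userAgent"] = user_agent
    return ENDPOINT + "?" + urlencode(params)


def redact_key(request_url):
    """Copy of the request URL with the API key removed, safe to keep in a case file."""
    parts = urlsplit(request_url)
    query = [(k, "REDACTED" if k == "apiKey" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def capture_evidence(request_url, fetch, now=None):
    """fetch(url) -> bytes is injected so the example runs offline; in production it
    would be an HTTPS GET. The manifest ties the image bytes to a digest, a UTC
    timestamp and the redacted request: the image alone proves very little."""
    data = fetch(request_url)
    when = now or datetime.now(timezone.utc)
    return {
        "captured_at": when.isoformat(),
        "request": redact_key(request_url),
        "sha256": sha256_hex(data),
        "size": len(data),
    }


if __name__ == "__main__":
    url = build_request("MY-KEY", "https://example.com/offer", fmt="png",
                        delay_ms=2500, mode="mobile")
    # Offline stand-in for the HTTP call: constructed bytes, not a real image.
    print(capture_evidence(url, lambda _u: b"not really a png"))
```

Store the manifest next to the image (or in your case-management system) and never the raw request URL, since it carries the API key; the redacted copy records which page, emulation and delay were used, which is what a reviewer will ask about later.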




The Screenshot API product is geared towards providing complete screenshot solutions for your business needs. With instant screenshot facilities, easy integration capability and a host of customizable features, Screenshot API aims to create a rich visual experience for web-based processes.


To access Screenshot API, please follow this link: https://website-screenshot-api.whoisxmlapi.com/


Brand Monitor and Brand Alert API: How to Combat Brand Misrepresentation in the Retail Fashion Industry
http://www.nahnuh.com/blog/brand-monitor-and-brand-alert-api-how-to-combat-brand-misrepresentation-in-the-retail-fashion-industry/
Wed, 10 Jul 2019 19:15:36 +0000, by admin

Negative brand equity and misrepresentations are among the worst nightmares of today’s biggest brands — and more often than not, it’s connected to cybersecurity and data breaches.


For example, the latest stats show that one in every 99 emails you receive is a phishing attempt, most of them either laced with malware crafted to harvest victims’ financial credentials or using popular brands as social engineering bait.


A typical example is an email offering a huge discount that the victim finds hard to resist. She clicks the link, lands on a site that asks for personal details, including the credit card she plans to pay with, and never receives the goods she supposedly bought. She then complains to the store via every channel available: email, phone, and social media.


What’s worse, others who fell for the same ruse joined in the frenzy, dragging the brand’s name through the muck. What can the victim company do? Could it have prevented the phishing attack? These are just some of the things this article will answer, analyzing Zara’s real-life case study.





The Attack: The Curious Case of Zara


In the recent past, phishing was largely limited to emails that people read on their computers. With smartphones and the millions of apps users can choose from, that’s no longer so, as Zara’s case will show.


The Victim


Zara is a Spanish fast-fashion retailer that is very popular worldwide. Apart from physical stores in some of the biggest shopping malls the world over, it also sells clothing and accessories through country or regional sites online. To date, it has a total of 202 physical and online shops.


The Attack Vector


WhatsApp is a messaging app that’s currently being used by hundreds of millions of users worldwide. It can be used on not just smartphones, but also on personal computers, so just imagine the number of potential victims a cybercriminal can have.


The Bait


Sometime in February 2016, several WhatsApp users received an instant message from someone they know and trust prodding them to forward it to 10 contacts. They were then asked to click a shortened link to a site where they could get their free Zara gift cards.


The Real Deal: Behind the Scammers’ Curtains


Here’s how the victims’ credit card and other personally identifiable information or PII ended up in phishers’ hands:


  • 1. Potential victims get a WhatsApp instant message from a contact.
  • 2. They forward the message to 10 contacts as suggested (unwittingly recruiting more potential victims for the phishers).
  • 3. They then click the shortened link to the site to get their free gift card (typically US$500 worth).
  • 4. The site (crafted to look like a real Zara page) asks them to fill in a form to receive the gift card, and so they do.
  • 5. They click “Submit”, which sends their details to the attackers. Their personal information can then end up for sale in underground marketplaces, be used by the phishers themselves for fraud, or be held for ransom.


This isn’t the first time Zara’s or other popular retailers’ brand was used for a phishing attack. A similar ruse taking advantage of Zara was seen on Facebook even earlier, in March 2014. The message appeared on potential victims’ timelines. Those fooled into clicking on the link were led to a site that harvested their personal information, including credit card details.

Zara’s brand was used for a phishing attack

Regardless of the platform and brand used, one thing always remains: it’s a sham! None of the victims ever gets free gift cards, of course, they just end up inviting more people to get phished and handing their personal information to eagerly waiting cybercriminals via their specially crafted data-stealing sites.


The promise of getting something for free always seems to do the trick when baiting digital citizens to give up their PII. They aren’t the only ones who suffer from phishing attacks though. The retailers’ brands and thus their reputations also become casualties. So now we come to the burning question: Could Zara have prevented the phishing attack from its end using Brand Monitor or Brand Alert API? Let’s find out.


The Evidence: Could Brand Monitor or Brand Alert API Have Helped Prevent the Attack?


Brand Monitor is a domain-monitoring tool that lets users keep track of their brands’ and other trademarks’ or intellectual properties’ exact matches and variations, including those with all possible typos, in order to protect their business online.


Let’s see how it could have helped in Zara’s case.


  • 1. Sign up by clicking “Open Dashboard” on the Brand Monitor site. You automatically get your free credits.
  • 2. Look for and click “Brand Monitor” on the left panel. You’ll automatically be taken to the “Basic” function. Type your brand name into the input box, then click “Add to monitoring”. In this step-by-step guide, we’ll use the brand “Zara”. Note that you’ll need to wait 24 hours to see the first results because monitoring runs once a day.
  • 3. You can, however, already turn on Brand Monitor’s Typos function. This helps if you’re looking to spot possible phishing sites spoofing your brand. To do that, click “Edit monitor”.
  • 4. Switch the “Typos” toggle on (the icon turns red) and you’re done. You’ll see how many misspelled versions of your brand name will be added to your tracker; in this case, 135 possible matches are added to our Zara monitoring. Click “Save”. To see the list of typos the tool generated, click the “Typos (number) >” button; all the variations of “Zara” that Brand Monitor generated appear in the drop-down list.
  • 5. After a day’s monitoring, changes appear on the left panel, arranged by date.
  • 6. Check whether any of them are piggybacking on your brand or, worse, damaging your hard-earned reputation. Our Zara monitoring revealed that among the domain names we’re tracking, misspelled ones included, there were 6,557 newly added or modified domains while 1,827 were dropped by their owners for one reason or another. To see the entire list, click “Show more”.
  • 7. Go through the list and build WHOIS reports on each if you have the resources to do so. If not, pick the most suspicious-looking ones and take a closer look. Quick tip: focus on the active domains, the ones that have recently been registered or modified (on the left-hand side). Compare each site’s content with yours and look for the typical signs that cybercriminals or people with malicious intent have your business in their sights:


    • Misspelled domain name, a variant of yours with typos;
    • A non-affiliated site, web page, email, newsletter, instant message, or social media post sporting your logo or its lookalike;
    • A non-affiliated site, web page, email, newsletter, instant message, or social media post tied to an email address, any URL (shortened links included), online account, or person that your company doesn’t own or employ;
    • A domain name that uses an uncommon gTLD such as “.xyz” that no company would normally use or a ccTLD that corresponds to a country that you’re sure you don’t sell to or do business in;
    • A domain name that has random numbers or special characters that aren’t part of the brand or company’s name (This defeats the purpose of making it easy for users to find a legitimate company’s site online after all.)


    Make sure though that none of the sites are yours or affiliated in some way with your company. You don’t want to make them inaccessible to users. You should find that a lot of the sites’ names may just have the same letters as your brand names or the companies that own them resell your products. Don’t be too hasty about suspecting them of foul play.


    To widen your search, you can also add other keywords to your monitor. Good examples for a brand like Zara would be “fashion,” “retail,” “clothing,” and “accessories”. To do that, just click “Edit monitor”.


    Click “+” beside “Add term” then type each additional keyword into the input box that appears. When you’re done, click “Save”. Brand Monitor will now show you results with the additional keywords in future reports. This is a great way to keep track of your competitors. You can also add their brands to your tracker if you wish to stay ahead of their sales and marketing efforts.


  • 8. After compiling a list of suspicious-looking sites, find out more about each of them. To do that, click “>” next to the domain name; a pop-up window with the domain’s details opens.
  • 9. If you wish to dig deeper, build a WHOIS report; a basic one will do. Say you want to see more about “sara.xyz”: click “Build WHOIS report” from among the choices. Note that we’re not saying “sara.xyz” is malicious; we just use it as an example for building a WHOIS report. As it turns out, the domain is currently for sale.
  • 10. Should you find a domain that is malicious, contact its registrar (the registrar and its abuse contact appear in the WHOIS record). If the site isn’t taken down, warn your customers on your shopping site or blog, and email subscribers to your newsletter or updates: tell them not to visit the site and that it isn’t connected to your brand in any way. Seek the aid of law enforcement and alert them that the site may be used in a phishing attack.
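The procedure above, from typo generation through to sorting a day’s changes by how suspicious they look, is straightforward to prototype. The Python below is an added example written for this page, not Brand Monitor’s code: it generates the single-edit typos of a brand label (a subset of the 135 variants the page reports for “Zara”), then scores a constructed daily change feed against the indicators listed in step 7 (typo of the brand, brand name with extra characters, an uncommon gTLD such as .xyz, a ccTLD outside your markets, digits or hyphens in the label). DAILY_FEED, OWNED, the watch-lists and the keyboard map are all assumptions made for the demonstration.

```python
"""Typo generation and daily-feed triage for a brand. Added example for this
page, NOT Brand Monitor's own code. DAILY_FEED, OWNED, UNCOMMON_GTLDS, MARKETS
and NEIGHBOURS are constructed/assumed for the demonstration."""
import re

# Assumption: simplified QWERTY neighbour map for adjacent-key substitutions.
NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Assumption: a tiny public-suffix list and example watch-lists.
SECOND_LEVEL = {"co.uk", "com.au", "co.jp", "com.br"}
UNCOMMON_GTLDS = {"xyz", "top", "icu", "club", "online"}   # the page names only .xyz
MARKETS = {"es", "uk", "us", "de", "fr", "it"}              # ccTLDs where the brand trades
WEIGHTS = {
    "typo of brand": 3,
    "exact brand on a TLD you do not own": 2,
    "brand embedded with extra characters": 2,
    "uncommon gTLD": 2,
    "ccTLD outside your markets": 2,
    "digits or hyphens in the label": 1,
}
# Constructed daily change feed and the brand's own domains (the page's caveat:
# never flag what you or an affiliate actually run).
DAILY_FEED = ["zara.com", "zarra.xyz", "zara-giftcard500.com", "sara.xyz",
              "zara.co.uk", "zaraclothing-shop.top", "xara.com", "bazaar.net", "zara.tk"]
OWNED = {"zara.com", "zara.co.uk"}


def typo_variants(brand):
    """Single-edit typos: omission, doubling, transposition, adjacent-key substitution."""
    b = brand.lower()
    out = set()
    for i, ch in enumerate(b):
        out.add(b[:i] + b[i + 1:])                      # omission:      zara -> zra
        out.add(b[:i] + ch + b[i:])                     # doubling:      zara -> zarra
        if i + 1 < len(b):
            out.add(b[:i] + b[i + 1] + ch + b[i + 2:])  # transposition: zara -> zaar
        for k in NEIGHBOURS.get(ch, ""):
            out.add(b[:i] + k + b[i + 1:])              # adjacent key:  zara -> sara
    out.discard(b)
    return out


def split_domain(domain):
    """Return (registrable label, suffix); handles the two-level suffixes listed above."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]


def score_domain(domain, brand, variants):
    """Apply the page's indicators to one domain; returns (score, reasons)."""
    sld, suffix = split_domain(domain)
    brand = brand.lower()
    reasons = []
    if sld in variants:
        reasons.append("typo of brand")
    elif sld == brand:
        reasons.append("exact brand on a TLD you do not own")
    elif brand in sld:
        reasons.append("brand embedded with extra characters")
    if re.search(r"[0-9-]", sld):
        reasons.append("digits or hyphens in the label")
    top = suffix.rsplit(".", 1)[-1]
    if top in UNCOMMON_GTLDS:
        reasons.append("uncommon gTLD")
    elif len(top) == 2 and top not in MARKETS:
        reasons.append("ccTLD outside your markets")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage_feed(feed, brand, owned):
    """Skip owned domains, score the rest, and return the flagged ones, worst first."""
    variants = typo_variants(brand)
    report = []
    for domain in feed:
        domain = domain.lower()
        if domain in owned:
            continue
        score, reasons = score_domain(domain, brand, variants)
        if score:
            report.append({"domain": domain, "score": score, "reasons": reasons})
    report.sort(key=lambda r: (-r["score"], r["domain"]))
    return report


if __name__ == "__main__":
    for row in triage_feed(DAILY_FEED, "zara", OWNED):
        print(f'{row["score"]:>2}  {row["domain"]:<24} {", ".join(row["reasons"])}')
```

Note that “bazaar.net” scores zero even though it shares letters with the brand, which is the page’s point about not being hasty, while “zara.tk” is flagged only because it is an exact match on a TLD the brand neither owns nor trades under. The scores are a triage order, not a verdict; the WHOIS lookup in steps 8 and 9 is still what decides.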


If you’d rather pull the same data into your own scripts and systems, use Brand Alert API, Brand Monitor’s RESTful counterpart. It returns the same results in XML and JSON format; choose whichever works best for you.

Brand Alert API

For better security and peace of mind, use these other domain-monitoring tools from the Domain Research Suite that will seamlessly work with both Brand Monitor and Brand Alert API:


  • Reverse WHOIS Search: You can use the WHOIS reports that Reverse WHOIS Search generates to obtain more information on a domain you’ve been keeping tabs on with Brand Monitor to verify its legitimacy when, say, you’re investigating it for copyright infringement or any fraudulent activity.
  • WHOIS History Search: If you’re unsure of the reputation of a domain you wish to purchase and want to know its entire history, use WHOIS History Search with Brand Monitor. It gives you detailed insights on the domain’s entire life cycle, allowing you to make sure it never had ties to malicious online dealings that could harm your brand.
  • WHOIS Search: If you’re interested in purchasing a domain that will fit your company’s needs to a tee, use WHOIS Search with Brand Monitor. It can alert you when the domain is up for grabs as when its owner has given up his rights to use it or its registration has simply expired.
  • Domain Availability Check: Looking for a domain for your new product? Use Domain Availability Check with Brand Monitor. It gives you a list of all the domains that may meet your needs. If the domain you’re eyeing is currently in use, Brand Monitor can alert you when it becomes available.
  • Domain Monitor: Use Domain Monitor with Brand Monitor to keep track of any changes to the domain that has piqued your interest.
  • Registrant Monitor: Use Registrant Monitor with Brand Monitor to keep track of registrant-related changes tied to brands you’re viewing.


The Verdict: Lessons from Zara’s Case


Zara and other fashion retailers have proven lucrative phishing baits because people inclined to buy branded apparel tend to have good spending power. Targeting the retailers directly can also hand perpetrators intellectual property they can sell to the highest bidder (possibly a competitor). If a shopping site’s database is breached, the attackers get their hands on customers’ personal and financial data as well, and all of that lands the retailer in serious trouble: not only do its customers suffer, its brand is damaged too.


Today’s brand protection guidelines shouldn’t just cover usage policies for a company’s logo and other trademarks. The ubiquity of the Internet requires that they cover domain security as well. It’s not enough to expect customers not to fall for age-old phishing tactics; retailers need to do their part too. That’s where tools like Brand Monitor and Brand Alert API come in handy. They don’t just safeguard your virtual assets, they protect your customers and your good name too.

Introducing Command-line Real-time & Historic WHOIS Tool
http://www.nahnuh.com/blog/introducing-command-line-real-time-historic-whois-tool/
Thu, 04 Jul 2019 16:41:05 +0000, by admin

We are excited to announce that our hallmark WHOIS data is now available through a command-line utility, “bestwhois”. The tool is a great alternative to the standard “whois” command for domain and IP WHOIS queries: there are no search restrictions, and the queries are made through the API service provided by Whois XML API.


Most suitable for UNIX power users and other command-line enthusiasts, bestwhois is a cross-platform utility that works on Windows, Linux, Unix, Mac OS X or any other platform with Python. It is a command-line front end to two Whois XML API services, WHOIS API and WHOIS History API. All the queries you initiate are processed through these APIs, and the output resembles that of the original “whois” command.


The data that was previously available to developers via the APIs is now readily at hand for system administrators, threat investigators, analysts, marketing experts, and other power users who prefer command-line tools or are used to the original “whois” command. They can uncover domain profile data worldwide from over 5 billion historic WHOIS records, 300 million domain names and over 2,850 gTLDs (including .com, .org, .net, .biz and more) and ccTLDs (including .uk, .us, .ru and more). Key data points for each domain include who registered it and their contact information, the registrar, the expiry date, the last update date, whom to contact about the domain name, and much more.


Key features of Whois XML API’s bestwhois

  • Easily conduct WHOIS search for domain names or IP addresses
  • Access Real-time & Historic WHOIS records
  • No query limitations
  • Consistently structured, yet human-readable output
  • Similar to the original “whois” command
  • Runs on virtually any platform
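Because bestwhois prints records in the familiar “whois” style, the next step for an investigator is usually the same as with the original command: pull out the data points listed above and check how old the domain is and when it expires. The Python below is an added example written for this page, not code from the bestwhois repository: it parses key/value WHOIS text into a dictionary, extracts registrar, registrant email, name servers and the three dates, and flags a domain registered within the last 30 days (a threshold assumed for the example). SAMPLE_RECORD is constructed; the domain, registrar and name servers in it are fictional.

```python
"""Parser and triage helper for whois-style key/value text. Added example for
this page, NOT code from the bestwhois repository. SAMPLE_RECORD is constructed
(fictional domain, registrar and name servers); EXAMPLE_NOW fixes the reference
time so the derived numbers are reproducible."""
from datetime import datetime, timezone

SAMPLE_RECORD = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, Inc.
Creation Date: 2019-06-28T10:15:00Z
Updated Date: 2019-06-29T08:00:00Z
Registry Expiry Date: 2020-06-28T10:15:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: abuse-contact@example-shop.com
Name Server: NS1.EXAMPLE-HOSTING.NET
Name Server: NS2.EXAMPLE-HOSTING.NET
>>> Last update of WHOIS database: 2019-07-04T00:00:00Z <<<
"""
EXAMPLE_NOW = datetime(2019, 7, 22, tzinfo=timezone.utc)
NEW_DOMAIN_DAYS = 30   # assumption: triage threshold for "newly registered"


def parse_whois(text):
    """Collect 'Key: value' lines into a dict of lists (keys such as Name Server
    repeat). Comment and footer lines (%, #, >>>) are skipped, and only the first
    ':' separates the key, so timestamps containing colons survive intact."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value:
            record.setdefault(key, []).append(value)
    return record


def first(record, *keys):
    """First value found under any of the given keys (registries name fields differently)."""
    for key in keys:
        if key in record:
            return record[key][0]
    return None


def parse_date(value):
    """ISO-8601 as most registries emit it; a trailing Z becomes +00:00 for fromisoformat."""
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def summarize(text, now=None):
    """Extract the data points the page lists and derive the two numbers an
    investigator looks at first: domain age and days to expiry."""
    now = now or datetime.now(timezone.utc)
    record = parse_whois(text)
    created = parse_date(first(record, "creation date", "created", "registered on"))
    updated = parse_date(first(record, "updated date", "last updated"))
    expires = parse_date(first(record, "registry expiry date", "expiry date", "expiration date"))
    age_days = (now - created).days if created else None
    return {
        "domain": (first(record, "domain name") or "").lower(),
        "registrar": first(record, "registrar"),
        "registrant_email": first(record, "registrant email"),
        "name_servers": [ns.lower() for ns in record.get("name server", [])],
        "updated": updated.isoformat() if updated else None,
        "age_days": age_days,
        "days_to_expiry": (expires - now).days if expires else None,
        "newly_registered": age_days is not None and age_days < NEW_DOMAIN_DAYS,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD, now=EXAMPLE_NOW).items():
        print(f"{key:>16}: {value}")
```

A domain created three weeks ago that is already serving a “gift card” page is exactly the pattern the Brand Monitor article above describes, and a one-year registration that is about to lapse on a domain you care about is the signal to watch for with WHOIS History and Domain Availability tools. Real records vary in field names and date formats, so extend the key aliases in summarize() as you meet them.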



With the growing demand for the domain information found in WHOIS records, we created the bestwhois command-line utility to ease your access to this data. As one of the most reputed (and largest) domain WHOIS database providers, we believe this tool can help you find the owner of a domain name or IP address and bolster your investigations.


In order to get all the above-discussed benefits, you just need to subscribe to the Whois API at https://whoisxmlapi.com


You can get the bestwhois utility now from GitHub: https://github.com/whoisxmlapi/bestwhois

Introducing Seamless WordPress Plugins from Whois XML API!
http://www.nahnuh.com/blog/introducing-seamless-wordpress-plugins-from-whois-xml-api/
Fri, 21 Jun 2019 15:22:00 +0000, by admin

In the past few years, we have been on a mission to create domain WHOIS, IP, DNS and other Internet intelligence products to meet the growing demand for this information from professionals across diverse industries. We currently offer APIs, database downloads, online web tools, threat intelligence feeds and a Splunk app, which are widely used by cybersecurity professionals, marketing and brand protection agencies, domain registrars, domain investors, researchers, and many more.


This time around, we have created a solution specifically for web developers and website owners. We are glad to introduce two plugins for WordPress site owners: the Whois Plugin and the IP Geolocation Plugin. Whether you run a business or a blog, WordPress plugins invariably play an important role in achieving your goals. These plugins extend the functionality of your WordPress site and improve the user experience by surfacing key information on a simple mouse hover.


You work hard to attract your target audience, so how does it feel when visitors leave your site to look up the owner of a website or the geolocation of an IP address mentioned in a page or post? Watching them leave is always frustrating. There may be many reasons they want that information, but your concern should be to keep them from leaving your site.


Our plugins automatically add a small pop-up (tooltip), so your visitors can instantly see the domain WHOIS or IP geolocation information for addresses mentioned on your page without leaving your website or clicking through multiple pages or links. Let’s take a look at both plugins and what they do.



Whois Plugin


This plugin automatically links every domain name in your WordPress pages or posts to our Whois service. When a visitor moves the cursor over a domain name in your text, a pop-up with summarized WHOIS information for that domain appears, including its availability, contact email, creation date, and expiry date. When your audience wants information about a particular website, the plugin provides it instantly and keeps them from moving to a different site. Anyone who wants the entire WHOIS record can click the link in the tooltip to access all the registration information for the domain.


Summarized Whois information of a domain

Domain registrars and news sites can substantially benefit from this plugin as it helps ease access to information for their users.


You can download the Whois Plugin here: https://wordpress.org/plugins/whois-xml-api-whois/



IP Geolocation Plugin


The IP Geolocation Plugin provides a quick preview of the location details, including country and city, for every IP address mentioned on your website. Visitors who want detailed location information can click the link provided in the tooltip and access the full record for that IP address.


Summarized Geolocation information for an IP address


If your website displays IP addresses to its users, adding the geolocation of each address makes that information more useful. To avoid cluttering your pages with location data for every IP, the plugin shows it only for the address a user actually hovers over, in a visually unobtrusive way.

It is commonly observed that sites which show an IP address together with its location attract such visitors the most.

You can download the IP Geolocation Plugin here: https://wordpress.org/plugins/ip-geolocation-info/


Benefits of the WordPress Plugins from Whois XML API

  • No backend work or systems required to access the data
  • Seamless integration without affecting the content of your website
  • No more cluttering your website with all the information
  • Improved user experience for your website
  • Accurate, real-time data from the largest database


If you have the name of other websites or IP addresses on your site, these plugins can be a crucial asset for you and help provide added value to your website.

Want to Find & Contact Websites Based On Specific Categories & Location?
http://www.nahnuh.com/blog/want-to-find-contact-websites-based-on-specific-categories-location/
Thu, 13 Jun 2019 14:23:30 +0000, admin

Some time back we introduced two products that provide clearly defined website intelligence: the Website Categorization API and the Website Contacts API. Both APIs combine machine learning with rules defined by experts to obtain precise results. This lets our users conduct their research from a single source instead of manually examining multiple sources.


Our Web Categorization solution applies multiple layers of filtering and analysis to the content of a website as well as its code, so that every website is categorized accurately.


Once you have identified your target websites, you need a way to connect with them, which is why we created the Website Contacts API. It returns the contact points of a website, including phone number, email address, associated companies, postal address and social media links. Essentially, a user gets various touch points to contact or verify the owners of the queried website.


Since the two solutions complement each other, we have now combined them into the Website Contacts & Categorization Database. You get a holistic solution and instant access to the required website information as downloadable custom data lists.



Our users can filter the websites based on two key criteria:

  • Website Location: find website information for a particular country, several countries or all countries, for location-specific targeting. Our database covers websites registered globally and includes gTLDs, new gTLDs and ccTLDs.
  • Website Category: at present we categorize websites into 25 categories, and for each website we return up to 3 categories it may belong to. You can request data for one or several categories, depending on your requirements.



Besides filtering the database by these two criteria, users can choose the 'Domain Names Only Database', which provides the full list of websites matching the selected category and location, or 'Domain Names and Contact Information', which also provides contact details for every filtered website. For the specifics of the information in the database, see: https://website-contacts-database.whoisxmlapi.com/specifications


Some of the practical applications of this custom website information can be:

1) Generate leads by finding websites that you can target

2) Minimize risks & prevent fraud by identifying malicious websites

3) Restrict employee access to certain websites based on content

4) Investigate websites



Currently we have over 150 million websites in our database, and approximately 4 million websites are added each day. So leave behind the hassle and expense of web scraping or manual research across multiple sources to identify who and what is really behind a website, and get accurate, reliable website information from your one-stop domain intelligence provider, Whois XML API.



To get started with Website Contacts & Categorization Database, please click on the link: https://website-contacts-database.whoisxmlapi.com/

Protecting Brands & Trademarks On The Internet!
http://www.nahnuh.com/blog/protecting-brands-trademarks-on-the-internet/
Thu, 23 May 2019 11:20:59 +0000, admin

Importance of online brand

The ease and enormous potential that the Internet offers businesses to expand their reach among customers, and to tap markets that traditionally would have required far more effort and resources, is remarkable. A website has become a cornerstone for businesses to create brand awareness, showcase their products and services, and sell their offerings directly online. With each passing day, people rely more on this virtual presence of brands and interact with them more.


Domain names have therefore become a critical component of building and expanding a brand identity online. And, like any valuable asset in plain sight, they attract bad actors who either want to cause harm or want to exploit your brand's reputation for their own benefit. That is, of course, not good news for you.


What is online brand abuse?

Malicious activity against your domain name can damage your brand reputation, erode customer trust and hurt your organization's bottom line through counterfeit products, brand abuse, identity theft and intellectual property abuse, to name just a few.


Some of the ways in which these are carried out are:

1) CyberSquatting

This involves registering domain names associated with a popular company, brand, trademark or the name of a well-known person with the intent to profit from their reputation. The malicious party may sell counterfeit products or services while pretending to be someone else, damaging the brand's reputation. In most cases, though, these domain names are bought in order to be sold to the person or company owning the trademark contained in the name, at a much inflated price.


2) Typosquatting

Typosquatting, on the other hand, is registering domain names that look confusingly similar to your brand, with variations in spelling or a different TLD. It is often used for phishing, leading people to fake websites or distributing malicious code. It can also be used to generate advertising revenue, divert traffic or collect customer details without their knowledge.


In such cases the company can track down the bad actor and pay them directly for the domain name. There are legal proceedings for recovering a domain name too, but they take a lot of time and are costly. Many companies also defensively register similar spellings of their domain name, but it is not feasible to buy every variation of a brand name, and with the launch of the new gTLDs this task has only become harder.


Faced with this situation, it is no longer feasible for companies to rely solely on traditional strategies to protect their brands and trademarks.



So you’ve built your business and your brand, now how do you protect it?

If you want to proactively keep your brand and trademark safe from such infringement, and are looking for optimal protection from fraudsters, you can count on our Brand Monitoring Tool. Our Domain Name Trademark Monitoring Service uses AI-driven predictive monitoring and tracks domain name registrations globally for potential infringements of your brand.

You can better protect your brand and detect malicious entities trying to leverage your reputation with our tool in the following ways:


Keyword Monitoring

Add and monitor keywords related to your brands and trademarks in our easy-to-use online tool. Each day, WhoisXmlApi's system observes millions of existing domains for changes and detects hundreds of thousands of newly registered domains. You will be notified of any new domain registration or change that could be related to your brand.


Predictive Domain Typo Finder

Get a predictive list of the possible typos, misspellings and variations of your brand name or trademark, and track them. Our system identifies similarly named domains using various algorithms and finds the deceptive actors pretending to be you. The AI-driven predictive monitor provides comprehensive typosquatting coverage for your brand.


Advantages of Brand Monitoring Tool for proactively protecting your online assets

  • Daily tracking of any changes in domains containing specific words, phrases, or partial words
  • Discover any new domain name registrations, recently expired domains or even changes in the existing domain’s Whois records that include the monitored term
  • Get up to 300 domain typo variations for a comprehensive list to catch violations
  • Coverage includes gTLDs, new gTLDs, and ccTLDs
  • You can blacklist terms by adding them as 'Exclude' terms for the domain's Whois record, so you can focus on the items that need your attention
  • Get email alerts of any changes in the monitored terms, so you can stay updated.
  • With just a single click directly investigate the discovered domain’s historic and current profile to learn more about the actors who registered them and their connected infrastructure
  • The online tool displays records of changes for easy reference
  • Quickly & easily integrate our Brand monitoring tools into your applications with API access.



Use Cases of Brand Monitoring Tool

Brand Monitoring Tool uses an industry leading online monitoring platform to look for registrations that match your trademarks, including close matches and typosquatting from the world’s largest database of domains. We’ve made domain name monitoring easier and more cost-efficient than ever.

Successful companies rely on our global coverage to build and strengthen their brands and to prevent the following threats to their brands and trademarks:


→ Combat Phishing Attacks

One of the largest cybercrimes today, phishing uses slightly misspelled domain names of well-known brands for deception. Malicious actors send cleverly crafted emails claiming to be from your company to victimize your employees, customers or partners, trying to obtain financial or other confidential information by sending them to fake websites, or sometimes to distribute malicious code.


→ Prevent Unethical Domain Parking

Brand owners can prevent exploitation by cybersquatters who register their trademarks as domain names in advance and hold onto them with the intent of selling them later at inflated prices.


→ Battle Counterfeit Websites

The aim here is to imitate the brand owner's actual website as precisely as possible, and then to market counterfeit products, sometimes without the customer's knowledge.


→ Prevent Copy-cat Brands from Tapping Your Traffic

Sometimes small businesses deliberately choose names that are similar or even identical to a well-known brand in order to leverage its reputation. Adopting an industry-leading brand name increases the likelihood of receiving traffic these copycats have not earned; it is the quickest and easiest way for an unknown company to draw visitors to a website where they sell their own products.


→ Avert Unknowing Promotion of a Competitor's Brand

Rival companies can register domain names using a variation of your brand to divert your customers. This results in lost traffic and lower online revenue, not to mention your competitor gaining your customers.


→ Avoid Damage to Brand Image

A variation of your domain name can be used to send people who actually want to visit your website to a pornographic or otherwise malicious site. This can cause immense damage to your brand reputation.


→ Prevent Customer Data Breach

Cybersquatters sometimes create similar domain names and replicate a reputed brand's site in order to steal visitors' financial and personal information. This can also cause people to lose faith in the brand, even though the brand had nothing to do with the fake site.


→ Stop Wrongful Discrediting

Sometimes a disgruntled employee, a detractor, an unsatisfied customer or a competitor may create variations of your domain name with abusive or derogatory words to damage your brand image and spread false news about your brand.


These are some of the important areas in which Brand Monitoring Tool can help prevent damage to your online brand. With the rise and innovation in attacks from bad actors, staying on top of their activities is a must for companies with an online presence.




With more than 300 million domains registered and thousands being added daily, your domain name is a valuable corporate asset and requires round-the-clock protection. With our best-in-class technology find existing and new domains that spoof your brand, trademark, product, organization or other names and carry out defensive or investigative actions against them.


Set up the Brand Monitoring Tool, tailored to your needs, to safely and effectively manage your domain portfolio. Receive all updates and monitoring alerts in your account and by email, stop worrying about brand hijacking and focus on building your business. Rely on our global reach and expertise to safeguard your brands from infringement.

Get started: https://domain-research-monitoring.whoisxmlapi.com/brand-monitor


How Traffic Filtering Works using IP Geolocation
http://www.nahnuh.com/blog/how-traffic-filtering-works-using-ip-geolocation/
Mon, 20 May 2019 09:09:28 +0000, admin

The cyber threat landscape changes daily. These days it is real people launching spam attacks and other malicious activity against networks. Traditional security measures that were previously effective against various forms of attack are no longer adequate. With the growing number of sophisticated attacks, new measures are needed.


How is Network Traffic Managed?


Traffic management, sometimes called traffic filtering, refers to the use of network traffic attributes to grant or deny access to your network. When the source country attribute is used to grant or deny specific IP addresses access, this is called geo IP filtering.


How is IP Geolocation Filtering Used for Traffic Management?


The first line of defense in any network is the firewall, which monitors the data received and sent on its assigned network. To verify that traffic is legitimate, it analyzes flagged transmissions and decides whether access is to be granted or denied, applying many criteria to filter out suspicious traffic.


A popular addition to such filtering is blocking traffic from specific countries. The most popular firewalls can filter out IP addresses from specific countries, and web servers like Apache and IIS can do the same. Any country blacklisted by such a filter will have its traffic denied to the given network; you will not be able to send data to it either.


An IP Geolocation API, for example, provides a geolocation lookup for IP addresses that identifies the country of origin of a visitor. Such a service helps you detect risky accounts and behavior from a given location.

Geolocation filtering in traffic management


How is IP Geolocation Filtering Used to Combat Malicious Traffic?


If a pattern reveals that a series of attacks is coming from the same country or countries, blocking all traffic to and from those countries would seem to be the quickest and easiest solution. How practical is that? Not very.


Rejecting traffic from entire countries could interfere with the genuine need to interact with legitimate systems or servers there. This is one of the reasons people have been hesitant about traffic management based on IP geolocation.


It should also be understood that the attacker may not be in the country the traffic appears to come from. They may be relaying packets through compromised systems in the identified countries. Using open proxies to multiply their reach, an attacker can make the traffic appear to originate from a number of places, both to protect themselves and hide their patterns and to slip past the security measures in place. A country block is therefore best treated as one signal among several rather than the sole gate.


With advances such as IP geolocation APIs, an additional layer of screening is added to traffic going both ways.

So how does IP geolocation-based traffic management help filter malicious traffic? Geolocation data can help you handle malicious traffic in a variety of ways, and it can do more than just filter traffic.


  • Detect Fraud: match the geolocation of a visitor's IP against the customer data you already hold to catch fraud and identity theft attempts.
  • Identify Malicious Activity: detect questionable activity and identify the country it comes from.
  • Insights for Marketing: geolocation data provides valuable insight into who visits your website, revealing opportunities or patterns you can use to improve your online marketing.
  • Strengthen Indicators of Compromise: data from the API can enrich indicators of compromise (IoCs) within threat intelligence platforms and security information and event management (SIEM) systems.
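An added worked example of the two uses discussed above, country-based filtering and matching a visitor's IP country against the country on the customer's record; this is not code from the IP Geolocation API or any vendor. The CIDR-to-country table stands in for a geolocation feed and, like the log lines and customer records, is constructed from RFC 5737 documentation ranges and does not reflect real allocations. The explicit allow-list implements the caveat that blocking a whole country must not also block known legitimate peers there, and an address with no country is routed to review rather than silently allowed or dropped.

```python
import ipaddress

# Constructed lookup table standing in for a geolocation feed (CIDR -> ISO country).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AU"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/25"), "DE"),
    (ipaddress.ip_network("192.0.2.128/25"), "FR"),
]

# Constructed customer records: billing country on file.
CUSTOMER_COUNTRY = {"cust-1001": "AU", "cust-1002": "US",
                    "cust-1003": "DE", "cust-1004": "US"}

# Constructed access log: timestamp, client IP, customer id.
SAMPLE_LOG = """\
2019-05-20T09:01:02Z 203.0.113.7 cust-1001
2019-05-20T09:01:05Z 198.51.100.9 cust-1002
2019-05-20T09:01:09Z 192.0.2.200 cust-1001
2019-05-20T09:02:11Z 192.0.2.40 cust-1003
2019-05-20T09:02:30Z 10.0.0.5 cust-1004
"""


def lookup_country(ip):
    """Longest-prefix match of an address against the geolocation table;
    None when the address is not covered (private ranges, gaps in the feed)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else None


def filter_decision(ip, deny_countries, allow_list=()):
    """Country filter with an explicit per-address allow-list that overrides
    the block, so partner systems inside a denied country keep working.
    Unknown origin yields 'review' instead of a silent allow or deny."""
    if ipaddress.ip_address(ip) in {ipaddress.ip_address(a) for a in allow_list}:
        return "allow"
    country = lookup_country(ip)
    if country is None:
        return "review"
    return "deny" if country in deny_countries else "allow"


def process_log(log, deny_countries=("FR",), allow_list=()):
    """Apply the country filter to each log line, then flag sessions whose
    IP country disagrees with the customer's country on file (fraud signal)."""
    results = []
    for line in log.splitlines():
        _ts, ip, cust = line.split()
        country = lookup_country(ip)
        results.append({
            "ip": ip,
            "customer": cust,
            "country": country,
            "decision": filter_decision(ip, deny_countries, allow_list),
            "geo_mismatch": country is not None and country != CUSTOMER_COUNTRY.get(cust),
        })
    return results


if __name__ == "__main__":
    for r in process_log(SAMPLE_LOG):
        print(f"{r['ip']:14} {str(r['country']):5} {r['decision']:7} mismatch={r['geo_mismatch']}")
```

The third log line shows the point of the mismatch check: the address is not in a denied country by itself, but a customer whose record says Australia logging in from a French range is worth a second look even when the country filter would have let the request through.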


A Powerful Tool in the Battle Against Cyber Threats


Cyber attacks and malicious traffic are increasing, but we have more advanced ways to identify where they come from by using geolocation. With geo-specific filtering you gain far better control of your network: you can remove a lot of undesirable traffic and keep traffic from being directed beyond your network, for improved security.

Domain Name System Primer
https://main.whoisxmlapi.com/domain-name-system-primer
Thu, 04 Apr 2019 05:51:14 +0000, admin

In this white paper we give an overview of the Domain Name System, or DNS, one of the pillars of the Internet. We start from the goal: to assign names to named resources on the Internet and to maintain the database of these names. For this it is important to understand the structure of domain names and DNS zones. We describe the roles of the actors in the system: domain maintainers, registries and Network Information Centers. The structure of delegation of authority is also clarified. We give an overview of the data available in the DNS, notably the resource records (RRs) occurring in zone files. We also review the technology side: the DNS protocol, its operations supporting name resolution queries, the zone transfers necessary to maintain the system, and reverse mapping, which requires a little insight into netblocks and Classless Inter-Domain Routing (CIDR). We briefly mention the most popular implementations, notably BIND, probably the most prevalent DNS server software. We address the internal security issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references for further reading.

1. The need for name servers

1.1. What is DNS?

Any network of digital devices operates by using addresses, technical numbers that identify the nodes. On the Internet these are IP addresses. It is, however, always necessary to give human-readable names to the addressable resources, turning them into "named resources". Consequently, there has to be a mechanism to map names to addresses; this is done by name servers.

On a large-scale network such as the Internet there is a tremendous number of named resources, which imposes requirements on any solution for name-to-address mapping:

  • There is a need for a method to organize and index names in order to efficiently find them in the system.
  • It has to be decentralized for several reasons:
    • The solution needs to be scalable in order to cope with the huge number of queries for name-address assignments to be served.
    • It has to be fault-tolerant; thus, there has to be some reserve in case any element of the required infrastructure is unavailable.
    • As the resources are run by physical entities (persons or organizations), it needs to be manageable so that the administration of certain resources can be delegated to their owners.

These requirements led to the introduction of the Internet Domain Name System in the early days of the Internet, and it has played a crucial role in the operation of the network ever since. Its specifications were laid down by Dr. P. Mockapetris as early as 1987, in RFC 1034 and RFC 1035. Although many subsequent RFCs have introduced modifications, the core functionality of the system remains intact.

1.2. Domain name system and WHOIS

To meet the requirements outlined above, the names of the resources are organized into a hierarchical structure. At the top is the top-level domain (TLD), then the second-level domain (SLD), and then any number of lower levels, each separated by dots, e.g. "www.example.net", where "net" is the TLD and "example" the SLD. In this way the management of a sub-tree of the hierarchy can be delegated to the actual owner of the resources below the top of that sub-tree. The authority over the root domain of the Internet lies with ICANN (Internet Corporation for Assigned Names and Numbers, www.icann.org).

Below this is, for instance, the TLD ".com", operated by Verisign (although the actual registrations of its sub-domains are processed via registrars accredited by ICANN), whereas "domainwhoisdatabase.com" belongs to WhoisXML API, Inc.: we, as an organization, administer this SLD authoritatively. There are plenty of top-level domains on the Internet. Some are country-code TLDs (ccTLDs), maintained by the respective entities of the given countries; the others are generic TLDs (gTLDs), related to other entities. Domains are registered through registrars.

When someone, say a company, purchases a domain name from a registrar as its registrant, the registrar submits, after the necessary agreements, the technical data that will appear in the zone files we describe later. After this, we say the domain name "resolves", i.e. it maps to the respective IP addresses in the Domain Name System. The technical data are thus located in the DNS, along with some information about the registrant. But, unfortunately, not all of it.

By design, there is a protocol separate from those used for name resolution: WHOIS, the "phone book of the Internet", which maps real names and contact data to the registrants, the physical entities a resource belongs to. The WHOIS sub-system is thus crucial in all questions related to the ownership of domains and IP addresses, but the accuracy of WHOIS data is not a technical requirement for a domain to operate.

Meanwhile, in the DNS, all the data necessary for this operation have to be present, but the ownership data are limited. This dichotomy between WHOIS and the rest of the DNS is frequently seen as a serious shortcoming affecting the security of both subsystems. And yet we have to live with it, as it is a consequence of the approach of the founding fathers of the Internet, who initially saw it as a network of a more or less trusted and friendly community. That is not quite what it became.

In the present document we will not deal with the WHOIS subsystem any further. Even though it is part of the domain name system, the system is fully functional without it. Instead we focus on name servers, since these are what first comes to mind when speaking about DNS anyway.

Before turning to the actual operation of name servers and the DNS, we briefly mention a few related topics that will not be covered in detail, as they are only loosely related to our main subject.

1.3. Multicast DNS

Consider a local network, possibly of many computers. Do they need the same technology as the whole Internet to manage named resources? There is indeed a simpler solution: RFC 6762 specifies the Multicast DNS protocol (mDNS), which does not employ dedicated servers to maintain the name-to-IP assignment. If a host needs the IP address of another, it simply asks all nodes on the link, and the node that identifies itself under the given name answers.

Obviously this only works for smaller, trusted networks, but it is a great simplification. In addition, the mDNS packet formats are almost entirely compatible with the standard DNS protocol (referred to as "Unicast DNS" in this context). However, since we are interested in the operation of the Internet on a large scale, involving questions of authority and delegation, we will not go into the details of this protocol.

1.4. IPv6

Even though the number of possible IPv4 addresses, 2^32, is quite impressive, it has long been foreseeable that they will be exhausted. Hence IPv6, a new system of identification numbers for the nodes of the Internet, was developed. Your web server's address will then no longer be a dotted-decimal IPv4 address but rather something like "2001:0db8:85a3:0000:0000:8a2e:0370:7334".

The technology for this has been developed, including its support in the Domain Name System, but it is not yet as widely deployed as IPv4. So we omit the details of IPv6 handling in the DNS in the present document and focus on the currently more common IPv4 system.

1.5. Beyond DNS: The dark side

When someone speaks of the Internet (with capital "I"), everybody considers the network we all use and refer to under this name. This is very much in line with ICANN's motto, "One World, One Internet". We have just concluded that DNS is needed for the efficient operation of this network.

But actually a TCP/IP network has many layers, and it is just a broadly accepted convention that it should be used via the DNS. We shall see that this system for finding resources consists of files describing the required access information and of protocols to distribute and access them. Nothing prevents someone from introducing an alternative system on the same physical network, using completely different standards, that still remains operational.

And indeed this has been done. Perhaps the most significant example is the Tor network, a completely different logical network running on our physical Internet. It is hard to judge whether it is good or bad. According to its developers, its main goal is to protect privacy, and it is very beneficial for many benevolent users who simply want to avoid being tracked or eavesdropped on. In reality, however, it is also known as the home of the "Dark Web", the online world of crime and other unpleasant things not detailed here.

The reason for mentioning this is to point out that the Internet Domain Name System described here is not the only approach that exists on the physical IP network, but it is what runs the thing we call the Internet, and currently (probably luckily) it is the most prevalent one.

2. Data behind the name resolution

2.1. Zones and zone files

A DNS zone is a contiguous portion of the domain name space with a single entity delegated as its manager. In the tree of the namespace, a zone starts at the root of the given domain and ends either at a leaf node, i.e. a host, or at the top boundary of another, independently managed zone.

Zone files are the very containers of all data describing the information necessary for the name resolution of the zone. They are text files with contents standardized by RFC 1035. (BIND, the most prevalently used DNS server implementation, actually accepts certain conventions that do not fully comply with this standard, but they are now generally accepted.) Thus, zone files are both human-readable and machine-parsable: DNS software reads the information from these.

Our goal here is to obtain a basic understanding of the contents of zone files, as it is needed in order to understand DNS operations.

The contents of zone files can be subdivided into three types:

  • Comments
    Like virtually all kinds of computer code, they are necessary for human readability. Here, they start with the ";" character.
  • Directives
    These start with a "$" sign. They manage the processing of the file.
  • Resource records
    Those are the actual data lines describing the properties of the domain and the entities contained within.

Let us see a little example of a zone file:

$TTL 86400 ; 24 hours could have been written as 24h or 1d
; $TTL used for all RRs without explicit TTL value
$ORIGIN example.com.
@  1D  IN  SOA ns1.example.com. hostmaster.example.com. (
              2002022401 ; serial
              3H         ; refresh
              15         ; retry
              1w         ; expire
              3h         ; nxdomain ttl
              )
       IN  NS     ns1.example.com.    ; in the domain
       IN  NS     ns2.smokeyjoe.com.  ; external to domain
       IN  MX  10 mail.another.com.   ; external mail provider
; server host definitions
ns1    IN  A                          ; name server definition
www    IN  A                          ; web server definition
ftp    IN  CNAME  www.example.com.    ; ftp server definition
; non server domain hosts
bill   IN  A
       IN  A
       IN  A

Most directives are not very important to us, except for the mandatory $TTL directive which defines the Time to Live (TTL) value. This is the default duration for which the Resource Records can be saved or cached by another DNS server.

The $ORIGIN directive takes the name of the domain as its argument; it is optional. If it is provided, however, its value is appended to every name that appears after it and does not end with a dot character ".".

The reason for this is that the file should use Fully Qualified Domain Names (FQDN). That is, it should define the exact location of the domain name in the DNS tree, and the terminating dot here represents the root domain. In addition, the "@" character in the SOA resource record will be replaced by its value, in our example, "example.com.".

2.2. Resource records

From our point of view, the most important elements are the Resource Records (RRs), as they are the ones containing the information on the zone. Let’s see what they tell us.


The first one, the SOA (Start of Authority) RR, has to be the first, and it is mandatory. It is a multi-line RR. Looking at our example, it should be read as follows:

  • The "@" character is the name of the domain; now that $ORIGIN has been set, it will be replaced by its value, "example.com.".
  • The "1D" stands for one day; it is the TTL (Time to Live) of this very RR. If it is omitted, then the default $TTL would be used.
  • "SOA" stands for the record type.
  • "IN" stands for the network class, "Internet" in our case. In practice, it is always "IN" in zone files; there are some other possibilities, but they almost never appear in practice.
  • "ns1.example.com." is the Primary Master name server for this domain. It will also be specified in a separate RR, but it is mandatory here. (It can have a special meaning, though, when it is used with Dynamic DNS configurations.)
  • "hostmaster.example.com." stands for an e-mail address, the first dot should be read as "@" — so it is "hostmaster@example.com". This is the administrative e-mail address for the zone, and according to the recommendation of RFC 2142, it is typically "hostmaster@domain".
  • "2002022401" is a serial number associated with the zone; this is essentially the version number of the information. By convention, it uses the format of a date "yyyymmdd" followed by a two-digit serial number specifying the version within the day. This field has to be updated every time a change is made to the zone.
  • The following time-type fields affect the operation of slave/caching name servers, which we shall describe in detail later.

Name server records. The first few fields are just the same as we saw in the SOA record. The "name" field is empty here, meaning that it is substituted from the preceding SOA record. (This is a general rule: if no name is given in any type of record, the "name" field of the SOA record shall apply.) No TTL is specified, so the default $TTL applies. Finally, in our example, we have "ns1.example.com.", the FQDN of a name server within the zone, and "ns2.smokeyjoe.com.", which is the secondary name server in some other domain, typically at some other location. This increases the robustness of the system: even if the infrastructure of the whole domain fails for some (possibly technical) reason, a name server somewhere else in the world is likely to be available. Organizations typically find partners to run their secondary name server on a mutual basis (I back you up, you back me up).


MX records. These are the default mail servers for the domain. The syntax is just as in the case of the NS records, apart from the additional number before the last field. This is a priority level: it is a number between 0 and 65535. The lower the number, the higher priority a given mail server has.


A records. These are the very hosts. Each host that can be resolved has a name (this is the first field) and an assigned IP address (this is the last one). Note that the same IP can have multiple A records, like the Web server "www" and Joe's machine, "joe", in our example. Also note that since $ORIGIN is set, "joe" will be expanded to "joe.example.com.", illustrating how useful this directive can be.


CNAME records. These are essentially aliases: the name in the first field is an alias for the name on the right. It can be used for many purposes. Importantly, the alias can point to a host outside the domain. A typical use of CNAME is to enable the Web server to be seen both as "example.com" and "www.example.com":

       IN  A
www    IN  CNAME  example.com.

The first line defines an IP resolving to $ORIGIN, that is, "example.com.", whereas the second one defines "www.example.com." as an alias to "example.com."

We reached the end of our example, and, in fact, what we understand so far is almost completely sufficient for the operation of a domain. The only exceptions are the records of type "PTR", the ones needed for finding out the host name from an IP. This is the topic of "reverse mapping", which we shall address in Section 3.2.
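As an added example (not code from the original document), here is a small Python parser for the zone-file conventions discussed above: ";" comments, the $TTL and $ORIGIN directives, BIND-style time units, the multi-line SOA in parentheses, the blank-name rule and FQDN expansion. The sample zone is constructed after the page's example; its addresses are RFC 5737 documentation values, not the page's own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the zone file above; addresses are
# RFC 5737 documentation addresses, not values from the original page.
SAMPLE_ZONE = """\
$TTL 86400 ; 24 hours, could have been written as 24h or 1d
$ORIGIN example.com.
@  1D  IN  SOA ns1.example.com. hostmaster.example.com. (
              2002022401 ; serial
              3H         ; refresh
              15         ; retry
              1w         ; expire
              3h         ; nxdomain ttl
              )
       IN  NS     ns1.example.com.    ; in the domain
       IN  NS     ns2.smokeyjoe.com.  ; external to domain
       IN  MX  10 mail.another.com.   ; external mail provider
ns1    IN  A      192.0.2.1           ; name server
www    IN  A      192.0.2.2           ; web server
ftp    IN  CNAME  www.example.com.    ; alias, target is an FQDN
bill   IN  A      192.0.2.3
"""

# BIND time units (a non-standard extension; RFC 1035 allows only plain seconds).
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT"}
CLASSES = {"IN", "CH", "HS"}


@dataclass
class RR:
    name: str       # owner name, always expanded to an FQDN
    ttl: int
    rclass: str
    rtype: str
    rdata: list


def parse_ttl(token):
    """Parse '86400', '1D', '3h', '1w' ... into seconds."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", token)
    if not m:
        raise ValueError(f"bad TTL value: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def fqdn(name, origin):
    """'@' means the origin; a name without a trailing dot gets it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Drop ';' comments and join '(' ... ')' continuation lines (the SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined = " ".join(buf)      # keeps the first line's leading blank
            buf = []
            if joined.strip():
                yield joined


def parse_zone(text):
    origin, default_ttl, last_name, records = "", None, None, []
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if line[:1].isspace():          # blank name field: reuse previous owner
            if last_name is None:
                raise ValueError("first record has no owner name")
            name = last_name
        else:
            name = fqdn(toks.pop(0), origin)
        ttl, rclass = default_ttl, "IN"
        while toks and toks[0] not in TYPES:   # optional TTL and class
            tok = toks.pop(0)
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        if not toks:
            raise ValueError(f"no record type in line: {line.strip()!r}")
        if ttl is None:
            raise ValueError("record without TTL and no $TTL directive")
        rtype = toks.pop(0)
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(toks[0], origin)]
        elif rtype == "MX":
            rdata = [int(toks[0]), fqdn(toks[1], origin)]
        elif rtype == "SOA":            # mname rname serial refresh retry expire minimum
            rdata = [fqdn(toks[0], origin), fqdn(toks[1], origin)]
            rdata += [parse_ttl(t) for t in toks[2:7]]
        else:
            rdata = toks
        records.append(RR(name, ttl, rclass, rtype, rdata))
        last_name = name
    return records
```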

There are many other types of special records. For a more exhaustive list, we refer to the following blog http://www.nahnuh.com/blog/dns-the-dark-knight-of-the-internet/ for a quick overview, or to the cited books for a more detailed account.

Having understood the structure of the information present in the domain name system, let us now proceed to how it is actually distributed and maintained.

3. DNS operations

Here we describe the operations of the Domain Name System. These are realized using dedicated protocols, involving both TCP and UDP communications. The standard port of this service is 53.

3.1. DNS Queries

This is the operation realizing the main goal of DNS: to translate names to IP addresses. Each networked device has a component, the stub resolver (or resolver in brief) for that purpose. If an application, e.g., a Web browser, needs the address of another system, e.g., for visiting "www.nahnuh.com", it will ask the resolver: "What is the IP address of www.nahnuh.com?" There are two possible ways for the resolver to get this information.

3.1.1. Iterative queries

This is the kind of query which must be supported by all name servers. The process, in this case, is as follows:

  • The resolver asks the locally configured default name server about "www.nahnuh.com".
  • The locally configured nameserver looks up the address in its cache, which is built from previous queries.
    • If it finds the address, it returns the answer along with the related CNAME records (aliases), and the query is completed. This answer is non-authoritative in this case.
    • If the required information is not there in the cache, the local name server replies to the resolver with a referral to the root server of www.nahnuh.com.
  • The resolver asks the root server for the list of authoritative name servers for the given TLD, ".com." in our case.
  • Using the answer, the resolver asks the TLD name server for the list of authoritative name servers of the SLD, ".whoisxmlapi.com." in our case.
  • Finally, the resolver asks the authoritative name server of the SLD about the IP address of "www.nahnuh.com", and receives the authoritative answer.

Apart from IP addresses (possibly with CNAME records and referrals), there can be answers showing a temporary or permanent failure, or reflecting the absence of the domain (NXDOMAIN), which are treated in the protocol just as one would logically expect.

Note that here all the communication went between the resolver and various name servers in several iterations, hence the name. There was no direct communication between the name servers themselves, i.e., there was no recursion. But it is easy to see that if this were the only possibility, the cache of the local name server (or of any other name server) would remain empty. Therefore, at least the local name server, and possibly some others, should support communication with other name servers. This leads us to the need for the other type of query.

3.1.2. Recursive queries

This type of query is not necessarily supported by name servers. It enables communication between the servers and thus supports building a cache. Let us see our previous example now in a scenario where the local name server supports recursion:

  • The resolver asks the local name server about "www.nahnuh.com".
  • If the local nameserver finds the information in the cache, a non-authoritative answer is returned and the query is concluded.
  • In the absence of the information in the cache, the local DNS will ask a root server about the authoritative server of the TLD, ".com". A referral will be returned.
  • The local name server asks a name server of ".com." for the authoritative name servers of the SLD ".whoisxmlapi.com.", and a referral is returned.
  • The local name server asks the authoritative name server of ".whoisxmlapi.com" about "www.nahnuh.com".
  • The obtained information is returned as an authoritative answer to the resolver.
  • Meanwhile, the information is cached; it will live till the prescribed time (Time To Live, TTL), so if the same question is asked from the local name server again, there is no need to ask for referrals.

Errors and non-existent domains are also treated logically here. Note that the resolver does not receive any referrals in this case. Evidently, the main difference between this protocol and the previous one is that the handling of referrals is now done by the local name server and not by the resolver itself, which also supports the caching activity of the local name server.
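The two query types described above, as an added Python model that is not part of the original document: a constructed toy delegation tree (root, ".com.", "nahnuh.com.", with RFC 5737 documentation addresses) stands in for the authoritative servers, and a local name server with a TTL-bounded cache is queried first in iterative mode (it answers from cache or lets the stub resolver walk the referrals itself) and then in recursive mode (it walks the referrals and caches the answer).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed toy delegation tree for the names used in the text. Each
# authoritative server knows its own A records and the zones it delegates.
# Addresses are RFC 5737 documentation values, not real ones.
AUTHORITATIVE = {
    ".":           {"delegates": ["com."]},
    "com.":        {"delegates": ["nahnuh.com."]},
    "nahnuh.com.": {"a": {"www.nahnuh.com.": ("192.0.2.10", 300)}},
}


@dataclass
class Answer:
    kind: str                 # "answer", "referral" or "nxdomain"
    data: Optional[str]       # IP address, or the zone to ask next for a referral
    ttl: int
    authoritative: bool


def ask_authoritative(zone, qname):
    """What the authoritative server of `zone` replies; it never recurses."""
    z = AUTHORITATIVE[zone]
    if qname in z.get("a", {}):
        ip, ttl = z["a"][qname]
        return Answer("answer", ip, ttl, authoritative=True)
    for child in z.get("delegates", []):
        if qname == child or qname.endswith("." + child):
            return Answer("referral", child, 0, authoritative=True)
    return Answer("nxdomain", None, 0, authoritative=True)


def walk_referrals(qname):
    """Follow referrals from the root down; returns (answer, zones asked)."""
    zone, trace = ".", []
    while True:
        ans = ask_authoritative(zone, qname)
        trace.append(zone)
        if ans.kind != "referral":
            return ans, trace
        zone = ans.data


class LocalNameServer:
    """The locally configured name server with a TTL-bounded cache."""

    def __init__(self):
        self.cache = {}           # qname -> (ip, absolute expiry time)

    def from_cache(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:  # still alive: non-authoritative answer
            return Answer("answer", hit[0], hit[1] - now, authoritative=False)
        return None

    def recursive_lookup(self, qname, now):
        """Recursion enabled: the server itself walks the referrals and caches."""
        cached = self.from_cache(qname, now)
        if cached:
            return cached, []
        ans, trace = walk_referrals(qname)
        if ans.kind == "answer":
            self.cache[qname] = (ans.data, now + ans.ttl)
        return ans, trace


def iterative_lookup(qname, local, now):
    """Recursion refused: the stub resolver gets either a cache hit or a
    referral to the root, and then has to walk the referrals itself."""
    cached = local.from_cache(qname, now)
    if cached:
        return cached, ["local cache"]
    return walk_referrals(qname)
```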

3.2. Reverse mapping

So far, it is clear how we find out the IP of a host by its name. But in many cases, the opposite is needed: we have an IP address, and we want to know the name (or names, aka aliases) it belongs to. Even though the DNS was designed to have a special kind of query for the purpose, it has never been put into practice. Finally, it was even made obsolete by RFC 3425. Instead, the problem of finding a name for an IP, the "reverse mapping", can be handled using the same tools as the direct name-to-IP mapping, with a neat trick. And indeed, this is the de facto way it is done. To understand the idea, however, we need some background information about the delegation structure of IP addresses.

3.2.1. Netblocks

Do IP addresses have a hierarchical structure like that of domain names? They should have one, indeed, as the responsibility has to be delegated not only for domains but also for IP addresses somehow.

The key to this is "Classless Interdomain Routing", CIDR, which we summarize here very briefly. (If you are interested in the details, an explanation can be found, for example, here: https://ip-netblocks-whois-database.whoisxmlapi.com/blog/who-owns-the-internet-ip-netblocks-whois-data-will-tell-you)

An IP address (take the one in our example) has 4 numbers between 0 and 255. In a binary representation, this is 4*8 bits. In our example, it will be 01101000000110111001101011101011. We keep the leading zero as we need exactly 32 bits, but we omit the dots; they do not have any role from now on: the octets are concatenated, forming a single 32-digit binary number. This is the ordinal number of the machine.

The assignment of the authority over multiple IP addresses is done in netblocks: these are contiguous intervals of IP addresses. They are defined by fixing a given number of most significant digits. The address in the above example belongs to a netblock with a 12-bit prefix (a "/12" in the CIDR notation), which means that the first 12 digits define the block, and the remaining, less significant ones define the actual host. So, our IP is between the beginning and the end of this interval:

011010000001.00000000000000000000 (the dot separates the 12 fixed prefix bits from the 20 host bits)

How about the hierarchy? Clearly, if we fix fewer digits, we get a bigger interval, and all the smaller ones will be within that one. E.g., our netblock belongs to a higher-level one as well in the hierarchy,

01101000.000000000000000000000000 (8 fixed prefix bits, 24 host bits)

This is a very elegant way of subdividing the whole IP range into a hierarchy of contiguous intervals which either do not intersect or where one contains the other. And, indeed, the delegation hierarchy of IPs is arranged on this basis.

3.2.2. The reverse mapping domain

When comparing to the hierarchy of domain names and looking at the binary numbers representing the IPs as strings, we find a significant difference. In the case of domain names, the highest level in the hierarchy, the TLD is at the end of the string, whereas in the case of IPs, the bits, that is, the characters specifying the higher order in the hierarchy, are at the beginning. And here, the big idea comes in: if we reverse the IP address character by character, the two hierarchies become compatible. Now, as the DNS has tools for handling the hierarchy of domain names, we can use the same tools for the reverse name resolution!

So, how does it work out?

  • Define a special root domain for IP addresses. This is named "IN-ADDR.ARPA.". (Historically, it used to be directly related to the organization "ARPA", but now it is meant as "Address and Routing Parameter Area".)
  • Within this domain, an IP will be represented by a name having all its digits inverted, e.g., "" will be ""
  • In the zone file, we need a special RR for these names, this is "PTR". So, a record in a reverse zone file would look like:
    235 IN PTR foo.example.com.
    assuming that this IP belongs to "foo.example.com". The formal syntax of this record is "name ttl class rr name". The first name is treated as a string, although it looks like a number; the $ORIGIN directive is in action here as well, unless we write an FQDN, like "". The target name also ends with a dot, since otherwise $ORIGIN would be appended to it as well. If the TTL is not defined, as in our example, the default is used; IN stands for the Internet, and PTR is the type of this RR.

With these conventions, the reverse resolution can be solved exactly in the same way as the forward resolution. As for the actual administration and hierarchy, the players are somewhat different than in the case of zone files.
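The conversions behind Sections 3.2.1 and 3.2.2, as an added Python example that is not part of the original document: binary and dotted-quad forms, the first and last address of a CIDR netblock, block membership, the IN-ADDR.ARPA name (octets in reverse order), the $ORIGIN of an octet-aligned reverse zone, and the relative PTR record with the FQDN check for its target. PAGE_BITS is the 32-bit string the text uses; everything else is computed from it.

```python
# The 32-bit string the text uses as its example address.
PAGE_BITS = "01101000000110111001101011101011"


def ip_to_bits(ip):
    """'a.b.c.d' -> 32-character binary string (octets concatenated)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return "".join(f"{o:08b}" for o in octets)


def bits_to_ip(bits):
    """32-character binary string -> 'a.b.c.d'."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def netblock(ip, prefix_len):
    """First and last address of the CIDR block: the first `prefix_len` bits
    are fixed, the remaining bits run from all zeros to all ones."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    head = ip_to_bits(ip)[:prefix_len]
    host_bits = 32 - prefix_len
    return bits_to_ip(head + "0" * host_bits), bits_to_ip(head + "1" * host_bits)


def in_block(ip, block_ip, prefix_len):
    """Membership test: same leading `prefix_len` bits."""
    return ip_to_bits(ip)[:prefix_len] == ip_to_bits(block_ip)[:prefix_len]


def reverse_name(ip):
    """The octets in reverse order under the IN-ADDR.ARPA root."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def reverse_zone_origin(ip, prefix_len):
    """$ORIGIN of the reverse zone holding `ip`. Delegation in in-addr.arpa
    follows the octet boundaries, so only /8, /16 and /24 are handled here."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("reverse zones are delegated per octet: use 8, 16 or 24")
    kept = ip.split(".")[: prefix_len // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa."


def ptr_record(ip, origin, target):
    """Relative PTR record as it would appear in a zone file with $ORIGIN set.
    The target must be an FQDN; otherwise $ORIGIN would be appended to it."""
    if not target.endswith("."):
        raise ValueError(f"{target!r} is not an FQDN, $ORIGIN would be appended")
    rev = reverse_name(ip)
    if not rev.endswith("." + origin):
        raise ValueError(f"{ip} does not belong to the zone {origin}")
    owner = rev[: -len(origin) - 1]      # strip ".<origin>" from the end
    return f"{owner} IN PTR {target}"
```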

3.2.3. Organizations maintaining the reverse zone files

At the root of the system of IP addresses is the Internet Assigned Numbers Authority (IANA); they maintain the root name servers for .IN-ADDR.ARPA. They delegate the smaller blocks to Regional Internet Registries (RIRs) that run the servers on their level (a kind of counterpart of the TLDs in the case of domain names). There are currently five of them.

These then delegate smaller blocks to smaller organizations or persons; everyone with a specific netblock has to run the respective server.

So, all that we have said about recursive and iterative queries works in the same way for inverse mapping, using the above hierarchy of servers.

3.3. Zone maintenance

This is the set of operations which enable the different authoritative name servers to keep their zone files up to date. As the details are less important from the applications' point of view, we just provide a brief overview of the involved operations. We remark, however, that these are essential for the proper operation of the domain name system, especially from the performance and robustness point of view. The main operations are as follows:

  • AXFR
    Full Zone Transfer is simply the polling of the whole zone file, typically from a master to a slave server. It is initiated by the slave. Such polling has to take place according to the timings defined in the SOA record, where all the relevant time parameters, such as timeout, are defined. It is important that the zone file does not get updated if the one to be polled does not have a bigger serial number than the currently available one. A con of AXFR is that a zone file can be huge; an incremental update is much more efficient in some cases.
  • IXFR
    Incremental Zone Transfer is an update of the zone file restricted to the changed records only. It was introduced in RFC 1995. It is done under the same conditions as AXFR, also initiated by the slave, but it requires much less data to move, so it is much more efficient both regarding the time required to carry it out and bandwidth-wise.
  • NOTIFY
    Also introduced in RFC 1995, this is an operation in the inverse direction as compared to the previous two: it is used to notify slaves that a change in the zone file might have occurred, so it is likely that they should poll it. This has significant benefits for the propagation time of zone file changes.

All these rather logical maintenance operations are based on zone files as literal files existing on certain servers and being interchanged amongst them. With the growth of the Internet, this also became a bottleneck. The files became huge and hard to administer. In addition, if any change appears, the server has to read the whole file again sequentially, possibly causing unacceptable downtime. This leads to the need for dynamic DNS, introduced in RFC 2136. This enables the update of zone records from external sources. However, it does not allow for adding or deleting zones. In addition, it raises additional security issues, as there are more servers involved in the update. Hence, the same RFC defines the concept of a primary master name server, which is just one of the master name servers but authorized to control the DDNS process.

Having understood the key DNS operations, let us see what types of name server occur in the DNS system.

4. Name Servers

In this section, we take a closer look at the servers themselves which run the DNS protocol. First, we will classify them based on their role in the system, then we will briefly describe some particular implementations.

4.1. Functionality

Even though we frequently speak about types of name servers, maybe using the term "role" instead of "type" would be more in order. Actually, the same physical server can be a master of a given zone and a slave in another, and may even serve as a caching server in the meantime, depending on the configuration of its software. And the commonly-used implementations allow for very byzantine settings as well. Nevertheless, it is important to distinguish between certain roles:

  • Master Name Servers
    These read the information directly from the zone files (edited locally). They give authoritative answers about the hosts in their zone, enable the slaves to poll zone files from them, and send them NOTIFY messages when appropriate.
  • Secondary Name Servers
    They are the slaves. They poll their zone files from their master and provide authoritative answers to queries regarding their zone.
  • Caching Name Servers
    These do not have complete zone files. They have a cache built from the non-expired results of previous queries and can provide non-authoritative answers to queries they hold the answer for. They support recursive operation and communicate with slave or master servers when they receive a query whose result is not yet cached. If they forward an authoritative answer to the resolver, their answer is also considered as authoritative.

In addition, there are some other types not directly relevant from the point of view of the global DNS ecosystem:

  • Forwarding or proxy name servers
    These forward all queries to another name server, and cache all the obtained results. At first, this sounds pretty much like a caching name server, but it is not the case. These name servers will not process referrals at all, hence the communication between them and the resolver is restricted to one query-response pair in the case of each lookup request. They are mainly useful for saving network traffic.
  • Stealth name servers
    These are the ones serving a local network whose sites are not visible from the outside. So, the hosts, except for a few servers, are within a demilitarized zone (DMZ), they have internal IPs, and they see the Internet through a firewall gateway, typically with IP masquerading. Their specialty is that they are expected to answer the queries of the internal hosts, both regarding domains on the Internet and host names within the DMZ. Sometimes, they are also called DMZ, or split name servers.

4.2. Implementation

Perhaps, the most prevalent piece of DNS software is BIND, the Berkeley Internet Name Domain, which was originally developed at the University of California, Berkeley. It is a free, open-source, and reliable implementation running on most root servers, etc.

Alternatives do exist, though. Microsoft Windows servers, for instance, have their own DNS server implementation. And there are many others. Some are designed to act as a simple proxy, some are designed to be an authoritative-only server, etc. A good comparison of these implementations is here: https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software.

Importantly, as we have described, a standard zone file can be migrated from one implementation to another. But many of the servers (including BIND) accept non-standard features in the zone file, like using time units other than seconds. This should also be taken into account if zone files are analyzed with any other type of software.

5. A simple query example

But what do end-users see from all these? Well, not too much. In most cases, they type in a name, and they are not even familiar with the existence of an IP address.

However, as professionals, we can send a query to a server and obtain the accurate answer. The very reason for putting this short section here is that in order to really understand what is going on, we need to illustrate everything that we have discussed so far.

There is a variety of tools for this. We shall use the nslookup utility available on most platforms (even though the Linux and other UNIX-flavor communities tend to prefer the command dig instead).

So, let us give it a try: on my typical Ubuntu host, the command

nslookup www.example.com

will result in the not-so-detailed non-authoritative answer:

Server:
Non-authoritative answer:
Name:    www.example.com
Address:

Note that the answer was given by my local host. Indeed, most Linuxes tend to run a proxy name server locally. But what if I'm interested in the related SOA record, too? The "nslookup" has many options, including this one:

nslookup -type=soa www.example.com

and the answer will be:

Server:
Non-authoritative answer:
Can't find www.example.com: No answer
Authoritative answers can be found from:
example.com
        origin = sns.dns.icann.org
        mail addr = noc.dns.icann.org
        serial = 2018112857
        refresh = 7200
        retry = 3600
        expire = 1209600
        minimum = 3600

Well, in fact, it is not "www.example.com" but "example.com" that has an SOA record. So I could have said:

nslookup -type=soa example.com

resulting in:

Server:
Non-authoritative answer:
example.com
        origin = sns.dns.icann.org
        mail addr = noc.dns.icann.org
        serial = 2018112857
        refresh = 7200
        retry = 3600
        expire = 1209600
        minimum = 3600

Or, if I want to have an authoritative answer directly, I can specify the name server host:

nslookup -type=soa example.com sns.dns.icann.org

resulting in:

Server:    sns.dns.icann.org
Address:
example.com
        origin = sns.dns.icann.org
        mail addr = noc.dns.icann.org
        serial = 2018112857
        refresh = 7200
        retry = 3600
        expire = 1209600
        minimum = 3600

Finally, let us demonstrate a reverse lookup:


resulting in:

Server:
Non-authoritative answer:
        name = whoisxmlapi.com.

Of course, what we have seen here is just a small portion of the supported possibilities, and we encourage our readers to play around with them. All the types of RRs are available through these queries, even those which we have not yet discussed, e.g., the ones defined in support of security.

6. Security

In this section, we will address two points. First, we will provide an overview of potential threats against the DNS system itself and the possibilities of its protection. Then, we will discuss the role of the DNS in overall IT.

6.1. Internal security of the DNS system

The DNS protocol, by its original design, is based on unencrypted network communications. Hence, it is prone to various security threats. These even include the modification of delegation details. We go through these along with the possible means of protection.

  • Zone file corruptions
    A corrupt zone file, regardless of whether it got corrupted accidentally by some mistake made by authorized personnel or by a malicious intruder to the system, can obviously cause a lot of problems: lack of proper updates, invalid name resolutions, or even the malfunction of a master server. This is a local issue, and it can be overcome by proper system administration and ensuring the overall server security.
  • Zone file transfers
    They are vulnerable to various types of attacks. For instance, a malicious agent can intercept AXFR or IXFR communications and inject distorted information into the system, e.g., by IP address spoofing, thereby poisoning slave name servers. One way to overcome this is to disable zone transfers. But obviously, it is not always possible. Another option is the protection of the network architecture itself. Finally, the communication can be authenticated and encrypted. RFC 2845 describes the Transaction SIGnature (TSIG) protocol to facilitate an authentication step of the zone file update process. It uses shared secret keys and one-way hashing to ensure the security of the authentication. A special RR type, TKEY, is used in various modes to facilitate the establishment of the shared key.
  • Dynamic updates
    The same can be said here as in the case of conventional zone file updates: address spoofing or unauthorized updates can introduce invalid data into the system. Besides TSIG, there is another related protocol, SIG(0), for request and transaction authentication based on public-key cryptography, cf. RFC 2931.
  • Attacks against remote queries
    Subverted masters or slaves, as well as poisoning caches, are all possible attacks against Server-Client communications. A good solution is the use of DNSSEC (Domain Name System Security Extensions), designed for authenticating these communications securely, albeit lacking encryption of the actual communication. This obviously also requires a variety of additional RRs. It is not yet prevalent, but there are a lot of pilot projects and zones where it has been introduced. Additional information can be obtained from https://www.dnssec.net/projects.
  • Attacks against resolver queries
    These are similar to those mentioned in the previous item, affecting communication between remote and local clients. Besides the use of DNSSEC, the usual SSL/TLS encryption of the communication is a good way of protection.

6.2. DNS in IT security

The connection of domain names with IP numbers is of paramount importance in IT security. For instance, many spam mail filtering methods are based on the verification of the validity and appropriateness of the DNS data of the sender. Firewall logs contain primarily IP addresses, hence, when investigating threats, it is important to see if it is possible to validly assign domain names to these. And if there are some data, they can reveal a lot of information about the opponent. Many other applications can be listed; considering that naming resources is an inherent feature of any electronic network communication, and it is naturally related to the identity - real or virtual - of the communicating entities.

7. Passive DNS

DNS has one significant shortcoming, especially when viewed from the IT security point of view. While it always contains timely information about domains and IPs, it is just a snapshot which does not allow obtaining DNS information of past time instants within this system. Of course, it is quite natural that even if the snapshot embodies a tremendous amount of data, it is virtually impossible to maintain the whole history. And yet, it would be of paramount importance.

7.1. Reasons why we need passive DNS

Imagine, for instance, that you find an IP address upon the investigation of some threat, but the IP address has ceased to exist. It is likely that at the time of the attack, it did resolve correctly, but then it has disappeared. At least, a chance to find a past resolution of the IP or domain would be a fundamental clue. And even if an IP address that has been marked as malicious does not resolve anymore, the data from the past could still provide a key for the identification of its domain, thereby preventing the malicious activity of the opponent. So, the past data has implications for the present and future security issues, too.

In another example, to detect the success of the aforementioned threats of the DNS system itself, it would be handy to have resolution data of the past. Its analysis could reveal the changes then.

These data can be used in more sophisticated ways in threat intelligence, involving a variety of big data and even machine learning tools, e.g., in order to reveal an algorithm generating short-lived domains registered by a suspicious agent.

7.2. The solution: Passive DNS

Passive DNS, which is otherwise not part of the DNS protocol, provides the very data the applications in the previous section cry for. The original idea was introduced around 2004: to use recursive name servers to log responses received from various name servers, and save the collected data, augmented with timestamps, in a compressed form, to a central database. Note that in this approach, no stub resolver to name server communication goes on; it is based on server-server communication. This saves a lot of network traffic and excludes vulnerabilities related to the avoided kind of protocols. In addition, it does not pose any privacy issues: you will not collect data on who and why a person tried to resolve an IP or a domain.

There are several passive DNS services on the market. The servers collecting the data are termed as DNS sensors, and they provide data for a central, usually very big database. Different services may have different strategies to select the communications to be logged from among the whole DNS traffic. Passive DNS has become a fundamental tool in IT security.

7.2.1. Passive DNS Applications

Passive DNS is an enabler, as it allows existing threat solutions to better perform their important roles. At the same time, it is a facilitator, as it helps produce actionable information that cybersecurity teams can use to be one step ahead of malicious actors.

These functions are made possible through a huge passive DNS database, the analysis of which can reveal the suspicious movements of past domain data which can be leveraged for threat intelligence purposes. Passive DNS data can also be correlated with other information or integrated into APIs for swift analysis.

Below are the relevant use cases of Passive DNS, and why they are crucial to cybersecurity maintenance:

How passive DNS can help, by application:

  Locating domains connected to known malicious addresses
    • Maps all domains connected to a known malicious IP address, enabling further detection.
    • Helps identify which of the domains are infected with malware and which ones are benefiting from it.

  Identifying malicious infrastructure and suspicious activities
    • Helps detect when trojans have infiltrated a system and are trying to let malicious users gain access to it.
    • Helps locate and dismantle domain infrastructure that supports phishing attacks.
    • Helps detect and reduce covert communications from an organization’s infrastructure.

  Fraud and domain name infringement detection
    • Helps identify if any fraudulent changes are made in the DNS system.
    • Allows pinpointing newly-registered domains, since these are often used for fraud.
    • Enables mitigating the risks of shadow domain, typosquatting, or other attacks where malicious actors create websites with deliberately similar addresses to those of reputable organizations.

  Getting actionable insights on the attacks and their mitigation
    • Passive DNS data combined with other data helps provide insights into what known bad actors are planning to do.
    • Helps mitigate phishing attacks, especially when the data is integrated with operational enterprise solutions.
    • Enables near real-time detection of fraudulent alterations to the DNS system such as cache poisoning attacks.
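The sensor-and-database model of section 7.2, together with the reverse lookup, resolution history and Newly Observed Domain checks the table above relies on, in a small in-memory store. This is an added example, not code from the page or from WhoisXML API; the class and function names are ours, and the names, addresses and timestamps fed in are constructed (the look-alike "exarnple-bank.test" is invented).

```python
"""Toy passive DNS store (added example; not code from the page or from WhoisXML API).

It models what section 7.2 describes: sensors record the answers that authoritative
name servers return to a recursive resolver (never which client asked), and a
central database keeps one row per (name, type, rdata) with first-seen and
last-seen timestamps and a hit count. It then answers the questions the use-case
table asks of such data. The observations in build_sample_db() are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str, str]  # (rrname, rrtype, rdata), all normalised


@dataclass
class Entry:
    first_seen: datetime
    last_seen: datetime
    count: int


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot so lookups match."""
    return name.strip().lower().rstrip(".")


class PassiveDNS:
    def __init__(self) -> None:
        self._rows: Dict[Key, Entry] = {}
        self._by_rdata: Dict[str, Set[str]] = defaultdict(set)  # rdata -> names
        self._by_name: Dict[str, Set[Key]] = defaultdict(set)   # name -> keys

    def ingest(self, ts: datetime, rrname: str, rrtype: str, rdata: str) -> None:
        """One answer RR seen by a sensor. A repeat only bumps count and last_seen,
        which is what keeps a passive DNS database compact."""
        key: Key = (_norm(rrname), rrtype.upper(), _norm(rdata))
        row = self._rows.get(key)
        if row is None:
            self._rows[key] = Entry(ts, ts, 1)
        else:
            row.first_seen = min(row.first_seen, ts)  # sensors may deliver out of order
            row.last_seen = max(row.last_seen, ts)
            row.count += 1
        self._by_rdata[key[2]].add(key[0])
        self._by_name[key[0]].add(key)

    def names_pointing_to(self, rdata: str) -> List[str]:
        """Reverse lookup: every name that ever resolved to this IP, NS or MX target."""
        return sorted(self._by_rdata.get(_norm(rdata), ()))

    def history(self, rrname: str) -> List[Tuple[str, str, datetime, datetime, int]]:
        """Resolution history of one name as (type, rdata, first, last, count), oldest first."""
        keys = self._by_name.get(_norm(rrname), set())
        rows = [(k[1], k[2], self._rows[k].first_seen, self._rows[k].last_seen,
                 self._rows[k].count) for k in keys]
        return sorted(rows, key=lambda r: r[2])

    def first_seen(self, rrname: str) -> Optional[datetime]:
        keys = self._by_name.get(_norm(rrname))
        if not keys:
            return None  # never observed by any sensor
        return min(self._rows[k].first_seen for k in keys)

    def is_newly_observed(self, rrname: str, at: datetime,
                          window: timedelta = timedelta(days=30)) -> Optional[bool]:
        """Newly Observed Domain check: True when the name first appeared within
        `window` before `at`; None when the database has never seen it at all."""
        seen = self.first_seen(rrname)
        if seen is None:
            return None
        return timedelta(0) <= at - seen <= window


INCIDENT_DATE = datetime(2018, 5, 10, tzinfo=timezone.utc)  # constructed: when the mail was analysed


def build_sample_db() -> PassiveDNS:
    """Constructed observations from two hypothetical sensors. Names use the reserved
    .test TLD and addresses come from the 192.0.2.0/24 documentation prefix."""
    db = PassiveDNS()
    utc = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    db.ingest(utc("2018-01-10T08:00:00"), "shop.example-bank.test", "A", "192.0.2.10")
    db.ingest(utc("2018-03-02T12:30:00"), "shop.example-bank.test", "A", "192.0.2.10")
    db.ingest(utc("2018-05-03T09:15:00"), "exarnple-bank.test", "NS", "ns1.hoster.test.")
    db.ingest(utc("2018-05-03T09:15:00"), "mail.exarnple-bank.test", "A", "192.0.2.10")
    db.ingest(utc("2018-05-04T10:00:00"), "MAIL.exarnple-bank.test", "A", "192.0.2.10")
    db.ingest(utc("2018-06-01T00:00:00"), "shop.example-bank.test", "A", "192.0.2.11")
    return db


if __name__ == "__main__":
    pdns = build_sample_db()
    # Use case 1: which names ever shared the address of a known bad host?
    print("names seen on 192.0.2.10:", pdns.names_pointing_to("192.0.2.10"))
    # Use cases 3 and 4: resolution history and the NOD check at incident time
    print("history of shop.example-bank.test:", pdns.history("shop.example-bank.test"))
    for name in ("mail.exarnple-bank.test", "shop.example-bank.test"):
        print(name, "newly observed:", pdns.is_newly_observed(name, INCIDENT_DATE))
```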

8. Summary and further reading

The present document aims to give a quick introduction to the Domain Name System, a crucial ingredient for the operation of the Internet. We have briefly reviewed its concepts, system architecture and implementation, goals and means to reach them, and, notably, its security issues and role in IT security.

This information is sufficient for a newcomer to have a basic understanding of the topic. But, of course, there are many additional details not described here. In this regard, we refer to the extensive literature on the subject.

There is a tremendous number of books and other documents available about the topic. To name a few, “Pro DNS and BIND” by Ron Aitchison provides a detailed, self-contained, and practical introduction to the topic. It is also worth mentioning Cricket Liu's classic works, such as the “DNS and BIND Cookbook”. As for DNS security, “DNS Security: Defending the Domain Name System” by Allan Liska and Geoffrey Stowe is a comprehensive source.

As for passive DNS, there are many good reads, too. The original idea of passive DNS is due to Florian Weimer, who has a very informative page on this: http://www.enyo.de/fw/software/dnslogger/. Though relatively old, his original paper is still one of the best introductions to the idea of passive DNS, its functionality and applications.

Finally, we remark that WhoisXML API, Inc., offers various API and database products related to the DNS system. A DNS lookup API provides a simple and convenient way to perform DNS lookups. The Reverse IP/DNS API provides comprehensive DNS information on an IP address, including its past. The Reverse MX API reveals all domains that use the same mail server, whereas the Reverse NS API finds all domains with the same name server. These APIs provide a handy way of obtaining useful information which is otherwise not easily found in the Domain Name System. The services are based on current and historic databases, which are also available for download.



WHOIS Databases: Business, Cybersecurity, and Many More Applications Explored
Published Fri, 08 Feb 2019 13:51:14 +0000 by admin at https://main.whoisxmlapi.com/whois-databases-business-cybersecurity-and-many-more-applications-explored

The Web is a tangle of information. Data is everywhere and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative or misleading. You may get your hands on something useful or be deceived – and learning more about domain owners and assessing whether they’re trustworthy is notoriously hard.

This is where the powers of WHOIS databases come in, whose applications are multiple — ranging from cybersecurity to marketing research to criminal investigation. How so? This white paper considers a variety of use cases.




A Brief Intro to WHOIS

With countless new domains registered on a daily basis, it’s difficult to stay informed about who owns the web. However, with WHOIS and WHOIS databases, this is possible. Let’s take a look at these as a starting point.

What is WHOIS?

In a nutshell, WHOIS is a suitable way to collect and verify data about individuals and organizations with an online presence. A WHOIS record is automatically created as part of each domain registration, and it includes identifiable information such as the domain owners’ names, contact details, and physical addresses alongside important dates regarding the creation, expiration, and transfer of domains.

What is a WHOIS database?

WHOIS databases are structured sets of WHOIS data that enable the reviewing of thousands or more domains simultaneously. In fact, raw WHOIS data, with each record being separate, is of little interest to large-scale users like, for example, cybersecurity and marketing departments seeking to check multiple online entities at once.

WHOIS databases are built by third-party providers, like WhoisXML API, and their utility can be evaluated according to their breadth — i.e. the number of TLDs and ccTLDs included — and accuracy — i.e. whether they are maintained and updated regularly with the latest domain information.

Cyber Security: A Safer Internet

Cybercrime activities have reached unprecedented levels. The 2018 Data Breach Investigations Report from Verizon counted 53,308 security incidents during the year, 2,216 of which resulted in data breaches.

Organizations and the public alike are at risk. For example, Under Armour, a sportswear manufacturer, reported that nearly 150 million of its MyFitnessPal accounts had been compromised by hacking, while the hotel chain giant Marriott had data on 500 million of its guests stolen as a result of a cyber attack.

Individuals are also a target of malicious emails with the average user receiving 16 shady emails on a monthly basis.

How do WHOIS databases help improve cybersecurity?

Cybersecurity teams have their hands full counteracting hackers and scammers whose nefarious skills and familiarity with modern systems make such efforts increasingly difficult.

So what’s the way forward? Comprehensive countermeasures must be put in place — combining traditional and unconventional techniques. Besides strengthening anti-virus and firewall capacities, cybersecurity personnel can look into domains and their infrastructure to identify threats and come up with solutions.

With WHOIS databases, individuals and businesses have access to accurate data to fight different cyber threats.

How WHOIS databases help, by application:
  • Counteracting phishing: Leveraging WHOIS information allows users to verify, check, and compare details of domains whose owners claim to be one entity but show up differently in the record.
  • Combating malware: Users can use WHOIS records when they suspect that a website may have been created for malicious ends. Warning signs include recent registration dates and registrants in high-risk countries.
  • Scoping malicious activity: Users can identify connected websites, IP addresses, and domains that could be linked to fraudulent activities by cross-referencing WHOIS data with other DNS details.
  • Proactive cybercrime prevention: Once a malicious domain has been identified through its WHOIS records, that address and the ones connected to it can be blacklisted to protect visitors from the same or similar attacks.

Threat Intelligence: The Hunt Is On

As threats continue to rise, organizations are recognizing that investing in prevention is better than mitigating the consequences of costly data breaches. Threat hunting, or actively searching networks to identify and eliminate threats, alongside threat intelligence, gathering evidence-based data to make informed decisions, has therefore gained momentum.

How does WHOIS support threat intelligence and hunting efforts?

What are the weak links in a given corporate network? Which corresponding tools should be adopted? As an SMB or a large organization, where would security budgets be best allocated? Affordable access to WHOIS databases could provide insights for threat hunting efforts and bolster existing threat intelligence platforms.

How WHOIS databases help, by application:
  • Proactively looking for threats: Real-time domain WHOIS data allows users to cross-examine registration details with sources of cyber data to identify threats.
  • Examining newly-registered domains: Automated notifications about new domains using WHOIS databases permit implementing proactive measures, such as the blocking of dubious websites.
  • Powering threat intelligence platforms: Users can feed WHOIS data into their threat intelligence platforms to get a closer look at the infrastructure of certain hosts.

Domain Registration: A Busy Marketplace

The Internet landscape is growing by more than 7 million domain registrations each year. This surge has made the Web a crowded place and an exciting market for domainers.

Why do WHOIS databases matter to domainers?

Domainers are hard-pressed to anticipate market trends and put their hands on the right names before anyone else does. However, there are other aspects to bear in mind like ensuring domains they purchase have been lawfully used. WHOIS databases allow staying on top efficiently.

How WHOIS databases help, by application:
  • Secure and fast purchases: Domainers can perform the necessary background checks on domain name availability while also getting updates on newly-registered or recently-expired domains that are available for purchase again.
  • Valuation and safe ownership transfer: Domainers can access the full history of a domain’s transactions including the date it was created, when it is due to expire, to whom it belonged, for how long, and through which registrar.

Brand Protection: Uncompromised Intellectual Property

What’s the value of intellectual property? Well, 3,000 trademark infringement lawsuits are filed in the US every year, and to reinforce this statistic, 3,074 WIPO cases were filed by trademark owners in 2017 through the Uniform Domain Name Dispute Resolution Policy (UDRP).

How can WHOIS support infringement detection?

Disputes on domains and trademark infringement are generally costly, especially when reliable domain information is not available. Not only do they take a lot of effort to go through, but they can also result in damaged reputations arising from bad publicity and lead to lost sales and revenues.

So how can IP management teams keep company assets protected from cases involving brand violations? Here again, WHOIS databases can prove their efficacy.

How WHOIS databases help, by application:
  • Monitoring competitor moves: The WHOIS protocol lets brand managers anticipate what their competition is planning through the analysis of newly registered domain names and potential launches of new products.
  • Preventing infringement: Users can monitor domains that have similarities to their brand – perhaps to cause confusion or damage reputation – and use WHOIS contact details to start remediating the situation.
  • Protection from brand abuse: Users can receive notifications of registration attempts that contain company trademarks or similar keywords for which they own usage rights.

Marketing Research with Facts

Market researchers have been on their toes as budgets go down to maximize return on marketing investments. Indeed, Procter & Gamble saved $750 million in 2018 by reducing advertising expenditures and cutting agency costs by 50%. So where can facts be gathered to support the business rationale of upcoming campaigns?

How can WHOIS data be used for marketing activities?

Traditional research techniques are not as effective as they used to be in a digital-driven world, and they do not allow companies to identify trends and remain a step ahead of their competition. WHOIS databases, on the other hand, can contribute to in-depth data analysis and fuel marketing initiatives at several levels.

How WHOIS databases help, by application:
  • Recognizing new opportunities: WHOIS records add to and improve the accuracy of existing business contact databases, allowing companies to engage purchasers and sellers.
  • Having relevant information on domains: Marketing departments are able to detect available neighboring domains to expand their product lines or rebrand themselves.
  • Staying on top of competitors and industry trends: Marketers can stay updated on the movement of domain registrations, acquisitions, and other such activities to monitor and foresee upcoming trends that may affect their competitive position.

Registrars in the Know

There are almost 3,000 accredited domain registration companies present in the registrar market. Stiff competition has called for service differentiation as well as cost reduction, and that requires clarity on where the industry is heading.

How does WHOIS add value to registrars?

Let’s say you operate in the registrar market. Would you like to know where you’re positioned in the industry? What’s your market share in a given country or for certain TLDs? Are there new entrants worth watching out for? To which service are your registrants migrating or from whom have you “stolen” customers?

These are some of the questions you can answer with WHOIS data integrated into your databases, which lets you track everything that’s happening with domain names.

How WHOIS databases help, by application:
  • Streamlined access to data: Registrars are able to set up WHOIS APIs connected to databases, saving time and avoiding the complexity of developing the backend themselves.
  • Reliable domain registration, management, and transfer: Registrars can use the information provided in databases to execute daily activities — checking domain name availability, confirming domain histories, identifying dangerous domains, and facilitating transfers for domain owners.
  • Combating phishing: Registrars can help law-enforcement agencies by providing them with in-depth knowledge of domains that are involved in cybercrime.

Law Enforcement Made Possible

The current cybercrime situation is quite rampant, and law enforcement agents are never out of work. Just recently a cybercrime ring accused of trafficking stolen identities was taken down by US authorities. However, not all cybercriminals are easy to catch. Perpetrators are becoming more creative and harder than ever to prosecute.

How can WHOIS data contribute to law enforcement?

Law enforcement agents need as many insights as possible to track down lawbreakers. Complete access to domain information can prove particularly valuable for conducting effective investigations and for studying and anticipating cybercriminals’ behaviors.

How WHOIS databases help, by application:
  • Getting investigative leads: Agents can investigate, trace, and analyze leads to possible malware authors and fraudulent website owners who may be part of a larger group of hackers and offenders.
  • Gathering information to prepare cases: Domain data can become part of threat data collection processes aimed to protect the public, build legal cases, as well as seize and take down suspicious domains following a trial.
  • Assistance during investigations: Domain ownership data can be obtained immediately through WHOIS records to support investigations, locate site owners and their service providers, as well as to support communication with courts and governmental authorities.

Fraud Detection in the Loop

Fraud levels have risen from 1.58% to 1.80% in 2018, while losses due to online payment scams are expected to reach $48 billion by 2023. That’s the dark side of business increasingly being conducted online, and it’s eroding customer trust.

What is the relevance of WHOIS databases for e-commerce businesses?

Online businesses need to effectively detect and prevent malicious activities — e.g., scammers seeking to get their hands on customers’ information. However, they don’t often have the time to monitor and analyze unlawful attempts one by one. Individuals, in parallel, may think twice before disclosing their details on a new website and completing a purchase.

Being able to perform queries at scale via a trusted WHOIS database or API easily is an effective way to intercept and combat fraudulent behaviors.

How WHOIS databases help, by application:
  • Fraud prevention: Users with WHOIS protocol access can investigate a website’s validity and credibility before giving up their credit card or other online payment information.
  • Fraud identification: Being able to flag users labeled with risky email IDs and websites could help identify malicious intents.
  • Fraud investigation: Cross-checking information in WHOIS databases enables people to investigate suspected illicit money transfers or invoices for possible scams.

Dependability for the Financial Sector

Without a doubt, cybercriminals and fraudsters are after money — and the people who hold it. For that reason, financial stakeholders are the common target of social engineering attacks where business proposals often sound too good to be true.

What are the applications of WHOIS for banks and financial institutions?

Financial organizations must show due diligence before they proceed with large transactions — e.g., payments for services and new projects, acquisition of a new technology or innovative company, etc. What’s more, deciding whether or not to commit funds to a new business is hard for venture capitalists, private equity firms, and banks.

In these and other circumstances, dependable WHOIS information is essential to make the right moves and avoid lemon investments.

How WHOIS databases help, by application:
  • Recognizing new opportunities: Investors can analyze domain information from WHOIS databases and learn more about the veracity of claims made during funding decision processes.
  • Better understanding the business backstage: Recent changes in WHOIS data and domain owner information reveal a lot about the state of possible mergers and acquisitions, investments, spinoffs, and business liquidations.
  • Enhancing business intelligence: Investors and banks can use domain registration data to improve their business intelligence efforts. WHOIS data can provide information on the structure and dynamics of companies using data mining techniques.

Scoops in the Data

With the World Wide Web reaching more than 1.8 billion websites and the emergence of fake news, sorting and verifying information is now harder than ever. How can media specialists differentiate themselves? Is the drop in the quality of online news inevitable?

Why is WHOIS data helpful to journalists?

Journalists need to keep up by performing a deeper analysis of content that matters while disregarding irrelevant sources. In that process, WHOIS databases can serve as an investigative tool to process large amounts of data about multiple online entities and uncover scoops.

How WHOIS databases help, by application:
  • Monitoring for new stories: WHOIS databases can be used to keep track of target registrants and their activities such as product launches, service developments, and new ventures.
  • Verifying information: Journalists can make sure that their facts are right by looking up WHOIS data and, if they are in doubt, contact the entities of their interest.
  • Getting the data that matters: Bulk WHOIS functionality allows users to obtain and filter data in batches using custom attributes and obtain the desired results for groups of domains immediately.

There are plenty of uses for domain ownership data in today’s business world. It can be applied to fortify an organization’s cybersecurity, enhance marketing strategies, collaborate with law enforcement, enhance brand protection, and much more.

Are you interested in experiencing how WHOIS databases can benefit you as an individual or organization? Send us your questions at general@whoisxmlapi.com.



Fight against phishing e-mail with WHOIS: A technical blog based on the 2018 "Airbnb" case
Published Fri, 08 Feb 2019 13:51:14 +0000 by admin at https://main.whoisxmlapi.com/fight-against-phishing-e-mail-with-whois

Phishing is a way to obtain sensitive information by sending electronic communication pretending to have come from a reliable, trustworthy partner. According to the 2018 IBM X-Force Threat Intelligence Index, "Despite the increased use of chat and instant messaging applications, email continues to be one of the most widely used communication methods for any organization, and phishing attacks continue to be one of the most successful means of making unknowing insiders open the door to malicious attackers."



On phishing scams


Hundreds of millions of phishing e-mails are sent on the Internet every day, leading to billions of dollars stolen annually, not to mention the hijacked accounts and sensitive data obtained this way. The importance of the fight against e-mail phishing thus cannot be overemphasized.

In what follows, we present an example of such fraudulent activity which attracted a lot of attention in the media recently and to which virtually anyone could fall victim. Through this particular example, we illustrate the use of WHOIS data in revealing this kind of malicious activity. WHOIS data can be an important piece of intelligence in any anti-phishing security software or solution.

The Airbnb story

Airbnb, the popular online marketplace for arranging and offering lodgings, has been prone to phishing activity for several years. As an online marketplace which assists in organizing payments, it is very attractive to malicious actors who would prefer the money transfers to ultimately end up in their temporary bank accounts.

The recipe in this scheme is simple: deceptive means convince a prospective victim that their credit or debit card data have to be sent in a reply e-mail or typed in on a short-lived, yet seemingly convincing website. Alternatively, these data can be stolen from the client's account along with other sensitive information, after a persuasive e-mail kindly asks them to send the account name along with the password in a reply, claiming it to be necessary for whatever reason.

The active enforcement of the General Data Protection Regulation (GDPR) started across Europe on May 25, 2018. In a matter of days after this data protection legislation took effect, Airbnb saw a significant burst of phishing e-mails. Paradoxically, even though the main intention with the new regulation was that "Stronger rules on data protection mean people have more control over their personal data and businesses benefit from a level playing field." (source: this link, 2018.11.06.), its introduction has led to numerous foreseen and unforeseen consequences, some of which, in fact, seem to be introducing significant IT security risks. One of the short-term impacts of the new rules was that all the companies handling data of EU citizens in any form had to contact their clients to confirm certain new agreements.

As a consequence, e-mails with reference to the new GDPR started flooding all EU citizens (with rules that many of the latter do not even clearly understand). Because most of those e-mails urged for some activity or reply, this confusion-filled scenario became a genuine paradise for phishing schemes.

The malicious scam is simple: send e-mails to all addresses in your spam database on behalf of Airbnb and refer to the new GDPR as the reason why they need to share their sensitive data. There will be enough gullible Airbnb clients on the list who will fall for the trick.

And it happened. It is enough to look at the headlines:

  • "Airbnb Customers Targeted with Phishing Scam" (Infosecurity Magazine, 4 May 2018)
  • "Redscan warns of GDPR phishing scams" (Computer Weekly, 3 May 2018)
  • "Phishing campaign aimed at Airbnb guests uses GDPR hook" (scmagazine.com, 4 May 2018)
  • "Gardaí warn of possible rise in email scams related to new data law" (The Irish Times, 28 May 2018)
  • "GDPR isn't to blame for all those dumb emails you're getting" (Wired, 11 May 2018)

etc., just to quote some of the news in English.

Let us now look at this incident from the point of view of WHOIS data.

A WHOIS-based investigation of the Airbnb campaign

There are two general ways for anti-phishing software, or a human analyst, to determine whether an e-mail is malicious:

  • Without scanning the full email, as that could possibly take lots of time. For this, external data sources can be used: WHOIS, NSL, proximity of the domain to a known malicious actor/domain/IP, etc.
  • By scanning the email: the contents of the email may be helpful if the link directs to a completely different domain or another malicious domain, etc.

In what follows we demonstrate the kind of information we can get, solely from WHOIS data that can be downloaded from the data feeds of WhoisXML API, supplemented by the possible use of some APIs.

About the approach

In our little investigation, looking to demonstrate the footprint of phishing attacks against Airbnb in the WHOIS ecosystem, we shall use simple Linux/Bash command-line tools on our CSV files downloaded from WhoisXML API, Inc. The same is trivially doable on Mac OS X as well. For Windows 10 users who want to try it out, we recommend installing Bash on Ubuntu on Windows (see our blog post on how to install it: http://www.nahnuh.com/blog/using-bash-andother-linux-tools-on-windows-10-for-processing-whois-data). Users of earlier server versions of Windows can also work with Microsoft Services for UNIX.

However, all of this is doable with your favorite tools such as Windows PowerShell, or Python, etc., too.

Single WHOIS records

Our starting point will be an example described in a related article found under this link. "While the phishing messages might look legitimate at first glance, it's worth noting that they don't use the right domain - the fake messages come from '@mail.airbnb.work' as opposed to '@airbnb.com'." The mail in the example dates back to 18 April 2018, about a month before the enforcement of the new GDPR.

Let us now check the "work" top-level domain by looking at the WHOIS data of the domain "airbnb.work". This is doable even with a simple WHOIS lookup, or by entering this search term in the "Whois lookup" field on http://www.nahnuh.com. By doing so we obtain information on who the domain belongs to. Is this a suspicious domain according to these WHOIS data?

First of all, phishing e-mails frequently come from domains which were registered recently and abandoned shortly afterwards. As for the relevant dates, we have:

  • Updated Date: 2018-03-22T15:47:34Z
  • Creation Date: 2015-04-07T06:47:17Z
  • Registry Expiry Date: 2019-04-07T06:47:17Z

This does not look like a very short-lived domain. However, looking at the other lines of the WHOIS record, as for the registrant, we can probably repeat all the data without the risk of privacy violation:

Domain's registrant

  • Organization: REDACTED FOR PRIVACY
  • State: Tokyo
  • Country: JAPAN
  • Country code: JP

We remark here that regarding the "Technical contact", "Billing contact", and "Administrative contact" data, all the fields are "REDACTED FOR PRIVACY". Of course, due to the "stronger rules" of the new GDPR, WHOIS records are nowadays less and less informative: much of the registrants’ data are hidden for certain privacy reasons. However, if we look at the WHOIS record of the real "airbnb.com", although there aren't as many pieces of information there which traditional WHOIS used to provide, we will still learn the following:

  • Registrant Organization: Airbnb, Inc.
  • Registrant State/Province: CA
  • Registrant Country: US

We do indeed learn to whom the domain belongs. And honestly, is there any good reason to hide the "Registrant Organization" for privacy reasons?

Here all we know about the registrant is the country: Japan. The registrar in question is in fact a known web hosting and service provider, also based in Japan, with many clients, so this part seems legitimate. It is odd, though, that "Tokyo" is given in the "State" field, whereas the "City" is "REDACTED FOR PRIVACY". Japan does not divide into ‘states’, and Tokyo is certainly not one. In fact, the "State" field is invalid, but let us suppose it is just an error. But then what would a genuine Airbnb-related enterprise gain from doing business correspondence from Japan, under a top-level domain ".work" which has no Japanese character whatsoever? It is hard to see any good reason.

Hence, there are multiple red flags in the WHOIS record of "airbnb.work" suggesting that any correspondence coming from it, or containing a URL pointing to it in the mail body, should be treated with care and at least be subjected to further investigation. (Note, however, that we do not state with certainty that "airbnb.work" is a malicious domain. We only remark that its registrant cannot be identified at all from its current WHOIS data, and that its registrar and registrant are from a country not directly related to Airbnb. And although it is claimed to be in use for malicious purposes in an incident described on a public web page, someone could well have misused an otherwise honest domain. We leave the estimation of the likelihood of all this to the reader.)

So far our investigation was based on a single WHOIS lookup at the time the e-mail is investigated. When doing this with a lot of e-mails, many WHOIS lookups are required, and when using the WHOIS protocol itself, most servers will soon refuse to serve us, as they impose rate limits. This problem can be overcome by using a proper Web-based API, such as https://whoisapi.whoisxmlapi.com, which will provide an accurate and up-to-date answer in JSON or XML and can simply be used from a script, e.g. with "curl".

Even simpler, the sender address "important@mail.airbnb.work" can be checked with our e-mail verification API. For the sake of completeness we show how this can be invoked from a shell, using, e.g. "curl":

curl --get --include "https://emailverification.whoisxmlapi.com/api/v1?apiKey=XXX&emailAddress=important@mail.airbnb.work"

Here you will need an API key provided with your API subscription; please replace "XXX" with your key. (A free subscription is available, so you can try what we are doing here.) This will result in the following JSON:

{
  "audit": {
    "auditCreatedDate": "2018-11-06 14:20:38.000 UTC",
    "auditUpdatedDate": "2018-11-06 14:20:38.000 UTC"
  },
  "catchAllCheck": "null",
  "disposableCheck": "false",
  "dnsCheck": "Invalid hostname",
  "emailAddress": "important@mail.airbnb.work",
  "formatCheck": "true",
  "freeCheck": "false",
  "smtpCheck": "null"
}

So if the mail arrived right now, the address would already fail at the DNS level rather than only at the WHOIS level: the mail host "mail.airbnb.work" cannot be resolved ("dnsCheck": "Invalid hostname"), so no SMTP check could even be attempted ("smtpCheck": "null"). Note that the API reports these checks as strings, so a script consuming the response must compare against "true" explicitly instead of testing the value for truthiness.
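The response above is easy to misread from a script: every check is returned as a string, so "false" and "null" are both truthy in most languages, and "dnsCheck" may carry a free-text reason instead of a boolean. The following Python is an added example (not part of the original article and not WhoisXML API's code) that normalizes these values and turns one response into a verdict. The sample response is the JSON shown above, embedded inline so the script runs offline; the verdict rules are this example's own policy, not the API's.

```python
import json

# Sample input: the e-mail verification response shown above, embedded
# verbatim so the example runs offline.
SAMPLE_RESPONSE = json.loads("""
{ "audit":{ "auditCreatedDate":"2018-11-06 14:20:38.000 UTC",
            "auditUpdatedDate":"2018-11-06 14:20:38.000 UTC" },
  "catchAllCheck":"null", "disposableCheck":"false", "dnsCheck":"Invalid hostname",
  "emailAddress":"important@mail.airbnb.work", "formatCheck":"true",
  "freeCheck":"false", "smtpCheck":"null" }
""")


def tristate(value):
    """Normalize one check value to True, False or None (check not performed).

    The API returns the checks as strings. "true" and "false" are the obvious
    cases, "null" means the check could not be run (here: no SMTP test without
    a resolvable host), and anything else, such as "Invalid hostname", is a
    free-text failure reason and therefore counts as False.
    """
    if value is None or isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text == "true":
        return True
    if text in ("null", ""):
        return None
    return False


def assess(response):
    """Return (verdict, reasons) for one verification response.

    "reject": the address cannot receive mail (bad syntax or no mail host);
    "suspicious": deliverable or undecided, but a check failed or was skipped;
    "ok": every check passed. The thresholds are this example's own policy.
    """
    reasons = []
    fmt = tristate(response.get("formatCheck"))
    dns = tristate(response.get("dnsCheck"))
    if fmt is False:
        reasons.append("malformed address")
    if dns is False:
        reasons.append("DNS check failed: %s" % response.get("dnsCheck"))
    if reasons:
        return "reject", reasons

    smtp = tristate(response.get("smtpCheck"))
    if smtp is None:
        reasons.append("SMTP check not performed")
    elif smtp is False:
        reasons.append("mailbox rejected by the SMTP server")
    if tristate(response.get("disposableCheck")):
        reasons.append("disposable address provider")
    if tristate(response.get("catchAllCheck")):
        reasons.append("catch-all domain, mailbox existence cannot be verified")
    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    verdict, why = assess(SAMPLE_RESPONSE)
    print("%s -> %s: %s" % (SAMPLE_RESPONSE["emailAddress"], verdict, "; ".join(why)))
```

For the sample response the result is "reject" with the single reason "DNS check failed: Invalid hostname"; a response in which every check reads "true" (or "false" for the disposable and catch-all checks) yields "ok", and one in which only the SMTP check is "null" yields "suspicious".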

Let us therefore take a quick look at the DNS data of "airbnb.work". This can easily be done either with the command-line utility "dig" or with another API at whoisxmlapi.com, namely the DNS API. That page has a simple interactive form for DNS lookups (one may also subscribe to use it from a program or with "curl"). Entering "airbnb.work" merely returns an error message:

"Unable to retrieve DNS record for airbnb.work". Although the domain exists (it is registered), it has no valid DNS record. This is another fact that makes the domain suspicious. A possible continuation of our investigation in the DNS direction would be the use of "passive DNS", a very important approach in forensic analysis, but we are not going into detail now, as we aim to demonstrate how far we can get with WHOIS. We remark, though, that passive DNS shows that this domain, although registered on 2015-04-07, was never observed in DNS before 2018-05-03. This is yet another red flag: it was effectively a Newly Observed Domain (NOD) at the time of the flood of GDPR-related e-mails.

What if an incident has to be investigated not shortly after it happened but later on? WhoisXML API, Inc. offers downloadable WHOIS datasets, including historic ones, too. Using these data could have various benefits. One can build a local WHOIS database and keep it up-to-date so that the filtering does not rely on an external API call. Also, such a database could provide historic data. As we shall see, even without setting up a database, one can download data and find relevant information by just analyzing the files with simple tools.

An investigation based on bulk WHOIS data

We will now search for short-lived domains using data from WhoisXML API's downloadable feeds. Motivated by the previous example, we choose a set of top-level domains whose names suggest that they may host short-lived domains related to Airbnb. We consider the following ones:

apartments, book, booking, business, global, hotels, international, reise, reisen, rent, rentals, trade, travel, travelers, vacations, work.

All of these are so-called "new gTLDs" in ICANN terminology. The best approach would be to download the data for all TLDs, including country-code top-level domains (ccTLDs), but since this is just a quick experiment, we restrict ourselves to this subjective selection.

Finding short-lived domains

Here we shall implement simple tools to present a proof-of-principle demonstration of how to find short-lived domains typically used in phishing attacks. Such an investigation is possible even years after the actual incident.

Downloading data

We shall use some of the daily data feeds, which are documented in detail in the product documentation. In particular, we first need data from the following feeds:

  • ngtlds_domain_names_new : domains registered on a given day
  • ngtlds_domain_names_dropped : domains deleted on a given day

By examining the emergence and disappearance of domain names containing the string "airbnb", we shall be able to identify short-lived domains. We investigate the period from 2017-01-01 to 2018-10-30. We need the data in "CSV" format, which in this case is just a text file with one domain name per line.

To download the data efficiently we use a specialized download script available in the GitHub repository, in its "whoisxmlapi_download_whois_data" subdirectory. It requires Python 2 and some additional modules; see its documentation for details. Having set up this program, we change into its directory and do

./download_whois_data.py --feed ngtlds_domain_names_new \
    --output-dir /path_to/downloaded_ngtlds_data \
    --username MYUSERNAME --password MYPASSWORD \
    --verbose --startdate 20170101 --enddate 20181030 \
    --tlds apartments,book,booking,business,global,hotels,international,reise,reisen,rent,rentals,trade,travel,travelers,vacations,work \
    --dataformat csv

for the data of new domains each day, and

./download_whois_data.py --feed ngtlds_domain_names_dropped \
    --output-dir /path_to/downloaded_ngtlds_data \
    --username MYUSERNAME --password MYPASSWORD \
    --verbose --startdate 20170101 --enddate 20181030 \
    --tlds apartments,book,booking,business,global,hotels,international,reise,reisen,rent,rentals,trade,travel,travelers,vacations,work \
    --dataformat csv

for the dropped ones. (In the above command lines, please replace "MYUSERNAME" and "MYPASSWORD" with the credentials you obtained with your subscription, and "/path_to/downloaded_ngtlds_data" with the directory in which you want to work with the data.) Those who prefer a GUI can start the program without any command-line arguments; a sequence of dialog windows will then guide them through the download process.

The result will be the following directory structure within the target directory we specified as --output-dir: there will be two subdirectories named after the feeds, i.e., "ngtlds_domain_names_new" and "ngtlds_domain_names_dropped". Within each of these there will be a subdirectory named after the TLD; consider "work" as an example. Within the TLD's subdirectory, each date will have a subdirectory, and a CSV file and its md5 sum will be there if any domains were added or dropped that day. Thus, the relevant files will have the path e.g.


for the added and dropped domains respectively.

Analyzing data

Let us consider a domain short-lived if it was both added and dropped within the examined period, i.e., between 2017-01-01 and 2018-10-30. Thus we are looking for all domains of a given TLD that appear in both its "new" list and its "dropped" list on some days within the period. These can be found with the following BASH code:

for tld in apartments book booking business global hotels international reise reisen rent rentals trade travel travelers vacations work
do
    echo "In TLD ${tld}:"
    comm -12 <((for i in ngtlds_domain_names_new/$tld/*/*.csv; do grep airbnb $i; done) | sort) \
             <((for i in ngtlds_domain_names_dropped/$tld/*/*.csv; do grep airbnb $i; done) | sort)
done

The following output is produced:

In TLD apartments:
airbnbmanager
airbnbmanager
In TLD book:
In TLD booking:
In TLD business:
In TLD global:
In TLD hotels:
In TLD international:
airbnb-rooms19982
booking-on-airbnb
In TLD reise:
In TLD reisen:
In TLD rent:
In TLD rentals:
airbnb-book
airbnb-booking
suisse-airbnb
In TLD trade:
airbnb-bookings
airbnb-tenant
In TLD travel:
In TLD travelers:
In TLD vacations:
airbnb-disneyworld
airbnb-guest
In TLD work:

Note that not all the examined top-level domains contain short-lived domains (in the sense defined above). However, we have found some short-lived ones which could indeed be suspicious. ("airbnbmanager" is listed twice because it was added and dropped twice within the period.)

Let us now choose one of them, e.g. "airbnb-rooms19982.international", and take a closer look at it. First we find out when it was registered:

grep -H airbnb-rooms19982 ngtlds_domain_names_new/international/*/*.csv

resulting in


so the domain was registered on 2018-05-17. However, doing

grep -H airbnb-rooms19982 ngtlds_domain_names_dropped/international/*/*.csv

we have the output


meaning that it was dropped on 2018-06-15, about one month later. This is at least suspicious...
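As an added example (not code from the original article or from the WhoisXML API download script), the following Python does the same search as the BASH loop above over the downloaded feed tree, but pairs each domain's "new" date with its later "dropped" date and reports the lifetime in days, so the per-domain grep steps above are not needed and re-registrations are handled. It assumes the directory layout described above, <output-dir>/<feed>/<tld>/<date>/<file>.csv with one label per line, and additionally assumes that the date directories are named like 2018_05_17 (the page does not show the exact naming). The sample tree it builds in a temporary directory is constructed for illustration, except for the airbnb-rooms19982 dates, which are the ones found above.

```python
import os
import re
import tempfile
from datetime import date

NEW_FEED = "ngtlds_domain_names_new"
DROPPED_FEED = "ngtlds_domain_names_dropped"
# Assumption: the per-day directories are named YYYY_MM_DD (or YYYY-MM-DD); the
# page describes one directory per date but does not show the exact name.
DATE_DIR = re.compile(r"^(\d{4})[_-](\d{2})[_-](\d{2})$")


def _scan_feed(base, feed, tld, keyword):
    """Yield (label, date) for every domain label containing keyword in one feed/TLD."""
    feed_dir = os.path.join(base, feed, tld)
    if not os.path.isdir(feed_dir):
        return
    for day in sorted(os.listdir(feed_dir)):
        match = DATE_DIR.match(day)
        if not match:
            continue                      # ignore anything that is not a date directory
        when = date(*map(int, match.groups()))
        day_dir = os.path.join(feed_dir, day)
        for name in os.listdir(day_dir):
            if not name.endswith(".csv"):
                continue                  # skip the .md5 checksum files
            with open(os.path.join(day_dir, name)) as fh:
                for line in fh:
                    label = line.strip()
                    if label and keyword in label:
                        yield label, when


def find_short_lived(base, tlds, keyword, max_days=None):
    """Pair each 'new' appearance with the next 'dropped' one per label and TLD.

    Returns [(fqdn, added, dropped, lifetime_days)] sorted by lifetime; when
    max_days is given only lifetimes up to that many days are kept. A drop with
    no observed preceding registration is ignored (the domain predates the
    downloaded period), and a label registered again after a drop starts a
    new pair.
    """
    results = []
    for tld in tlds:
        events = [(when, 0, label) for label, when in _scan_feed(base, NEW_FEED, tld, keyword)]
        events += [(when, 1, label) for label, when in _scan_feed(base, DROPPED_FEED, tld, keyword)]
        open_regs = {}
        for when, kind, label in sorted(events):   # 0 = new sorts before 1 = dropped on the same day
            if kind == 0:
                open_regs.setdefault(label, when)
            elif label in open_regs:
                start = open_regs.pop(label)
                days = (when - start).days
                if max_days is None or days <= max_days:
                    results.append(("%s.%s" % (label, tld), start, when, days))
    return sorted(results, key=lambda r: r[3])


def build_sample_tree(base):
    """Write a small constructed feed tree under base and return base.

    Only the airbnb-rooms19982 dates are the ones found above; the other
    entries are made up to exercise the never-dropped and never-added cases.
    """
    sample = {
        (NEW_FEED, "international", "2018_05_17"): ["airbnb-rooms19982", "legit-hotel"],
        (DROPPED_FEED, "international", "2018_06_15"): ["airbnb-rooms19982"],
        (NEW_FEED, "work", "2017_03_01"): ["airbnb-support"],
        (NEW_FEED, "work", "2018_01_10"): ["airbnb-jobs"],
        (DROPPED_FEED, "work", "2018_01_20"): ["airbnb-jobs", "never-added-airbnb"],
    }
    for (feed, tld, day), labels in sample.items():
        day_dir = os.path.join(base, feed, tld, day)
        os.makedirs(day_dir, exist_ok=True)
        with open(os.path.join(day_dir, "%s_%s.csv" % (day, tld)), "w") as fh:
            fh.write("\n".join(labels) + "\n")
    return base


def demo(max_days=60):
    """Build the sample tree in a fresh temporary directory and search it."""
    root = build_sample_tree(tempfile.mkdtemp())
    return find_short_lived(root, ["international", "work"], "airbnb", max_days)


if __name__ == "__main__":
    for fqdn, added, dropped, days in demo():
        print("%-34s added %s dropped %s lived %3d days" % (fqdn, added, dropped, days))
```

On the sample tree the search reports airbnb-jobs.work (10 days) and airbnb-rooms19982.international (29 days); "airbnb-support" is never dropped and "never-added-airbnb" has no observed registration, so neither is listed. Against a real download, point it at the --output-dir used above and pass the TLD list from the download command.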

Finally, let us see the detailed WHOIS data of the domain "airbnb-rooms19982.international". A standard WHOIS query will not find it, as the domain has ceased to exist. However, as it appeared in the feed on 2018-05-17, all we need to do is get the data from the "ngtlds_domain_names_whois_archive" daily feed, since at the time of investigating this case the registration happened more than three months ago.

(Were this not the case, we would use the feed "ngtlds_domain_names_whois".) So, returning to the downloader script's directory, we do the following:

./download_whois_data.py --feed ngtlds_domain_names_whois_archive \
    --output-dir /path_to/downloaded_ngtlds_data \
    --username MYUSERNAME --password MYPASSWORD \
    --verbose --startdate 20180517 \
    --tlds international \
    --dataformat regular_csv

The result will be the file

ngtlds_domain_names_whois_archive/2018_05_17_international.csv.gz

in our data directory. Thus we can look for our domain:

zgrep airbnb-rooms19982 \
    ngtlds_domain_names_whois_archive/2018_05_17_international.csv.gz

resulting in the following output:

"airbnb-rooms19982.international","Tucows Domains Inc.","airbnb-rooms19982.international@contactprivacy.com","whois.tucows.com","ns1.renewyourname.net|ns2.renewyourname.net|","2016-05-12T01:59:59Z","2018-05-16T03:22:02Z","2019-05-12T01:59:59Z","2016-05-12 00:00:00 UTC","2018-05-16 00:00:00 UTC","2019-05-12 00:00:00 UTC","clientTransferProhibited","2018-05-17 07:00:00 UTC","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CANADA","","","14165385457","","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CANADA","","","14165385457","","","","","","","","","","","","","","","","","airbnb-rooms19982.international@contactprivacy.com","Contact Privacy Inc. Customer 0143005938","Contact Privacy Inc. Customer 0143005938","96 Mowat Ave","","","","Toronto","ON","M6K3M1","CA

Granted, there is a nicer way to present this result (e.g. you may unzip the CSV file and open it with a spreadsheet application). However, there is no real need to do so: essentially all registrant data are hidden behind a privacy service (a "Contact Privacy Inc. Customer" with the proxy's postal address and a contactprivacy.com e-mail address), and this fact can very easily be detected in an automated way, too. Two further details of the record are worth noting. Its creation date reads 2016-05-12 and its last update 2018-05-16, the day before the domain appeared in the "new" feed, so the feed date marks when the domain (re)appeared in the dataset rather than necessarily its first registration. And its expiry date is 2019-05-12, yet the domain was dropped on 2018-06-15, almost a year before expiry, which is unusual for a domain in legitimate use.

Hence, if one asks whether the domain used to be a malicious domain related to the phishing campaign against Airbnb, though we cannot state it with absolute certainty, it is extremely likely to have been so.

Lessons to learn

To conclude, WHOIS data are indeed very useful in the fight against e-mail phishing and similar malicious activities, and WHOIS and DNS data can be an important part of any anti-phishing security solution. What we presented here was a hindsight investigation, but as the data in the daily feeds are always fresh and accurate, it is easy to turn this into an actual mail filtering procedure. A significant limitation of the example is that we only considered the sender address and did not check the e-mail contents: most phishing e-mails contain web links in the body, and the header of the e-mail also carries technical information on the servers involved, whose registration details are of significant relevance. Nevertheless, what we did here gives a hint of how to perform such an analysis. We used very simple generic tools to obtain usable clues, but since CSV files can be opened or imported with virtually any data processing software, a broad range of analyses is possible on the WHOIS data available in WhoisXML API's WHOIS database download subscription. Anti-phishing security solution vendors can embed the WHOIS database feeds to enhance their products' capabilities.

Download the full article in PDF


What you should know about WHOIS and Security https://main.whoisxmlapi.com/what-you-should-know-about-whois-and-security Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/what-you-should-know-about-whois-and-security

If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records.



WHOIS is important to organizations that seek to secure their digital landscape against threats because, aside from inaccurate records, there are many potential threats whose investigation starts from a domain name. These include:

  • Spam
  • Malware
  • Botnet sources
  • Advanced Persistent Threats
  • Malicious traffic
  • Ransomware
  • Insider threats
  • State-sponsored threat actors

What is WHOIS?

For generic TLDs, the collection, maintenance and publication of WHOIS data are governed by the contractual policies of The Internet Corporation for Assigned Names and Numbers (ICANN); country-code TLD registries set their own rules. The record identifies the owners and operators of a domain and indicates how to get in contact with them.

Collectively, this base of information provides integrity for domain registrations and a path for resolution for when issues might arise.

There are two models for how registration data are held and served, known as thin and thick.

THIN: the registry holds only the first level of information, i.e. the sponsoring registrar, registration dates, status and nameservers; the contact details have to be fetched from that registrar's own WHOIS server.

THICK: the registry itself holds the deeper ownership information, including names, addresses and contact information for the registrant, administrative and technical parties (the latter two often the same as the registrant).

Look inside a WHOIS record

In any industry, standards change over time, and the forces behind WHOIS are just as susceptible to changes in standards and implementation. For the most part, however, these records are designed to hold all contact and registration information for the parties that register a domain name: the company, group or person responsible for the domain and for its administrative and technical operation.

Each WHOIS record should contain the following information:

  • The date of domain registration
  • The domain expiration date
  • Nameserver details
  • Name and contact information of the Registrant (domain owner)
  • The name and contact information of the administrative and technical contacts, and of the registrar through which the domain was registered
  • Most recent update information

Uses for WHOIS information

WHOIS has a number of important uses which include:

  • Is a domain available?
  • Alert technical contacts to security and site issues
  • Disclose contact, address information behind a given site
  • Emergency/Outage contact information
  • Provide information for domain-related transactions
  • Uncover responsible parties behind intellectual property scenarios
  • Channel for security and incident response contacts
  • Overall historical and background information behind traffic and domain sources

WHOIS, from the field

Legitimate, fully populated and compliant records are exceedingly rare, and the problem grows with the volume of records. This makes tracking down information a challenge. In addition to the hundreds of millions of domains in existence, there are thousands of registrars with varying implemented and enforced registration standards, and the servers running the WHOIS service are just as numerous. Like many systems born in the early days of the internet, WHOIS was not built to scale into the future, and what is inefficient can be exploited.

Despite its imperfect nature, the WHOIS system and the information within it are still critical to the industry: WHOIS reinforces the security and stability of the internet, largely as a channel through which Internet Service Providers, network administrators and security personnel can research domain-related information and reach the responsible contacts. WHOIS also gives structure to the domain registration process and has proved itself a channel for investigative activities and law enforcement.

On a global scale, WHOIS information assists in campaigns against technology abuses, uncovering botnet networks, nefarious actors, suspicious traffic sources, intellectual property infringements and more with the ability to track information behind domain activities.

WHOIS issues

One big issue with the system is the maintenance and updating of data. The process relies on the data entered when a domain is first registered; when things change, it is up to the registrant to update them. As phone numbers, e-mail addresses, postal addresses and other details change, WHOIS data become stale. ICANN's WHOIS Data Reminder Policy only requires registrars to remind registrants once a year to review and correct their data, and accuracy is not stringently enforced.

Another factor is private domain registration. Because WHOIS information is public, registrars began early on to offer privacy services, registering domains "by proxy" on their customers' behalf, so that the published record shows the proxy service's contact details rather than the real registrant's.

The Future of WHOIS

Next Generation: Registration Data Access Protocol (RDAP)

All things change, as is the way of technology and the internet. Seeking to improve the integrity of domain records, the RDAP standard was developed as a successor to the WHOIS protocol and is currently making its way through the adoption curve. The object was a standard for nimble, portable and accurate data without the legacy issues of WHOIS. RDAP returns machine-readable JSON over RESTful web services. Because it runs over HTTP(S), error codes, user identification, authentication and access control can be delivered through the universal HTTP web protocol instead of being bolted onto a plain-text protocol that never had them.

The RDAP servers for each TLD (and for IP address and AS number ranges) are located through bootstrap registries published by IANA, so a client can find the authoritative server for any query. The features of RDAP services include:

  • Standardized queries and responses
  • Data object language capabilities that extend beyond English
  • Redirection capabilities that allow seamless referrals to other registries
  • Network address registrations for IPV4 and IPV6

RDAP specifications

  • RFC 7480 – HTTP Usage in the Registration Data Access Protocol (RDAP)
  • RFC 7481 – Security Services for the Registration Data Access Protocol (RDAP)
  • RFC 7482 – Registration Data Access Protocol (RDAP) Query Format (since superseded by RFC 9082, which keeps the same query structure)
  • RFC 7483 – JSON Responses for the Registration Data Access Protocol (RDAP) (since superseded by RFC 9083, which keeps the same response structure)
  • RFC 7484 – Finding the Authoritative Registration Data (RDAP) Service, which defines the IANA bootstrap files
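As an added example (not from the original article), the following Python shows the two steps an RDAP client performs that a WHOIS client cannot: locating the authoritative server for a TLD through a bootstrap document, and reading structured fields straight out of the JSON response instead of scraping free text. The bootstrap excerpt follows the format of IANA's dns.json (RFC 7484), but its service URLs are invented for the example; the responses are constructed in the shape of an RFC 7483 domain object, one for a privacy-proxied registration and one carrying the "REDACTED FOR PRIVACY" remark that ICANN's gTLD RDAP profile prescribes for withheld contacts. Nothing here touches the network; fetching the built URL with any HTTP client and feeding the body to summarize() is the only step left out.

```python
import json

# Constructed excerpt in the format of IANA's RDAP bootstrap file for DNS
# (https://data.iana.org/rdap/dns.json, RFC 7484). The service URLs here are
# invented for the example.
BOOTSTRAP = {
    "version": "1.0",
    "services": [
        [["com", "net"], ["https://rdap.example-registry.test/v1/"]],
        [["international"], ["https://rdap.example-ngtld.test/"]],
    ],
}

# Constructed response in the shape of an RFC 7483 domain object for a
# privacy-proxied registration; the values are illustrative.
SAMPLE_RESPONSE = json.loads(r'''{
  "rdapConformance": ["rdap_level_0"],
  "objectClassName": "domain",
  "ldhName": "airbnb-rooms19982.international",
  "status": ["client transfer prohibited"],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.renewyourname.net"},
                  {"objectClassName": "nameserver", "ldhName": "ns2.renewyourname.net"}],
  "events": [{"eventAction": "registration", "eventDate": "2016-05-12T01:59:59Z"},
             {"eventAction": "last changed", "eventDate": "2018-05-16T03:22:02Z"},
             {"eventAction": "expiration",   "eventDate": "2019-05-12T01:59:59Z"}],
  "entities": [
    {"objectClassName": "entity", "roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Tucows Domains Inc."]]]},
    {"objectClassName": "entity", "roles": ["registrant"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Contact Privacy Inc. Customer 0143005938"],
                              ["adr", {}, "text", ["", "", "96 Mowat Ave", "Toronto", "ON", "M6K3M1", "CA"]],
                              ["email", {}, "text", "airbnb-rooms19982.international@contactprivacy.com"]]]}
  ]
}''')

# The same domain as a gTLD registry serves it after GDPR: contact fields empty
# and the entity carrying the remark ICANN's gTLD RDAP profile prescribes.
REDACTED_RESPONSE = json.loads(r'''{
  "objectClassName": "domain", "ldhName": "airbnb-rooms19982.international",
  "events": [{"eventAction": "registration", "eventDate": "2016-05-12T01:59:59Z"}],
  "entities": [{"objectClassName": "entity", "roles": ["registrant"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", ""]]],
                "remarks": [{"title": "REDACTED FOR PRIVACY",
                             "description": ["Some of the data in this object has been removed."]}]}]
}''')


def rdap_base_url(domain, bootstrap=BOOTSTRAP):
    """Return the RDAP service URL for the domain's TLD, or None if unlisted."""
    tld = domain.lower().rstrip(".").rsplit(".", 1)[-1]
    for tlds, urls in bootstrap["services"]:
        if tld in [t.lower() for t in tlds]:
            return urls[0]
    return None


def rdap_domain_query_url(domain, bootstrap=BOOTSTRAP):
    """Build the RFC 7482 domain lookup URL, i.e. <base>/domain/<name>."""
    base = rdap_base_url(domain, bootstrap)
    if base is None:
        return None
    return base.rstrip("/") + "/domain/" + domain.lower().rstrip(".")


def _jcard(entity, prop):
    """Value of the first jCard property called prop in the entity, or None."""
    vcard = entity.get("vcardArray") or ["vcard", []]
    for name, _params, _type, value in vcard[1]:
        if name == prop:
            return value
    return None


def _is_redacted(entity):
    """True if the entity carries a 'REDACTED FOR PRIVACY' remark or has no name."""
    titles = [(r.get("title") or "").upper() for r in entity.get("remarks", [])]
    return any("REDACTED" in t for t in titles) or not _jcard(entity, "fn")


def summarize(rdap):
    """Pull the fields an analyst needs out of an RDAP domain object."""
    events = {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}
    out = {"domain": rdap.get("ldhName"), "status": rdap.get("status", []),
           "registered": events.get("registration"), "expires": events.get("expiration"),
           "nameservers": [ns["ldhName"] for ns in rdap.get("nameservers", [])],
           "registrar": None, "registrant": None, "registrant_email": None,
           "registrant_country": None, "redacted": True}   # no registrant entity at all counts as redacted
    for entity in rdap.get("entities", []):
        roles = entity.get("roles", [])
        if "registrar" in roles:
            out["registrar"] = _jcard(entity, "fn")
        if "registrant" in roles:
            out["registrant"] = _jcard(entity, "fn")
            out["registrant_email"] = _jcard(entity, "email")
            adr = _jcard(entity, "adr")   # jCard adr: pobox, ext, street, city, region, code, country
            out["registrant_country"] = adr[6] if isinstance(adr, list) and len(adr) == 7 else None
            out["redacted"] = _is_redacted(entity)
    return out


if __name__ == "__main__":
    print(rdap_domain_query_url("airbnb-rooms19982.international"))
    print(summarize(SAMPLE_RESPONSE))
    print("redacted:", summarize(REDACTED_RESPONSE)["redacted"])
```

Note that "redacted" here means the registry withheld the contact under the RDAP profile; a named proxy service such as the one in the first response is not redacted in that sense and has to be recognized by its name, as the WHOIS examples earlier on this page do.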


The General Data Protection Regulation (GDPR) became applicable on May 25, 2018, and although there have not yet been many significant fines or legal cases, news reports indicate that a wave is coming. This sweeping reform of privacy law affects European Union countries as well as any company that retains the personal information of individuals in the EU. The regulation governs not only the protection of data but also the retention, collection and distribution of personal information.

The WHOIS system is at odds with GDPR, because it is public, because it has specific information, and because it retains that information for extended periods of time. The fate of WHOIS in light of GDPR is unclear. In the aftermath of GDPR, some registrars have declined to comply with ICANN WHOIS information requirements, to avoid potential GDPR fines.

Security and WHOIS

The WHOIS system is a critical research and security component. Its information provides valuable background that helps establish who is behind a domain and the infrastructure it uses, and contributes to security and service continuity.

Cybersecurity professionals use WHOIS information to quickly assess and eliminate cyberthreats every day. To limit access to this information because of GDPR and other forthcoming privacy mandates would hamper this resource. Even with all its flaws and a significant data accuracy challenge, WHOIS continues to prove a valuable forensic tool. Because registrants tend to reuse names, e-mail addresses, phone numbers and nameservers across the domains they register, researchers can quickly cross-compare registration details and pivot from one domain to others associated with the same foreign nationals, cybercriminal groups and other nefarious actors.

In some cases, researchers could correlate networks belonging to bad actors through inter-related domain registrations, common IP information, and other telling information that is gathered through the WHOIS system. Some of the largest organizations today rely heavily on domain registration data to add to their organizational security intelligence, to protect networks and applications, and secure data where it expected to be protected.

Email spam, malware, ransomware, virus distribution, insider threats, data leaks, advanced persistent threats, trojanized software and many other types of threats can often be traced back to the domains involved and to their registrations and certificates. Therefore, protecting information proactively by using public information is the ultimate value of WHOIS to a security-minded organization.

The future of WHOIS information and security lies in maintaining an active, open environment and open database via which intelligence can be freely gathered and referenced. Every day, thousands of incidents can be and are protected by proactive investigative discoveries through this valuable system.

Download the full article in PDF


Open WHOIS advocates push for U.S. legislation to counter GDPR https://main.whoisxmlapi.com/open-whois-advocates-push-for-usa-legislation-to-counter-gdpr Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/open-whois-advocates-push-for-usa-legislation-to-counter-gdpr

The domain information lookup service WHOIS publishes data about the owners of websites around the world. WHOIS also contains personal information of the European Union (EU) citizens. Further, the database maintains location and infrastructure information of cybercriminals who set up websites with malicious intent.



So far, cybersecurity professionals and law enforcement have been able to access the public information of the European Union (EU) citizens unfettered. They have been using the registry to investigate and blacklist cybercriminal operations. Occasionally, this information helps government authorities with their investigations leading to arrests. There are investigations that used WHOIS information among other sources that resulted in charges against money launderers, hackers, and child pornographers, for instance.

WHOIS records hold the contact information that registrants supply to domain registration companies. There is no single central WHOIS database: registrars and registries each publish their own records under policies set by The Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is facing an existential threat from the EU's General Data Protection Regulation (GDPR) because its business model depends on the collection and publication of identifying information. The data sets include contact information of EU-based hackers known to have established malicious sites...

This white paper highlights

  • Why Does GDPR Exist?
  • What are the Pros and Cons?
  • What WHOIS Data Does GDPR Affect?
  • Hackers Shun the Public Record
  • How to Catch the Bad Guys
  • Anonymity Rules
  • Opportunities Await

Download the full article in PDF


Cyber Security Investigation and Analysis https://main.whoisxmlapi.com/cyber-security-investigation-and-analysis Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/cyber-security-investigation-and-analysis

The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity and countless (and frequently anonymous) points of entry, the web has given rise to a new breed of outlaw – cybercriminals who prey on the wealth of valuable information available online.


The New Crime of the Digital Age


Lloyd’s estimates that businesses’ global losses from cybercrime in 2015 were $400B, while some vendors believe losses totaled $500B. Only estimates are available, because many thefts go unreported, as security breaches can damage an organization’s reputation.

Unfortunately, there is no end in sight. Losses roughly quadrupled from 2013 to 2015 and Juniper Research recently forecasted that in 2019 global losses will reach a staggering 2.1 trillion dollars.

In addition to the enormous financial losses, these online crimes have also ruined the reputations of companies and left victims vulnerable, as the perpetrators now hold critical data that may be used against them.

With advances in digital technology, online criminals have grown even more aggressive and creative in their methods, despite efforts to strengthen and tighten online security. The crackdown on these online crimes remains a constant challenge for many law enforcement agencies and private IT security professionals...

This white paper highlights

  • The New Crime of the Digital Age
  • Types of Cybercrimes
  • The Security Strategy
  • Cracking cybercrimes
  • The Whois API Solution
  • Hosted Whois Webservice
  • Whois Database Download
  • Reverse Whois
  • Taking the Next Steps

Download the full article in PDF


GDPR’s Chilling Effect on Cybersecurity https://main.whoisxmlapi.com/gdpr-is-chilling-effect-on-cybersecurity Fri, 08 Feb 2019 13:51:14 +0000 admin https://main.whoisxmlapi.com/gdpr-is-chilling-effect-on-cybersecurity

The European Union (EU) may unintentionally be giving cyber criminals a helping hand. The EU’s well-intentioned efforts to promote data privacy through its newly launched General Data Protection Regulation (GDPR) have also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to achieve a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers.



What Is GDPR?

The EU’s GDPR mandate requires its national Data Protection Authorities ("DPAs") to enforce rules on how organizations handle the personal data of individuals in the EU. The regulation became applicable on May 25, 2018. Companies and institutions in EU countries, and those elsewhere that process the data of people in the EU, are responsible for the proper protection of the personal data they collect and maintain. Most companies will also have to modify the ways in which they relate to customers in terms of data, and what they must do in the event of a data breach...

This white paper highlights

  • What Is GDPR?
  • GDPR Throws Cybersecurity into Disarray
  • If ICANN Can, Hackers Can Too
  • GDPR Carries A Big Stick
  • WHOIS May Become a Dispensable Tool for Infosec
  • ICANN Explores Alternatives
  • Planning for a Future without WHOIS

Download the full article in PDF