7. WHOIS Access

7.1 Issue / Definition

The RAPWG found that the basic accessibility of WHOIS has an inherent relationship to domain registration process abuses, and is a key issue related to the malicious use of domain names. It appears that WHOIS data is not always accessible on a guaranteed or enforceable basis, is not always provided by registrars in a reliable, consistent, or predictable fashion, and that users sometimes receive different WHOIS results depending on where or how they perform the lookup. These issues interfere with registration processes, registrant decision-making, and with the ability of parties across the Internet to solve a variety of problems.

WHOIS is an area within GNSO policy-making scope and has had a long history of discussion. Below, the RAPWG comments on the basic availability of and access to WHOIS data, and not the accuracy of contact data or the use of proxy contact services. To avoid duplication of effort and charter scope problems, the RAPWG decided to identify when WHOIS is seen to be a contributing factor in other problems, and not to discuss WHOIS issues for which the GNSO has already commissioned studies. (Those are: WHOIS contact data accuracy, the use of proxy contact and privacy services, implications of non-ASCII registration data in WHOIS records, and technical requirements for the WHOIS service itself – including potential replacements. For background, please see: http://gnso.icann.org/issues/whois/).

WHOIS data availability problems have been discussed in other GNSO working groups, for example:

The Post-Expiration Domain Name Recovery Working Group (PEDNR-WG) discussed how access to WHOIS data is essential for parties to determine if contact data has been updated upon the expiration of a domain name, and to check domain name expiration dates. A majority of the registrars polled may make substantial updates to WHOIS data upon expiration.[1]
The Inter-Registrar Transfer Policy Part A PDP Working Group (IRTP-WG)[2] noted in its final report that gaining registrars sometimes have difficulty accessing WHOIS data, and therefore Administrative Contact e-mail addresses.
The Fast-Flux PDP Working Group (FFWG) discussed how responders must access WHOIS data when mitigating illicit uses of domain names.

Published WHOIS data for domain names involved in malicious conduct is an irreplaceable part of the investigation and mitigation processes used by registrars, registry operators, registrants, security companies, brand owners, victims, and law enforcement.

The national law enforcement agencies of the United States, the United Kingdom, Australia, Canada, and New Zealand have recommended that “ICANN should require Registrars to have a Service Level Agreement for their Port 43 servers.” These authorities consider that this is required in order “to aid the prevention and disruption of efforts to exploit domain registration procedures by criminal groups for criminal purposes.”[3]
The Anti-Phishing Working Group’s DNS Policy Committee has stated that published WHOIS is “an invaluable resource, in fact, without which most of the cited cases would not have been successful. For cases in which legitimate machines or services have been hacked or defrauded, published domain name WHOIS information is an important tool used to quickly locate and communicate with site owners and service providers. For cases where domain names are fraudulently registered, the published domain name WHOIS information can often be tied to other bogus registrations or proven false to allow for quick shutdown.”[4]

7.2 Background

ICANN’s current registry contracts require registry operators to adhere to port 43 WHOIS Service Level Agreements (SLAs). TheseSLAs require that port 43 WHOIS service be highly accessible and fast. For example, the .ORG contract requires that WHOIS service be functional at least 99.31% of the time per month (with exceptions for scheduled maintenance), and that responses be provided in less than 800 milliseconds. Failure of registries to meet these SLAs have been very rare according to monthly registry reports.[5]

The majority of gTLD registries are “thick” registries, in which all authoritative WHOIS data—including contact data—is maintained at the registry. The .COM and .NET registries are “thin,” and contact data is located only at each domain name’s sponsoring registrar. Registrars are therefore responsible for providing WHOIS service for .COM/.NET names so that contactdata may be retrieved. The .COM/.NET registry contains approximately 85% of the gTLD domains in existence,[6] so registrar WHOIS accessibility is very important. When displaying WHOIS data for thick TLD domains names—especially on their Web sites—registrars often query the registry’s WHOIS, and display that output to users.

The Registrar Accreditation Agreements (RAAs)[7] require that registrars provide:

port 43 WHOIS access
a Web-based WHOIS
a listed set of information (WHOIS data fields), including:

identity of the registrar
domain name’s expiration date
nameservers associated to the domain; and
specified fields of data for the Registrant Contact, Administrative Contact, and Technical Contact.

There are no service levels (SLAs) in the Registrar Accreditation Agreements (RAAs). A registrar-provided WHOIS service is not required to be online for any particular amount of time, nor provided with any particular response speed.

Port 43 is designed for use with automated and machinequeries. It can also be queried manually by users who know how to perform telnet sessions and the “whois" command in Linux/Unix/macosx shell. The percentage of Internet users who are technically fluent enough to perform these types of queries (or even know about port 43 at all) is small. Thus, it is required that registrars have a Web-based WHOIS query on their sites.

A sub-team of RAPWG members performed some basic research by querying the Web-based and port 43 servers of 50 registrars. This set included the top 20 registrars by gTLD market share, 15 randomly-chosen mid-sized registrars, and 15 randomly-chosen small registrars. When a registrar’s site was in a language other than English, the assistance of a native speaker was obtained. In addition to manual checks, automated queries of port 43 were performed to test availability over time.

The sub-team members found WHOIS accessibility situations with 19 of the 50 registrars sampled. Four registrars may have been in violation of their contractual WHOIS access requirements:

Two did not provide a functional Web-based WHOIS.
One registrar's WHOIS listed a sponsoring registrar different from that provided by the .COM/.NET registry WHOIS. The registrar’s port 43 server provided an expiration date different from that listed in the registry. The registrar’s Web WHOIS provided two different expiration dates for the same domain name.
One registrar did not identify the sponsoring registrar of its domains. The registrar does not operate its port 43 server on the domain indicated by the .COM/.NET registry WHOIS; the registrar’s WHOIS service is evidently subcontracted to a second registrar on that registrar’s domain; and the sponsoring registrar’s Web WHOIS is provided on a third domain not branded as the sponsoring registrar.

In addition, one registrar provided facially invalid registrant contact data for its own .COM name -- including a registrant contact e-mail address on the domain “icann.org”. This appears to be a violation of the RAA.

Fifteen other registrars presented these situations:

Three registrars had port 43 servers that did not return replies for a notable number of queries. One was offline/nonresponsive 21% of the time, one was offline/nonresponsive 20% of the time, and one was offline/nonresponsive 14% of the time. (Based on 100 queries per registrar, spread out over several weeks).
Ten provided different WHOIS data on their port 43 servers than they did via their Web WHOIS.

Four provided only thin contact data via their Web WHOIS, while providing thick contact data only on port 43.
In two cases, registrars provided two different expiration dates for each domain name via the Web WHOISes. One of the two expiration dates did not match the expiration date provided by the .COM/.NET registry.
Two sometimes provided full contact data on their Port 43 servers, and sometimes provided just Registrant contact data (and no Admin or Tech contact data) on their port 43 servers. It is unknown if this was due to a rate-limiting activity.
One registrar did not provide registrant contact data via port 43, and did not provide Admin or Tech contact data via its Web WHOIS.
One registrar provided a required data field (Tech and Admin contact phone numbers) on port 43 but not via its Web WHOIS.

Four cut off telnet sessions to port 43 very quickly--effectively disallowing manual queries via that method.

These results indicate that:

Some registrars appear to be in violation of their contractual WHOIS accessibility obligations;
Users are occasionally unable to obtain contact data due to WHOIS availability problems.
Registrars occasionally provide registration data that differs from that provided by the registry.
Users are sometimes given different registration data depending on the method they use to access the sponsoring registrar’s WHOIS.
Users are sometimes given different registration data depending upon who they are; perhaps depending upon whether they are being rate-limited.

These issues were distributed across a notable number of registrars, with different sizes, business models, and locations around theworld.

The reasons why registrars provide different data on port 43 versus their Web sites requires further investigation. Some might be attempts to prevent automated data mining by spammers, competitors, and other parties. The RAPWG notes that reasonable rate-limiting WHOIS can be a valid, prudent practice – for example it can prevent spammers from mining WHOIS information[8], and can prevent WHOIS servers from being overwhelmed by excessive queries. During Web-based WHOIS sampling, the RAPWG members observed that only some registrars employ CAPCHAs on their Web-based WHOIS services as a protectionagainst automated queries.

In addition to the research conducted by working-groupmembers, the RAPWG requested information from the ICANN Compliance Department about how it monitors registrar WHOIS access. The ICANN Compliance Department noted: "ICANN has developed a Whois server audit tool which monitors access to registrars’ Whois servers over a Port 43 connection. The script developed for this task retrieves data for 4 registered domain names for each accredited registrar…. The purpose of the audit is to flag Whois servers that are down for an amount of time that is suspect and probably not just a manifestation of periodic server maintenance or scheduled update. … What is the “reasonable amount of time” for a server to be down? Probably no more than an hour or so per day, although these are ICANN internal, ‘soft metrics’, not agreed-upon timeframes with registrars. The script records the results and flags registrars that prevent access to data on registered names. Transient network problems are less of a concern, so ICANN focuses on long-term behavior, i.e., registrars which ICANN is unable to communicate with for several days in a row. ….ICANN also reaches out toregistrars that provide access to data on registered names but provide ‘thin’, not ‘thick’, Whois data. The former does not provide details on the registered name holder and additional contacts, which is required by the RAA.”[9]

Over the last three years, ICANN’s Compliance Department has sent seven escalated compliance notices (e.g. notices of breach, termination, or RAA non-renewal) to seven registrars for failure to comply with WHOIS access requirements of the Registrar Accreditation Agreement:

· One registrar did not have its contract renewed solely for failure to provide WHOIS access. (South America Domains dba NameFrog.com, which had less than 300 gTLD names under sponsorship at the time.)

· The other six registrars were cited for both WHOIS access breaches AND at least one other contract violation, such as failure to pay ICANN fees, failure to escrow data, and/or failure to respond to WHOIS accuracy complaints.

ICANN’sCompliance Department is in contact with registrars to resolve issues before escalated compliance notices become necessary. The Compliance staff noted to the RAPWG that “some registrars block incoming WHOIS queries traffic by IP address, and Compliance works with the registrars to get them unblocked when there may be a misunderstanding.” and, “Aside from metrics on informal outreach to resolve blocked Whois servers and incomplete, or ‘thin’, Whois data with registrars, which have been more than two dozen in the past 6-8 months, Compliance could provide bi-weekly statistics to the WG from here on out on the number of registrars that showed a pattern of restricting access to their Whois server over a Port 43 connection. These statistics have not been published before.”

So, it appears that some contractual violations are cured in an amicable manner, and that public breach letters have apparently been used as a tool of last resort. It is unknown how many WHOIS accessibility issues have been discovered but not resolved.

The last timethat ICANN published WHOIS access compliance data was 2007.[10] That year, ICANN’s Compliance Department examined every ICANN-Accredited Registrar’s Web site, and did not examine port 43 access. [11]

The Compliance Department numbers indicate that WHOIS access problems are found regularly.Above and beyond those, the RAPWG research indicates that a notable percentage of registrars might not make WHOIS data available in a reliable, consistent, or predictable fashion.

7.3 Recommendations

Recommendation 1:

The GNSO should determine what additional research and processes may be needed to ensure that WHOIS data is accessible in an appropriately reliable, enforceable, and consistent fashion.

The GNSO Council should consider how such might be related to other WHOIS efforts, such as the upcoming review of WHOIS policy and implementation required by ICANN’s new Affirmation of Commitments. The Affirmation of Commitments says: “ICANN additionally commits to enforcing its existing policy relating to WHOIS, subject to applicable laws. Such existing policy requires that ICANN implement measures to maintain timely, unrestricted and public access to accurate andcomplete WHOIS information, including registrant, technical, billing, and administrative contact information. One year from the effective date of this document [30 September 2009] and then no less frequently than every three years thereafter, ICANN will organize a review of WHOIS policy and its implementation to assess the extent to which WHOIS policy is effective and its implementation meets the legitimate needs of law enforcement and promotes consumer trust.”[12]

The WG achieved unanimous consensus on the above recommendation. In favour (14): Aaron (RySG), Amadoz (RySG), Bladel (RrSG), Cobb (CBUC), Felman (MarkMonitor), Neuman (RySG), O’Connor (CBUC), Queern (CBUC), Rasmussen (Internet Identity), Rodenbaugh (CBUC), Seltzer (NCSG), Shah (MarkMonitor),Sutton (CBUC), Young (RySG). Against, or alternate views: none.

Recommendation 2.

The GNSO should request that the ICANN Compliance Department publish more data about WHOIS accessibility, on at least an annual basis. This data should include a) the number of registrars that show a pattern of unreasonable restriction of access to their port 43 WHOIS servers, and b) the results of an annual compliance audit of compliance with all contractual WHOIS access obligations.

The WG achieved unanimous consensus on the above recommendation. In favour (13): Aaron (RySG), Amadoz (RySG), Bladel (RrSG), Cobb (CBUC), Felman (MarkMonitor), Neuman (RySG), O’Connor (CBUC), Queern (CBUC), Rasmussen (Internet Identity), Rodenbaugh (CBUC), Shah (MarkMonitor), Sutton (CBUC), Young (RySG). Abstentions (1): Seltzer (NCSG). Against, or alternate views:none.

[1] “Draft Initial Report on the Post-Expiration Domain Name Recovery Policy Development Process”: https://st.icann.org/data/workspaces/post-expiration-dn-recovery-wg/attachments/post_expiration_domain_name_recovery_wg:20100112125658-0-27743/original/Draft%20Initial%20Report%20-%20PEDNR%20PDP%20-%2012%20January%202010.doc

[2] “Draft Final Report on the Inter-Registrar Transfers Policy - Part A Policy Development Process”: https://st.icann.org/data/workspaces/irtp_jun08_pdp-wg/attachments/irtp_part_a_pdp_wg_pdp_jun08:20090318145458-1-14319/original/Draft%20Final%20Report%20-%20IRTP%20Part%20A%20-%2018%20March%202009.doc%20%5BCompatibility%20Mode%5D.pdf

[3] “Law Enforcement Recommended RAA Amendments and ICANN Due Diligence”, November 2009, https://st.icann.org/raa-related/index.cgi/LawEnforcementRAArecommendations%20(2).doc?action=attachments_download;page_name=05_january_2010;id=20091118185109-0-21002

[4] “Issues in Using DNS Whois Data for Phishing Site Take Down,” http://www.antiphishing.org/reports/APWG_MemoOnDomainWhoisTake-Downs.pdf

[5] http://www.icann.org/en/tlds/monthly-reports/

[6] “VeriSign Domain Name Industry Brief,” September 2009, http://www.verisign.com/domain-name-services/domain-information-center/domain-name-resources/domain-name-report-dec09.pdf

[7] http://www.icann.org/en/registrars/agreements.html

[8] See: “SAC 023: Is the WHOIS Service a Source for

Email Addresses for Spammers?”: http://www.icann.org/en/committees/security/sac023.pdf

[9] http://forum.icann.org/lists/gnso-rap-dt/msg00454.html

[10] http://forum.icann.org/lists/gnso-rap-dt/msg00454.html

[11] http://www.icann.org/en/compliance/reports/contractual-compliance-audit-report-18oct07.pdf

[12] http://www.icann.org/en/announcements/announcement-30sep09-en.htm