The Domain Name System

The Internet boom of recent years has contributed to thousands of domain name registrations at entities such as Network Solutions and Register.com. Prices for registering a domain name have fallen to as low as $20 per year. The abundance of choices available has made registering domain names a bit more confusing, but it is still a simple enough process for the average computer-savvy person. Domain names grew out of a need to translate the IP address scheme into a more understandable format. But before delving into the privacy issues associated with domain names, let's take a quick look at how it all works.

The Domain Name System enables the mapping of domain names and IP addresses. It also enables the easy conversion of system names (which are easy for humans to remember) to numerical IP addresses (which are required by machines but more difficult for humans to remember). An example is when a user types http://www.privacydefended.com in a Web browser. The machine must convert that text string to a numerical IP address (192.168.1.200) so that the request can be properly routed to the appropriate Web server. Therefore, a domain name is actually an alias for an IP address. Multiple domains can point to the same IP address, but a domain has only one IP address.

Registering a Domain

To claim domain names, you must register with a registrar. The bulk of domain name registrations made have been at Network Solutions (http://www.networksolutions.com), but a growing number of registrars are now appearing due to the ending of Network Solutions' monopoly over domain name registration. Register.com (http://www.register.com) is an example of another registrar. The Shared Registration System (SRS) prevents a domain registered at one registrar from being registered again at another registrar.

When a user decides to register a domain, she must provide data that might be considered sensitive, such as name, address, phone number, and e-mail address (see Figure 6.4). Additional information, such as who to contact for administrative, technical, and billing issues, also might be provided to the registrar. This information can either be fake or real. We'll look at why this is important after discussing the registration process.

Figure 6.4. Network Solutions' domain name registration.


Data supplied during domain registration is information most people are comfortable with disclosing to the registrar, but it is important to realize that this type of information is also available to the general public. So, even if you've chosen to have an unlisted phone number, for example, there is no such equivalent when it comes to domain name registrations. For home user registrations, people usually complete the application by providing their home addresses, as opposed to business registrations, where business addresses are provided.

DNS Information Retrieval

It's surprisingly easy for someone to retrieve your domain name information. There are multitudes of ways to retrieve this data via Web interfaces and programs. They all basically use the WHOIS program, which is essentially a database-like program that, when sent a domain name, responds with the corresponding registration data.

Because multiple registrars exist, a properly functioning WHOIS program first queries the shared domain registry to determine which registrar has reserved the domain. The program then queries that specific registrar's database for the correct domain information. Most—but not all—WHOIS programs do that automatically. As mentioned earlier, this information can be fake.

Several Web sites let you conveniently perform WHOIS queries:

They all provide a convenient Web-based form in which the query can be made, as shown in Figure 6.5.

Figure 6.5. Registration sites.


If the domain lookup you are performing involves domains that are not the typical .com, .net, and so on—for example, .co.uk (for an address in the United Kingdom)—you might have to query alternative databases. European-based queries should be directed to the Réseaux IP Européens Network Coordination Centre, commonly referred to as RIPE (http://www.ripe.net). Figure 6.6 shows the RIPE WHOIS domain name query Web site.

Figure 6.6. RIPE's WHOIS query Web site.


Asian-based queries should be directed to the Asia Pacific Network Information Centre, commonly referred to as APNIC (http://www.apnic.net). Figure 6.7 shows the APNIC WHOIS domain name query Web site.

Figure 6.7. APNIC's WHOIS query site.


In addition, several other tools automatically query the appropriate database. Two such sites are Allwhois.com (http://www.allwhois.com), shown in Figure 6.8, and GeekTools (http://www.geektools.com), shown in Figure 6.9. Both are excellent sites from which to perform WHOIS queries.

Figure 6.8. The Allwhois domain name query site.


Figure 6.9. The Geektools domain name query site.


The most convenient way to get WHOIS information is probably via the Web sites noted previously. However, the same information can be obtained by using any one of the many freeware, shareware, or commercial utilities that run on your PC. Most of the software download sites, such as Tucows (http://www.tucows.com), have these utilities available.

One of our favorites is Northwest Performance Software's NetScan Tools (http://www.netscantools.com), shown in Figure 6.10. The basic version is inexpensive, costing approximately $40. The application is actually a suite of utilities primarily aimed at the networking professional. Among many other things, it can perform WHOIS lookups, automatically querying the appropriate WHOIS database.

Figure 6.10. NetScan Tools' WHOIS query of foundstone.com.


Note that, so far, we have performed only WHOIS domain name lookups. You also can query a WHOIS database for information by means other than by domain. You can have it provide information about hosts, IP addresses, the registrant's name, and contact names. This is usually done by prepending the query with the appropriate query type, as shown in Figure 6.11, which shows the Network Solutions Web site. Table 6.1 lists the query types available on the Network Solutions WHOIS interface.

Figure 6.11. Advanced querying WHOIS information.


Table 6.1. Query Types Available on the Network Solutions WHOIS Interface

Handle
   What to type: handle WA3509
   Type of search: Searches the database for information on the given handle—an identifier associated with each entity in the database. Handles typically appear next to a name in parentheses in all capital letters.

Name
   What to type: name lastname, firstname or name companyname
   Type of search: Searches the database for information on the registered domain name. Multiple domain name listings are supplied if available.

Host
   What to type: host 121.23.2.7 or host ns1.worldnic.com
   Type of search: Searches the database for information on the given IP address or hostname.

All the queries can also be performed via a command-line WHOIS client in Unix. Windows-based operating systems do not come with a built-in WHOIS program. In Unix, the commands take the following form:

# whois "query-type search-text"@whois-server

where query-type can be handle, name, host, mail, or domain (the default); search-text is the text string the query should be made against; and whois-server is the registrar's WHOIS server (for example, whois.networksolutions.com).

Here's an example:

[root@minimelin]# whois "domain foundstone.com"@whois.networksolutions.com 
[whois.networksolutions.com]

Registrant:
Foundstone, Inc (FOUNDSTONE4-DOM)
   7 Century Drive
   Parsippany, NJ 07054
   US

   Domain Name: FOUNDSTONE.COM

   Administrative Contact, Billing Contact:
      McClure, Stuart  (SM22550)  [email protected]
      26012 Marguerite Pkwy
      Suite H, #105
      Mission Viejo, CA 92692
      408-738-2852 (FAX) 949-367-1681
   Record last updated on 06-Feb-2001.

   Record expires on 10-Mar-2003.
   Record created on 10-Mar-2000.
   Database last updated on 25-Jun-2001 11:18:00 EDT.

   Domain servers in listed order:

   NS1.FOUNDSTONE.COM           206.135.57.173
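
The Unix command above, and every Web form or GUI tool described in this section, does the same two things: it opens a plain TCP connection to port 43 of the WHOIS server, sends the query text followed by a line ending, and reads the response until the server hangs up; then a person (or a program) picks the contact details out of the free-form text that comes back. The following Python code is an added example that is not from the book or from any registrar; it implements that exchange and a parser for the record layout shown above. The record it parses offline is a constructed sample with fictitious names, a `.test` domain, 555 telephone numbers and RFC 5737 documentation IP addresses; only the `whois_query` function touches the network, and only when you run the script with a domain and server of your own choosing.

```python
"""Minimal WHOIS client plus a parser for the registrar record layout above.

Added example, not code from the book or from any registrar. The client
does on the wire what `whois "domain example.com"@whois-server` does.
"""
import re
import socket
import sys
from typing import Dict, List, Tuple

WHOIS_PORT = 43  # WHOIS is a line-oriented TCP protocol on port 43 (RFC 3912)


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """Send one query to a WHOIS server and return the raw response text.

    Connect, send the query terminated by CRLF, then read until the server
    closes the connection. The quoted part of the Unix command
    ("domain example.com") is what gets sent as the query.
    """
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Patterns for the fields a registrar record typically exposes.
_DOMAIN_RE = re.compile(r"^\s*Domain Name:\s*(\S+)", re.MULTILINE)
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")  # North American format only
# Handles such as (EXAMPLE1-DOM): capitals, then at least one digit.
# Requiring a digit keeps "(FAX)" from being mistaken for a handle.
_HANDLE_RE = re.compile(r"\(([A-Z]+\d[A-Z0-9-]*)\)")
_DATE_RE = re.compile(r"Record (created|expires|last updated) on (\d{2}-[A-Za-z]{3}-\d{4})\.")
_NS_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_record(text: str) -> Dict[str, object]:
    """Extract the publicly exposed details from a Network Solutions-style record."""
    domain = _DOMAIN_RE.search(text)
    dates = {key.replace(" ", "_"): value for key, value in _DATE_RE.findall(text)}

    # Name servers follow the "Domain servers in listed order:" header.
    nameservers: List[Tuple[str, str]] = []
    in_ns_section = False
    for line in text.splitlines():
        if "Domain servers in listed order:" in line:
            in_ns_section = True
            continue
        if in_ns_section:
            match = _NS_RE.match(line)
            if match:
                nameservers.append((match.group(1), match.group(2)))

    return {
        "domain": domain.group(1) if domain else None,
        "emails": _EMAIL_RE.findall(text),
        "phones": _PHONE_RE.findall(text),
        "handles": _HANDLE_RE.findall(text),
        "dates": dates,
        "nameservers": nameservers,
    }


# Constructed sample in the layout shown above. Every name, address, phone
# number and IP address is fictitious (RFC 5737 documentation ranges).
SAMPLE_RECORD = """\
[whois.example-registrar.test]

Registrant:
Example Privacy Co (EXAMPLE1-DOM)
   123 Example Street
   Anytown, CA 90210
   US

   Domain Name: EXAMPLE.TEST

   Administrative Contact, Billing Contact:
      Doe, Jane  (JD1234)  jane.doe@example.test
      PO Box 100
      Anytown, CA 90210
      201-555-0100 (FAX) 201-555-0199
   Record last updated on 06-Feb-2001.

   Record expires on 10-Mar-2003.
   Record created on 10-Mar-2000.
   Database last updated on 25-Jun-2001 11:18:00 EDT.

   Domain servers in listed order:

   NS1.EXAMPLE.TEST             192.0.2.10
   NS2.EXAMPLE.TEST             198.51.100.20
"""


if __name__ == "__main__":
    # No arguments: parse the constructed sample offline.
    # Two arguments (<domain> <whois-server>): perform a live query.
    if len(sys.argv) == 3:
        raw = whois_query(f"domain {sys.argv[1]}", sys.argv[2])
    else:
        raw = SAMPLE_RECORD
    for key, value in parse_record(raw).items():
        print(f"{key}: {value}")
```

Running the parser over your own record is a quick way to see exactly which e-mail addresses, telephone numbers and handles the registrar is publishing about you; the handles it finds are the same identifiers the `handle` query type in Table 6.1 searches on.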

Going in Reverse

Now that you have seen how IP addresses are used, let's try to go in reverse and see what data we can gather when the only information available is the IP address. A scenario where this might occur was illustrated earlier when you saw an IP address appearing in the Web server's log. A second scenario is when you see in your personal firewall logs only an IP address trying to contact your home system. If you find an IP address in your Web server log files or personal firewall log files, you can search for the owner using the IP and get contact information such as a phone number or e-mail address to learn more about the user(s) behind that IP address. (Recall the information you submitted when you registered your own domain name. Some of that information was contact phone number and e-mail address.) For corporate sites, finding this information is a frequent necessity to track down attackers who are launching exploits or port scans against your company firewall or Web server.

The administration and assignment of IP addresses in North America, South America, the Caribbean, and sub-Saharan Africa falls under the auspices of the American Registry for Internet Numbers (ARIN). RIPE and APNIC not only administer domain names for their respective countries, but they also provide IP registration services. By querying ARIN, you can begin to learn more about the IP address itself. Much like WHOIS searching, you can gather this information by using a Web interface over the Internet, using a Windows graphical client, or via the Unix command line.

The ARIN Web site (http://www.arin.net/whois) lets you enter an IP address and determine its owner. Using ARIN, if we search for the owner of the IP address 216.182.6.84, we find it is owned by Tellurian Networks, as shown in Figure 6.12.

Figure 6.12. The Web interface to query ARIN via an IP address.


Note the range information that was returned in Figure 6.12. The IP address 216.182.6.84 falls in a range owned by Tellurian Networks: 216.182.0.0–216.182.63.255.

We can retrieve system owner information using NetScan Tools Pro (see Figure 6.13).

Figure 6.13. NetScan Tools—ARIN WHOIS information lookup for 216.182.6.84.


Using Unix, you can also determine the owner of an IP address with the built-in whois command. By specifying the IP address and the server whois.arin.net, you can retrieve the contact information shown in the following code fragment. Note that the syntax is almost identical to that of a domain whois query. However, instead of querying a registrar's WHOIS server such as Network Solutions, we are querying ARIN (as indicated by the name after the @ symbol):

[root@minimelin]# whois "216.182.6.84"@whois.arin.net 
[whois.arin.net]
Tellurian Networks (NET-TN-1-NET)
   172 Spring Street
   Newton, NJ 07860
   US
   Netname: TN-1-NET
   Netblock: 216.182.0.0 - 216.182.63.255
   Maintainer: TELL
   Coordinator:
      Boyle, Robert [Network Engineer]  (RB590-ARIN)  [email protected]
      973-300-9211 (FAX) 973-579-3643
   Domain System inverse mapping provided by:
   GATE.TELLURIAN.NET           216.182.1.1
   NTBOX.TELLURIAN.NET          216.182.1.2
   DNS3.TELLURIAN.NET           216.182.4.5
   Record last updated on 28-Feb-2001.
   Database last updated on 23-Jun-2001 23:00:43 EDT.
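
The most useful line in a reverse lookup like the one above is the Netblock range, because it tells you which other addresses in your firewall or Web server logs belong to the same owner, so you do not have to query ARIN for each one. The Python code below is an added example, not from the book or from ARIN: it parses the Netblock line, tests whether an address falls inside the range, converts the range to CIDR notation (a registry range is not always a single prefix, so this can yield several), and sorts a list of addresses pulled from a log into those the record covers and those it does not. The ARIN-style record and the log addresses are constructed samples using RFC 5737 documentation ranges and fictitious contact details.

```python
"""Work with the Netblock range from an ARIN-style WHOIS record.

Added example, not code from the book or from ARIN.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# "Netblock: a.b.c.d - w.x.y.z" as printed in ARIN-style records
_NETBLOCK_RE = re.compile(
    r"^\s*Netblock:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.MULTILINE,
)


def parse_netblock(record: str) -> Optional[Tuple[str, str]]:
    """Return the (first, last) addresses of the Netblock line, or None if absent."""
    match = _NETBLOCK_RE.search(record)
    return (match.group(1), match.group(2)) if match else None


def netblock_to_cidr(first: str, last: str) -> List[str]:
    """Express an inclusive address range as the minimal list of CIDR prefixes.

    A registry range need not be a single prefix, so a firewall rule or log
    filter built from a Netblock line may need more than one entry.
    """
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def ip_in_netblock(ip: str, record: str) -> bool:
    """True if `ip` lies inside the Netblock range printed in `record`."""
    block = parse_netblock(record)
    if block is None:
        return False
    first, last = (ipaddress.IPv4Address(addr) for addr in block)
    return first <= ipaddress.IPv4Address(ip) <= last


def match_log_ips(log_ips: List[str], record: str) -> Tuple[List[str], List[str]]:
    """Split addresses taken from a log into those the record covers and the rest."""
    inside = [ip for ip in log_ips if ip_in_netblock(ip, record)]
    outside = [ip for ip in log_ips if ip not in inside]
    return inside, outside


# Constructed ARIN-style record; the owner, contact and IPs are fictitious.
SAMPLE_ARIN_RECORD = """\
Example Net Services (NET-EXAMPLE-1)
   1 Example Way
   Anytown, NJ 07860
   US
   Netname: EXAMPLE-1
   Netblock: 192.0.2.0 - 192.0.2.127
   Coordinator:
      Roe, Richard [Network Engineer]  (RR123-ARIN)  noc@example.test
      201-555-0150 (FAX) 201-555-0151
   Record last updated on 28-Feb-2001.
"""

# Constructed addresses as they might be pulled from a personal firewall log.
SAMPLE_LOG_IPS = ["192.0.2.84", "192.0.2.200", "198.51.100.7"]


if __name__ == "__main__":
    block = parse_netblock(SAMPLE_ARIN_RECORD)
    print("Netblock:", block, "->", netblock_to_cidr(*block))
    inside, outside = match_log_ips(SAMPLE_LOG_IPS, SAMPLE_ARIN_RECORD)
    print("Covered by this record:", inside)
    print("Need their own lookup: ", outside)
```

Applied to the record above, the range 216.182.0.0 - 216.182.63.255 is exactly 216.182.0.0/18, so any address in your logs starting with 216.182 and a third octet of 0 through 63 belongs to the same owner without another query.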

In most cases, it is unlikely that IP addresses can be traced all the way to an individual. You will usually find that registrations are traced to an ISP or a large corporation. After you try to contact the ISP, you will find it to be unresponsive, in another country, or incapable of tracking down the user because dynamic IP addresses are used.

Protecting Your Contact Information

After performing several of these searches, you can begin to see the wealth of information stored in the ARIN and WHOIS databases. As illustrated previously, an abundance of tools is available for gathering this information. Looking at the data being requested at registration and at what is displayed afterward, you should conclude that you can at least obscure this data somewhat. For example, when registering the domain name, a fictitious or innocuous name can be provided. Your mailing address can be a post office box, and the e-mail addresses provided can be from one of the many free e-mail sites on the Internet, such as Hotmail (http://www.hotmail.com) or Yahoo! (http://mail.yahoo.com).

Note

Be sure you log in to free e-mail accounts on a monthly basis at a minimum. Some of these free e-mail sites close down mail accounts if they remain inactive for long periods of time.


If you do not want others to know that information, employ techniques such as pseudonyms, post office boxes, and so on to help maintain your privacy.
