
Rogue WHOIS server gives researchers superpowers no one should ever have


    It’s not every day that a security researcher is handed the ability to generate fake HTTPS certificates, monitor email activity, and execute code of his choosing on thousands of servers, all in one fell swoop that cost $20 and a few minutes to pull off. But that’s exactly what happened to Benjamin Harris recently.

    Harris, the CEO and founder of security firm watchTowr, did all this by registering the domain dotmobiregistry.net. The domain was once the official home of the authoritative WHOIS server for .mobi, a top-level domain used to indicate that a website is optimized for mobile devices. At some point (it's not clear exactly when) this WHOIS server, which serves as the official directory for every domain ending in .mobi, was moved from whois.dotmobiregistry.net to whois.nic.mobi. When Harris retreated to his hotel room during last month's Black Hat security conference in Las Vegas, he noticed that the previous owners had let dotmobiregistry.net expire. He snagged it and set up his own .mobi WHOIS server on the old hostname.

    Misplaced trust

    To Harris's surprise, within a few hours of setting it up, his server was receiving queries from just over 76,000 unique IP addresses. Over the course of five days, it received approximately 2.5 million queries from approximately 135,000 unique systems. The entities behind the systems still querying the stale hostname included a who's who of Internet heavyweights: domain registrars, online security tool providers, U.S. and other governments, universities, and certificate authorities, the entities that issue the browser-trusted TLS certificates on which HTTPS depends.

    “watchTowr's research has shown that the trust that governments and authorities worldwide place in this process must be considered misplaced at this time, [our] opinion,” Harris wrote in a post documenting his investigation. “watchTowr remains concerned about the basic reality: watchTowr discovered this on a whim in a hotel room while escaping the Vegas heat around Black Hat, while well-funded and focused nation states search for loopholes like this every day. In watchTowr’s view, they are likely not the last to find unforgivable flaws in such a crucial process.”

    WHOIS has played an important role in Internet governance since the network's early days, when it was still called ARPANET. Elizabeth Feinler, an information scientist working for the Augmentation Research Center, became the principal investigator for NIC, short for the Network Information Center project, in 1974. Under Feinler's leadership, NIC developed the top-level domain naming system and the official host table, and published the ARPANET Directory, which served as a directory of telephone numbers and e-mail addresses for all network users. The directory eventually evolved into the WHOIS system, a query-based server that provided a comprehensive list of all Internet host names and the entities that registered them.

    Despite its outdated look and feel, WHOIS remains a vital resource with huge implications today. Lawyers pursuing copyright or libel claims use it to determine the owner of a domain or IP address. Spam-filtering services rely on it to determine the real owner of email servers. Certificate authorities rely on it to determine the official administrative email address of a domain, the address to which some of them send the domain-validation challenge before issuing a certificate, which is why a WHOIS server that answers for an entire TLD is worth so much to whoever controls it. The list goes on.
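    The mechanism behind both the stale-hostname problem described above and the certificate-authority email lookup is simple enough to show end to end. WHOIS (RFC 3912) is a plaintext exchange on TCP port 43: the client sends the query followed by CRLF, the server writes its record and closes the connection. Nothing in the protocol authenticates the server, so a client that still connects to a hostname the registry abandoned gets whatever the hostname's new owner chooses to say. The following is an added example, not code from the article or from watchTowr: it runs a one-shot WHOIS server on loopback, once serving a constructed legitimate record and once serving a constructed rogue record, and shows a naive lookup accepting the rogue "Admin Email" versus a client that first checks the server name against the referral IANA publishes for the TLD. The domain example.mobi, both email addresses, the records and the IANA_REFERRALS table are all constructed for the demo.

```python
"""Added example (not from the article or from watchTowr): a minimal
RFC 3912 WHOIS exchange on loopback showing why trusting a stale,
hard-coded WHOIS hostname hands the answer to whoever now owns the name.
All domains, addresses and records below are constructed."""
import socket
import threading

# Constructed: what the .mobi registry would return for example.mobi.
LEGIT_RECORD = (
    "Domain Name: EXAMPLE.MOBI\r\n"
    "Registrar WHOIS Server: whois.nic.mobi\r\n"
    "Admin Email: admin@example.mobi\r\n"
)
# Constructed: what a server squatting the old registry hostname could return.
ROGUE_RECORD = (
    "Domain Name: EXAMPLE.MOBI\r\n"
    "Admin Email: attacker@evil.invalid\r\n"
)
# Constructed stand-in for the per-TLD referral published by whois.iana.org;
# a real client would query IANA at run time rather than hard-code this.
IANA_REFERRALS = {"mobi": "whois.nic.mobi"}


def serve_once(record):
    """Start a one-shot WHOIS server on loopback and return its port.

    Reads one query line, writes `record`, closes: exactly what a registry
    (or anyone who registered an expired registry hostname) does.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            query = b""
            while not query.endswith(b"\r\n"):
                chunk = conn.recv(1024)
                if not chunk:
                    break
                query += chunk
            conn.sendall(record.encode("ascii"))
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def whois_query(addr, domain):
    """RFC 3912 client: send '<domain>\\r\\n' to addr=(host, port), read to EOF."""
    with socket.create_connection(addr, timeout=5) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        data = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", errors="replace")


def parse_record(text):
    """Turn 'Key: value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def lookup_admin_email(domain, server_host, connect_addr, check_referral):
    """Return the admin contact a CA would email for domain validation.

    server_host    - the WHOIS hostname the client believes it is talking to
    connect_addr   - where the TCP connection actually goes (loopback in this
                     demo; in production it would be (server_host, 43))
    check_referral - if True, refuse any server IANA does not list as
                     authoritative for the TLD instead of trusting the name
    Returns None when the server is refused.
    """
    tld = domain.rsplit(".", 1)[-1].lower()
    if check_referral and IANA_REFERRALS.get(tld) != server_host.lower():
        return None  # stale or unknown server: do not accept its answer
    record = parse_record(whois_query(connect_addr, domain))
    return record.get("admin email")


def run_scenario(server_host, record, check_referral):
    """Serve `record` on loopback as if from `server_host`, then look up the email."""
    port = serve_once(record)
    return lookup_admin_email("example.mobi", server_host,
                              ("127.0.0.1", port), check_referral)


if __name__ == "__main__":
    # Naive client on the abandoned hostname: the rogue server's answer wins.
    print(run_scenario("whois.dotmobiregistry.net", ROGUE_RECORD, False))
    # Referral-checking client refuses the abandoned hostname outright.
    print(run_scenario("whois.dotmobiregistry.net", ROGUE_RECORD, True))
    # Referral-checking client accepts the current registry server.
    print(run_scenario("whois.nic.mobi", LEGIT_RECORD, True))
```

    Checking the server name against a live IANA referral removes the stale-hostname failure, but it does not authenticate the server: port 43 WHOIS has no transport security, so a network-position attacker can still rewrite the response. RDAP, the HTTPS-based successor to WHOIS, is the protocol that addresses that gap, and clients that still depend on WHOIS contact data for anything security-critical should treat the answer as unauthenticated input.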