IETF Logo Mail Archive

Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt

Dave Piscitello <dave.piscitello@icann.org> Tue, 01 May 2012 14:49 UTC

Return-Path: <dave.piscitello@icann.org>
X-Original-To: weirds@ietfa.amsl.com
Delivered-To: weirds@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B33821E80BD for <weirds@ietfa.amsl.com>; Tue, 1 May 2012 07:49:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0-YBMui90rn for <weirds@ietfa.amsl.com>; Tue, 1 May 2012 07:49:17 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id CC61221E808A for <weirds@ietf.org>; Tue, 1 May 2012 07:49:17 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 1 May 2012 07:49:17 -0700
From: Dave Piscitello <dave.piscitello@icann.org>
To: Andy Newton <andy@hxr.us>
Date: Tue, 01 May 2012 07:49:16 -0700
Thread-Topic: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt
Thread-Index: Ac0nqZVDbNlKglE5QrOzRdeT1bvATA==
Message-ID: <B1466110-5ED2-49E9-90A3-7041D4AB3405@icann.org>
References: <20120501024631.97808.qmail@joyce.lan> <6DAAECD8-30D3-4195-BE44-C95D0EE3ECE3@icann.org> <AC14FC70-A653-4204-9A78-E40AB68B3228@hxr.us>
In-Reply-To: <AC14FC70-A653-4204-9A78-E40AB68B3228@hxr.us>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: John Levine <johnl@iecc.com>, "weirds@ietf.org" <weirds@ietf.org>
Subject: Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt
X-BeenThere: weirds@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "WHOIS-based Extensible Internet Registration Data Service \(WEIRDS\)" <weirds.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/weirds>, <mailto:weirds-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/weirds>
List-Post: <mailto:weirds@ietf.org>
List-Help: <mailto:weirds-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/weirds>, <mailto:weirds-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2012 14:49:18 -0000

On May 1, 2012, at 8:49 AM, Andy Newton wrote:

> 
> On May 1, 2012, at 8:03 AM, Dave Piscitello wrote:
> 
>> +1
>> 
>> In a searchable world, sometimes all you have is the IP of the name server that's resolving the malicious/harmful domain. So asking "what other domains host zone files at this IP?", "who registered those domains?", and "what registrar is sponsoring the registrations?" are all useful crumbs that often help you identify names used by in a campaign, or the registrant names used in association with a criminal enterprise. 
> 
> Are you gonna hit up every registry or registrar in the world looking for your answer? I'm a little fuzzy on the use case.

This would be inefficient. As I said in a subsequent email, at least some of the use cases I'm familiar with are databases of whois records associated with malicious registrations or domains associated with criminal activities. However, I wouldn't discount hitting up the "top suspects" if I were investigating a campaign that seemed to concentrate on a small number of registries. Sampling might fall within scale, too.

> And does this feature already exist in many registry Whois servers?

Few I imagine. I know of some research and private applications where this feature is either present or would be attractive. 

Are we only interested in replicating what exists today?

v2.38.3 | Report a Bug | By Email | System Status