Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt

Dave Piscitello <dave.piscitello@icann.org> Tue, 01 May 2012 12:03 UTC

Return-Path: <dave.piscitello@icann.org>
X-Original-To: weirds@ietfa.amsl.com
Delivered-To: weirds@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 658EA21F88AA for <weirds@ietfa.amsl.com>; Tue, 1 May 2012 05:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8T8hEOzTWJKX for <weirds@ietfa.amsl.com>; Tue, 1 May 2012 05:03:48 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 9455B21F88D0 for <weirds@ietf.org>; Tue, 1 May 2012 05:03:48 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Tue, 1 May 2012 05:03:48 -0700
From: Dave Piscitello <dave.piscitello@icann.org>
To: John Levine <johnl@iecc.com>
Date: Tue, 01 May 2012 05:03:47 -0700
Thread-Topic: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt
Thread-Index: Ac0nkncCfWQ6jGyLTjOCFF88bCuVbg==
Message-ID: <6DAAECD8-30D3-4195-BE44-C95D0EE3ECE3@icann.org>
References: <20120501024631.97808.qmail@joyce.lan>
In-Reply-To: <20120501024631.97808.qmail@joyce.lan>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "weirds@ietf.org" <weirds@ietf.org>
Subject: Re: [weirds] I-D Action: draft-hollenbeck-dnrd-ap-query-00.txt
X-BeenThere: weirds@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "WHOIS-based Extensible Internet Registration Data Service \(WEIRDS\)" <weirds.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/weirds>, <mailto:weirds-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/weirds>
List-Post: <mailto:weirds@ietf.org>
List-Help: <mailto:weirds-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/weirds>, <mailto:weirds-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2012 12:03:50 -0000

+1

In a searchable world, sometimes all you have is the IP of the name server that's resolving the malicious/harmful domain. So asking "what other domains host zone files at this IP?", "who registered those domains?", and "what registrar is sponsoring the registrations?" are all useful crumbs that often help you identify names used in a campaign, or the registrant names used in association with a criminal enterprise.

On Apr 30, 2012, at 10:46 PM, John Levine wrote:

>> I find the notion of asking a domain registrar for information about an
>> IP address to be confusing.  Is the user expecting to know who they
>> should contact about that IP address, are they expecting to find all the
>> possible mappings of labels to that IP address, or are they expecting
>> to have the domain query service perform a reverse lookup for them?
> 
> For a name registry or registrar, I'd be thrilled to get a list of
> name servers they know about that resolve to that IP.  A common bad
> guy trick is to register a bunch of names, stick them all on the same
> servers, but use a different subdomain name for each one, e.g. foo.biz
> has name server ns1.foo.biz and bar.biz has ns1.bar.biz, but they're
> really the same IP.
> 
> R's,
> John
> _______________________________________________
> weirds mailing list
> weirds@ietf.org
> https://www.ietf.org/mailman/listinfo/weirds
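The pivot both posters describe, "which domains have name servers at this IP, and who registered them?", together with John's pattern of per-domain vanity name servers that all resolve to one address, can be worked through on a small constructed data set. The example below is added here and is not code from the thread, the draft, or any registry; the registration records, the name-server addresses (RFC 5737 documentation ranges) and the registrant/registrar names are all made up, and `Registration`, `NS_ADDRESSES`, `domains_using_ns_ip` and `vanity_ns_clusters` are names chosen for this illustration. It treats the registry's knowledge of name-server glue as a plain dictionary so it runs offline.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Registration(NamedTuple):
    """One registration record as a registry/registrar would hold it (constructed shape)."""
    domain: str
    registrant: str
    registrar: str
    name_servers: List[str]  # NS host names delegated for the domain


# Constructed sample records: foo.biz, bar.biz and baz.biz each use their own
# in-bailiwick name server, but those hosts all share one address (John's pattern).
# quux.biz and shared.example share an address too, but shared.example delegates
# to an ordinary third-party host, which is what normal shared hosting looks like.
RECORDS: List[Registration] = [
    Registration("foo.biz", "A. Example", "Registrar One", ["ns1.foo.biz", "ns2.foo.biz"]),
    Registration("bar.biz", "A. Example", "Registrar One", ["ns1.bar.biz"]),
    Registration("baz.biz", "B. Example", "Registrar Two", ["ns1.baz.biz"]),
    Registration("quux.biz", "C. Example", "Registrar Two", ["ns1.quux.biz"]),
    Registration("shared.example", "D. Example", "Registrar One", ["ns.hosting.example"]),
]

# Constructed glue / A records, standing in for what the registry knows about
# the addresses its delegated name servers resolve to.
NS_ADDRESSES: Dict[str, List[str]] = {
    "ns1.foo.biz": ["192.0.2.10"],
    "ns2.foo.biz": ["192.0.2.11"],
    "ns1.bar.biz": ["192.0.2.10"],
    "ns1.baz.biz": ["192.0.2.10"],
    "ns1.quux.biz": ["198.51.100.5"],
    "ns.hosting.example": ["198.51.100.5"],
}


def index_by_ns_ip(records: List[Registration],
                   ns_addresses: Dict[str, List[str]]) -> Dict[str, List[Registration]]:
    """Map each name-server IP to the registrations whose NS hosts resolve to it."""
    idx: Dict[str, List[Registration]] = defaultdict(list)
    for rec in records:
        seen = set()  # a domain with two NS hosts on one IP is listed once
        for ns in rec.name_servers:
            for ip in ns_addresses.get(ns, []):
                if ip not in seen:
                    seen.add(ip)
                    idx[ip].append(rec)
    return idx


def domains_using_ns_ip(ip: str,
                        records: List[Registration] = RECORDS,
                        ns_addresses: Dict[str, List[str]] = NS_ADDRESSES
                        ) -> List[Tuple[str, str, str]]:
    """Answer the query in the thread: domains served from this IP, with the
    registrant and sponsoring registrar "crumbs" for each, sorted by domain."""
    idx = index_by_ns_ip(records, ns_addresses)
    return sorted((r.domain, r.registrant, r.registrar) for r in idx.get(ip, []))


def is_in_bailiwick(ns_host: str, domain: str) -> bool:
    """True when the NS host lives under the domain it serves (ns1.foo.biz for foo.biz)."""
    return ns_host == domain or ns_host.endswith("." + domain)


def vanity_ns_clusters(records: List[Registration] = RECORDS,
                       ns_addresses: Dict[str, List[str]] = NS_ADDRESSES,
                       min_domains: int = 2) -> Dict[str, List[str]]:
    """Find IPs where several domains each delegate to their own in-bailiwick
    name server. Out-of-bailiwick hosts are skipped, so a shared hosting name
    server used by many customers is not reported as a cluster."""
    idx: Dict[str, set] = defaultdict(set)
    for rec in records:
        for ns in rec.name_servers:
            if not is_in_bailiwick(ns, rec.domain):
                continue
            for ip in ns_addresses.get(ns, []):
                idx[ip].add(rec.domain)
    return {ip: sorted(doms) for ip, doms in idx.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5"):
        print(ip, domains_using_ns_ip(ip))
    print("vanity-NS clusters:", vanity_ns_clusters())
```

Running it lists three domains (and two distinct registrant names, one registrar in common) behind 192.0.2.10, and reports only that address as a vanity-NS cluster: 198.51.100.5 is also shared, but only one of its two domains uses an in-bailiwick host, which is the distinction between "same operator hiding behind per-domain name servers" and ordinary shared DNS hosting. Against real data the `NS_ADDRESSES` dictionary would be replaced by the registry's glue records or a resolver, and the registrant field by whatever the query service is permitted to return.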