January 14, 2025
It’s a dark whois world

Introduction

A recent study by Interisle[1],[2] has highlighted the prevalence of a lack of identifying contact information in the registration records of gTLD (generic top-level domain) domain names, with the claim that almost 90% of records are devoid of such information[3]. This trend is a familiar one following the introduction of the General Data Protection Regulation (GDPR) in 2018, in response to which much of the available contact information was redacted, but is arguably just a continuation of a pattern which was anyway becoming more common; use of privacy and proxy services is attractive to many registrants desiring online anonymity, and can be of particular appeal to infringers.

The study by Interisle considers a set of 3,000 domain names and also includes a focus on attempting to identify contact details on any associated hosted websites. In this article, we consider an analysis of a broader dataset of gTLD names, but focusing just on the information in the whois records themselves (which are explicitly covered by an ICANN regulation requiring the provision of accurate contact information to the registrar[4] – even if the registrar then ‘masks’ this information publicly), with a view to assessing the extent and implications of ‘dark’ whois records within the domain landscape.

 

Methodology and overview

The analysis considers a sample set of 500 domain names[5] from each of the 100 largest gTLD zone files, giving a total dataset of 50,000 domains, and considers only those whois records which are available via an automated look up (focusing specifically on the registrant name / organisation and e-mail address fields as given in the record).

In the study, we look to determine the prevalence of each of a series of whois record ‘categories’ corresponding to the degree of privacy protection or redaction used, and mirroring the definitions used by ICANN[6]:

  • Use of a proxy service – this is where no explicit information about the ‘real’ registrant is given in the name or e-mail address field of the record. Proxy service providers use their own contact details in the whois record and, technically, are in each case the legal registered owner of the domain, acting as a licensor of the name to the end customer.
  • Use of a privacy service – in this case, the customer is the registered owner of the domain, and is featured in the registrant name field of the whois record, although other contact details may be absent (often replaced by forwarding e-mail addresses supplied by the service provider).
  • Redaction – this definition is taken to be where the term “redacted” explicitly appears in the whois record in place of one of the other fields normally present. In this study, redacted records are subdivided into those where a specific identifiable registrant is named, and those where this is not the case. Note that this category includes cases where an explicit contact e-mail address may also be given (which, according to some definitions, might be considered to be ‘open’ records).
  • ‘Open’ – these are cases where an explicit owner name and contact e-mail address is given. It is worth noting that this is a relatively strict definition, and excludes cases where the e-mail address is that of the underlying registrar or other service provider (taken in this analysis to be privacy-protected records).
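The four categories above can be expressed as a decision procedure over the registrant name, organisation and e-mail fields. The following is an added example, not the code used in the study: the provider markers, mailbox prefixes, field labels and sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed heuristics (not from the article): substrings marking a proxy/privacy
# provider, and mailbox prefixes treated as registrar or provider addresses.
PROVIDER_MARKERS = ("privacy", "proxy", "whois", "private by design")
PROVIDER_MAILBOXES = ("abuse@", "domainabuse@", "whois@")
FIELD_RE = re.compile(r"\s*Registrant (Name|Organi[sz]ation|Email):\s*(.*)", re.I)

def parse_whois(text):
    """Return the registrant name/organisation/e-mail fields, keyed nam/org/ema."""
    found = (FIELD_RE.match(line) for line in text.splitlines())
    return {m.group(1).lower()[:3]: m.group(2).strip() for m in found if m}

def is_provider(value):
    return any(marker in value.lower() for marker in PROVIDER_MARKERS)

def classify(text):
    f = parse_whois(text)
    name, org, email = f.get("nam", ""), f.get("org", ""), f.get("ema", "")
    # A registrant counts as named only if a name/org value is present and is
    # neither a redaction placeholder nor a provider's own details.
    named = any(v and "redacted" not in v.lower() and not is_provider(v)
                for v in (name, org))
    if any("redacted" in v.lower() for v in (name, org, email)):
        return "redaction (named registrant)" if named else "redaction"
    if not named:
        return "proxy"  # provider's details (or nothing) in place of the registrant
    # Strict 'open' test: a registrar/provider mailbox counts as privacy-protected.
    masked = (not email or is_provider(email)
              or email.lower().startswith(PROVIDER_MAILBOXES))
    return "privacy" if masked else "open"

# Constructed sample records (illustrative only, not taken from the dataset).
SAMPLES = {
    "proxy.example": "Registrant Name: Domains By Proxy, LLC\n"
                     "Registrant Email: contact@proxy-provider.example",
    "privacy.example": "Registrant Name: Jane Example\n"
                       "Registrant Email: abuse@registrar.example",
    "redacted.example": "Registrant Name: REDACTED FOR PRIVACY\n"
                        "Registrant Email: REDACTED FOR PRIVACY",
    "named.example": "Registrant Name: REDACTED FOR PRIVACY\n"
                     "Registrant Organization: Example Widgets Ltd\n"
                     "Registrant Email: REDACTED FOR PRIVACY",
    "open.example": "Registrant Name: John Sample\n"
                    "Registrant Email: john@sample-trading.example",
}

def tally(samples):
    """Count how many sample records fall into each category."""
    return Counter(classify(text) for text in samples.values())
```

The order of the tests matters: the redaction check runs before the proxy check, so a record that is both redacted and provider-held is counted as redacted.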

Why is this issue important? Fundamentally, the absence of personal identifying information in a domain whois record makes it more difficult for brand owners to launch enforcement actions against infringers – particularly where ‘real-world’ escalation routes may be required – and can therefore be amenable to a scenario which is advantageous for bad actors. Although in some cases it may be possible to serve a notice requesting that a registrar reveals the underlying contact information they hold (and where provably inaccurate information can be grounds for domain suspension), levels of compliance and documentary requirements by registrars can be highly variable.

Furthermore, a dark whois landscape makes it more difficult for brand protection initiatives to be able to prioritise and cluster together domain results based on shared characteristics, making the execution of efficient bulk takedowns a more complex prospect, and increasing the difficulty in demonstrating bad faith activity by serial infringers.

 

Findings

Of the 50,000 domains in the dataset, only 14,908 (29.8%) have whois records which are available via automated look-up (51 of the 100 gTLDs do not return any information in response to automated queries); this subset is the dataset on which the remainder of the analysis is based. 36 of the 100 gTLDs do return whois records for at least half of the domains queried.

Overall, only 110 of the domains in the dataset (0.74%) were classified as having ‘open’ whois records – an extremely small proportion, but perhaps unsurprising in view of the strict definition used, and potentially best viewed as a conservative estimate. These domains are spread across fifteen different TLDs: .africa (3 domains), .agency (1), .art (1), .best (4), .bond (3), .cam (1), .christmas (7), .com (14), .company (1), .fun (5), .icu (14), .net (5), .pics (33), .tech (9) and .website (9).

The full statistics are shown in Table 1.

 

| Category | No. domains | % |
|---|---|---|
| Proxy | 9,384 | 62.95 % |
| Privacy | 524 | 3.51 % |
| Redaction | 3,377 | 22.65 % |
| Redaction (with named registrant) | 1,513 | 10.15 % |
| ‘Open’ | 110 | 0.74 % |
| TOTAL | 14,908 | 100.00 % |

 

Table 1: Numbers of domains with each category of whois record

 

The prevalence of use of proxy services is striking – accounting for almost two-thirds of domains in the dataset – but also shows significant variability between TLDs. In total, the samples of domains from eight of the TLDs in the dataset showed an adoption rate of proxy services of greater than 80%: .today (94.72%; N = 417), .shop (94.71%; N = 170), .christmas (93.13%; N = 495), .one (86.84%; N = 38), .cam (85.13%; N = 417), .zone (84.96%; N = 419), .media (84.90%; N = 384) and .art (81.25%; N = 208), where N is the number of domains (out of 500) in each case for which a whois record was returned by the automated look-up (see also Appendix A).

It is also informative to consider the most commonly-used proxy service providers, and contact e-mail addresses given in privacy-protected records (Tables 2 and 3).

 

| Registrant name | No. domains | % |
|---|---|---|
| Domains By Proxy, LLC | 2,788 | 29.71 % |
| Privacy service provided by Withheld for Privacy ehf | 2,374 | 25.30 % |
| None | 1,066 | 11.36 % |
| Super Privacy Service LTD c/o Dynadot | 968 | 10.32 % |
| Private by Design, LLC | 360 | 3.84 % |
| Whois Privacy Protection Service, Inc. | 285 | 3.04 % |
| Privacy Protect, LLC (PrivacyProtect.org) | 241 | 2.57 % |
| Contact Privacy Inc. Customer [] | 214 | 2.28 % |
| PrivacyGuardian.org llc | 194 | 2.07 % |
| See PrivacyGuardian.org | 180 | 1.92 % |

 

Table 2: Most common ‘registrant organisation’ fields given in domains using proxy services

 

| Email address | No. domains | % |
|---|---|---|
| domainabuse@service.aliyun.com | 188 | 30.37 % |
| abuse@name.com | 59 | 9.53 % |
| abuse@reg.ru | 41 | 6.62 % |
| abuse@dns.business | 32 | 5.17 % |
| abuse@domains.co.za | 31 | 5.01 % |
| domainabuse@netim.net | 20 | 3.23 % |
| whois@domain-mgmt.net | 10 | 1.62 % |
| abuse@key-systems.net | 10 | 1.62 % |
| abuse@59.cn | 10 | 1.62 % |
| abuse@wdomain.com | 10 | 1.62 % |

 

Table 3: Most common contact e-mail addresses[7] given in privacy-protected records

 

Discussion

The paucity of ‘real-world’ contact details given in domain whois records is, in part, a construct of an environment where the appeal of anonymity is great, and is generating an online ecosystem which is advantageous for infringers and can be increasingly problematic for brand owners. This does not, of course, mean that nothing can be done from an enforcement point of view – requests for unmasking of contact details held by registrars can be successful in many cases where proof of wrongdoing is available. Even in the absence of registrant contact details, there is a range of enforcement approaches – such as hosting provider and registrar level notices – which are available. At the other end of the spectrum, for the highest priority infringements, a full formal domain dispute procedure can also serve as a means for obtaining registrant contact details.

In many cases, it may also be possible to build a picture of an infringer’s activity by using a range of online and offline open-source intelligence (OSINT) investigation approaches, often using data-points taken from the website content itself, or information taken from historical whois databases, as a start point.

The introduction of schemes such as the Registration Data Request Service (RDRS) by ICANN, offering a simplified and standardised process for requesting registrant information[8], may also be a step in the right direction. It is also worth noting that the whois protocol itself, lacking many up-to-date technical attributes, is scheduled to be phased out in 2025 in favour of the more standardised Registration Data Access Protocol (RDAP), which has an improved underlying technology.

Going forward, it may transpire that the balance between demands for privacy and online protection forces a push back towards the previous environment of requiring a greater degree of accountability for website owners, and forcing a move towards more comprehensive whois databases. Adoption of mandates such as the Network and Information Security (NIS2) Directive, requiring registries and registrars to collect and provide free access to detailed (‘thick’ whois) information[9], may be part of this picture.

 

Appendix A: Numbers of domains with each category of whois record, by TLD

(N = number of domains for which a whois record was returned by the automated look-up)

 

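| TLD | Proxy | Privacy | Redaction | Redaction (with named registrant) | ‘Open’ | N |
|---|---|---|---|---|---|---|
| pics | 77.20 % | 2.80 % | 12.00 % | 1.40 % | 6.60 % | 500 |
| christmas | 93.13 % | 1.62 % | 3.43 % | 0.40 % | 1.41 % | 495 |
| xyz | 63.41 % | 6.91 % | 29.67 % | 0.00 % | 0.00 % | 492 |
| africa | 53.66 % | 28.46 % | 14.02 % | 3.25 % | 0.61 % | 492 |
| com | 70.19 % | 5.59 % | 19.67 % | 1.66 % | 2.90 % | 483 |
| icu | 27.67 % | 19.92 % | 49.48 % | 0.00 % | 2.94 % | 477 |
| asia | 42.00 % | 0.00 % | 39.78 % | 18.22 % | 0.00 % | 450 |
| fun | 55.01 % | 12.25 % | 30.29 % | 1.34 % | 1.11 % | 449 |
| bond | 42.76 % | 2.45 % | 43.88 % | 10.24 % | 0.67 % | 449 |
| zone | 84.96 % | 0.00 % | 6.68 % | 8.35 % | 0.00 % | 419 |
| today | 94.72 % | 0.00 % | 3.12 % | 2.16 % | 0.00 % | 417 |
| cam | 85.13 % | 1.68 % | 10.79 % | 2.16 % | 0.24 % | 417 |
| best | 48.19 % | 1.69 % | 46.51 % | 2.65 % | 0.96 % | 415 |
| photography | 58.72 % | 0.00 % | 30.47 % | 10.81 % | 0.00 % | 407 |
| services | 72.87 % | 0.00 % | 12.14 % | 14.99 % | 0.00 % | 387 |
| solutions | 77.72 % | 0.00 % | 11.40 % | 10.88 % | 0.00 % | 386 |
| website | 69.69 % | 6.48 % | 19.95 % | 1.55 % | 2.33 % | 386 |
| media | 84.90 % | 0.26 % | 9.11 % | 5.73 % | 0.00 % | 384 |
| rocks | 51.77 % | 0.00 % | 33.79 % | 14.44 % | 0.00 % | 367 |
| academy | 60.38 % | 0.00 % | 21.86 % | 17.76 % | 0.00 % | 366 |
| global | 60.11 % | 0.27 % | 19.67 % | 19.95 % | 0.00 % | 366 |
| net | 61.62 % | 4.76 % | 30.53 % | 1.68 % | 1.40 % | 357 |
| link | 71.55 % | 0.00 % | 20.85 % | 7.61 % | 0.00 % | 355 |
| systems | 51.14 % | 0.28 % | 23.58 % | 25.00 % | 0.00 % | 352 |
| social | 61.78 % | 0.00 % | 25.00 % | 13.22 % | 0.00 % | 348 |
| care | 54.33 % | 0.30 % | 25.37 % | 20.00 % | 0.00 % | 335 |
| rest | 79.39 % | 0.00 % | 19.39 % | 1.21 % | 0.00 % | 330 |
| consulting | 43.96 % | 0.31 % | 28.79 % | 26.93 % | 0.00 % | 323 |
| llc | 67.30 % | 0.00 % | 12.26 % | 20.44 % | 0.00 % | 318 |
| digital | 64.08 % | 0.32 % | 23.62 % | 11.97 % | 0.00 % | 309 |
| wtf | 70.82 % | 0.00 % | 18.36 % | 10.82 % | 0.00 % | 305 |
| company | 45.92 % | 1.02 % | 23.81 % | 28.91 % | 0.34 % | 294 |
| games | 55.48 % | 0.34 % | 29.45 % | 14.73 % | 0.00 % | 292 |
| info | 59.44 % | 1.05 % | 21.33 % | 18.18 % | 0.00 % | 286 |
| agency | 66.90 % | 1.76 % | 19.01 % | 11.97 % | 0.35 % | 284 |
| email | 38.85 % | 0.00 % | 30.58 % | 30.58 % | 0.00 % | 278 |
| tech | 52.99 % | 21.37 % | 19.23 % | 2.56 % | 3.85 % | 234 |
| art | 81.25 % | 7.69 % | 10.10 % | 0.48 % | 0.48 % | 208 |
| shop | 94.71 % | 0.00 % | 5.29 % | 0.00 % | 0.00 % | 170 |
| org | 37.95 % | 0.00 % | 30.12 % | 31.93 % | 0.00 % | 166 |
| cloud | 21.85 % | 0.00 % | 40.34 % | 37.82 % | 0.00 % | 119 |
| wiki | 69.01 % | 0.00 % | 8.45 % | 22.54 % | 0.00 % | 71 |
| ink | 22.58 % | 0.00 % | 27.42 % | 50.00 % | 0.00 % | 62 |
| amsterdam | 33.33 % | 0.00 % | 54.17 % | 12.50 % | 0.00 % | 48 |
| one | 86.84 % | 0.00 % | 13.16 % | 0.00 % | 0.00 % | 38 |
| top | 29.41 % | 0.00 % | 70.59 % | 0.00 % | 0.00 % | 17 |
| app | 50.00 % | 0.00 % | 0.00 % | 50.00 % | 0.00 % | 2 |
| tel | 0.00 % | 0.00 % | 50.00 % | 50.00 % | 0.00 % | 2 |
| page | 0.00 % | 0.00 % | 100.00 % | 0.00 % | 0.00 % | 1 |
| autos | - | - | - | - | - | 0 |
| bayern | - | - | - | - | - | 0 |
| bet | - | - | - | - | - | 0 |
| bio | - | - | - | - | - | 0 |
| biz | - | - | - | - | - | 0 |
| blog | - | - | - | - | - | 0 |
| business | - | - | - | - | - | 0 |
| buzz | - | - | - | - | - | 0 |
| cfd | - | - | - | - | - | 0 |
| click | - | - | - | - | - | 0 |
| club | - | - | - | - | - | 0 |
| cyou | - | - | - | - | - | 0 |
| design | - | - | - | - | - | 0 |
| dev | - | - | - | - | - | 0 |
| eus | - | - | - | - | - | 0 |
| family | - | - | - | - | - | 0 |
| fyi | - | - | - | - | - | 0 |
| group | - | - | - | - | - | 0 |
| homes | - | - | - | - | - | 0 |
| ing | - | - | - | - | - | 0 |
| lat | - | - | - | - | - | 0 |
| life | - | - | - | - | - | 0 |
| live | - | - | - | - | - | 0 |
| lol | - | - | - | - | - | 0 |
| love | - | - | - | - | - | 0 |
| ltd | - | - | - | - | - | 0 |
| mobi | - | - | - | - | - | 0 |
| mom | - | - | - | - | - | 0 |
| name | - | - | - | - | - | 0 |
| network | - | - | - | - | - | 0 |
| news | - | - | - | - | - | 0 |
| nrw | - | - | - | - | - | 0 |
| online | - | - | - | - | - | 0 |
| ovh | - | - | - | - | - | 0 |
| pro | - | - | - | - | - | 0 |
| realtor | - | - | - | - | - | 0 |
| sbs | - | - | - | - | - | 0 |
| site | - | - | - | - | - | 0 |
| skin | - | - | - | - | - | 0 |
| space | - | - | - | - | - | 0 |
| store | - | - | - | - | - | 0 |
| studio | - | - | - | - | - | 0 |
| swiss | - | - | - | - | - | 0 |
| team | - | - | - | - | - | 0 |
| tokyo | - | - | - | - | - | 0 |
| vip | - | - | - | - | - | 0 |
| wang | - | - | - | - | - | 0 |
| win | - | - | - | - | - | 0 |
| work | - | - | - | - | - | 0 |
| world | - | - | - | - | - | 0 |
| zip | - | - | - | - | - | 0 |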

 

 

 

[1] https://dnib.com/articles/interisle-report-examines-domain-name-contact-data-availability

[2] https://circleid.com/posts/new-data-on-domain-name-contact-availability-and-privacy

[3] Strictly, the study relates to the Registration Data Directory Services (RDDS) system(s) offered by registries and registrars for providing access to registration data, of which the familiar whois service is a subset – see https://www.icann.org/resources/pages/whois-rdds-2023-11-02-en

[4] https://www.icann.org/resources/pages/wdrp-2012-02-25-en

[5] The sample comprises every 25th domain in the order in which they appear in the zone file (generally alphabetical), until 500 have been extracted – this value was selected as all 100 of the zone files analysed contain at least 12,500 domain names

[6] https://www.icann.org/resources/pages/pp-services-2017-08-31-en

[7] Note that this may actually be the abuse contact e-mail address for the registrar; this may be the only explicit e-mail address given in the whois record in many cases.

[8] https://www.linkedin.com/posts/stobbs_rdrs-activity-7212106221485531136-Rr7B

[9] https://www.uschamber.com/technology/domain-name-data-why-its-disappearing-and-why-you-should-care
