Jump to content

Who Is Screwing With Whois ?


plazmatron

Recommended Posts

So I was tinkering around with domain name lookups and such in preperation for an exam, and happened to do a whois on google.com. In the search results, I get things like this:

Server Name: GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZZ.LOVE.AND.TOLERANCE.THE-WONDERBOLTS.COM

IP Address: 50.62.130.9

Registrar: GODADDY.COM, LLC

Whois Server: whois.godaddy.com

Referral URL: http://registrar.godaddy.com

Server Name: GOOGLE.COM.ZZZZZZZZZZZZZZZZZZZZZZZZZZ.HAVENDATA.COM

IP Address: 50.23.75.44

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Whois Server: whois.PublicDomainRegistry.com

Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.ZZZZZZZZZZZZZ.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM

IP Address: 209.126.190.70

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Whois Server: whois.PublicDomainRegistry.com

Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.ZZZZZ.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM

IP Address: 69.41.185.195

Registrar: TUCOWS.COM CO.

Whois Server: whois.tucows.com

Referral URL: http://domainhelp.opensrs.net

Server Name: GOOGLE.COM.ZOMBIED.AND.HACKED.BY.WWW.WEB-HACK.COM

IP Address: 217.107.217.167

Registrar: DOMAINCONTEXT, INC.

Whois Server: whois.domaincontext.com

Referral URL: http://www.domaincontext.com

Server Name: GOOGLE.COM.PEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEENIS.COM

IP Address: 8.8.8.8

Registrar: DOMAIN.COM, LLC

Whois Server: whois.domain.com

Referral URL: http://www.domain.com

Server Name: GOOGLE.COM.PE

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Whois Server: whois.PublicDomainRegistry.com

Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.PAVLINOFF-55-11-44.COM

IP Address: 64.29.154.69

Registrar: HOSTOPIA.COM INC. D/B/A APLUS.NET

Whois Server: whois.names4ever.com

Referral URL: http://www.aplus.net

Server Name: GOOGLE.COM.MY

Registrar: WILD WEST DOMAINS, LLC

Whois Server: whois.wildwestdomains.com

Referral URL: http://www.wildwestdomains.com

Server Name: GOOGLE.COM.MX

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Whois Server: whois.PublicDomainRegistry.com

Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.LASERPIPE.COM

IP Address: 209.85.227.106

Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

Whois Server: whois.PublicDomainRegistry.com

Referral URL: http://www.PublicDomainRegistry.com

Server Name: GOOGLE.COM.IS.NOT.HOSTED.BY.ACTIVEDOMAINDNS.NET

IP Address: 217.148.161.5

Registrar: ENOM, INC.

Whois Server: whois.enom.com

Referral URL: http://www.enom.com

Who is screwing with the whois records, and how is it done??

Link to comment
Share on other sites

Guess it depends on 1, what DNS servers your ISP uses and if you did the lookups locally, or 2, the remote site that does the lookups, had its DNS cache poisoned, which sadly to say, is still possible with nearly any site still today.

http://whois.domaint....com/google.com shows the real deal, but at one time, even they had showed messed with data. Its a matter of how DNS works in general, and just about any site can fall victim to it. I believe DNSSEC is supposed to help prevent some of this from manipulating the IP addresses being pointed to rouge domains or IP's, but not sure how that effects actual WhoIS lookups. The internet in general is full of holes. DNS is just one of them, where, its not a flaw so much as its default behavior and a feature, just like ARP poisoning and MITM attacks, the protocols work as designed, even if designed to allow attacks. To fix it, would mean reinventing all of it from the ground up, so "fixes" or simple work around that don't break the current systems in place, are setup, like DNSSEC for example.

If its a computer, and wired to anything, its more than likely vulnerable to something. That just goes with the territory.

Another thing you can do, is nslookups from your local machine, and see what the name resolves to for IP info, then do an nslookup on the IP, and make sure they match relatively to the same systems. In doing so, your system should also tell you the DNS servers you are using. I personally use OpenDNS, just because they tend to be a little bit more accurate, and can also safeguard against some of these kinds of attacks, but won't prevent your local system from being tampered with and what DNS servers its told to use.

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...