Introduction
A recent study by Interisle[1,2] has highlighted the prevalence of a lack of identifying contact information in the registration records of gTLD (generic top-level domain) domain names, with the claim that almost 90% of records are devoid of such information[3]. This trend is a familiar one following the introduction of the General Data Protection Regulation (GDPR) in 2018, in response to which much of the available contact information was redacted, but is arguably just a continuation of a pattern which was anyway becoming more common; use of privacy and proxy services is attractive to many registrants desiring online anonymity, and can be of particular appeal to infringers.
The study by Interisle considers a set of 3,000 domain names and also includes a focus on attempting to identify contact details on any associated hosted websites. In this article, we consider an analysis of a broader dataset of gTLD names, but focusing just on the information in the whois records themselves (which are explicitly covered by an ICANN regulation requiring the provision of accurate contact information to the registrar[4] - even if the registrar then 'masks' this information publicly), with a view to assessing the extent and implications of 'dark' whois records within the domain landscape.
Methodology and overview
The analysis considers a sample set of 500 domain names[5] from each of the 100 largest gTLD zone files, giving a total dataset of 50,000 domains, and considers only those whois records which are available via an automated look up (focusing specifically on the registrant name / organisation and e-mail address fields as given in the record).
In the study, we look to determine the prevalence of each of a series of whois record 'categories' corresponding to the degree of privacy protection or redaction used, and mirroring the definitions used by ICANN[6]:
- Use of a proxy service - this is where no explicit reference to the 'real' registrant is given in the name or e-mail address field of the record. Proxy service providers use their own contact details in the whois record and, technically, are in each case the legal registered owner of the domain, acting as a licensor of the name to the end customer.
- Use of a privacy service - in this case, the customer is the registered owner of the domain, and is featured in the registrant name field of the whois record, although other contact details may be absent (often replaced by forwarding e-mail addresses supplied by the service provider).
- Redaction - this definition is taken to be where the term "redacted" explicitly appears in the whois record in place of one of the other fields normally present. In this study, redacted records are subdivided into those where a specific identifiable registrant is named, and those where this is not the case. Note that this category includes cases where an explicit contact e-mail address may also be given (which, according to some definitions, might be considered to be 'open' records).
- 'Open' - these are cases where an explicit owner name and contact e-mail address is given. It is worth noting that this is a relatively strict definition, and excludes cases where the e-mail address is that of the underlying registrar or other service provider (taken in this analysis to be privacy-protected records).
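The four categories above can be expressed as a rule-based classifier over the registrant name, organisation and e-mail fields. The sketch below is an added example, not the code used in the study: the keyword lists, the rule precedence and the sample records are assumptions constructed for illustration.

```python
import re

# Assumed heuristics: substrings suggesting a proxy/privacy provider (modelled on
# the provider names in Table 2) and mailbox names typical of registrars (Table 3).
PROVIDER_HINTS = ("proxy", "privacy", "private", "withheld", "whois")
PROVIDER_MAILBOXES = {"abuse", "domainabuse", "whois"}
REDACTED = re.compile(r"\bredacted\b", re.IGNORECASE)

def blank(value):
    return value is None or value.strip().lower() in ("", "none", "n/a")

def is_provider(text):
    return any(hint in text.lower() for hint in PROVIDER_HINTS)

def is_provider_mailbox(email):
    local, _, domain = email.strip().lower().partition("@")
    return local in PROVIDER_MAILBOXES or is_provider(domain)

def classify(record):
    """Assign one whois record (name / organisation / email) to a category."""
    name, org, email = (record.get(k) for k in ("name", "organisation", "email"))
    present = [f for f in (name, org, email) if not blank(f)]
    # Named = name or organisation is filled in, unredacted and not a provider.
    named = any(not blank(f) and not REDACTED.search(f) and not is_provider(f)
                for f in (name, org))
    if any(REDACTED.search(f) for f in present):
        return "redaction (named)" if named else "redaction"
    if not named:
        return "proxy"    # provider details, or nothing, in place of the registrant
    if not blank(email) and not is_provider_mailbox(email):
        return "open"     # explicit owner name and the owner's own address
    return "privacy"      # owner named, contact details masked or registrar's

# Constructed sample records (not from the study's dataset).
SAMPLES = [
    {"name": "Registration Private", "organisation": "Example Proxy Service LLC",
     "email": "example.test@proxy-service.example"},
    {"name": None, "organisation": "None", "email": "abuse@registrar.example"},
    {"name": "Jane Example", "organisation": "", "email": "abuse@registrar.example"},
    {"name": "REDACTED FOR PRIVACY", "organisation": "Example Widgets Ltd",
     "email": "REDACTED FOR PRIVACY"},
    {"name": "Redacted for Privacy", "organisation": "Redacted for Privacy",
     "email": "owner@example.org"},
    {"name": "Jane Example", "organisation": "Example Widgets Ltd",
     "email": "jane@example-widgets.example"},
]

for r in SAMPLES:
    print(classify(r), "<-", r["name"])
```

Redaction is tested first so that a record containing "redacted" stays in that category even when an explicit e-mail address is present, matching the note in the redaction definition.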
Why is this issue important? Fundamentally, the absence of personal identifying information in a domain whois record makes it more difficult for brand owners to launch enforcement actions against infringers - particularly where 'real-world' escalation routes may be required - and can therefore create an environment which is advantageous for bad actors. Although in some cases it may be possible to serve a notice requesting that a registrar reveals the underlying contact information they hold (and where provably inaccurate information can be grounds for domain suspension), levels of compliance and documentary requirements by registrars can be highly variable.
Furthermore, a dark whois landscape makes it more difficult for brand protection initiatives to be able to prioritise and cluster together domain results based on shared characteristics, making the execution of efficient bulk takedowns a more complex prospect, and increasing the difficulty in demonstrating bad faith activity by serial infringers.
Findings
Of the 50,000 domains in the dataset, only 14,908 (29.8%) have whois records which are available via automated look-up (51 of the 100 gTLDs do not return any information in response to automated queries); this subset is the dataset on which the remainder of the analysis is based. 36 of the 100 gTLDs do return whois records for at least half of the domains queried.
Overall, only 110 of the domains in the dataset (0.74%) were classified as having 'open' whois records - an extremely small proportion, but perhaps unsurprising in view of the strict definition used, and potentially best viewed as a conservative estimate. These domains are spread across fifteen different TLDs: .africa (3 domains), .agency (1), .art (1), .best (4), .bond (3), .cam (1), .christmas (7), .com (14), .company (1), .fun (5), .icu (14), .net (5), .pics (33), .tech (9) and .website (9).
The full statistics are shown in Table 1.
Category | No. domains | % |
---|---|---|
Proxy | 9,384 | 62.95 % |
Privacy | 524 | 3.51 % |
Redaction | 3,377 | 22.65 % |
Redaction (with named registrant) | 1,513 | 10.15 % |
'Open' | 110 | 0.74 % |
TOTAL | 14,908 | 100.00 % |
Table 1: Numbers of domains with each category of whois record
The prevalence of use of proxy services is striking - accounting for almost two-thirds of domains in the dataset - but also shows significant variability between TLDs. In total, the samples of domains from eight of the TLDs in the dataset showed an adoption rate of proxy services of greater than 80%: .today (94.72%; N = 417), .shop (94.71%; N = 170), .christmas (93.13%; N = 495), .one (86.84%; N = 38), .cam (85.13%; N = 417), .zone (84.96%; N = 419), .media (84.90%; N = 384) and .art (81.25%; N = 208), where N is the number of domains (out of 500) in each case for which a whois record was returned by the automated look-up (see also Appendix A).
It is also informative to consider the most commonly-used proxy service providers, and contact e-mail addresses given in privacy-protected records (Tables 2 and 3).
Registrant name | No. domains | % |
---|---|---|
Domains By Proxy, LLC | 2,788 | 29.71 % |
Privacy service provided by Withheld for Privacy ehf | 2,374 | 25.30 % |
None | 1,066 | 11.36 % |
Super Privacy Service LTD c/o Dynadot | 968 | 10.32 % |
Private by Design, LLC | 360 | 3.84 % |
Whois Privacy Protection Service, Inc. | 285 | 3.04 % |
Privacy Protect, LLC (PrivacyProtect.org) | 241 | 2.57 % |
Contact Privacy Inc. Customer [] | 214 | 2.28 % |
PrivacyGuardian.org llc | 194 | 2.07 % |
See PrivacyGuardian.org | 180 | 1.92 % |
Table 2: Most common 'registrant organisation' fields given in domains using proxy services
E-mail address | No. domains | % |
---|---|---|
domainabuse@service.aliyun.com | 188 | 30.37 % |
abuse@name.com | 59 | 9.53 % |
abuse@reg.ru | 41 | 6.62 % |
abuse@dns.business | 32 | 5.17 % |
abuse@domains.co.za | 31 | 5.01 % |
domainabuse@netim.net | 20 | 3.23 % |
whois@domain-mgmt.net | 10 | 1.62 % |
abuse@key-systems.net | 10 | 1.62 % |
abuse@59.cn | 10 | 1.62 % |
abuse@wdomain.com | 10 | 1.62 % |
Table 3: Most common contact e-mail addresses[7] given in privacy-protected records
Discussion
The paucity of 'real-world' contact details given in domain whois records is, in part, a construct of an environment where the appeal of anonymity is great, and is generating an online ecosystem which is advantageous for infringers and can be increasingly problematic for brand owners. This does not, of course, mean that nothing can be done from an enforcement point of view - requests for unmasking of contact details held by registrars can be successful in many cases where proof of wrongdoing is available. Even in the absence of registrant contact details, there is a range of enforcement approaches - such as hosting provider and registrar level notices - which are available. At the other end of the spectrum, for the highest priority infringements, a full formal domain dispute procedure can also serve as a means for obtaining registrant contact details.
In many cases, it may also be possible to build a picture of an infringer's activity by using a range of online and offline open-source intelligence (OSINT) investigation approaches, often using data-points taken from the website content itself, or information taken from historical whois databases, as a start point.
The introduction of schemes such as the Registration Data Request Service (RDRS) by ICANN, offering a simplified and standardised process for requesting registrant information[8], may also be a step in the right direction. It is also worth noting that the whois protocol itself, lacking many up-to-date technical attributes, is scheduled to be phased out in 2025 in favour of the more standardised Registration Data Access Protocol (RDAP), which has an improved underlying technology.
Going forward, it may transpire that the balance between demands for privacy and online protection forces a push back towards the previous environment of requiring a greater degree of accountability for website owners, and forcing a move towards more comprehensive whois databases. Adoption of mandates such as the Network and Information Security (NIS2) Directive, requiring registries and registrars to collect and provide free access to detailed ('thick' whois) information[9], may be part of this picture.
Appendix A: Numbers of domains with each category of whois record, by TLD
(N = number of domains for which a whois record was returned by the automated look-up)
TLD | Proxy | Privacy | Redaction | Redaction (with named registrant) | Open | N |
---|---|---|---|---|---|---|
pics | 77.20 % | 2.80 % | 12.00 % | 1.40 % | 6.60 % | 500 |
christmas | 93.13 % | 1.62 % | 3.43 % | 0.40 % | 1.41 % | 495 |
xyz | 63.41 % | 6.91 % | 29.67 % | 0.00 % | 0.00 % | 492 |
africa | 53.66 % | 28.46 % | 14.02 % | 3.25 % | 0.61 % | 492 |
com | 70.19 % | 5.59 % | 19.67 % | 1.66 % | 2.90 % | 483 |
icu | 27.67 % | 19.92 % | 49.48 % | 0.00 % | 2.94 % | 477 |
asia | 42.00 % | 0.00 % | 39.78 % | 18.22 % | 0.00 % | 450 |
fun | 55.01 % | 12.25 % | 30.29 % | 1.34 % | 1.11 % | 449 |
bond | 42.76 % | 2.45 % | 43.88 % | 10.24 % | 0.67 % | 449 |
zone | 84.96 % | 0.00 % | 6.68 % | 8.35 % | 0.00 % | 419 |
today | 94.72 % | 0.00 % | 3.12 % | 2.16 % | 0.00 % | 417 |
cam | 85.13 % | 1.68 % | 10.79 % | 2.16 % | 0.24 % | 417 |
best | 48.19 % | 1.69 % | 46.51 % | 2.65 % | 0.96 % | 415 |
photography | 58.72 % | 0.00 % | 30.47 % | 10.81 % | 0.00 % | 407 |
services | 72.87 % | 0.00 % | 12.14 % | 14.99 % | 0.00 % | 387 |
solutions | 77.72 % | 0.00 % | 11.40 % | 10.88 % | 0.00 % | 386 |
website | 69.69 % | 6.48 % | 19.95 % | 1.55 % | 2.33 % | 386 |
media | 84.90 % | 0.26 % | 9.11 % | 5.73 % | 0.00 % | 384 |
rocks | 51.77 % | 0.00 % | 33.79 % | 14.44 % | 0.00 % | 367 |
academy | 60.38 % | 0.00 % | 21.86 % | 17.76 % | 0.00 % | 366 |
global | 60.11 % | 0.27 % | 19.67 % | 19.95 % | 0.00 % | 366 |
net | 61.62 % | 4.76 % | 30.53 % | 1.68 % | 1.40 % | 357 |
link | 71.55 % | 0.00 % | 20.85 % | 7.61 % | 0.00 % | 355 |
systems | 51.14 % | 0.28 % | 23.58 % | 25.00 % | 0.00 % | 352 |
social | 61.78 % | 0.00 % | 25.00 % | 13.22 % | 0.00 % | 348 |
care | 54.33 % | 0.30 % | 25.37 % | 20.00 % | 0.00 % | 335 |
rest | 79.39 % | 0.00 % | 19.39 % | 1.21 % | 0.00 % | 330 |
consulting | 43.96 % | 0.31 % | 28.79 % | 26.93 % | 0.00 % | 323 |
llc | 67.30 % | 0.00 % | 12.26 % | 20.44 % | 0.00 % | 318 |
digital | 64.08 % | 0.32 % | 23.62 % | 11.97 % | 0.00 % | 309 |
wtf | 70.82 % | 0.00 % | 18.36 % | 10.82 % | 0.00 % | 305 |
company | 45.92 % | 1.02 % | 23.81 % | 28.91 % | 0.34 % | 294 |
games | 55.48 % | 0.34 % | 29.45 % | 14.73 % | 0.00 % | 292 |
info | 59.44 % | 1.05 % | 21.33 % | 18.18 % | 0.00 % | 286 |
agency | 66.90 % | 1.76 % | 19.01 % | 11.97 % | 0.35 % | 284 |
38.85 % | 0.00 % | 30.58 % | 30.58 % | 0.00 % | 278 | |
tech | 52.99 % | 21.37 % | 19.23 % | 2.56 % | 3.85 % | 234 |
art | 81.25 % | 7.69 % | 10.10 % | 0.48 % | 0.48 % | 208 |
shop | 94.71 % | 0.00 % | 5.29 % | 0.00 % | 0.00 % | 170 |
org | 37.95 % | 0.00 % | 30.12 % | 31.93 % | 0.00 % | 166 |
cloud | 21.85 % | 0.00 % | 40.34 % | 37.82 % | 0.00 % | 119 |
wiki | 69.01 % | 0.00 % | 8.45 % | 22.54 % | 0.00 % | 71 |
ink | 22.58 % | 0.00 % | 27.42 % | 50.00 % | 0.00 % | 62 |
amsterdam | 33.33 % | 0.00 % | 54.17 % | 12.50 % | 0.00 % | 48 |
one | 86.84 % | 0.00 % | 13.16 % | 0.00 % | 0.00 % | 38 |
top | 29.41 % | 0.00 % | 70.59 % | 0.00 % | 0.00 % | 17 |
app | 50.00 % | 0.00 % | 0.00 % | 50.00 % | 0.00 % | 2 |
tel | 0.00 % | 0.00 % | 50.00 % | 50.00 % | 0.00 % | 2 |
page | 0.00 % | 0.00 % | 100.00 % | 0.00 % | 0.00 % | 1 |
autos | - | - | - | - | - | 0 |
bayern | - | - | - | - | - | 0 |
bet | - | - | - | - | - | 0 |
bio | - | - | - | - | - | 0 |
biz | - | - | - | - | - | 0 |
blog | - | - | - | - | - | 0 |
business | - | - | - | - | - | 0 |
buzz | - | - | - | - | - | 0 |
cfd | - | - | - | - | - | 0 |
click | - | - | - | - | - | 0 |
club | - | - | - | - | - | 0 |
cyou | - | - | - | - | - | 0 |
design | - | - | - | - | - | 0 |
dev | - | - | - | - | - | 0 |
eus | - | - | - | - | - | 0 |
family | - | - | - | - | - | 0 |
fyi | - | - | - | - | - | 0 |
group | - | - | - | - | - | 0 |
homes | - | - | - | - | - | 0 |
ing | - | - | - | - | - | 0 |
lat | - | - | - | - | - | 0 |
life | - | - | - | - | - | 0 |
live | - | - | - | - | - | 0 |
lol | - | - | - | - | - | 0 |
love | - | - | - | - | - | 0 |
ltd | - | - | - | - | - | 0 |
mobi | - | - | - | - | - | 0 |
mom | - | - | - | - | - | 0 |
name | - | - | - | - | - | 0 |
network | - | - | - | - | - | 0 |
news | - | - | - | - | - | 0 |
nrw | - | - | - | - | - | 0 |
online | - | - | - | - | - | 0 |
ovh | - | - | - | - | - | 0 |
pro | - | - | - | - | - | 0 |
realtor | - | - | - | - | - | 0 |
sbs | - | - | - | - | - | 0 |
site | - | - | - | - | - | 0 |
skin | - | - | - | - | - | 0 |
space | - | - | - | - | - | 0 |
store | - | - | - | - | - | 0 |
studio | - | - | - | - | - | 0 |
swiss | - | - | - | - | - | 0 |
team | - | - | - | - | - | 0 |
tokyo | - | - | - | - | - | 0 |
vip | - | - | - | - | - | 0 |
wang | - | - | - | - | - | 0 |
win | - | - | - | - | - | 0 |
work | - | - | - | - | - | 0 |
world | - | - | - | - | - | 0 |
zip | - | - | - | - | - | 0 |
References
[1] https://dnib.com/articles/interisle-report-examines-domain-name-contact-data-availability
[2] https://circleid.com/posts/new-data-on-domain-name-contact-availability-and-privacy
[3] Strictly, the study relates to the Registration Data Directory Services (RDDS) system(s) offered by registries and registrars for providing access to registration data, of which the familiar whois service is a subset - see https://www.icann.org/resources/pages/whois-rdds-2023-11-02-en
[4] https://www.icann.org/resources/pages/wdrp-2012-02-25-en
[5] The sample comprises every 25th domain in the order in which they appear in the zone file (generally alphabetical), until 500 have been extracted - this value was selected as all 100 of the zone files analysed contain at least 12,500 domain names
[6] https://www.icann.org/resources/pages/pp-services-2017-08-31-en
[7] Note that this may actually be the abuse contact e-mail address for the registrar; this may be the only explicit e-mail address given in the whois record in many cases.
[8] https://www.linkedin.com/posts/stobbs_rdrs-activity-7212106221485531136-Rr7B
[9] https://www.uschamber.com/technology/domain-name-data-why-its-disappearing-and-why-you-should-care
This article was first published on 14 January 2025 at: