Stories with Tag Domain Name System

• Launching RDAP; sunsetting WHOIS

  permalink

  Posted: 2025-03-17 00:48:48

  Verbose tl;dr

  ICANN is transitioning from the WHOIS protocol to the Registration Data Access Protocol (RDAP) for accessing domain name registration data. RDAP offers improved access control, internationalized data, and a structured, extensible format, addressing many of WHOIS's limitations. While gTLD registry operators were required to implement RDAP by 2019, ICANN's focus now shifts to encouraging its broader adoption and eventual replacement of WHOIS. Although no firm date is set for WHOIS's complete shutdown, ICANN aims to cease supporting the protocol once RDAP usage reaches sufficient levels, signaling a significant shift in how domain registration information is accessed.

  The Internet Corporation for Assigned Names and Numbers (ICANN) has announced a significant shift in how domain name registration data is accessed, moving from the legacy WHOIS protocol to the Registration Data Access Protocol (RDAP). This transition, formally announced on January 27, 2025, marks the culmination of a multi-year effort to modernize and improve the system for retrieving information about domain name registrants.

  WHOIS, a long-standing system, has served as the primary method for accessing registration data. However, its limitations in terms of data accuracy, consistency, and privacy have become increasingly apparent. It also lacks standardized output formats and internationalization capabilities, presenting challenges for users and developers. Furthermore, its design predates modern data privacy regulations like GDPR, making compliance difficult.

  RDAP, in contrast, is designed to address these shortcomings. It offers a more structured and standardized approach to data access, employing extensible data fields and supporting internationalized character sets. RDAP also incorporates robust access control mechanisms, allowing for differentiated access to registration data based on user roles and policy requirements. This enables better protection of personal data while still allowing legitimate access for purposes such as law enforcement investigations, intellectual property rights protection, and network operations.

  ICANN’s announcement highlights the completion of the technical development and deployment of the RDAP system across all generic Top-Level Domains (gTLDs). This signifies a readiness to fully transition away from WHOIS. While the exact date for complete cessation of WHOIS services has not been definitively established, the announcement reinforces ICANN's commitment to sunsetting the outdated protocol. The eventual decommissioning of WHOIS will mark a significant milestone in the evolution of internet governance, bringing the domain name system into greater alignment with current data privacy best practices and technological advancements. This transition encourages stakeholders to adopt RDAP as the preferred method for accessing registration data moving forward. ICANN recognizes the importance of this change and is committed to supporting users and providers throughout the transition process.

  • ICANN
  • RDAP
  • Whois
  • Domain Name System
  • dns
  • Internet Governance
  • Data Accuracy
  • privacy
  • Security
  • Protocol
  • Transition
  • deprecation
  • Registration Data Access Protocol
  • WHOIS Lookup
  • Domain Information
  • Internet Protocol
  • IP address
  • network administration
  • Policy

  Summary of Comments ( 273 )
  https://news.ycombinator.com/item?id=43384069

  Verbose tl;dr

  Hacker News commenters largely express frustration and skepticism about the transition from WHOIS to RDAP. They see RDAP as more complex and less accessible than WHOIS, hindering security research and anti-abuse efforts. Several commenters point out the lack of a unified, easy-to-use RDAP client, making bulk queries difficult and requiring users to navigate different authentication mechanisms for each registrar. The perceived lack of improvement over WHOIS and the added complexity lead some to believe the transition is driven by GDPR compliance rather than actual user benefit. Some also express concern about potential information access restrictions and the impact on legitimate uses of WHOIS data.

  The Hacker News post "Launching RDAP; sunsetting WHOIS" discussing ICANN's plan to replace WHOIS with RDAP has generated a moderate amount of discussion, with a focus on the practical implications and perceived shortcomings of the transition.

  Several commenters express skepticism about RDAP's purported benefits, particularly regarding data accessibility. One user highlights the increased complexity of querying RDAP compared to WHOIS, noting the requirement for specific queries for each top-level domain (TLD) and the varied responses that can make parsing difficult. This complexity is contrasted with the simplicity of WHOIS, which offered a single point of access. The user expresses doubt that RDAP will be as widely adopted or as useful as WHOIS.

  Building on this theme, another commenter points out the lack of a comprehensive, unified RDAP interface, leading to fragmentation and increased difficulty in obtaining domain information. They argue that this lack of a centralized system negates the benefits of a structured data format, making RDAP less practical than WHOIS for many users. They lament the potential loss of a useful tool and the added complexity introduced by RDAP.

  Another commenter questions the actual improvements offered by RDAP, highlighting the potential for similar abuse and privacy issues despite the structured data format. They point to the existing challenges with WHOIS data accuracy and the possibility of similar inaccuracies persisting in RDAP.

  One user expresses concern about the impact on security researchers and incident responders who rely on WHOIS data. They note the ease of automating WHOIS lookups and worry that the distributed nature of RDAP will hinder efficient data gathering for security purposes.

  The discussion also touches upon the internationalization aspects of RDAP, with one user praising the support for internationalized domain names and other languages. However, another commenter questions the enforcement of accuracy in internationalized data, suggesting that this aspect might introduce further complexities.

  Finally, a couple of comments reflect a more accepting stance towards the transition. One user simply acknowledges the change, while another points out the limited utility of WHOIS even before its deprecation, hinting at the potential for RDAP to offer improvements, albeit with challenges.

  In summary, the comments on Hacker News largely express concerns about the practical usability and effectiveness of RDAP as a replacement for WHOIS. The primary themes include increased complexity, lack of a unified interface, potential for similar data accuracy issues, and the impact on security researchers. While some acknowledge the potential benefits of structured data and internationalization, the prevailing sentiment appears to be one of skepticism and apprehension regarding the transition.

• Ask HN: How did the internet discover my subdomain?

  permalink

  Posted: 2025-03-06 22:34:54

  Verbose tl;dr

  A user is puzzled by how their subdomain, used for internal documentation and not linked anywhere publicly, was discovered and accessed by an external user. They're concerned about potential security vulnerabilities and are seeking explanations for how this could have happened, considering they haven't shared the subdomain's address. The user is ruling out DNS brute-forcing due to the subdomain's unique and unguessable name. They're particularly perplexed because the subdomain isn't indexed by search engines and hasn't been exposed through any known channels.

  The author of the Hacker News post expresses bewilderment over how their subdomain, specifically something.theirdomain.com, was discovered and subsequently accessed by external users. They articulate that this subdomain hosts an internal application, intentionally not linked from anywhere publicly accessible on their main domain, theirdomain.com. Furthermore, they emphasize that the subdomain is not indexed by any search engines, nor have they shared its address in any public forum or communication. This leads them to question the possible mechanisms by which external parties could have learned of its existence and successfully navigated to it. The author is particularly curious to understand if there are common vulnerabilities or overlooked aspects of web server configurations that might inadvertently expose subdomains meant to remain private. They are seeking insights from the Hacker News community regarding potential explanations for this unexpected discovery, hoping to understand how it occurred and implement measures to prevent similar occurrences in the future. The author implicitly indicates a desire to maintain the privacy of this internal application while acknowledging its current, unintended visibility.

  • Internet
  • subdomain
  • discovery
  • dns
  • Domain Name System
  • networking
  • Security
  • privacy
  • Hacker News
  • Ask HN
  • Web Development
  • website administration

  Summary of Comments ( 188 )
  https://news.ycombinator.com/item?id=43285725

  Verbose tl;dr

  The Hacker News comments discuss various ways a subdomain might be discovered, focusing on the likelihood of accidental discovery rather than malicious intent. Several commenters suggest DNS brute-forcing, where automated tools guess subdomains, is a common occurrence. Others highlight the possibility of the subdomain being included in publicly accessible configurations or code repositories like GitHub, or being discovered through certificate transparency logs. Some commenters suggest checking the server logs for clues, and emphasize that finding a subdomain doesn't necessarily imply anything nefarious is happening. The general consensus leans toward the discovery being unintentional and automated.

  The Hacker News post "Ask HN: How did the internet discover my subdomain?" generated several comments offering various explanations and suggestions to the original poster (OP).

  Several commenters focused on the likelihood of DNS propagation. They explained that even though the OP believed they hadn't publicly exposed their subdomain, the very act of configuring it within their DNS settings likely triggered its propagation across DNS servers. This means the subdomain became visible to parts of the internet, potentially through DNS queries made by various entities, including search engine crawlers, security scanners, or even malicious bots actively scanning for new domains.

  Another popular theory revolved around misconfigured services or exposed APIs. Commenters suggested the possibility of a service running on the subdomain being inadvertently accessible from the public internet, perhaps due to a firewall misconfiguration or overly permissive access rules. They also suggested checking for publicly accessible APIs that might have revealed the subdomain's existence.

  Some comments touched upon the possibility of certificate transparency logs. These logs publicly record SSL/TLS certificates issued for websites, and if the OP had obtained a certificate for their subdomain, it would be logged and thus discoverable.

  A few commenters mentioned the potential role of link rot analysis tools and web crawlers. These tools constantly scan the web for broken links, and if a link to the OP's subdomain existed somewhere, even if obscure or unintended, it could have been discovered this way. Likewise, generic web crawlers might have stumbled upon the subdomain through various means and indexed it.

  Several users offered practical advice to the OP, recommending using tools like dig to trace DNS records and identify potential points of exposure. Others advised checking server logs for any unusual activity that might indicate how the subdomain was discovered.

  A more speculative, but still plausible suggestion, involved the possibility of the subdomain being guessed or brute-forced. While less likely for a complex or randomly generated subdomain name, it is not impossible, particularly if the name is based on common patterns or easily guessable words.

  Finally, some comments highlighted the inherent difficulty of fully controlling information propagation on the internet. Once something is even briefly exposed, it can be difficult to completely erase its trace. They emphasized the importance of proactive security measures and careful configuration to minimize unintended exposure.

• Evolution of Whois Protocol to RDAP (2019)

  permalink

  Posted: 2025-02-10 10:04:46

  Verbose tl;dr

  ICANN's blog post details the transition from the legacy WHOIS protocol to the Registration Data Access Protocol (RDAP). RDAP offers several advantages over WHOIS, including standardized data formats, internationalized data, extensibility, and improved data access control through different access levels. This transition is necessary for WHOIS to comply with data privacy regulations like GDPR. ICANN encourages everyone using WHOIS to transition to RDAP and provides resources to aid in this process. The blog post highlights the key differences between the two protocols and reassures users that RDAP offers a more robust and secure method for accessing registration data.

  The Internet Corporation for Assigned Names and Numbers (ICANN) blog post, "Evolution of WHOIS Protocol to RDAP - What You Need to Know," published on October 23, 2019, details the transition from the legacy WHOIS protocol to the Registration Data Access Protocol (RDAP) for accessing registration data related to domain names, IP addresses, and Autonomous System Numbers (ASNs). The post emphasizes that this shift represents a significant modernization effort, offering numerous advantages over the aging WHOIS system.

  WHOIS, having served the internet community for many years, suffers from limitations in terms of data format standardization, internationalization support, and extensibility. This has led to inconsistencies in data presentation and accessibility, hindering efficient and reliable data retrieval. RDAP, designed as a successor to address these shortcomings, provides a structured, standardized, and extensible mechanism for accessing registration data. It leverages a RESTful web service, utilizing well-defined data formats like JSON and XML, allowing for more predictable and machine-readable responses. This facilitates automated data processing and integration with other systems, promoting greater efficiency in various applications.

  A key advantage of RDAP is its inherent support for internationalization, accommodating different languages and scripts. This is a crucial improvement over WHOIS, which predominantly relied on ASCII text, often posing challenges for users and systems dealing with non-Latin characters. Furthermore, RDAP offers enhanced data access control mechanisms, enabling registrars and registries to implement specific access policies based on data types and user roles. This granular control enhances data privacy and security, addressing concerns associated with the open nature of WHOIS data.

  The blog post highlights the gradual transition from WHOIS to RDAP, with ICANN encouraging stakeholders to adopt RDAP and progressively phase out reliance on the legacy system. It underscores the benefits of RDAP's structured data format, enabling more efficient querying and analysis, and its support for different data types, allowing for comprehensive access to registration information. The post also emphasizes the improved security and privacy features offered by RDAP through access control mechanisms, allowing for more granular control over data dissemination.

  The post concludes by reiterating ICANN's commitment to facilitating the transition and providing resources to assist stakeholders in adopting RDAP. It encourages users to familiarize themselves with the protocol and its capabilities, recognizing it as the future of registration data access and a critical component of a more secure and efficient internet infrastructure. This transition represents a significant step forward in modernizing the management and access of critical internet resource registration information.

  • ICANN
  • Whois
  • RDAP
  • Domain Name System
  • dns
  • Internet Governance
  • Data Accuracy
  • privacy
  • Security
  • Protocol
  • Transition
  • Registration Data Access Protocol
  • Domain Name Registration
  • 2019

  Summary of Comments ( 3 )
  https://news.ycombinator.com/item?id=42998737

  Verbose tl;dr

  Several Hacker News commenters discuss the shift from WHOIS to RDAP. Some express frustration with the complexity and inconsistency of RDAP implementations, noting varying data formats and access methods across different registries. One commenter points out the lack of a simple, unified tool for RDAP lookups compared to WHOIS. Others highlight RDAP's benefits, such as improved data accuracy, internationalization support, and standardized access controls, suggesting the transition is ultimately positive but messy in practice. The thread also touches upon the privacy implications of both systems and the challenges of balancing data accessibility with protecting personal information. Some users mention specific RDAP clients they find useful, while others express skepticism about the overall value proposition of the new protocol given its added complexity.

  The Hacker News post titled "Evolution of Whois Protocol to RDAP (2019)" has several comments discussing the transition from the legacy Whois protocol to the newer Registration Data Access Protocol (RDAP). Many commenters express frustration and skepticism about the supposed improvements of RDAP.

  One recurring theme is the increased complexity of RDAP compared to Whois. Commenters point out that Whois, despite its flaws, was simple and easy to use, even scriptable. RDAP, with its structured data and reliance on specific query formats, is seen as more difficult to work with, particularly for casual users or those accustomed to the simplicity of Whois. This added complexity is viewed as a barrier to access, potentially hindering security research and transparency efforts.

  Some commenters highlight the issue of rate limiting and access restrictions implemented by various registries. They argue that these limitations, often justified under the guise of privacy or abuse prevention, make it harder to gather information necessary for legitimate purposes like security research or investigating spam. The perception is that RDAP makes it easier for registrars to control and restrict access to registration data.

  There's a sense of disappointment that RDAP hasn't delivered on its promise of improved privacy and security. While acknowledging that RDAP offers better privacy features in theory, commenters observe that many registrars still expose much of the same information, effectively negating the potential benefits. Some even argue that the added complexity of RDAP makes it harder to understand what data is being collected and shared.

  The perceived lack of standardization in RDAP implementations is also a source of frustration. Commenters mention inconsistencies in data formats and query responses across different registries, making it difficult to develop tools that work universally. This lack of interoperability is seen as undermining the potential benefits of a standardized protocol.

  Finally, several comments express cynicism about the motivations behind the transition to RDAP. Some speculate that it's driven more by the desire for greater control over data access and revenue generation rather than genuine improvements in privacy or security. The overall sentiment in the comments section leans towards viewing RDAP as a more complex and less accessible replacement for Whois, failing to deliver on its promised benefits and potentially hindering legitimate uses of registration data.

• Mastercard DNS error went unnoticed for years

  permalink

  Posted: 2025-01-22 15:25:57

  Verbose tl;dr

  A misconfigured DNS record for Mastercard went unnoticed for an estimated two to five years, routing traffic intended for a Mastercard authentication service to a server controlled by a third-party vendor. This misdirected traffic included sensitive authentication data, potentially impacting cardholders globally. While Mastercard claims no evidence of malicious activity or misuse of the data, the incident highlights the risk of silent failures in critical infrastructure and the importance of robust monitoring and validation. The misconfiguration involved an incorrect CNAME record, effectively masking the error and making it difficult to detect through standard monitoring practices. This situation persisted until a concerned individual noticed the discrepancy and alerted Mastercard.

  Brian Krebs, in a post titled "Mastercard DNS error went unnoticed for years" on KrebsOnSecurity, reports on a significant yet surprisingly long-lived DNS misconfiguration affecting Mastercard that persisted undetected for an estimated two to five years. This error, stemming from a typographical mistake in a single digit within a critical DNS record, directed traffic intended for Mastercard's payment gateway to an internal server. This internal server, ill-equipped to handle the massive volume of external requests, silently discarded these transactions without logging or alerting relevant parties.

  The misconfiguration specifically impacted a domain crucial for processing “Click to Pay” transactions, Mastercard's online checkout system designed for seamless and secure online purchases. While the primary Mastercard payment gateway remained unaffected, the erroneous DNS record meant that any merchant utilizing this particular “Click to Pay” domain experienced transaction failures. This resulted in a substantial but unquantified number of failed payments for customers attempting to use the service through affected merchants.

  Remarkably, the error went unnoticed for an extended period due to several compounding factors. Primarily, the silent failure mode of the internal server meant no error messages or notifications were generated. This lack of feedback combined with a potential lack of robust monitoring and alerting systems around “Click to Pay” transactions created a blind spot where the issue could persist undetected. Furthermore, the affected domain appears to have been less commonly used than the primary payment gateway, further reducing the visibility of the problem.

  The issue was ultimately discovered and reported by a security researcher who prefers to remain anonymous. This individual, after encountering repeated payment failures, investigated the DNS records and identified the single-digit typo. Upon notification, Mastercard swiftly rectified the error, restoring functionality to the affected domain. While the financial impact of the failed transactions remains undisclosed, the incident highlights the potential consequences of even minor DNS misconfigurations, especially within critical financial infrastructure, and emphasizes the importance of comprehensive monitoring and alerting mechanisms. The incident also underscores the crucial role security researchers play in identifying and reporting vulnerabilities, even those as seemingly mundane as a typographical error. The silent nature of the failure raises concerns about the potential for similar undetected issues to exist within complex online systems.

  • Mastercard
  • dns
  • Error
  • Security
  • Cybersecurity
  • DNSSEC
  • Domain Name System
  • Outage
  • Vulnerability
  • Internet Infrastructure
  • Financial Services
  • Technology
  • KrebsOnSecurity
  • Brian Krebs

  Summary of Comments ( 171 )
  https://news.ycombinator.com/item?id=42793783

  Verbose tl;dr

  HN commenters discuss the surprising longevity of Mastercard's DNS misconfiguration, with several expressing disbelief that such a basic error could persist undetected for so long, particularly within a major financial institution. Some speculate about the potential causes, including insufficient monitoring, complex internal DNS setups, and the possibility that the affected subdomain wasn't actively used or monitored. Others highlight the importance of robust monitoring and testing, suggesting that Mastercard's internal processes likely had gaps. The possibility of the subdomain being used for internal purposes and therefore less scrutinized is also raised. Some commenters criticize the article's author for lacking technical depth, while others defend the reporting, focusing on the broader issue of oversight within a critical financial infrastructure.

  The Hacker News post titled "Mastercard DNS error went unnoticed for years" has generated several comments discussing the implications of the KrebsOnSecurity article about Mastercard's long-standing DNS misconfiguration.

  Several commenters express surprise and concern over the length of time – reportedly years – that this misconfiguration persisted. Some speculate about the potential reasons for this oversight, including a lack of proper monitoring or alerting systems, complacency, and insufficient testing procedures. One commenter highlights the irony of a financial giant like Mastercard experiencing such a basic infrastructure issue.

  The discussion touches on the potential consequences of this DNS error. While Krebs' article doesn't mention any specific negative impacts, commenters suggest possibilities like performance degradation or even potential security vulnerabilities. One commenter raises the possibility that Mastercard may have relied on other mechanisms for internal communication, minimizing the impact of the faulty external DNS.

  The conversation also delves into the technical aspects of the issue, with commenters discussing the intricacies of DNSSEC, CAA records, and other DNS-related technologies. Some commenters point out the importance of redundant DNS servers and robust monitoring practices to prevent similar issues. One commenter speculates about the specific tools and processes Mastercard likely uses for DNS management.

  A few commenters question the accuracy or completeness of Krebs' reporting, suggesting that there might be more to the story than what's been revealed. Others offer alternative explanations for the observed behavior, positing that the misconfiguration might have been intentional or related to specific testing or staging environments.

  Several comments also highlight the broader implications of this incident for the industry, emphasizing the need for better DNS management practices and increased awareness of potential vulnerabilities. One commenter points to the increasing complexity of modern IT infrastructure and the challenges of maintaining reliable and secure systems.

  Finally, some commenters offer humorous takes on the situation, poking fun at Mastercard's apparent oversight and the potential consequences of such a basic error.