Monday, June 30, 2008

Defeating Private Domain Registration

The concept of private domain registration has probably been around longer than I think it has, but if I had to guess its rise in popularity coincides approximately with the rise in identity theft, spam and other Internet-related annoyances. Actually, you can just ask one of the largest providers of private domain registration, domainsbyproxy.com:
$  whois domainsbyproxy.com |egrep " on( |:)"
    Created on: 15-Jan-02
    Expires on: 15-Jan-17
    Last Updated on: 05-Sep-07
The idea, for those who are not familiar with private domain registration, is that you allow a third party to register or take ownership of a domain name that you are interested in, and then they give you some level of control over it. The benefit here is that the various bits of contact information typically associated with WHOIS data -- registrant, technical, billing, administrative -- are now those of the third party who owns that domain on your behalf. Had you not used a private registration of one form or another, you'd either have to leave your "docs" at the mercy of the general public, or simply put in some bogus data and hope nobody notices. Which is worse? You be the judge.

The risks of not masking your WHOIS data in one way or another are fairly common knowledge, but to summarize, the following will likely become a problem for you at one point or another:

  • Identity theft
  • Domain theft or abuse
  • Stalkers
  • SPAM
  • Verne Troyer getting mad at you because you posted his sex tape
Nearly every registrar, no matter how seemingly small or insignificant, is offering private registration as an option lately. Just Google it and you'll see. I have some good news and some bad news, and it just so happens that it is the same bit of news. So whether this is good or bad really depends on what side you are on.

Private domain registration works.

Of course, like many things in security, the devil is in the details and things usually get tripped up in implementation rather than in specification. If you simply want to register a domain and possibly put up some witty content also hosted by the private registrar, then you'll probably be safe. However, in nearly all situations that I know of or have heard about, private domain registration is used because the owner of the domain wants to take full advantage of the domain instead of cowering in a corner. Yes, that means talking shit and/or making a buck.

What this means is that at some point you are going to start offering or utilizing some services that are oh so vital, typically HTTP, SMTP or DNS. You gotta post content, you gotta send/receive email and without a DNS server somewhere to handle all of this for you, you'd be dead in the water.

There are secure and proper ways to utilize private domain registration, offer common services like HTTP, SMTP and DNS and still not leave your goods out there for everyone to ogle. Unfortunately, this means you are probably going to have to limit yourself to the services offered by your registrar. The result is that the services will either be expensive, featureless or both. You'll get some bastardized webmail system with limited functionality and a WYSIWYG HTML editor for your site, maybe PHP-Nuke if you are lucky.

And this is where things go wrong and the point of my post begins. You've got a domain privately registered somewhere but decide to actually use it. You stand up an HTTP and SMTP server somewhere and point DNS accordingly, and before you know it your efforts to stay private have taken a giant leap back towards square one.

What used to be a relatively private setup is now increasingly public. The three services that most any domain needs to survive -- HTTP, SMTP and DNS -- are now the soft spot in your otherwise secure underbelly.

Off the top of my head, the following are some potential points of disclosure for each of the above services. This list is by no means comprehensive, and excludes the usual gamut of security best practices for each service. Furthermore, organizations continually find new and rofl-able ways of screwing this up. That said:

HTTP:

  • Putting sensitive information in your "contact page"
  • Hosting your web content on a site whose forward or reverse DNS somehow links back to you
  • Improperly handling non-HTTP/1.1 requests and disclosing private information such as the server name (an HTTP/1.0 request with no Host header falls through to the default virtual host, whose headers, redirects or error page may carry the box's real hostname)
SMTP:
  • Disclosing your true(r) identity in an SMTP greeting
  • Sending information-filled NDRs for bounced or otherwise undeliverable email
DNS:
  • Disclosing your anti-spam efforts, and the mail hosts and address blocks behind them, by way of SPF TXT records (hint: `host -t txt domain.com`)
  • Making some DNS server that can be tied back to you (forward or reverse DNS, WHOIS) authoritative for one or more records in your domain
  • Publishing a DNS record that resolves by way of forward or reverse DNS to something that can be tied to you.
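
As an added example (not code from the original post), the following Python script exercises the three leak points above in one pass: it sends a Host-less HTTP/1.0 request and scrapes the reply for hostnames, reads the MTA's 220 greeting, and pulls NS/MX records and SPF mechanisms via host(1), flagging anything that sits outside the suffixes your registrar uses. The REGISTRAR_SUFFIXES list, the *.example names in the docstrings and the host(1) output layout it parses are assumptions; the parsers work on captured text so they can be checked offline, and the network part only runs when the file is invoked as a script with a domain argument.

```python
import re
import socket
import subprocess
import sys

# Suffixes that belong to the private registrar and its hosting. Any hostname
# outside them is a candidate leak. Constructed placeholder list: replace it
# with the names your registrar actually uses.
REGISTRAR_SUFFIXES = ("domainsbyproxy.com", "hosting.registrar.example")

HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.I | re.S)


def ties_back(name, trusted=REGISTRAR_SUFFIXES):
    """True if `name` is NOT under a trusted suffix, i.e. it may identify you."""
    name = name.rstrip(".").lower()
    return not any(name == s or name.endswith("." + s) for s in trusted)


def http_leaks(response, trusted=REGISTRAR_SUFFIXES):
    """Hostnames in the reply to a Host-less HTTP/1.0 request: Server, Location
    and Via headers plus the Apache <address> signature of the default vhost."""
    head, _, body = response.partition("\r\n\r\n")
    found = set()
    for line in head.splitlines()[1:]:              # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() in ("server", "location", "via"):
            found.update(HOSTNAME_RE.findall(value))
    for sig in ADDRESS_RE.findall(body):
        found.update(HOSTNAME_RE.findall(sig))
    return sorted(n.lower() for n in found if ties_back(n, trusted))


def smtp_greeting_host(banner):
    """Name an MTA announces in its 220 greeting ('220 mx.foo.example ESMTP')."""
    m = re.match(r"220[ -](\S+)", banner.strip())
    return m.group(1).lower() if m else None


def spf_mechanisms(txt):
    """Split an SPF TXT record into the hosts and networks it admits to."""
    out = {"ip4": [], "ip6": [], "include": [], "a": [], "mx": [], "redirect": []}
    txt = txt.strip().strip('"')
    if not txt.lower().startswith("v=spf1"):
        return out
    for term in txt.split()[1:]:
        term = term.lstrip("+-~?")                  # qualifier is irrelevant here
        name, sep, arg = term.partition(":")
        if not sep:
            name, sep, arg = term.partition("=")    # redirect=, exp=
        base = name.split("/")[0].lower()           # a/24 -> a
        if base in out and sep:
            out[base].append(arg)
        elif base in ("a", "mx"):                   # bare a / mx = the domain itself
            out[base].append("@")
    return out


def disclosing_records(records, trusted=REGISTRAR_SUFFIXES):
    """Given {"NS": [...], "MX": [...], "TXT": [...]} as host(1) reports them,
    list every (type, name) that points outside the registrar."""
    leaks = []
    for rtype in ("NS", "MX"):
        leaks += [(rtype, n) for n in records.get(rtype, []) if ties_back(n, trusted)]
    for txt in records.get("TXT", []):
        spf = spf_mechanisms(txt)
        for name in spf["include"] + spf["a"] + spf["mx"] + spf["redirect"]:
            if name != "@" and ties_back(name, trusted):
                leaks.append(("SPF", name))
        for net in spf["ip4"] + spf["ip6"]:
            leaks.append(("SPF", net))              # always worth a reverse lookup
    return leaks


def host_lookup(domain, rtype):
    """Run host(1) and return the right-hand values of its answer lines
    (assumed BIND-style output, e.g. 'foo descriptive text "v=spf1 ..."')."""
    out = subprocess.run(["host", "-t", rtype, domain],
                         capture_output=True, text=True).stdout
    values = []
    for line in out.splitlines():
        if "has no" in line or "not found" in line:
            continue
        if rtype == "TXT":
            values.append(line.split(" descriptive text ", 1)[-1].strip('"'))
        else:
            values.append(line.split()[-1])
    return values


if __name__ == "__main__":
    domain = sys.argv[1]
    recs = {t: host_lookup(domain, t) for t in ("NS", "MX", "TXT")}
    for kind, name in disclosing_records(recs):
        print("DNS", kind, name)
    with socket.create_connection((domain, 80), timeout=5) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")          # deliberately no Host header
        print("HTTP", http_leaks(s.recv(65536).decode(errors="replace")))
    for mx in recs["MX"]:
        with socket.create_connection((mx.rstrip("."), 25), timeout=5) as s:
            print("SMTP", smtp_greeting_host(s.recv(1024).decode(errors="replace")))
```

Every name the script prints still needs the follow-up the list above describes: a forward lookup, a reverse lookup on the resulting address, and a WHOIS on whatever that comes back as. An `ip4:` block in SPF is flagged unconditionally for exactly that reason; the record itself says nothing, but the reverse DNS of that netblock usually does.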

I honestly find DNS related issues the most relevant here, and if you don't have access to something like dnsstuff, your local DNS friends host(1) and nslookup(1) can start getting you some dirt. Of particular interest is anything that has intelligence and/or some brute forcing capabilities built into it. Fierce is arguably the best tool for this particular task.

I have seen some organizations that do seemingly everything right, however most of them inevitably have a dirty history that can be had for $39.99 from any number of organizations that offer historical WHOIS or DNS data. If their dirty laundry has been aired in the past, it's archived, and it's for sale. In most situations where this sort of research is warranted, the cost of a membership to such a service (if you don't already have one ;)) is insignificant compared to the cost of winning whatever battle it is you happen to be in.

It should be mentioned that there are a number of privately registered domains that do seemingly everything correctly, however those domains are backed by some combination of well paid and extremely technically savvy staff, a crack legal team and SEO zealots.

Well played, sir.