[Dshield] Whois Issues

Johannes Ullrich jullrich at euclidian.com
Wed Sep 10 17:14:16 GMT 2003


We got about a dozen posts about this. Sorry for rejecting most of them
as duplicates. Here is a brief summary of this issue:

The domain "whois" (=internic) contains not only information regarding
who owns what domain, but also information regarding domain name servers
('hosts') which resolve these domains.

Let's say you own "dshield.org". In order for it to resolve, you need DNS
servers, and you need to register them. If you don't already have some,
you set up new DNS servers. Usually, you call them something like
"ns1.dshield.org" and "ns2.dshield.org".

However, you could name them anything, as long as they are valid host
names within any domain you own.

For example, I could register 
"Microsoft.Com.Submits.Logs.To.DShield.org"

A lot of people register these names for the fun of it. Nothing
"malicious" about it. Registering a host name like this will not
do anything bad to Microsoft.

'whois' will return all records with the word 'microsoft.com' in them.
The exact result will depend on the whois server you query. They use a
slightly different query language.

OK... finally, for the 'dig' artists:

dig homepc.org +trace | grep microsoft



-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
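
The distinction described in the post above, as an added example that is not part of the original message: it sorts the names a substring-matching whois lookup returns into the domain record itself, hosts inside that domain, and host names registered under someone else's domain. The sample listing is constructed, and treating the last two labels as the registered domain is an assumption.

```python
# Added example: sort the names a substring-matching whois lookup returns.
# Constructed sample listing for the query "microsoft.com"; not real output.
SAMPLE_LISTING = """\
MICROSOFT.COM.SUBMITS.LOGS.TO.DSHIELD.ORG
MICROSOFT.COM.EXAMPLE.NET.
NS1.MICROSOFT.COM

MICROSOFT.COM
NS1.DSHIELD.ORG
"""


def normalize(name):
    """Lower-case a name and drop whitespace and any trailing root dot."""
    return name.strip().rstrip(".").lower()


def classify(name, query):
    """Return (kind, owner) for one listed name.

    Assumption: the registered domain is the last two labels, which holds
    for .com/.net/.org names but not for suffixes such as .co.uk.
    """
    n, q = normalize(name), normalize(query)
    owner = ".".join(n.split(".")[-2:])
    if n == q:
        return ("domain", owner)            # the domain record itself
    if n.endswith("." + q):
        return ("host-in-domain", owner)    # a host inside the queried domain
    if n.startswith(q + "."):
        return ("lookalike-host", owner)    # query is only a prefix of the name
    return ("other", owner)                 # matched on something else


def triage(listing, query):
    """Classify every non-empty line of a whois name listing."""
    return [(normalize(line),) + classify(line, query)
            for line in listing.splitlines() if line.strip()]


if __name__ == "__main__":
    for name, kind, owner in triage(SAMPLE_LISTING, "microsoft.com"):
        print(f"{kind:15} owner={owner:15} {name}")
```

The "owner" column is the domain whose registrant created the host record, which is the party to look at when a surprising name shows up in a listing.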
