When researching a target on the internet from public sources by applying OSINT techniques, many users, after some time spent digging around the net, arrive at a question: what is Whois? That is because querying the Whois protocol is a method of obtaining information that has been around since your grandmother was born (not quite, but it really is old). In this article you will learn what it is and whether it is still useful to you in your cybersecurity role.
What is Whois?
Whois is a protocol that runs on top of another protocol, TCP. It was created in 1982 to serve as a massive database containing the most relevant information about the users who registered domains, which it still does today: basically, it allows anyone to consult that database and learn who owns a domain. In those days that was not really a big deal, but nowadays it can even be considered a violation of certain data protection rules; we will talk about that later on.
How does Whois work?
How the Whois protocol works is simple. When a user registers a domain on any platform that allows it, they must provide certain information: name, surname, physical address, contact details and so on. As you can see, that is quite personal information, but, as we said, back then it was not such a serious matter. In fact, it was quite useful for organisations and companies: when script kiddies and other users inexperienced in cybersecurity tried to commit a cybercrime using a domain they had registered to connect to, a quick search in the Whois database was enough to find out at least who owned the domain used to carry out the attacks.
Why does Whois no longer work?
Whois was a great soldier. What happens today is that querying this database will give you little or no useful information for your cybersecurity work, due to the arrival of the glorious RGPD (the GDPR, and we say glorious in a good way): it is no longer allowed to publish all of a domain registrant's information at a public level. It is not that you cannot query it, you can; it is just that the information you get back is very scarce and almost useless. We are talking about being able to see only data such as when the domain was registered and when it expires, the name servers configured for it, and little more.
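To make the two previous sections concrete, here is an added example (our own code, not part of the original article or of any Whois tool): a minimal RFC 3912 Whois client that sends a query over TCP port 43, plus a parser that pulls out exactly the fields a post-GDPR record still exposes (registration and expiry dates, registrar, name servers) and lists which contact fields the registry has withheld. The live `query_whois` function needs network access; the parser is exercised on a constructed sample response whose domain, registrar, dates and name servers are placeholders, not a real record.

```python
"""Minimal WHOIS client and response parser (added example, not from the article)."""
import re
import socket

WHOIS_PORT = 43  # RFC 3912: WHOIS is a plain-text TCP service on port 43


def build_whois_query(domain: str) -> bytes:
    """RFC 3912 request: the query string followed by CRLF, nothing else."""
    domain = domain.strip().lower()
    if not domain or any(ch.isspace() for ch in domain):
        raise ValueError("domain must be a single token without whitespace")
    return domain.encode("ascii") + b"\r\n"


def query_whois(domain: str, server: str, timeout: float = 10.0) -> str:
    """Send one query to a WHOIS server and read until the server closes the
    connection (RFC 3912 has no framing; EOF ends the reply). Live network call."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_whois_query(domain))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# Phrases registries use in place of personal data since the GDPR.
_REDACTED = re.compile(
    r"redacted|privacy|data protected|not disclosed|query the rdds", re.IGNORECASE
)

_DATE_KEYS = (
    "creation date",
    "updated date",
    "registry expiry date",
    "registrar registration expiration date",
    "registrar",
)


def parse_whois_response(text: str) -> dict:
    """Extract the few fields a post-GDPR record still shows and note which
    registrant/admin/tech fields were withheld."""
    fields = {}
    name_servers = set()
    redacted = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, comment/notice lines and the ">>> Last update" trailer.
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        value = value.strip()
        if key == "name server":
            if value:
                name_servers.add(value.lower())  # case-fold so duplicates collapse
        elif key in _DATE_KEYS:
            fields.setdefault(key, value)
        elif key.startswith(("registrant", "admin", "tech")):
            if not value or _REDACTED.search(value):
                redacted.append(key)
            else:
                fields[key] = value  # e.g. country is usually still published
    return {
        "creation_date": fields.get("creation date"),
        "updated_date": fields.get("updated date"),
        "expiry_date": fields.get("registry expiry date")
        or fields.get("registrar registration expiration date"),
        "registrar": fields.get("registrar"),
        "name_servers": sorted(name_servers),
        "redacted_fields": redacted,
        "contact_fields": {
            k: v for k, v in fields.items()
            if k.startswith(("registrant", "admin", "tech"))
        },
    }


# Constructed sample in the layout of a modern registry record; every value is a placeholder.
SAMPLE_RESPONSE = """\
   Domain Name: EXAMPLE-PLACEHOLDER.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.registrar.example
   Updated Date: 2023-08-14T09:03:51Z
   Creation Date: 2015-02-01T18:10:00Z
   Registry Expiry Date: 2026-02-01T18:10:00Z
   Registrar: Example Registrar, LLC
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Street: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Registrant Country: ES
   Name Server: NS1.EXAMPLE-PLACEHOLDER.COM
   Name Server: NS2.EXAMPLE-PLACEHOLDER.COM
   Name Server: ns1.example-placeholder.com
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""


if __name__ == "__main__":
    summary = parse_whois_response(SAMPLE_RESPONSE)
    for k, v in summary.items():
        print(f"{k}: {v}")
```

The parser deliberately reports the withheld fields rather than silently dropping them: in a reconnaissance write-up it matters whether a contact was absent from the record or present but redacted, and the country field that registries typically still publish is kept as the one remaining piece of registrant data.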
Does this mean Whois no longer works? Well, yes and no. Whois can still help you get very basic information about a domain, but don't expect it to be what it used to be. Of course it doesn't hurt to run a brief query during, for example, the passive reconnaissance phase of a pentest, but don't expect to get much. In fact, before the RGPD swept the floor with the Whois protocol, users could already (sometimes for a fee) set their data to be private for Whois queries when registering a domain, so this is nothing new; the decline of this protocol has been coming for years.
This has more advantages than disadvantages. Really, if you are going to do OSINT on a target, the Whois query was only a minimal part of the procedure, and as a cybersecurity professional you know that if you can't find a way, you create one, and if not, you invent it; you cannot depend 100% on services outside your control. Besides, it is clear that by preventing anyone from querying a domain's information and getting as much data as before, the risk of users with bad intentions (and almost always little knowledge) trying to intimidate others with that data is reduced. So in our opinion this decision by the RGPD was the right one; we will see in the coming years how other information gathering techniques change within the legal frameworks of computer security.