CentralOps, Hexillion, and the .mobi Whois server
On 2024-09-11, watchTowr posted a blog entry about how they were able to register the previous, abandoned domain name for the .mobi registry (dotmobiregistry.net) and set up their own Whois server at whois.dotmobiregistry.net. This put them in a position to potentially exploit any Whois clients still using that old Whois server name. WatchTowr provided a partial list of sites discovered to be using the old server name, and CentralOps.net was on the list.
What you need to know
- Hexillion provides a Whois API that holds a list of Whois servers and queries them automatically. Our popular Domain Dossier tool at CentralOps.net uses this API for its Whois queries. WatchTowr’s findings do not apply to these tools. Our Whois API has been using the correct .mobi Whois server for years.
- WatchTowr apparently put CentralOps.net on the list because of the Domain Check tool. This tool checks whether a domain is available for registration by using both DNS and Whois queries. The implementation at the time was quite old, pre-dated our Whois API, and was unable to use the Whois API. Instead, it had its own simple list of Whois servers, and that was the list with the out-of-date .mobi Whois server. As of 2024-09-23, we’ve rewritten Domain Check to enable it to use our Whois API.
  For what it’s worth, the security implications for Domain Check were relatively minor:
  - It is defended against the remote code execution that watchTowr is seeking.
  - It can’t be used for obtaining TLS certificates, as in the watchTowr blog post.
  - It’s used far less than Domain Dossier and the Whois API.
  The greatest threat was likely just incorrect domain availability assessments in certain cases.
- WatchTowr’s blog post actually demonstrates the importance of our Whois API. The Whois system has long been a mess, and though RDAP tries to solve a number of the issues, it’s an incomplete solution with headaches of its own. Hexillion’s Whois API relieves its users of the burden of keeping up (with server name changes, format changes, protocol changes, etc.) and presents them with the closest thing to an ideal Whois service. The other sites named in the blog post wouldn’t have been named if they were using our service.
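As an added illustration of the two Domain Check points above (a stale hard-coded Whois server list, and treating Whois replies as untrusted input), here is example Python that is not Hexillion's code and not part of the original post. It checks a static TLD-to-server table against the `whois:` field of an IANA TLD record, caps and strips control characters from a reply before parsing, and returns "unknown" rather than "available" whenever the serving host could not be verified. All server names and the IANA record text below are constructed placeholders; the `whois:` key itself is the real field name IANA's TLD records use.

```python
import re
import socket
from typing import Dict, Optional, Tuple

# Constructed sample of an IANA TLD record (same "key: value" layout as
# whois.iana.org output). The server name is a placeholder, not the real one.
IANA_SAMPLE = """% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       MOBI
organisation: Example Registry Ltd (constructed)
whois:        whois.registry.example
status:       ACTIVE
"""

# Hypothetical hard-coded table of the kind an old client might carry.
# The .mobi entry is deliberately stale to show the drift check firing.
STATIC_SERVERS: Dict[str, str] = {
    "mobi": "whois.old-registry.example",
    "com": "whois.verisign-grs.com",
}

MAX_RESPONSE_BYTES = 64 * 1024  # refuse to buffer unbounded replies


def iana_whois_server(iana_response: str) -> Optional[str]:
    """Return the 'whois:' field of an IANA TLD record, or None if absent."""
    m = re.search(r"^whois:\s*(\S+)\s*$", iana_response, re.M | re.I)
    return m.group(1).lower() if m else None


def stale_entries(static: Dict[str, str],
                  iana_responses: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Compare a static server table with IANA records.

    Returns {tld: (configured_server, authoritative_server)} for every TLD
    where the two disagree; TLDs with no usable IANA record are skipped.
    """
    drift: Dict[str, Tuple[str, str]] = {}
    for tld, configured in static.items():
        authoritative = iana_whois_server(iana_responses.get(tld, ""))
        if authoritative and authoritative != configured.lower():
            drift[tld] = (configured, authoritative)
    return drift


def sanitize_response(raw: bytes) -> str:
    """Treat a Whois reply as untrusted: cap its size, decode leniently,
    and drop every control character except newline and tab."""
    text = raw[:MAX_RESPONSE_BYTES].decode("utf-8", errors="replace")
    return "".join(ch for ch in text
                   if ch in "\n\t" or (ch >= " " and ch != "\x7f"))


# Common "no such domain" phrases seen in Whois replies (heuristic only).
AVAILABLE_MARKERS = ("no match", "not found", "no entries found", "no data found")


def availability(sanitized_response: str, server_verified: bool) -> str:
    """Conservative verdict: 'available', 'registered' or 'unknown'.

    If the server answering was not verified against IANA, the reply is not
    trusted to say a name is free, so the verdict is 'unknown' (fail closed).
    """
    if not server_verified:
        return "unknown"
    text = sanitized_response.lower()
    if any(marker in text for marker in AVAILABLE_MARKERS):
        return "available"
    if re.search(r"^\s*domain name:", text, re.M):
        return "registered"
    return "unknown"


def query_whois(server: str, name: str, timeout: float = 10.0) -> str:
    """Plain port-43 query returning a sanitized reply (needs network;
    not exercised by the offline checks below)."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii", errors="strict") + b"\r\n")
        chunks, total = [], 0
        while total < MAX_RESPONSE_BYTES:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return sanitize_response(b"".join(chunks))


if __name__ == "__main__":
    # Offline demonstration using the constructed IANA record.
    print("drift:", stale_entries(STATIC_SERVERS, {"mobi": IANA_SAMPLE}))
    reply = sanitize_response(b'No match for "EXAMPLE.MOBI".\r\n\x1b[0m')
    print("unverified:", availability(reply, server_verified=False))
    print("verified:", availability(reply, server_verified=True))
```

The drift check is what would have caught a hard-coded .mobi entry pointing at a decommissioned host, and the fail-closed verdict is what keeps a stale or hostile server from turning a registered name into a false "available" result.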
One can argue that Whois and RDAP are inadequate for security-related purposes, but security is one of their reasons for existence. And there’s no real alternative to them at present.