26 Whois

Prototypical answer:

1. INTRODUCTION

The Registry Operator will outsource WHOIS service as a part of Full Registry Solution to an external subcontractor, namely, JSC Technical Center Internet (hereinafter referred to as Registry Service Provider or RSP).

About the Technical Center of Internet (TCI)

The Technical Center of Internet, JSC (incorporated in Russian Federation, Primary State Registration Number (OGRN): 1097746536117, Taxpayer Identification Number (INN): 7702714697) is one of the largest worldwide and the only Russian technical centers to service registry operators. A legitimate successor to Russian Institute for Public Networks, the Technical Center of Internet has a 20 year-long background and is already two years in operation in its current status. TCI provides Full Registry Solution and DNS service with DNSSEC support to 2 ccTLD registry operators, supporting a total of 4.5m plus second level domains in ccTLDs .SU, .RU (5th worlwide) and .РФ (1st worldwide IDN ccTLD). TCI serves 26 registrars, among them several ICANN-accredited ones. TCI is in possession of a number of scattered worldwide DNS nodes, the geographically distributed fully redundant state-of the-art infrastructure and highly qualified staff.

The WHOIS service provides a free public access to information about domain names, registrars, nameservers of the TLD concerned. It handles the query in accordance with RFC 3912 via port 43; besides, there is a Web-form to place a WHOIS query and display results on the Web site.

Being a publicly accessible resource, WHOIS service has to meet the most rigorous standards with respect to reliability, accessibility and capacity.

The Registry Service Provider uses combination of architecture, hardware and software to meet requirements set out in Specifications No 4 and 10 to the Registry Agreement (hereinafter Specification 4 and Specification 10 correspondingly). The Registry Service Provider maintains the centralized WHOIS database. Modifications introduced by registrars into the registry are promptly (in no more than 10 minutes) displayed in the WHOIS database.

The Web-based format is intended for a user’s placement of a query to the WHOIS service. The query is checked for consistency with Registryʹs appropriate data format and channeled to the WHOIS service via port 43. The final response is displayed for the user on the Web site.

2. COMPLIANCE WITH RFC 3912

The WHOIS service handles the query in compliance with RFC 3912:
- WHOIS server listens on TCP port 43 for requests;
- The user accesses the server using TCP protocol (port 43);
- The user submits the query – the line of text;
- The query ends - with CR+LF symbols.

The program module forms and sends the response to the user and then closes the TCP connection.

3. WHOIS QUERY

The user enters letters or other symbols representing the domain name, the registrar name, the nameserver or an IP address. Once entered, the query is checked for the type of object matching the name entered. It is possible to place queries with regard to data of the following three types of objects: domain object, registrar object and nameserver object. Domains and registrars may be queried by the domain name and the registrar name, respectively. Nameservers may be queried by nameserver name or by one of nameserver IP addresses.

For accurate indication of the type of an object, the following keys can be used:
- ‘registrar’ indicates that the search by registrar is needed;
- ‘nameserver’ indicates that the search by the NS server’s name or IP address is needed.

Queries without a key suggest search by domain name or registrar’s name.

The search is performed by exact match and case insensitive.

4. WHOIS RESPONSE

According to requirements of the Specification 4, the response is given in text format followed by a blank line and a legal disclaimer specifying rights of the Registry Operator and the user who is submitting the query.

The provisional content of the legal disclaimer:
The WHOIS service is granted for information purposes and may be used only to obtain information regarding domain names and contact persons. By applying to the WHOIS service User agrees that he⁄she:
- will use the Data obtained only for lawful purposes
- under no circumstances will use the Data to support transmission by e-mail, facsimile or telephone of any unsolicited information
- will not enable high volume queries exceeding established limits.
It is forbidden:
- to make any changes in the Data obtained from the WHOIS service in the case of its further distribution for information purposes;
- to generate a further distribution of the Data obtained for commercial purposes.

Each data object is represented as a combination of a key and value in the following format:
- key;
- colon space delimiter;
- value.

For fields comprising several values (for example, the list of nameservers, telephone numbers), multiple key⁄value pairs with the same key are used.

The first key⁄value pair following the blank line is considered to be the start of a new entry and an identifier of the said entry.

The following fields are provided for domains:
- Domain Name;
- Domain ID;
- WHOIS Server;
- Referral URL;
- Updated Date;
- Creation Date;
- Expiry Date;
- Sponsoring Registrar;
- Sponsoring Registrar IANA ID;
- Domain Status;
- Registrant ID, Registrant Name, Registrant Organization, Registrant Street, Registrant City, Registrant State⁄Province, Registrant Postal Code, Registrant Country, Registrant Phone, Registrant Phone Ext, Registrant Fax, Registrant Fax Ext, Registrant Email;
- Admin ID, Admin Name, Admin Organization, Admin Street, Admin City, Admin State⁄Province, Admin Postal Code, Admin Country, Admin Phone, Admin Phone Ext, Admin Fax, Admin Fax Ext, Admin Email;
- Tech ID, Tech Name, Tech Organization, Tech Street, Tech City, Tech State⁄Province, Tech Postal Code, Tech Country, Tech Phone, Tech Phone Ext, Tech Fax, Tech Fax Ext, Tech Email;
- Nameserver;
- DNSSEC.

For registrars, the following fields are provided:
- Registrar Name;
- Street;
- City;
- State⁄Province;
- Postal Code;
- Country;
- Phone Number;
- Fax Number;
- Email;
- WHOIS Server;
- Referral URL;
- Admin Contact, Phone Number, Fax Number, Email;
- Technical Contact, Phone Number, Fax Number, Email.

For NS servers:
- Server Name;
- IP Address;
- Registrar;
- WHOIS Server;
- Referral URL.

The format of the following fields complies with the RFC for Extensible Provisioning Protocol (EPP, RFC 5730-5734) standards, as follows:
- Domain status – can contain several values (see RFC 5731 and answer to Evaluation Question #27.);
- Individual’s name (corporation’s name) – the symbol string in 7-bit ASCII, limited by length (min 1 symbol, max 255 symbols, see RFC 5733);
- Address (physical address) – symbol string in 7-bit ASCII, consists of information about the street (optional), city, state⁄province (optional), postal code (optional), country code (see RFC 5733);
- City, state⁄province – symbol string in 7-bit ASCII, limited by length (min 1 symbol, max 255 symbols, see RFC 5733);
- Postal code – symbol string, limited by length (min 1 symbol, max 16 symbols, see RFC 5733);
- Country – two-letter country code (ISO3166-1);
- Phone (fax) number – symbol ‘+’, the country code according to ITU.E164.2005, symbol ‘.’, sequence of digits (see RFC 5733);
- E-mail address – according to RFC 5322;
- Date and time – represented in UTC, capitalized ‘T’ and ‘Z’ are used to display time for the data containing date and time, e.g. 2012-01-12T08:15:00Z;
- The WHOIS service provides all data in 7-bit ASCII.

The content, order and format of the response fields can be modified by the System Administrator in accordance with the effective procedure without suspending operation of WHOIS services.

5. WHOIS SERVICE PERFORMANCE

5.1. WHOIS Service Architecture

The delivery of WHOIS service will be ensured by three independent servers. Two servers are located within the main facilities in Moscow and St.Petersburg (Russia). The third will be installed as a part of a node that is currently under construction in Frankfurt (Germany).

Each server operates a local database, which is a replica of the Primary database. Update from the Primary database is taking place every 5 minutes for an individual WHOIS server. Thus, all tree WHOIS servers update their database every 15 minutes. For more details regarding WHOIS service geographical distribution refer to the answer to Evaluation Question #34.

Server management and provision of the service is carried out through different interfaces to ensure access to the server under a high load on the service. To perform service management there are serial connection to the WHOIS server and secured VLAN connection.

Servers are Linux OS enabled with PostgreSQL v.9.1 database software. Domain name records changes in the Primary database are replicated to the WHOIS database once in five minutes. For data delivery there is Dblink software in use over secure connection.

The access to WHOIS service is provided by means of Anycast technology through a single Anycast cloud. The Firewall assigns access policy for port 43. The geographical separation and Anycast access to the WHOIS services ensures 24x7x365 redundancy. The diagram of the WHOIS architecture is displayed in Figure Q26_WHOISServiceArchitecture. In Moscow and St.Petersburg it consists of two Cisco routers and switches, PDUs for power reset functions, console router to access devices via serial ports and a WHOIS server. The WHOIS server is connected to both routers to ensure accessibility of the service. Where the connectivity between the WHOIS Server and either router has been disrupted, the accessibility of the service is secured through the other one. Where the WHOIS server located at either SRS node is down, the other node will secure the accessibility of the service. In Moscow, St.Petersburg and Frankfurt facilities, the network devices, such as routers, switches, PDUs and console routers are shared with other registry servers. WHOIS server at every node is connected to its own VLAN segment for security reasons. This is shown in the respective figures of the answer to Evaluation Question #32. In Frankfurt, as a part of backup facility there are one router and one switch connected to WHOIS server.
The updates from Primary Database takes place over secure connection. The service is constantly monitored as described in the answer to Evaluation Question #42. To check WHOIS service accessibility and performance parameters, test queries are sent to the WHOIS servers every 5 minutes.

The data flow of WHOIS service is shown in Figure Q26_WHOISDataFLow.
WHOIS service is performed in full compliance with Specification 10 parameters. Presently, the average (workload) for a single WHOIS server, which services 3 TLDs (.RU, .SU and .РФ) with a total of roughly 4.5m of domains, is 500 queries per second, while the peak one – 5,000 ones, and individual query processing time accounting for some 2 ms.

Thus, taking into account the planned expansion of TLD .TATAR, the RDDS query round-trip time (RTT) for no less than 95 percent of queries will be ensured at a level of 2,000 ms.

5.2. Hardware

The specification of the hardware used for WHOIS service provisioning is the following:
(i) Moscow location: CPU Intel Xeon E5405⁄ASUS 1U RS162-E4-RX4 (LGA771,i5000P,SVGA,DVD,SAS RAID,4xHotSwap, SAS⁄SATA, 2xGbLAN, 32DDRII FBDIMM, 700⁄HDD2x250 GB SATA-II⁄ DDR-II 8x4GB FB-DIMM 5300⁄API5FS22
(ii) St.Petersburg location: CPU Intel Xeon E5405⁄ASUS 1U RS162-E4-RX4 (LGA771,i5000P,SVGA,DVD,SAS RAID,4xHotSwap SAS⁄SATA, 2xGbLAN, 12DDRII FBDIMM, 700⁄HDD2x250 GB SATA-II⁄ DDR-II 8x4GB FB-DIMM 5300⁄API5FS22
(iii) Frankfurt location: the server configuration will be similar to the one in St.Petersburg.

5.3. Software

The WHOIS software was developed by Registry Service Provider and has been in use for several years without a single failure.

Data from SRS are being loaded to WHOIS servers every 5 minutes. The response to a user’s query is formed on the basis of data in the WHOIS local database. Each WHOIS server is equipped with a sufficient RAM capacity to have the basic data from the database be cached therein.

Its main components are:
- PostgreSQL database;
- the ‘WHOIS3D’ program. It listens on TCP port 43, controls the query queue, filters out those users who exceed the query frequency limits, forwards queries to the local database in several threads and maintains the logfile;
- the database “stored procedure” designated for generation of the text of the response to a user’s query;
- a set of scripts to launch, suspend, restart the WHOIS3D module, as well as to handle log files daily;
- the procedure of synchronization with the registry database.

Queries are handled continuously in a multithread mode. When the module that generates responses by the database is overloaded, the incoming queries are queued for processing. The denial of service is possible only once the queue is overflown.

6. THE EXTENDED SEARCH

The advanced search by WHOIS database is carried out via the Web-form (see Figure Q26_DomainSearchScreenshot).

The service is available to authorized customers under the service agreement.

The service enables to search data by a partial match, using the following fields:
- domain name;
- contact person’s name;
- registrant’s name;
- the contact person and registrant’s postal address, including all the sub-fields specified in EPP.

Symbol ‘%’ stands for an arbitrary symbol sequence.

The service enables data search by exact match using the following fields:
- registrar’s ID;
- registration date (date or an interval between dates);
- last update (date or an interval between dates);
- nameserver;
- IP address.

Additional bitwise operators are in use for the fields ‘domain name’, ‘nameserver’, ‘registrar identifier’:
- bitwise operator ‘OR’ (searched-for words are separated by the blank space);
- bitwise operator ‘NOT’ ( symbol ‘!’ precedes the searched-for word).

Search results include domain names relevant to all the search criteria (bitwise operator ‘AND’).

7. ABUSES AND REMEDIES

Potential abuses are:
- fetching a large number of domains for formation of one’s own database and its use for illegitimate purposes;
- flooding the WHOIS service with a large amount of queries and, as a consequence, deceleration of processing of other users’ queries;
- usage of the WHOIS contact data for spam purposes.

To preclude the abuses the following measures have been taken:
- bot protection in the Web interface;
- running a log to record incoming queries and results of their execution;
- blocking users who exceeded a certain threshold with regard to the number of queries per minute.

The queries rate from an individual IP address is limited. Where a certain threshold (100 queries in 3 minutes) value has been exceeded, a subsequent query is not processed until the expiration of the said 3-minute time slot and the following notification is communicated to the user instead: ”You have exceeded the allowed queries rate. Please try to connect later”. Where the user has repetitiously (4 times within a 15 minute-long period) exceeded the query rate limit, his every subsequent query submitted within the next hour is not processed. The following notification is communicated: ”You are not allowed to connect”.

The System Administrator may edit the list of IP addresses exempt from the said restrictions or for which those restrictions are eased.

The provisioning of extended search service via Web-form might cause additional abuses, including:
- fetching of a large number of domains for formation of one’s own database and its use for illegitimate purposes;
- flooding WHOIS service with ‘hard’ queries, and, as a consequence, deceleration of processing of other users’ queries;
- use of contact data for spam purposes.

The following measures are taken to prevent the abuses:
- access to the search form is executed using the https protocol;
- access is granted only from the IP addresses included in a certain access list ;
- authentication (entering the name and the password) is required;
- data delivery is limited by the number of domains (no more than 100);
- a log collected for incoming queries for analysis.

8. PERSONNEL

The following staff roles are engaged in implementation and maintenance of the WHOIS service:

(i) Initial implementation:
- Database Developer (Registry Services Department, R&D Group), 2 persons;

(ii) Ongoing maintenance:
- Database Administrator (Registry Services Department, RS Support), 2 persons.
- The Database Developer’s responsibilities include: development and enhancement of WHOIS software; implementations of WHOIS database; performing debugging and intermediate testing.
- The Database Administrator responsibilities include: installation and setup of WHOIS database and application; setup of access privileges; review of ongoing performance characteristics.

9. CONCLUSION

The applicant is absolutely confident that the technology of building a distributed WHOIS service with the use of three remote sites coupled with employment of Anycast technology ensures a high-quality and resilient service for Registrars and Internet users. The searchable Web-based WHOIS provides various methods of search: by domain name, registrant name, postal address, various contact properties, name servers and IP addresses. It supports Boolean searches. In order to protect privacy and implement anti-abuse measures, various mechanisms, such as limiting the number of requests from origin, are implemented.

The extended search capabilities are considered a very important tool for law- enforcement agencies and rights protection champions. The applicant will grant access to the extended search for such organizations after their identification and consultations with the ICANN.

Similar gTLD applications: (2)