It seems that the media has been trying to pin this one on ICANN, but there is no sign of tampering at the DNS root servers, only at the .com gTLD servers (gtld-servers.net), which are wholly administered by VeriSign. Proof follows:
$ whois torrent-finder.com
[Querying whois.verisign-grs.com]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]
The data contained in GoDaddy.com, Inc.'s WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden
without the prior written permission of GoDaddy.com, Inc. By
submitting an inquiry, you agree to these terms of usage and
limitations of warranty. In particular, you agree not to use
this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its
entirety, for any purpose, such as the transmission of unsolicited
advertising and and solicitations of any kind, including spam.
You further agree not to use this data to enable high volume,
automated or robotic electronic processes designed to collect or
compile this data for any purpose, including mining this data for
your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" field. In most cases, GoDaddy.com, Inc.
is not the registrant of domain names listed in this database.

Registrant:
   Torrent Finder
   15 Alexandria St.
   N/A
   Alexandria, 55555
   Egypt

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: TORRENT-FINDER.COM
      Created on: 30-Dec-05
      Expires on: 30-Dec-11
      Last Updated on: 04-Oct-10

   Administrative Contact:
      Gadelkareem, Waleed  kurtubba@gmail.com
      Torrent Finder
      N/A
      N/A
      Alexandria, 55555
      Egypt
      20121578967      Fax -- 2034411838

   Technical Contact:
      Gadelkareem, Waleed  kurtubba@gmail.com
      Torrent Finder
      N/A
      N/A
      Alexandria, 55555
      Egypt
      20121578967      Fax -- 2034411838

   Domain servers in listed order:
      NS51.DOMAINCONTROL.COM
      NS52.DOMAINCONTROL.COM
$
Alright, the WHOIS information looks as if the domain hasn't been seized by GoDaddy. So, we can write them off the list for this one (which is shocking, given the fact that GoDaddy has been more than happy to suspend domains in the past). Let's try a DNS trace using a public DNS server (in this case, 4.2.2.1, hosted by Level3):
$ dig torrent-finder.com +trace @4.2.2.1

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> torrent-finder.com +trace @4.2.2.1
;; global options: +cmd
.                       33799   IN      NS      c.root-servers.net.
.                       33799   IN      NS      j.root-servers.net.
.                       33799   IN      NS      e.root-servers.net.
.                       33799   IN      NS      b.root-servers.net.
.                       33799   IN      NS      d.root-servers.net.
.                       33799   IN      NS      a.root-servers.net.
.                       33799   IN      NS      f.root-servers.net.
.                       33799   IN      NS      g.root-servers.net.
.                       33799   IN      NS      i.root-servers.net.
.                       33799   IN      NS      h.root-servers.net.
.                       33799   IN      NS      k.root-servers.net.
.                       33799   IN      NS      m.root-servers.net.
.                       33799   IN      NS      l.root-servers.net.
;; Received 228 bytes from 4.2.2.1#53(4.2.2.1) in 28 ms
4.2.2.1 is giving us exactly what we asked for here: the root-servers, which are maintained by IANA (part of ICANN). Now let's query one of them:
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
;; Received 496 bytes from 128.8.10.90#53(d.root-servers.net) in 72 ms
When asked for a non-cached answer for 'torrent-finder.com', the root server referred us to the gtld-servers, which are run by VeriSign. Let's ask one of those servers now:
torrent-finder.com.     172800  IN      NS      ns1.seizedservers.com.
torrent-finder.com.     172800  IN      NS      ns2.seizedservers.com.
;; Received 118 bytes from 192.43.172.30#53(i.gtld-servers.net) in 167 ms
Hmm, the gtld-servers are not replying with NS51.DOMAINCONTROL.COM and NS52.DOMAINCONTROL.COM as the registrar WHOIS lists; instead we get NS1.SEIZEDSERVERS.COM and NS2.SEIZEDSERVERS.COM, and following that delegation gives:
torrent-finder.com.     86400   IN      A       74.81.170.110
torrent-finder.com.     86400   IN      NS      ns1.torrent-finder.com.
torrent-finder.com.     86400   IN      NS      ns2.torrent-finder.com.
;; Received 120 bytes from 74.81.170.108#53(ns2.seizedservers.com) in 78 ms
$
Alright, it's obviously not ICANN, but VeriSign. Let's see what they say when asked directly about this:
$ nc whois.verisign-grs.com nicname
torrent-finder.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: TORRENT-FINDER.COM
   Registrar: GODADDY.COM, INC.
   Whois Server: whois.godaddy.com
   Referral URL: http://registrar.godaddy.com
   Name Server: NS1.SEIZEDSERVERS.COM
   Name Server: NS2.SEIZEDSERVERS.COM
   Status: clientDeleteProhibited
   Status: clientRenewProhibited
   Status: clientTransferProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
   Updated Date: 24-nov-2010
   Creation Date: 30-dec-2005
   Expiration Date: 30-dec-2011

>>> Last update of whois database: Sun, 28 Nov 2010 07:28:43 UTC <<<
$
Hmm, what does the serverUpdateProhibited status mean? According to RFC2832bis:
SERVERUPDATEPROHIBITED: The registry sets the domain to this status. Requests to update the domain name (except to remove this status) MUST be rejected. The domain name can be transferred, renewed, or deleted. The domain SHALL be included in the zone when in this status if the domain has at least one delegated name server.
This means that the registry operator (here VeriSign) has locked the domain: the registrar's own records still show the DOMAINCONTROL.COM name servers, but the registry database and the .com zone carry the SEIZEDSERVERS.COM delegation, and the server* status flags prevent the registrar from changing it back. If it were ICANN, the block would happen at the root servers, not at the registry level; that is, the query wouldn't be reaching VeriSign-GRS at all.
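The comparison the post walks through (registrar WHOIS vs. registry WHOIS vs. the delegation the gtld-servers actually serve) as a small check. This is example code added here, not from the original post; the WHOIS texts and NS list below are constructed from the outputs shown above, and the layer names returned are my own labels.

```python
"""Locate the layer at which a .com delegation was changed.

Compares three views of a domain: the thick registrar WHOIS (whois.godaddy.com
style), the thin registry WHOIS (whois.verisign-grs.com style) and the NS
records returned by a gtld-servers.net host.  Inputs are constructed samples
taken from the outputs quoted in the post.
"""
import re

REGISTRY_WHOIS = """\
Domain Name: TORRENT-FINDER.COM
Registrar: GODADDY.COM, INC.
Name Server: NS1.SEIZEDSERVERS.COM
Name Server: NS2.SEIZEDSERVERS.COM
Status: clientDeleteProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
"""

REGISTRAR_WHOIS = """\
Domain Name: TORRENT-FINDER.COM
Domain servers in listed order:
    NS51.DOMAINCONTROL.COM
    NS52.DOMAINCONTROL.COM
"""

# NS set handed back by i.gtld-servers.net in the dig +trace above.
TLD_DELEGATION = ["ns1.seizedservers.com.", "ns2.seizedservers.com."]


def parse_registry_whois(text):
    """Name servers and EPP-style status codes from a thin registry record."""
    ns = [h.lower().rstrip(".") for h in re.findall(r"^Name Server:\s*(\S+)", text, re.M)]
    return {"nameservers": sorted(ns), "status": re.findall(r"^Status:\s*(\S+)", text, re.M)}


def parse_registrar_whois(text):
    """Name servers from the 'Domain servers in listed order:' block."""
    m = re.search(r"Domain servers in listed order:\n((?:[ \t]+\S+\n)+)", text)
    ns = [s.strip().lower().rstrip(".") for s in m.group(1).splitlines()] if m else []
    return {"nameservers": sorted(ns)}


def locate_change(registrar, registry, delegation):
    """Return which layer disagrees with the registrar's own data."""
    served = sorted(h.lower().rstrip(".") for h in delegation)
    server_locked = any(s.lower().startswith("server") for s in registry["status"])
    if served != registry["nameservers"]:
        return "zone"        # the .com zone does not match the registry database
    if registry["nameservers"] != registrar["nameservers"]:
        # registry overrode the registrar; server* locks show it was the registry
        return "registry" if server_locked else "registrar-stale"
    return "consistent"
```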
I wonder what other domains are serverUpdateProhibited now.