did icann really seize torrent-finder.com or was it verisign?

It seems that the media has been trying to pin this one on ICANN, but there is no sign of tampering at the DNS root servers, only at the GTLD servers, which are wholly administered by Verisign.  Proof follows:

$ whois torrent-finder.com
[Querying whois.verisign-grs.com]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]
The data contained in GoDaddy.com, Inc.'s WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy.  This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, Inc.  By submitting an inquiry,
you agree to these terms of usage and limitations of warranty.  In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam.  You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes. 

Please note: the registrant of the domain name is specified
in the "registrant" field.  In most cases, GoDaddy.com, Inc.
is not the registrant of domain names listed in this database.

Registrant:
 Torrent Finder
 15 Alexandria St.
 N/A
 Alexandria,  55555
 Egypt

 Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
 Domain Name: TORRENT-FINDER.COM
 Created on: 30-Dec-05
 Expires on: 30-Dec-11
 Last Updated on: 04-Oct-10

 Administrative Contact:
 Gadelkareem, Waleed  kurtubba@gmail.com
 Torrent Finder
 N/A
 N/A
 Alexandria,  55555
 Egypt
 20121578967      Fax -- 2034411838

 Technical Contact:
 Gadelkareem, Waleed  kurtubba@gmail.com
 Torrent Finder
 N/A
 N/A
 Alexandria,  55555
 Egypt
 20121578967      Fax -- 2034411838

 Domain servers in listed order:
 NS51.DOMAINCONTROL.COM
 NS52.DOMAINCONTROL.COM
$

Alright, the WHOIS information looks as if the domain hasn't been seized by GoDaddy.  So, we can write them off the list for this one (which is shocking, given that GoDaddy has been more than happy to suspend domains in the past).  Let's try a DNS trace using a public DNS server (in this case, 4.2.2.1, hosted by Level3):

$ dig torrent-finder.com +trace @4.2.2.1

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> torrent-finder.com +trace @4.2.2.1
;; global options: +cmd
.            33799    IN    NS    c.root-servers.net.
.            33799    IN    NS    j.root-servers.net.
.            33799    IN    NS    e.root-servers.net.
.            33799    IN    NS    b.root-servers.net.
.            33799    IN    NS    d.root-servers.net.
.            33799    IN    NS    a.root-servers.net.
.            33799    IN    NS    f.root-servers.net.
.            33799    IN    NS    g.root-servers.net.
.            33799    IN    NS    i.root-servers.net.
.            33799    IN    NS    h.root-servers.net.
.            33799    IN    NS    k.root-servers.net.
.            33799    IN    NS    m.root-servers.net.
.            33799    IN    NS    l.root-servers.net.
;; Received 228 bytes from 4.2.2.1#53(4.2.2.1) in 28 ms

4.2.2.1 is giving us exactly what we asked for here: the root servers, which are maintained by IANA (part of ICANN).  Now let's query one of them:

com.            172800    IN    NS    l.gtld-servers.net.
com.            172800    IN    NS    e.gtld-servers.net.
com.            172800    IN    NS    i.gtld-servers.net.
com.            172800    IN    NS    k.gtld-servers.net.
com.            172800    IN    NS    f.gtld-servers.net.
com.            172800    IN    NS    h.gtld-servers.net.
com.            172800    IN    NS    m.gtld-servers.net.
com.            172800    IN    NS    c.gtld-servers.net.
com.            172800    IN    NS    g.gtld-servers.net.
com.            172800    IN    NS    j.gtld-servers.net.
com.            172800    IN    NS    d.gtld-servers.net.
com.            172800    IN    NS    a.gtld-servers.net.
com.            172800    IN    NS    b.gtld-servers.net.
;; Received 496 bytes from 128.8.10.90#53(d.root-servers.net) in 72 ms

When asked for a non-cached answer for 'torrent-finder.com', they referred us to the gtld-servers, which are run by VeriSign.  Let's ask one of those servers now:

torrent-finder.com.    172800    IN    NS    ns1.seizedservers.com.
torrent-finder.com.    172800    IN    NS    ns2.seizedservers.com.
;; Received 118 bytes from 192.43.172.30#53(i.gtld-servers.net) in 167 ms

Hmm, the GTLD-SERVERS are not replying with NS51.DOMAINCONTROL.COM and NS52.DOMAINCONTROL.COM; instead we get NS1.SEIZEDSERVERS.COM and NS2.SEIZEDSERVERS.COM.  Following that referral:

torrent-finder.com.    86400    IN    A    74.81.170.110
torrent-finder.com.    86400    IN    NS    ns1.torrent-finder.com.
torrent-finder.com.    86400    IN    NS    ns2.torrent-finder.com.
;; Received 120 bytes from 74.81.170.108#53(ns2.seizedservers.com) in 78 ms

$

Alright, it's obviously not ICANN, but Verisign.  Let's see what they say when asked directly about this:

$ nc whois.verisign-grs.com nicname
torrent-finder.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: TORRENT-FINDER.COM
 Registrar: GODADDY.COM, INC.
 Whois Server: whois.godaddy.com
 Referral URL: http://registrar.godaddy.com
 Name Server: NS1.SEIZEDSERVERS.COM
 Name Server: NS2.SEIZEDSERVERS.COM
 Status: clientDeleteProhibited
 Status: clientRenewProhibited
 Status: clientTransferProhibited
 Status: serverDeleteProhibited
 Status: serverTransferProhibited
 Status: serverUpdateProhibited
 Updated Date: 24-nov-2010
 Creation Date: 30-dec-2005
 Expiration Date: 30-dec-2011

>>> Last update of whois database: Sun, 28 Nov 2010 07:28:43 UTC <<<
$

Hmm, what does the serverUpdateProhibited status mean?  According to RFC2832bis:

SERVERUPDATEPROHIBITED: The registry sets the domain to this status.
Requests to update the domain name (except to remove this status)
MUST be rejected. The domain name can be transferred, renewed, or
deleted. The domain SHALL be included in the zone when in this
status if the domain has at least one delegated name server.

This means that the registry administrator (i.e. VeriSign) has locked the domain.  If it were ICANN, it would be blocked at the root servers, not at the registry level; that is, the query wouldn't be making it to VeriSign-GRS at all.
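
Putting the two checks above together (the delegation walk from the dig trace, and the registry-versus-registrar lock prefixes from the WHOIS status lines), as an added example that is not part of the original post: it parses a constructed transcript modelled on the output shown above instead of querying live DNS or WHOIS, and the function names are mine.

```python
import re
# Constructed transcript modelled on the dig +trace output above (not a live capture).
TRACE = """\
.                      33799   IN  NS  a.root-servers.net.
;; Received 228 bytes from 4.2.2.1#53(4.2.2.1) in 28 ms
com.                   172800  IN  NS  a.gtld-servers.net.
;; Received 496 bytes from 128.8.10.90#53(d.root-servers.net) in 72 ms
torrent-finder.com.    172800  IN  NS  ns1.seizedservers.com.
torrent-finder.com.    172800  IN  NS  ns2.seizedservers.com.
;; Received 118 bytes from 192.43.172.30#53(i.gtld-servers.net) in 167 ms
"""
# Constructed registry WHOIS excerpt using the status values quoted above.
REGISTRY_WHOIS = " Status: clientTransferProhibited\n Status: serverUpdateProhibited\n"

RECV = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\)")

def parse_trace(text):
    """Group dig +trace lines into (responding server, [(owner, rrtype, rdata)]) stages."""
    stages, records = [], []
    for line in text.splitlines():
        m = RECV.match(line)
        if m:                                   # end of one referral step
            stages.append((m.group(1), records))
            records = []
        elif line and not line.startswith(";"):
            f = line.split()
            records.append((f[0].lower(), f[3], f[4].lower()))
    return stages

def delegation_for(stages, domain):
    """Return (server that handed out the domain's NS set, that set); (None, set()) if never delegated."""
    owner = domain.lower().rstrip(".") + "."
    for server, records in stages:
        ns = {r for o, t, r in records if o == owner and t == "NS"}
        if ns:
            return server, ns
    return None, set()

def registry_locks(whois_text):
    """EPP statuses prefixed 'server' are set by the registry; 'client' ones by the registrar."""
    statuses = re.findall(r"^\s*Status:\s*(\S+)", whois_text, re.M)
    return sorted(s for s in statuses if s.startswith("server"))

def who_changed_delegation(trace, domain, registrar_ns, whois_text):
    """Compare the NS set the TLD servers hand out with what the registrar's WHOIS lists."""
    server, observed = delegation_for(parse_trace(trace), domain)
    expected = {n.lower().rstrip(".") + "." for n in registrar_ns}
    return {"answered_by": server, "observed_ns": sorted(observed),
            "matches_registrar": observed == expected,
            "registry_locks": registry_locks(whois_text)}
```

A mismatch answered by a gtld-servers.net host together with a server* lock points at the registry, not the root or the registrar.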

I wonder what other domains are serverUpdateProhibited now.

3 Responses to “did icann really seize torrent-finder.com or was it verisign?”

  1. from says:

    using nc to query whois server: A+

    questions:

    why did the seizing party not ask the registrar to change its NS records for these domains?

    have they considered that if someone queries the registrar’s NS, ns51.domaincontrol.com, for torrent-finder.com they can still get the site’s IP and reach it without using DNS?

    and then there's the issue of this info being cached in myriad recursive NS's around the world, for as long as the cache owners see fit.

    even more perplexing, that IP appears to be originating from the US, within the jurisdiction of the seizing party. if that's correct (mirrors notwithstanding), why not just seize the webserver(s)?

    there must be a lot more to this story behind the scenes.

  2. nenolod says:

    I’m not sure why ICE didn’t go to GoDaddy. GoDaddy has been more than willing to help out before…

    The 74.81.170.110 IP is a dedicated server belonging to probably ICE, I suppose. If you query it for any domain, it returns the same result, so I think there is a powerdns server there running a script to generate the appropriate replies.

    I don’t know what the IP is for torrent-finder itself right off the top of my head, but if it’s in the US, then you raise a valid point.

  3. Poop says:

    It’s pretty obvious that dhs simply served verisign with an order to rescind control of the dns registration.