What’s RDAP and Whereis Whois?
Why is Whois Being Sunset?
Domain registration data has been a long-standing asset for threat intelligence; correlating registration data across domains can uncover additional identifiers related to threat actors targeting companies, their employees, and their customers. Even with privacy redactions, registration data continues to be a critical source of information for threat analysts.
Whois has been the protocol for publishing domain registration data for over 40 years. While the protocol is well understood, it is dated: Whois records are free-form text files that are easy for humans to read but poor for machine processing, and their layout varies from one registrar to the next. RDAP, or Registration Data Access Protocol, was introduced in 2015 as a replacement for Whois. It was designed from the ground up to be machine readable (records are structured JSON served over HTTPS) and addresses many of the shortcomings of Whois.
ICANN has been encouraging registries and registrars working in TLDs under its purview to adopt RDAP with the goal of sunsetting Whois. Those registries and registrars have made solid progress, and many have RDAP services that provide parity data with their Whois services. We could now be approaching the end for Whois – at least partially. ICANN’s 2023 Global Amendment to the Base gTLD Registry Agreement includes provisions for sunsetting registry/registrar obligations to provide domain registration data via Whois after January 28, 2025. Assuming registrars indeed follow through, Whois could disappear for large portions of the global domain space in January 2025!
What is the Future of Whois?
Despite this, Whois won’t entirely disappear. TLDs outside of ICANN’s gTLD agreements are not obligated to adopt RDAP; typical examples are “country code TLDs” such as .ru or .it. There will likely be a long tail of registries and registrars that do not adopt RDAP for some time.
The result of all of this is that tracking domain registration data will become more complex than ever – you will need to track data from both RDAP and Whois, depending on which protocol is used by registrars across different TLDs globally. And some registrars might publish both Whois and RDAP records, making the effort to streamline data collection and analysis more cumbersome.
The DomainTools enterprise products have now been updated to meet this important shift. We will continue to pull Whois records where we can, as long as they are available. And we are now gathering RDAP records from over 770 registries and registrars across more than 1,100 TLDs globally.
While those statistics may be impressive, we believe that in most cases, customers don’t really care about the protocol – you just want the data. We believe it is our job to make the process of using domain registration data as simple as we can, and don’t want you to have to figure out which domains use RDAP vs. Whois – you’ve got enough on your plate already!
RDAP in Domain and DNS Intelligence Tools
In Iris Investigate, Enrich and Detect, the collection of RDAP and Whois happens simultaneously. We track whether the registrar returned RDAP or Whois records and merge the results into a single set of domain registration data points in the Iris Platform for use across Iris Investigate, Enrich, and Detect, in the web applications as well as the APIs. In cases where a registrar provides both RDAP and Whois, we analyze the records to determine which record contains more data. That data becomes the default registration data points in those products.
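As an added illustration of what this merging step involves (example code written for this article, not DomainTools’ implementation), the snippet below normalizes a constructed RDAP JSON document and a constructed Whois text record for the same domain into one protocol-neutral schema, then keeps the record with more populated fields as the primary. The sample records, the field names and the simple “more populated fields wins” rule are assumptions made for the example.

```python
import json
# Constructed sample records for one domain (not real lookups); the Whois copy has fewer fields.
RDAP_SAMPLE = json.dumps({
    "objectClassName": "domain", "ldhName": "EXAMPLE.TEST", "status": ["client transfer prohibited"],
    "events": [{"eventAction": "registration", "eventDate": "2019-03-04T10:15:00Z"}],
    "nameservers": [{"ldhName": "NS1.EXAMPLE.TEST"}, {"ldhName": "ns2.example.test"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar Inc."]]]}],
})
WHOIS_SAMPLE = """Domain Name: EXAMPLE.TEST
Registrar: Example Registrar Inc.
Name Server: ns2.example.test
Name Server: NS1.EXAMPLE.TEST
"""

def parse_rdap(text):
    """Map an RDAP JSON document (RFC 9083 shape) onto a protocol-neutral record."""
    doc = json.loads(text)
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    rec = {"source": "rdap", "registrar": None, "domain": doc.get("ldhName", "").lower(),
           "created": events.get("registration"), "status": sorted(doc.get("status", [])),
           "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", []))}
    for ent in doc.get("entities", []):
        if "registrar" in ent.get("roles", []):
            # jCard properties are [name, parameters, type, value]; "fn" is the display name
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    rec["registrar"] = prop[3]
    return rec

def parse_whois(text):
    """Minimal 'Key: value' Whois parser; real records vary by registrar and need per-source rules."""
    keymap = {"Domain Name": "domain", "Registrar": "registrar", "Creation Date": "created"}
    rec = {"source": "whois", "nameservers": [], "status": [], **dict.fromkeys(keymap.values())}
    for line in text.splitlines():
        key, sep, val = (s.strip() for s in line.partition(":"))
        if sep and key == "Name Server":
            rec["nameservers"].append(val.lower())
        elif sep and key in keymap:
            rec[keymap[key]] = val.lower() if key == "Domain Name" else val
    rec["nameservers"].sort()
    return rec

def populated_fields(rec):
    """Count non-empty fields: the 'which record contains more data' rule described above."""
    return sum(1 for k, v in rec.items() if k != "source" and v)

def pick_primary(rdap_rec, whois_rec):
    """Richer record first; the stable sort keeps RDAP first on a tie, the other stays available."""
    return sorted([rdap_rec, whois_rec], key=populated_fields, reverse=True)
```

Both parsed records are kept, so protocol-specific queries remain possible even though the richer one is used as the default view.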
The benefit of this is that the registration data appears in the same places you are used to viewing or consuming via API – you don’t need to look at contact data in two places as everything is centralized. Querying registration data will be similarly seamless – you don’t need to be concerned about the protocol used by a domain’s registrar. To find larger patterns in malicious actor behavior, you can make reverse queries from current RDAP data and match Whois data for domains that have been inactive for years! This enables you to create holistic analysis for actor behavior over time and avoid having to take extra steps to bridge between Whois and RDAP.
While we believe most customers just want registration data, regardless of protocol, we also understand there could be exceptions. Because of this, Iris Investigate and Enrich will provide the protocol-specific values for both RDAP and Whois. The Investigate web application will also allow protocol-specific queries, meaning you can search for either Whois or RDAP as needed.
To learn more about RDAP in Iris Investigate, Enrich, and Detect, please contact us at [email protected]