GoDaddy and DomainTools scrap over Whois access
GoDaddy has seriously limited DomainTools’ access to its customers’ Whois records, pissing off DomainTools.
DomainTools CEO Tim Chen this week complained to DI that its access to Whois has been throttled back significantly in recent months, making it very difficult to keep its massive database of domain information up to date.
Chen said that DomainTools is currently only able to access GoDaddy’s Whois over port 43 at about 2% of the rate it had previously.
He said that this has been going on for about six months and that the market-leading registrar has been unresponsive to its requests to have previous levels restored.
“By throttling access to the data by 98% they’re defeating the ability of security practitioners to get data on GoDaddy domains,” Chen said. “It’s particularly troublesome because they [GoDaddy] are such a big part of DNS.”
“We have customers who say the quality of GoDaddy data is just degrading across the board, either through direct look-ups or in some of the DomainTools products themselves,” he said.
DomainTools customers include security professionals trying to hunt down the source of attacks and intellectual property interests trying to locate pirates and cybersquatters.
GoDaddy today confirmed to DI that it has been throttling DomainTools’ Whois access, and said that it’s part of ongoing anti-spam measures.
In recent years there’s been an increase in the amount of spam — usually related to web design, hosting, and SEO — sent to recent domain registrants using email addresses harvested from new Whois records.
GoDaddy, as the market-share leader in retail domain sales, takes a tonne of flak from customers who, unaware of standard Whois practice, think the company is selling their personal information to spammers.
This kind of Twitter exchange is fairly common on GoDaddy’s feed:
Being bombarded by web developers after purchasing domain frm @GoDaddy
I paid for that domain and u selling my personal info like anything.gotta switch frm godaddy.— Vikas Rawat (@VikasRa87555925) January 12, 2018
While GoDaddy is not saying that DomainTools is directly responsible for this kind of activity, throttling its port 43 traffic is one way the company is trying to counter the problem, VP of policy James Bladel told DI tonight.
“Companies like [DomainTools] present a challenge,” he said. “While we may know these folks, we don’t know who their customers are.”
But that’s just a part of the issue. GoDaddy was also concerned about the amount of resources DomainTools was consuming, and its own future legal responsibilities under the European Union’s forthcoming General Data Protection Regulation.
“When [Chen] says they’re down to a fraction or a percentage of what they had previously, well what they had previously was they were updating and archiving Whois almost in real time,” Bladel said. “And that’s not going to fly.”
“That is not only, we feel, not congruent with our responsibilities to our customers’ data, but it’s also, later on down the road, exactly the kind of thing that GDPR and other regulations are designed to stop,” he said.
GDPR is the EU law that, when it fully kicks in in May, gives European citizens much more rights over the sharing and processing of their private data.
Bladel added that DomainTools is still getting more Whois access than other parties using port 43.
“They have a level of access that is much, much higher than what they would normally have as a registrar,” he said, “but much lower than I think they want, because they want to effectively download and keep current the entirety of the Whois database.”
I’m not getting a sense from GoDaddy that it’s likely to backtrack on its changes.
Indeed, the company also today announced that it from January 25 it will start to “mask” key elements of Whois records when queried over port 43.
GoDaddy told high-value customers such as domainers today that port 43 queries will no longer return the registrant’s first name, last name, email address or phone number.
Bulk Whois users such as registrars (and, I assume, DomainTools) that have been white-listed via the “GoDaddy Port43 Process” will continue to receive full records.
Its web-based Whois, which includes a CAPTCHA gateway to prevent scraping, will continue to function as normal.
Bladel said that these changes are NOT related to GDPR, nor to the fact that ICANN said a couple months back that it would not enforce compliance with Whois provisions of the Registrar Accreditation Agreement, subject to certain conditions.
Why doesn’t DomainTools just “pay to play” with GoDaddy? You’re selling the data to your customers, DomainTools, so why shouldn’t you do a deal with GoDaddy to pay for unlimited access to whois data?
Or is Tim Chen saying that they (DomainTools) and anyone else should have unfettered access to all the whois data they want for whatever use they want? Even if it’s to resell it?
It’s not just DomainTools that is getting throttled by GoDaddy.
When transferring domains out of GoDaddy to Uniregistry, the time it takes to query these domains in order to generate the transfer confirmation is ridiculously long, up to 15 minutes for 20 domains.
I was told that Uniregistry can only do 4 queries per minute for GoDaddy domains.
I have no issues when transferring domains out of Fabulous, takes seconds to generate and receive the email.
This! I was wondering what was going on with the wonky mechanics of transferring from GD to Uniregistry.
Technically, all a contracted party needs to do in answer WHOIS queries and being in compliance is to do like this:
Registrant: Example Registrant
Anything above that, including actual registration records, is being answered as a common practice, not as a requirement.
And when things go south, like the current gTLD spam crisis or GDPR, WHOIS will become more like the letter of the contracts and less likely what people are used to.
I see that my criticism was edited out of the original article so I will write it here.
This is against ICANN rules. Period.
If anyone disagrees, including GoDaddy, let me know.
Of course we all know that no one with the slightest of power over many doesn’t care about these rules. And ICANN cares only about rules that pay money to this “institution”.
@Trev
Current whois data is free for all per ICANN rules.
@Rubens Kuhl
I would love to know how you came to this conclusion. There is only one WHOIS structure with a certain number of elements.
Providing only the registrant name is like selling a car without the engine.
Actually, there is provisions for registrars to make their complete whois available for $10K for bulk access.
Rubens is right
One needs to answer WHOIS query with required fields, plus optional fields, of the example.TLD domain, not the domain you actually queried. There is no functional description in the registry agreement explaining what should be answered, just an example with example. TLD, “Example Registrant” etc.
Hey domaintools, stop throttling *my* access to your whois records. I can only do a few lookups per day unless I pay. You are defeating the ability of security practitioners to get data.