Private sector investigators and law enforcement rely on timely and uniform access to domain registration data to respond to and mitigate (through takedowns or blocklisting) cybercrimes including phishing, spam, and malware. In most first-response situations, the registration data need not include contact data, which may contain personal data protected by privacy law.
Researchers use these “non-contact data” elements to identify where cybercriminals acquire resources for their attacks. For accurate, longitudinal results it is critical that researchers also be able to obtain this data before operators take actions such as deregistration.
Interisle’s studies and quarterly public reporting of cybercrime activity rely on accurate data gathered by the Cybercrime Information Center (CIC). The Cybercrime Information Center, in turn, relies on accurate data concerning phishing, malware, and spam gathered by various cybercrime feeds. But on its own, this data is insufficient. The CIC also relies on other sources of data to augment the information from those feeds. Examples include DNS (to obtain IP addresses, which determine the hosting networks and hence the countries where cybercrime activity is taking place) and RDDS (Registration Data Directory Services) such as WHOIS and RDAP (to identify the registrar through which the cybercrime domain name was registered as well as the date on which the domain name was registered).
Identifying the cybercrime domain registrar allows us to accurately identify the top registrars of cybercrime domains in our reporting. Knowing a domain creation date allows us to determine whether a domain was registered for the purpose of conducting cybercriminal activity (which factors into our determination of a malicious domain registration).
However, there are many occurrences where contacting the domain registry using WHOIS or RDAP does not yield an answer. One is where a registry blocks attempts to access any domain registration data. Another is where a registry imposes rate limits, sometimes quite strict, on the registration data requests to which it will respond.
WHOIS and RDAP are always assumed to be the way to obtain contact data for a domain, as though this were the only use case. As previous Interisle studies have shown (e.g., Contact Data Study 2024 and Contact Data Study 2021), contact data is in fact becoming less and less available. However, the CIC does not need contact data. The CIC is only looking to gather information that identifies the domain registrar and the domain creation date.
We have identified several registries that have blocked or restricted access to the RDDS data sought by the CIC concerning domains identified as being involved in cybercrimes. We looked at the data for a single month – February 2025 – across the three cybercrimes we study: phishing, malware, and spam. If the CIC was unable to get DNS or RDDS data for a domain, we considered that domain no longer active (and probably deregistered). However, if the CIC was able to obtain DNS data (i.e., the domain name resolves) but not RDDS data, we considered that RDDS was either blocked or rate-limited – that is, we cannot identify the corresponding domain registrar and we have no domain creation date with which to determine malicious domain registration. We can therefore distinguish rate limiting or blocking from deregistration.
We looked at the domains reported for cybercrimes in the month of February 2025. For that month, there were a total of 1,832,960 gTLD cybercrime domains; of those, we determined that 131,842 had been deregistered (i.e., had no RDDS data or IP address); of the remaining domains, we were unable to retrieve RDDS data for 568,285 cybercrime domains (a third of all those domains!).
The following table shows the Registry Operators with the most cybercrime domains reported in February 2025 for which we could not ascertain domain registration data. While we show only the top eight, the problem affects many more Registry Operators and their gTLDs. Here we show the registry operators, their gTLDs in which cybercrimes were reported, the number of cybercrime domains, and the number and percentage of those domains for which we could not retrieve domain registration data:
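The classification rule described above (no IP address and no RDDS data means deregistered; DNS resolves but no RDDS data means RDDS was blocked or rate-limited; RDDS data present means the registrar and creation date are known) and the per-operator summary the table presents, written out as an added Python example. This is not the CIC’s or Interisle’s own code: the lookup results, operator names, registrar names, domain names and dates are all constructed, and the 30-day window used to flag a recent registration is an assumed value, not a threshold the article states.

```python
"""Classify cybercrime-reported domains by what DNS and RDDS lookups returned,
then summarise per Registry Operator. Constructed example, not CIC code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Outcome labels used for each reported domain.
DEREGISTERED = "deregistered"                     # no IP address and no RDDS data
RDDS_UNAVAILABLE = "rdds_blocked_or_rate_limited"  # resolves, but RDDS gave nothing
IDENTIFIED = "registrar_identified"               # RDDS returned registrar + creation date

# Assumed window: a domain created within this many days of the report date is
# flagged as a likely malicious registration. The article states no threshold.
RECENT_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Lookup:
    """Result of one DNS lookup and one RDDS (WHOIS/RDAP) lookup for a domain."""
    domain: str
    operator: str              # Registry Operator of the domain's gTLD (constructed)
    resolves: bool             # DNS returned at least one IP address
    rdds_status: str           # "ok", "http_429" (rate-limited), "timeout", "refused"
    registrar: Optional[str] = None
    created: Optional[date] = None


def classify(lk: Lookup) -> str:
    """Apply the article's rule. A response with registrar data counts as RDDS
    available even if the name no longer resolves (an assumption; the article
    does not discuss that combination)."""
    if lk.rdds_status == "ok" and lk.registrar is not None:
        return IDENTIFIED
    if lk.resolves:
        return RDDS_UNAVAILABLE
    return DEREGISTERED


def recently_registered(lk: Lookup, report_date: date) -> Optional[bool]:
    """True if the creation date falls inside the assumed window before the report;
    None when no creation date could be retrieved (the blind spot the article describes)."""
    if lk.created is None:
        return None
    return 0 <= (report_date - lk.created).days <= RECENT_WINDOW_DAYS


def totals(lookups):
    """Month-wide counts in the shape of the article's February 2025 figures."""
    labels = [classify(lk) for lk in lookups]
    return {
        "reported": len(labels),
        "deregistered": labels.count(DEREGISTERED),
        "no_rdds": labels.count(RDDS_UNAVAILABLE),
        "identified": labels.count(IDENTIFIED),
    }


def summarise_by_operator(lookups):
    """Per operator: reported domains, deregistered, no retrievable RDDS, and the
    percentage of reported domains with no RDDS, sorted by that count."""
    counts = defaultdict(lambda: {"reported": 0, "deregistered": 0, "no_rdds": 0})
    for lk in lookups:
        row = counts[lk.operator]
        row["reported"] += 1
        label = classify(lk)
        if label == DEREGISTERED:
            row["deregistered"] += 1
        elif label == RDDS_UNAVAILABLE:
            row["no_rdds"] += 1
    rows = [
        {"operator": op, **c, "pct_no_rdds": round(100.0 * c["no_rdds"] / c["reported"], 1)}
        for op, c in counts.items()
    ]
    rows.sort(key=lambda r: (-r["no_rdds"], r["operator"]))
    return rows


# Constructed sample of lookup results (no real domains, operators or registrars).
REPORT_DATE = date(2025, 2, 15)
SAMPLE = [
    Lookup("verify-login.test", "op-alpha", True, "ok", "Registrar X", date(2025, 2, 10)),
    Lookup("bank-update.test", "op-alpha", True, "http_429"),
    Lookup("free-gift.test", "op-alpha", False, "timeout"),
    Lookup("invoice-pay.test", "op-beta", True, "refused"),
    Lookup("doc-share.test", "op-beta", True, "http_429"),
    Lookup("track-parcel.test", "op-beta", True, "ok", "Registrar Y", date(2024, 1, 3)),
    Lookup("acct-secure.test", "op-gamma", False, "refused"),
]

if __name__ == "__main__":
    print(totals(SAMPLE))
    for row in summarise_by_operator(SAMPLE):
        print(row)
```

Running the script prints the month-wide totals followed by one row per operator; an operator with a high `no_rdds` count but a low `deregistered` count is exactly the blocking or rate-limiting case the article singles out, since the names still resolve while the registrar and creation date stay hidden.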
Blocking and rate-limiting of RDDS data affects first response: investigators can’t identify the registrar, which is generally the first party investigators contact. Parties with legitimate access can’t request contact data during the critical initial minutes and hours of an attack.
For researchers like the CIC and Interisle, timely access to certain domain registration data is important to the accurate reporting of cybercrime statistics. Where that data is unavailable, we have to rely on other sources (such as passive DNS) to be able to approximate cybercrime domain creation dates. But it remains impossible to identify the registrars responsible for allowing those cybercrime domain names to be registered – allowing them to fly under the radar.
Several operators have indicated that if law enforcement organizations or researchers contact them, they will make arrangements to whitelist them. However, making individual arrangements with Registry Operators and Registrars in order to gain access to RDDS data without rate limits is not really practical. With almost 600 distinct gTLD Registry Operators and close to 3,000 accredited gTLD Registrars, this is not a pragmatic solution across the breadth of TLDs being used for cybercrime domains.
Limiting access to RDDS data is a significant problem. It hinders the important work of private sector investigators and law enforcement as well as researchers who are all trying to limit the effects of cybercrime. The net effect of continuing to limit access to RDDS data is that it allows cybercrime to thrive and grow. The issue of RDDS access needs to be addressed during policy and regulatory discussions. Ideally, the solution will address uniform and timely access.