WHOIS ARIN – DNS entries and how to be a professional eCreep

LoriBeth Blair

Presented by: ​LoriBeth Blair

WHOIS ARIN – DNS entries and how to be a professional eCreep

A walk through of my process of gathering information about the email infrastructure a company is using based on their DNS records. As a freelance consultant, this was my prime tactic of knowing waaay too much about a prospect’s infrastructure. It also let me more accurately assess the probable risks involved with the engagement. Key takeaways 1. Which DNS Searches to use and how to use them?2. What types of information can be discerned via DNS entries?3. How to obscure information about your infrastructure.

About: LoriBeth Blair

Chef-School drop out with degrees in Spanish and Accounting. IT veteran with a wealth of experience working with high security requirement environments. My passion is solving problems using the scientific method and data analytics. I love designing tests that generate data that reveals more about the unique relationship between the sender, their recipients, and their inbox providers.

Hello, everyone, thank you. Thanks for joining me today, I’ve got just a quick session here prepared for us on WHOIS ARIN and how to eat creep like a pro. So the situation that I imagine some of you found yourself in previously, is you’re you come on to a new job or a new project. And there’s almost no handover of information. So you’re trying to figure everything out, you’re having to essentially rebuild the wheel from from nothing. And that’s what this presentation is here to help you with is how to figure out what information you can find out about a domain, just based on what’s publicly available. And what that tells us. So I’m going to check out, I’m going to check out the domain for my new employer validity, because I’m trying to get a handle on how they use email potentially in case it’s relevant to my role. So the first thing that I’m going to do is I’m going to do a who is look up, you can do this on who is domain tools calm, there are lots of other resources available for this. So I don’t endorse any particular one, all of them should pull up the same information. So we can see here is who is provides you UI for the information of what’s really a TXT record, if we look down here, we can see that it’s just a TXT record. But I’m going to go to the little bit more formatted UI, because that makes it a little easier to see. So we can see here that validity has this domain registered. We can, which is not really any surprise, we can see that their domain registrar is Network Solutions, LLC, we can see that this domain is 9208 days old, which is pretty cool. My opinion, we can see it was registered back in 1995, we can see where the name servers are. This is useful information in case maybe you’re onboarding a new provider and you need to make changes to the DNS. This can help point you as to what that DNS host is. I think also really importantly, here we have the technical contact information. It’s registered as infrastructure at validity calm. Oh, yeah, I will definitely, I will definitely show an example that shows that. This is, so Kent makes an excellent point that in a lot of cases, it’s not possible to see this information as it’s been redacted for GDPR. We can see here that the validity actually has all of the information filled out, which I think helps identify the domain is theirs and the traffic is theirs. So looking here, we can see and this technical contact, maybe if you found a problem on the website, and you want to say who can I reach out to to let them know that there’s an issue with the website, this technical contact information would be a good place to start. So to show an example of what Kent was talking about there, if we go to my domain, LoriBeth Blair.com we can actually see that the information here is redacted due to privacy. It’s not based on mine isn’t redacted due to GDPR. But in a lot of cases, you’ll see a lot of this information will say that it’s not available due to GDPR. But as you can see here, I have mine behind a privacy screen. The reason I do this is otherwise I end up getting a lot of spam, both telephone, web and direct mail even. So for my personal domains I tend to keep I tend to keep mine straight. You can I can I tend to keep mine. A secured like this, you can see that my domain is hosted at Google domains here based on where the name servers are. And still you have a contact email in case you noticed a technical issue with my site. Or if you noticed any other issues, you could reach out to this email address and it would eventually get back to me. So the next thing that I’m going to check out For the domain validity is I’m going to check the a record. This is going to tell us where the website content is hosted. So if we go ahead and submit this, we’re kind of following this chain of information, we can see that a record IP address here, three, five, dot two to two dot 180209. Now this in and of itself doesn’t tell us too much. But when we combine this with an MRI in search, the American registry for internet numbers, IP addresses, we combine this with an error and search, we’re not we can actually see a bit more information. So we can see that this IP address belongs to Google Cloud. So that can tell us reasonably that the validity website application is hosted somewhere in the Google Cloud. The other really important information that you can find on an air ion search that might be relevant to most of you, is again, the compliance contact, the compliance or the abuse contact. If you’re receiving a lot of spam from an IP address, you could go search the ARIN record number and see who that IP addresses ultimately registered to and reach out to them to let them know their IP is sending spam, because there’s a chance they’re not even aware of it. Or you can also indicate I’ve also seen this useful in cases where you’re looking in your DMARC reporting, and you see the consistently, there’s an IP address that sending spoofed mail traffic on behalf of your domain, and say that you know, for a certainty that this IP address is not one that you want to be sending on behalf of your domain, you might come and do an error and search to look up who the contact is for that IP and let them know that you’re seeing unauthorised mail on behalf of your domain coming from their IP address. So erion can be a very useful tool when you’re in the sending infrastructure. And you’re dealing with IP addresses, sending and web hosting infrastructure, which is why I show both of those examples. The other thing, another thing that I always like to check. And this is especially probably relevant to you marketers, you may want to check what the SPF record is, we check this by doing a TXT record search. You want to search here. And it’s going to be the TXT record that starts with V equals SPF one. And we have a few txt records here. So it’s just taken a second to load. And if we look here, we can see that there is in fact, a TXT record here that begins with V equals SPF one. We can tell a lot, there’s a lot of information in this SPF record. So looking here, I see net blocks from mime cast. Now I just happen to know that usually when somebody includes mimecast in their SPF record, it means that that’s their spam filter, and I’m going to show you how to check that with the MX record here in just a moment. We can also see that they include Salesforce, so we can say that they probably send mail. So if I’m a marketer coming into the situation, I can say okay, they send some mail on behalf of Salesforce, I can look here and see where they’ve included Zendesk. And I can say okay, they probably use Zendesk for their support ticketing in case that’s relevant to my role. I can look here and see that for marketing, it looks like they use Marketo, because they’ve got marchetto, his IP addresses included in their SPF record by including marquetta Mk to males SPF record, we can see they’ve got some IP addresses from Amazon sts included, we can see they’ve got some from Atlassian. And we can see that they’ve got a couple of individual IP addresses. So this is another case where you might want to say, Hmm, I don’t recognise that IP address. Let me do an MRI in search to see if I can determine where you know what’s going on with this IP address what it might be sending. I’m just going to do a quick search here. And we can see that this belongs to CRM fusion. And that is not a surprise as a product under the validity suite. So looking here, we can see that it’s hosted at Rackspace. So that IP address that sending whatever server is there is hosted somewhere at Rackspace. And again, we’ve got the email contact in case we need it hostmaster@rackspace.com if we see any weird behaviour coming from this IP address so that tells us a little bit more information about it and the next thing that I would typically check so we’ve checked the SPF record Next thing that I would want to check is the MX record in case this is maybe in case I’m trying to reach out to someone from validity, and I’m having trouble getting my email through their server, I might want to check and see. And here we have confirmation that they do, in fact, use the mimecast spam filter to filter their incoming email. So this is helpful because in, and this is a really helpful search that I do if somebody tells me, Hey, I’m sending mail to this domain. And it’s not getting they’re telling me they’re not receiving it. Because there are only a few possibilities. Either the server never sent the mail, or the server sent the mail. And it was put in a quarantine folder, or the server sent the mail and the mail was bounced back. So we know if we get a bounce back that the mail wasn’t delivered. But in the situation where the mail gets quarantined, we don’t exactly know what happened to it. But one way to find a direction to research in is to look up the MX record for the domain. So for example, I’m trying to reach somebody at validity, they’re telling me they’re not getting the mail, I’m going to look up and I’m going to say my, I’m going to see this mimecast spam filter. So at the very least I can look at this and say, Hey, I know that my system sent you the mail, I didn’t get a bounce back message. Why don’t you check with whoever administrates the MIME cast spam folder for your company. And that way, now they’ve got a direction to go in, they’ve got somebody that they can count, hopefully contact and figure out where that mail went. And this would be in a case where maybe you’ve tried sending someone something multiple times and it’s still not getting through. And then the last thing that I typically check would be looking for a DMARC record. Now this one is going to be a little bit different. It is a TXT record. But the DMARC record is always stored at underscore d mark.so. I’m going to look on this subdomain to see where the DMARC record is. And we can see here that this is in case this is relevant to my role, and I need to find my login to the reporting software. I can see here that they have their DMARC reports pointed to validity calm a validity.com address. Let’s check another example. Let’s check my website where I’ve got mine pointed to 250OK, KS reporting addresses. And let’s see what that looks like. And here we can see that I’ve got, you know, both the aggregate and the forensic addresses pointed to DMARC dot 250OK.net which means that any reports that are sent back to me by Gmail, Yahoo, Comcast, etc, are going to be sent back to this Reporting Service. So that’s where I need to look, if I want to find that reporting information. So that is all the content that I had prepared for this. I wanted to see if anybody in the audience had any domains that they needed some questions answered about. I’m happy to pull up some examples live or I’m happy to just be available here to answer any questions in the chat.