Hacker News new | past | comments | ask | show | jobs | submit login

Why are tools using hardcoded lists of WHOIS servers?

Seems there is a standard (?) way of registering this in DNS, but just from a quick test, a lot of TLDs are missing a record. Working example:

    dig _nicname._tcp.fr SRV +noall +answer

    _nicname._tcp.fr. 3588 IN SRV 0 0 43 whois.nic.fr.
Edit:

There's an expired Internet Draft for this: https://datatracker.ietf.org/doc/html/draft-sanz-whois-srv-0...




A plain

  mobi.whois.arpa. CNAME whois.nic.mobi
could've already solved the issue. But getting everyone to agree and adopt something like that is hard.

Although as fanf2 points out below, it seems you could also just start with the IANA whois server. Querying https://www.iana.org/whois for `mobi` will return `whois: whois.nic.mobi` as part of the answer.


The reality of life is that there are way more hardcoded strings than you imagine or there should be.


I have a feeling whois is way older than the concept of SRV records even


The first WHOIS db was created in early 70s, according to Wikipedia. So, older than DNS itself.


because people build these tools as part of one time need, publish it for others (or in case they need to reference it themselves). Other "engineers" copy and paste without hesitating. Then it gets into production and becomes a CVE like discussed.

Developer incompetence is one thing, but AI-hallucination will make this even worse.




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: