DoH in Firefox: plenty of disapproval but little active resistance?

Most resolvers aren't yet blocking Mozilla's canary domain

For users in the US, Firefox now sends DNS traffic to Cloudflare's resolvers using DNS-over-HTTPS (DoH). The policy has met considerable disapproval from network operators concerned about losing control of their networks and about the privacy implications. In response, Firefox has made it possible for network operators to disable DoH routing of DNS traffic to Cloudflare. In this blog post we consider whether network operators are actually using the opt-out mechanism at their disposal.


DNS-over-HTTPS

DNS-over-HTTPS (DoH) is a protocol for encrypting DNS traffic. Since 2018, Mozilla has been experimenting with the use of DoH in its Firefox browser. Although DoH is a good way of protecting sensitive DNS traffic, the way Mozilla has chosen to implement the protocol has drawn a lot of adverse comment. The bone of contention is that Mozilla's approach routes DNS traffic to Cloudflare's DNS resolvers, effectively by default. That means bypassing local network resolvers and the resolvers operated by access providers, such as KPN and Ziggo. The main reason for departing from conventional practice is that network operators and internet service providers (ISPs) can analyse or even sell the DNS traffic that they process without obtaining the users' consent – practices that are common in the US.

Opponents of the approach have two main concerns. First, potentially sensitive DNS traffic will be diverted to a US-based service provider. Second, local controls – aimed at blocking phishing websites or processing certain types of traffic locally – will be circumvented. Where that second point is concerned, it's important to remember that the DNS isn't merely a mechanism for obtaining a website's IP address. It also enables operators to monitor internet traffic on their networks. Operators lose that control if Firefox stops sending DNS queries to the local network's resolver and sends them to Cloudflare instead.

More control for network operators

In response to the reception its plans received, Mozilla made various changes. First, it decided that DoH would initially be rolled out only to users in the US. Second, it set up a 'canary domain', use-application-dns.net. The canary domain works as follows. Before enabling DoH, Firefox asks the resolver configured in the operating system to look up the IP address for the canary domain. If that lookup does not return an address, the browser doesn't send any DNS traffic to Cloudflare using DoH, but keeps relying on the operating system's resolver. That will usually be the local network's resolver. So operators can ensure that DNS traffic still follows the conventional route by blocking use-application-dns.net on their resolvers.

From angry social media posts and furious letters sent by American ISPs, we know that there is plenty of annoyance with the way that Mozilla is implementing DoH. However, that is not the same thing as knowing how much active resistance there is to Mozilla's approach. For that, we would need to determine how many resolvers actually block the canary domain use-application-dns.net. Fortunately, the public RIPE Atlas measurement network enables us to do just that. The network consists of more than ten thousand probes, which the team here at SIDN Labs has been using to send DNS queries for the canary domain. The queries were sent to the resolvers configured for each probe's local network. RIPE Atlas's probes are located in networks all over the world, but are weighted towards Europe and the US. They are therefore useful for gauging active resistance in those two regions.

Blocking is more common in the US

When we started measuring in September 2019, only about 4 per cent of resolvers blocked the canary domain. By this week, the proportion was up to 9 per cent, as shown in Figure 1.

Figure 1: Probes whose resolvers block the canary domain.

At the end of February, there was a clear upturn in the number of blocking resolvers. That's when Mozilla announced it was starting to activate DoH for users in the US. Until then, the protocol was active only for a small number of people using developer versions of Firefox. Not surprisingly, therefore, the proportion of resolvers that block the canary domain is highest in North America: nearly 13 per cent.

Figure 2: Probes whose resolvers block the canary domain, by continent.

Nevertheless, as Figure 2 shows, even in Europe, 9.5 per cent of resolvers block the domain name. That's perhaps surprising, given that Mozilla hasn't activated DoH by default in Europe, and currently has no plans to do so.

Who's blocking DoH?

In Europe, French ISP Orange and Belgian ISP Telenet stand out. Both block the canary domain for their customers by default. In the US, it appears that Cox – the country's third largest cable provider – is disabling Firefox's DoH. However, no Dutch ISPs appear to be doing any large-scale blocking. In some cases, the canary domain isn't blocked by local network resolvers, but by resolver services. For example, OpenDNS provides a public resolver service that won't answer queries for certain domains known to be malicious. The service additionally blocks Mozilla's canary domain, because otherwise the protection provided by OpenDNS could be circumvented by Firefox sending its queries to Cloudflare instead.

How effective is blocking?

In order to fully disable DoH in Firefox, a network operator needs to ensure that all the resolvers in their network prevent access to the canary domain. Many blocking networks aren't doing that, however. One in five networks with blocking resolvers also has at least one resolver that does permit queries to the canary domain. That could lead Firefox to conclude that such a network does allow DoH via Cloudflare, when that may not be the case. Network operators' efforts to block the canary domain are not always effective, therefore.
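The canary check described above and the per-network consistency problem just discussed can both be reproduced on constructed data. The following Python script is an added example, not SIDN Labs' measurement code and not Firefox's implementation: it parses raw DNS replies for use-application-dns.net the way a probe would, decides per resolver whether Firefox would disable DoH, and then reports the share of blocking resolvers and the networks where only some resolvers block. The replies are fabricated in the script with `build_response`; the network names and resolver addresses are placeholders; and the rule that NXDOMAIN, SERVFAIL and a NOERROR reply without any A/AAAA record all count as "blocked" is this example's reading of "if it can't find it".

```python
"""Classify DNS replies for Mozilla's canary domain as a measurement probe
would, then aggregate the verdicts per network (example code, constructed data)."""
import struct
from collections import defaultdict

CANARY = "use-application-dns.net"
QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(rcode, answers=(), qtype=QTYPE_A):
    """Fabricate a wire-format DNS reply to an A query for the canary domain.
    answers: list of (rrtype, rdata bytes). Only used to construct sample data."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    question = _encode_name(CANARY) + struct.pack("!HH", qtype, 1)
    rrs = b""
    for rrtype, rdata in answers:
        # 0xC00C is a compression pointer back to the name in the question section
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(raw):
    """'blocked' if Firefox would disable DoH on this reply, otherwise 'open'.
    Assumption of this example: NXDOMAIN, SERVFAIL, a truncated reply, or a
    NOERROR reply with no A/AAAA record all mean the canary was not found."""
    if len(raw) < 12:
        return "blocked"
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", raw[:12])
    if flags & 0x0F != RCODE_NOERROR:
        return "blocked"
    off = 12
    for _ in range(qdcount):
        off = _skip_name(raw, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(raw, off)
        rrtype, _, _, rdlen = struct.unpack("!HHIH", raw[off:off + 10])
        off += 10 + rdlen
        if rrtype in (QTYPE_A, QTYPE_AAAA):     # any address record keeps DoH on
            return "open"
    return "blocked"


def summarise(measurements):
    """measurements: list of (network, resolver, raw_reply).
    Returns (share of blocking resolvers, networks where blocking is inconsistent)."""
    verdicts = {(net, res): classify_response(raw) for net, res, raw in measurements}
    blocked = sum(1 for v in verdicts.values() if v == "blocked")
    share = blocked / len(verdicts) if verdicts else 0.0
    per_net = defaultdict(set)
    for (net, _), verdict in verdicts.items():
        per_net[net].add(verdict)
    inconsistent = {net for net, seen in per_net.items() if len(seen) == 2}
    return share, inconsistent


A_RECORD = (QTYPE_A, bytes([192, 0, 2, 1]))  # constructed answer (TEST-NET-1 address)

# Constructed sample: placeholder network names and resolver addresses
SAMPLE = [
    ("NET-A", "10.0.0.53", build_response(RCODE_NOERROR, [A_RECORD])),
    ("NET-A", "10.0.1.53", build_response(RCODE_NOERROR, [A_RECORD])),
    ("NET-B", "10.1.0.53", build_response(RCODE_NXDOMAIN)),
    ("NET-B", "10.1.1.53", build_response(RCODE_NXDOMAIN)),
    ("NET-C", "10.2.0.53", build_response(RCODE_NXDOMAIN)),
    ("NET-C", "10.2.1.53", build_response(RCODE_NOERROR, [A_RECORD])),  # one resolver forgotten
    ("NET-D", "10.3.0.53", build_response(RCODE_NOERROR)),              # NOERROR, no records
]

if __name__ == "__main__":
    share, inconsistent = summarise(SAMPLE)
    print(f"{share:.0%} of resolvers block the canary domain")
    print("networks with inconsistent blocking:", sorted(inconsistent))
```

On the constructed sample, four of the seven resolvers block, and NET-C is flagged as a network where Firefox would still enable DoH for clients that happen to use the second resolver. Pointing `classify_response` at real replies only requires sending the query yourself (the parser already handles compression pointers and CNAME-then-A answers); the aggregation is what turns per-probe verdicts into the figures reported in this post.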

Conclusions

Is opposition to Mozilla's DoH plans as strong as the reactions on the internet would suggest? Our measurements indicate that some DNS operators, particularly in the US, want to prevent DNS traffic bypassing their resolvers. However, the great majority are not actively resisting Mozilla's approach, at least not yet.

Various possible explanations come to mind. One is that many US users' privacy will actually be enhanced if Firefox normally routes their DNS queries to Cloudflare, rather than to their own ISPs. The American users in question therefore stand to gain from DoH being enabled by default. On the other hand, Firefox's share of the US browser market is only about 9 per cent. Consequently, the impact of Mozilla enabling DoH for all users by default is relatively small. That may explain why the majority of ISPs haven't (yet) blocked the canary domain.

Opposition has been voiced in Europe too, even though Mozilla hasn't activated DoH here. In contrast to the US, Europe doesn't allow the use of DNS data for other purposes. European users are also probably more distrustful of American service providers such as Cloudflare. That may be why a significant proportion of European resolvers already block the canary domain. Some ISPs might also be concerned about being prevented from monitoring their DNS traffic for operational purposes, as evidenced by the way Orange and Telenet have responded. Indeed, the data for both regions underlines the continuing importance of the DNS as a tool for filtering and managing network traffic: 9 per cent of resolvers in our study use DNS filtering technology to block the canary domain.

Meanwhile, Mozilla has announced plans to monitor for abuse of the canary domain. If the domain is blocked on a large scale – to enable the continued sale of DNS traffic, for example – Mozilla may consider disabling the canary domain check. Clearly, then, the canary domain isn't a complete solution. Mozilla is apparently seeking to protect end users against unscrupulous network operators. Yet the organisation is providing those very operators with a mechanism for disabling the protection that's provided. We therefore intend to keep a watchful eye on developments.

Data is in the public domain

The measurement data referred to in this blog is publicly available. It's also worth noting that SIDN Labs isn't the only team researching this topic. One of our research partners, the Information Sciences Institute at the University of Southern California, has published some similar measurements. And if you’re now interested in experimenting with DoH, then you should check out our own DoH resolver service as well.