VWS publishes OpenKAT vulnerability scanning tool as open-source software
Framework for the (forensic) security of test results
Last summer, the Dutch Ministry of Public Health (VWS) published the OpenKAT vulnerability scanning tool as open-source software. OpenKAT is a software framework that combines existing security tools to boost the (forensic) security of test results.
"When the pandemic hit 2 years ago, we had to develop about 20 applications in a very short space of time," recalls project leader Jan Klopper. "We were in a real hurry – every week counted – and we were operating in a high-risk field: the processing of medical data. What's more, policies were changing all the time, and the security of the applications was a very sensitive issue: in that period, any mistakes would have led to questions being asked in parliament."
What the VWS needed was a tool that not only performed the necessary scans, but also recorded the results in a verifiable form. A tool based on the concept of a chain of custody of the kind that investigative authorities use to secure material and findings for subsequent analysis and use as evidence.
"Of course, we had numerous penetration testing and code auditing services available to us," continues Klopper, "and we did use them. However, none of the services or tools we looked at could provide quite what we needed at the time. They were all designed to perform fairly specific functions, and didn't do anything more than was needed for those functions [top-down]. The Internet.nl testing portal, which scores a domain on its support for modern internet standards, is a good example. Such tools are designed exclusively to reach a particular objective via the shortest possible route, and to draw immediate conclusions from the results."
"We had a more general question: 'Is and was that application secure?' First and foremost, we wanted to have all the underlying facts, as a basis for forming an opinion [bottom-up]. We didn't want to discard any findings or any information about the test environment that was used." In practical terms, that meant saving and timestamping details of the tools used (in the form of containers), the results and the way they were obtained. To that end, a Time Stamping Authority (a sort of digital notary) placed a digital signature under the entire body of data, including the date and time. That body of data could then serve as irrefutable proof of what was observed at a particular moment in time, and what tools and techniques were used to make the observations.
"That kind of watertight documentation is important if someone unexpectedly says, 'No, it wasn't like that'," explains Klopper. "Suppose you report a problem, and the responsible party quickly fixes it and then claims there was never a problem in the first place. Conversely, our approach can be used to defend yourself against an accusation. Take the incident a couple of years ago, when the municipality of Hof van Twente was hacked. A penetration test had been done not long before, which later turned out to have been incomplete."
OpenKAT can also be used as a basis for security audits and compliance checks. "If you do your tests every day and record the results, then, at the end of the year, you can present the auditor with 365 reports to show that you were compliant all year. Those same results can also be used as input by the Chief Information Security Officer (CISO), who can see from them which hosts are running on the infrastructure, what certificates are in use, and what the software patch levels are."
According to Klopper, there aren't yet any standards for such digital evidencing of the compliance process, "but we're currently trying to organise something with NOREA (the IT auditors' trade association)."
One final advantage of the approach is that the recorded facts can be re-analysed later and changes over time tracked. For example, you can revisit a previous scan of a website with a Content Security Policy (CSP) that authorises other hosts to supply content for the site. If the domain name of one of the authorised hosts is cancelled or its registration expires, it could in principle be re-registered by someone else, potentially creating a malware hazard.
Something similar could be done with a mail domain's SPF records, which authorise external mail systems to send mail for the domain in question. If a malicious actor managed to hijack an authorised host (name), it could be used to launch a 'spear phishing' attack as a vector for whaling or CEO fraud.
OpenKAT's software architecture has 3 layers, each of which supports plugging in external modules. From the bottom up, the layers are:
Villains: these gather information from the network and place it in the forensic datastore.
The plugins already available include a DICOM check, DNS lookup, DNSSEC validation, Fierce, an IPv6 name server and web server search tool, a Log4Shell check, nmap, Shodan, a TLS/certificate check and WPScan.
Whiskers: these are parsers that extract information from the forensic datastore and translate it into a standardised object format.
Bits: these are business rules that generate derived facts and findings on the basis of information in the standardised objects.
One big advantage of that architecture is that it lets you carry out historical analyses at a later date. If, for example, you discover a cryptominer on one of your websites, you can write a Whisker to recognise the miner software in question. Then, by running the Whisker on your old web scan data, you can ascertain exactly when the miner was installed.
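The three-layer model and the cryptominer re-analysis described above, as an added illustration in Python that is not OpenKAT's own code: constructed raw scan records stand in for the forensic datastore, a Whisker-style parser turns them into standardised objects, a Bit-style rule derives findings from a constructed indicator list, and a pass over the history yields the first observation time. All hostnames, timestamps and the indicator domain are made up for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed forensic datastore: what a Villain (the gatherer layer) would have stored
# after each nightly web scan. Host, script URLs and dates are made up for this example.
MINER_SRC = "https://cdn.miner.invalid/m.js"
CLEAN = "<html><script src='/app.js'></script></html>"
INFECTED = CLEAN.replace("</html>", f"<script src='{MINER_SRC}'></script></html>")
def rec(ts, body):
    return {"ts": ts, "host": "www.example.test", "body": body}
RAW_SCANS = [rec("2022-03-01T02:00:00Z", CLEAN), rec("2022-03-02T02:00:00Z", CLEAN),
             rec("2022-03-03T02:00:00Z", INFECTED), rec("2022-03-04T02:00:00Z", INFECTED)]

@dataclass(frozen=True)
class ScriptInclude:
    """Standardised object: one <script src=...> seen on a host at a point in time."""
    host: str
    src: str
    observed: datetime

SCRIPT_RE = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)

def whisker_script_includes(raw_scans):
    """Whisker: parse raw scan bodies into ScriptInclude objects, without judging them."""
    objs = []
    for r in raw_scans:
        ts = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        for src in SCRIPT_RE.findall(r["body"]):
            objs.append(ScriptInclude(r["host"], src, ts))
    return objs

def bit_miner_findings(objects, indicator_hosts):
    """Bit: business rule turning objects into findings; indicator_hosts is a constructed list."""
    findings = []
    for o in objects:
        host = re.sub(r"^https?://", "", o.src).split("/")[0]
        if host in indicator_hosts:
            findings.append({"host": o.host, "src": o.src, "observed": o.observed,
                             "finding": "cryptominer-script-include"})
    return findings

def first_seen(findings):
    """Historical analysis: earliest timestamp at which each finding appeared on each host."""
    earliest = {}
    for f in findings:
        key = (f["host"], f["finding"])
        if key not in earliest or f["observed"] < earliest[key]:
            earliest[key] = f["observed"]
    return earliest
```

Because the Whisker only normalises and the Bit only judges, a new indicator can be applied to every stored scan without rescanning anything.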
Klopper says that the software has attracted plenty of interest. "Z-CERT (cybersecurity in the health care sector) and Kennisnet (ICT in education) are both currently busy with pilots. The Association of Netherlands Municipalities (VNGRealisatie) has contributed as part of their Haven standard initiative (for cloud hosting). Other (commercial) actors involved in the development effort include Intermax (cloud sourcing provider) and BDO (accountants). The banking industry is also interested in using the OpenKAT framework for compliance checking."
"The open-source community is only just getting started," says Klopper. "The software has a steep learning curve because of all the complex tools incorporated into OpenKAT. Consequently, people are currently still learning and practising."
As the VWS's 'baby', OpenKAT will of course have continued support from the ministry. However, the end of the coronavirus technology initiative means that the focus has shifted from protection of the associated infrastructure to protection of the care sector. Naturally, Klopper believes that OpenKAT's open-source nature creates scope for the involvement of players such as NCSC and the Ministry of the Interior, which now has a State Secretary for Digitisation. The stakeholders are committed to further development of the software with each other and for each other, both through public-private partnerships involving the likes of Z-CERT, Kennisnet and various commercial actors, and through consortiums of government bodies.
"Other organisations face similar challenges," Klopper points out. "We are already collaborating with Z-CERT in various areas, for example. But I see the software as suitable for compliance testing in all sorts of settings. The crucial thing is to keep the existing partnerships going."