WHOIS
WHOIS, pronounced who is, is a simple protocol which can be used to identify the owner of a domain name or IP prefix. Similar to FTP and SMTP, WHOIS is a character-oriented protocol which can be used by hand over a Telnet connection. However, it is more practical to use a purpose-built WHOIS command line or web-based client. Most Linux and BSD systems come with a WHOIS client pre-installed, and free WHOIS clients are available for other platforms.
To get a sense for how simple the protocol is, let's look at an example using Telnet. We'll telnet to whois.crsnic.net (a well-known WHOIS server) on port 43.
$ telnet whois.crsnic.net 43
Trying 199.7.51.74...
Connected to whois.crsnic.net.
Escape character is '^]'.
cisco.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: CISCO.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.CISCO.COM
Name Server: NS2.CISCO.COM
Status: ok
Updated Date: 19-apr-2010
Creation Date: 14-may-1987
Expiration Date: 15-may-2011
>>> Last update of whois database: Thu, 10 Mar 2011 22:01:40 UTC <<<
...
That's it; we type the domain, and the server terminates the connection after providing its response. The output above tells us where to find the appropriate WHOIS server for this .com domain: whois.networksolutions.com, the server run by its registrar. This is referred to as a thin WHOIS model; other TLDs, most notably .org, operate a thick model wherein all domain information is maintained in a single central database.
Next, we telnet to whois.networksolutions.com and repeat the query.
$ telnet whois.networksolutions.com 43
Trying 205.178.188.12...
Connected to whois.networksolutions.com.
Escape character is '^]'.
cisco.com
NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS
database through the use of high-volume, automated, electronic processes. The
...
Registrant:
Cisco Technology, Inc.
170 W. Tasman Drive
San Jose, CA 95134
US
Domain Name: CISCO.COM
Administrative Contact:
InfoSec MBITtransferadmin@melbourneitdbs.com
170 West Tasman Drive
San Jose, CA 95134
US
408-527-3842 fax: 408-526-4575
Technical Contact:
Network Services dns-info@CISCO.COM
170 W. Tasman Drive
San Jose, CA 95134
US
408-527-9223 fax: 408-526-7373
Record expires on 15-May-2011.
Record created on 14-May-1987.
Database last updated on 10-Mar-2011 17:04:16 EST.
Domain servers in listed order:
NS1.CISCO.COM 128.107.241.185
NS2.CISCO.COM 64.102.255.44
Dedicated WHOIS clients automate this process, automatically querying additional WHOIS servers as needed to find the desired record. The two queries above could be accomplished with the simple command whois cisco.com. WHOIS clients also come with well-known WHOIS servers compiled in, saving the user the trouble of looking up the appropriate server for a domain.
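The two-step lookup above, written as a small Python client (an added example, not code from the original post). The function names, the hop limit, the reply size cap and the hostname check on the referral are assumptions of this example; the check is there because the referral is text supplied by the remote server.

```python
import re
import socket

# Referral line as it appears in the thin-registry reply shown above;
# newer registry replies label the same field "Registrar WHOIS Server:".
REFERRAL = re.compile(r"^\s*(?:Registrar\s+)?Whois Server:\s*(\S+)\s*$", re.I | re.M)
# The referral is server-supplied text: accept only a plain DNS hostname.
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def query(server, name, timeout=10.0, max_bytes=1 << 20):
    """One WHOIS exchange: send the name plus CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks, size = [], 0
        while size < max_bytes:  # stop reading if a server never closes
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            size += len(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def find_referral(reply):
    """Return the WHOIS server a reply refers us to, or None."""
    match = REFERRAL.search(reply)
    if match and HOSTNAME.match(match.group(1)):
        return match.group(1).lower()
    return None


def lookup(name, server="whois.crsnic.net", transport=query, max_hops=3):
    """Follow referrals starting at `server`; return [(server, reply), ...]."""
    seen, results = set(), []
    while server and server not in seen and len(results) < max_hops:
        seen.add(server)
        reply = transport(server, name)
        results.append((server, reply))
        server = find_referral(reply)
    return results


if __name__ == "__main__":
    for host, text in lookup("cisco.com"):  # needs outbound TCP to port 43
        print(f"--- {host} ---\n{text}")
```

The transport argument lets the referral logic be exercised against canned replies without touching the network.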
WHOIS can also be used to look up IP prefix information. These records are held not by domain registrars but by the five regional Internet registries (RIRs).
$ nslookup packetlife.net
Server: 208.67.220.220
Address: 208.67.220.220#53
Non-authoritative answer:
Name: packetlife.net
Address: 174.143.213.184
$ whois 174.143.213.184
#
# Query terms are ambiguous. The query is assumed to be:
# "n 174.143.213.184"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=174.143.213.184?showDetails=true&showARIN=false
#
Slicehost RSPC-1246472891078100 (NET-174-143-212-0-1) 174.143.212.0 - 174.143.215.255
Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) 174.143.0.0 - 174.143.255.255
Here we see two records which match our query: Slicehost (174.143.212.0/22) and Rackspace Hosting (174.143.0.0/16). This indicates that Rackspace allocated a portion of its address space to Slicehost, which it recently acquired. (This is actually a bit misleading: packetlife.net is in fact hosted by Rackspace.)
To get more detail about these entries, we could reissue the WHOIS query with a plus sign prepended to the IP address; this instructs the ARIN WHOIS server to respond with detailed information about both records. (Note that some whois clients handle such requests better than others.) Alternatively, we could also try ARIN's web-based WHOIS interface mentioned in the reply.
Comments
You can also look up AS numbers using whois
jens@oban:~$ whois as109
...
ASNumber: 109
ASName: CISCOSYSTEMS
ASHandle: AS109
RegDate: 1987-05-06
Updated: 1997-05-20
...
The smartest WHOIS server out there in my opinion is geektools which has been around for >10 years. Whether IP address or domain name or AS number, geektools just works and gets around annoying registrar query limits too.
whois -h whois.geektools.com
Also worth noting is our whois.pwhois.org if you mainly want routing related info for an IP address.


Which is the best one for Windows?
Cheers