WHOIS

By stretch | Friday, March 11, 2011 at 4:42 a.m. UTC

WHOIS, pronounced who is, is a simple protocol which can be used to identify the owner of a domain name or IP prefix. Similar to FTP and SMTP, WHOIS is a character-oriented protocol which can be used by hand over a Telnet connection. However, it is more practical to use a purpose-built WHOIS command line or web-based client. Most Linux and BSD systems come with a WHOIS client pre-installed, and free WHOIS clients are available for other platforms.

To get a sense for how simple the protocol is, let's look at an example using Telnet. We'll telnet to whois.crsnic.net (a well-known WHOIS server) on port 43.

$ telnet whois.crsnic.net 43
Trying 199.7.51.74...
Connected to whois.crsnic.net.
Escape character is '^]'.
cisco.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: CISCO.COM
   Registrar: NETWORK SOLUTIONS, LLC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS1.CISCO.COM
   Name Server: NS2.CISCO.COM
   Status: ok
   Updated Date: 19-apr-2010
   Creation Date: 14-may-1987
   Expiration Date: 15-may-2011

>>> Last update of whois database: Thu, 10 Mar 2011 22:01:40 UTC <<<
...

That's it; we type the domain, and the server terminates the connection after providing its response. The output above tells us where to find the appropriate WHOIS server for the .com top-level domain: whois.networksolutions.com. This is referred to as a thin WHOIS model; other TLDs, most notably .org, operate a thick model wherein all domain information is maintained in a single central database.

Next, we telnet to whois.networksolutions.com and repeat the query.

$ telnet whois.networksolutions.com 43
Trying 205.178.188.12...
Connected to whois.networksolutions.com.
Escape character is '^]'.
cisco.com
NOTICE AND TERMS OF USE: You are not authorized to access or query our WHOIS
database through the use of high-volume, automated, electronic processes. The
...

Registrant:
Cisco Technology, Inc.
   170 W. Tasman Drive
   San Jose, CA 95134
   US

   Domain Name: CISCO.COM

   Administrative Contact:
      InfoSec       MBITtransferadmin@melbourneitdbs.com
      170 West Tasman Drive
      San Jose, CA 95134
      US
      408-527-3842 fax: 408-526-4575

   Technical Contact:
      Network Services      dns-info@CISCO.COM
      170 W. Tasman Drive
      San Jose, CA 95134
      US
      408-527-9223 fax: 408-526-7373

   Record expires on 15-May-2011.
   Record created on 14-May-1987.
   Database last updated on 10-Mar-2011 17:04:16 EST.

   Domain servers in listed order:

   NS1.CISCO.COM                128.107.241.185
   NS2.CISCO.COM                64.102.255.44

Dedicated WHOIS clients automate this process, querying additional WHOIS servers as needed to find the desired record. The two queries above could be accomplished with the simple command whois cisco.com. WHOIS clients also come with well-known WHOIS servers compiled in, saving the user the trouble of looking up the appropriate server for a domain.
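The referral-following that such clients perform, sketched in Python as an added example (not code from the original post or from any particular whois client). The hop limit, reply-size cap and hostname check are assumptions added here because the referral host is data supplied by the remote server; lookup, find_referral and whois_query are illustrative names.

```python
import re
import socket

MAX_BYTES = 1 << 20   # cap on one reply (assumed limit)
MAX_HOPS = 3          # referral depth (assumed limit)
HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
REFERRAL = re.compile(r"^[ \t]*Whois Server:[ \t]*(\S+)[ \t]*\r?$", re.I | re.M)

# Excerpt of the registry reply shown in the first Telnet session above.
SAMPLE_REGISTRY_REPLY = (
    "   Domain Name: CISCO.COM\r\n"
    "   Registrar: NETWORK SOLUTIONS, LLC.\r\n"
    "   Whois Server: whois.networksolutions.com\r\n"
    "   Referral URL: http://www.networksolutions.com\r\n")

def whois_query(server, query, port=43, timeout=10):
    """Send one query line; read until the server closes the connection."""
    chunks, total = [], 0
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        while total < MAX_BYTES:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def find_referral(response):
    """Return the validated referral host from a reply, or None."""
    match = REFERRAL.search(response)
    if match and HOSTNAME.fullmatch(match.group(1)):
        return match.group(1).lower()
    return None

def lookup(domain, server="whois.crsnic.net", query_fn=whois_query):
    """Follow referrals; returns [(server, reply), ...] in query order."""
    if not HOSTNAME.fullmatch(domain):   # also rejects embedded CR/LF
        raise ValueError("not a plain hostname: %r" % (domain,))
    seen, results = set(), []
    while server and server not in seen and len(results) < MAX_HOPS:
        seen.add(server)
        reply = query_fn(server, domain)
        results.append((server, reply))
        server = find_referral(reply)  # server-supplied; validated there
    return results
```

Passing a different query_fn lets the referral logic be exercised against canned replies without touching the network.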

WHOIS can also be used to look up IP prefix information. These records are held not by domain registrars but by the five regional Internet registries (RIRs).

$ nslookup packetlife.net
Server:     208.67.220.220
Address:    208.67.220.220#53

Non-authoritative answer:
Name:   packetlife.net
Address: 174.143.213.184

$ whois 174.143.213.184
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 174.143.213.184"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=174.143.213.184?showDetails=true&showARIN=false
#

Slicehost RSPC-1246472891078100 (NET-174-143-212-0-1) 174.143.212.0 - 174.143.215.255
Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) 174.143.0.0 - 174.143.255.255

Here we see two records which match our query: Slicehost (174.143.212.0/22) and Rackspace Hosting (174.143.0.0/16). This indicates that Rackspace allocated a portion of its address space to Slicehost, which it recently acquired. (This is actually a bit misleading: packetlife.net is in fact hosted by Rackspace.)
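An added example (not from the original post) that turns the two address ranges in ARIN's summary into CIDR prefixes and picks the most specific one covering an address. The line layout is assumed from the two lines shown above; parse_summary and most_specific are illustrative names.

```python
import ipaddress
import re

# The two summary lines from the ARIN reply shown above.
SAMPLE_SUMMARY = (
    "Slicehost RSPC-1246472891078100 (NET-174-143-212-0-1) "
    "174.143.212.0 - 174.143.215.255\n"
    "Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) "
    "174.143.0.0 - 174.143.255.255\n")

# Assumed layout: <org name> <org handle> (<net handle>) <first> - <last>
SUMMARY_LINE = re.compile(
    r"^(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<net>NET-[^)]+)\)\s+"
    r"(?P<first>[0-9.]+)\s+-\s+(?P<last>[0-9.]+)\s*$")

def parse_summary(text):
    """Parse summary lines into dicts with the range expressed as CIDRs."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line)
        if not m:
            continue  # comment lines ('#') and blanks
        try:
            first = ipaddress.IPv4Address(m.group("first"))
            last = ipaddress.IPv4Address(m.group("last"))
            cidrs = list(ipaddress.summarize_address_range(first, last))
        except ValueError:
            continue  # malformed address or reversed range
        records.append({"org": m.group("org"), "net": m.group("net"),
                        "cidrs": cidrs})
    return records

def most_specific(records, ip):
    """Return the record whose prefix covering ip is longest, or None."""
    addr = ipaddress.IPv4Address(ip)
    hits = [(net.prefixlen, rec) for rec in records
            for net in rec["cidrs"] if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None
```

The most specific record names the holder of the allocation, which is not always the party operating the host.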

To get more detail about these entries, we could reissue the WHOIS query with a plus sign prepended to the IP address; this instructs the ARIN WHOIS server to respond with detailed information about both records. (Note that some whois clients handle such requests better than others.) Alternatively, we could try ARIN's web-based WHOIS interface mentioned in the reply.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.


Comments


james (guest)
March 11, 2011 at 5:53 a.m. UTC

Which is the best one for Windows?

Cheers


Jens Link (guest)
March 11, 2011 at 8:21 a.m. UTC

You can also look up AS numbers using whois

jens@oban:~$ whois as109
...
ASNumber:       109
ASName:         CISCOSYSTEMS
ASHandle:       AS109
RegDate:        1987-05-06
Updated:        1997-05-20    
...

James (guest)
March 11, 2011 at 6:57 p.m. UTC

The smartest WHOIS server out there in my opinion is geektools which has been around for >10 years. Whether IP address or domain name or AS number, geektools just works and gets around annoying registrar query limits too.

whois -h whois.geektools.com

Also worth noting is our whois.pwhois.org if you mainly want routing related info for an IP address.


WoWfancy
March 24, 2011 at 6:44 a.m. UTC

I really like Packet Life, just as
