By stretch | Friday, March 11, 2011 at 4:42 a.m. UTC
WHOIS, pronounced who is, is a simple protocol which can be used to identify the owner of a domain name or IP prefix. Similar to FTP and SMTP, WHOIS is a character-oriented protocol which can be used by hand over a Telnet connection. However, it is more practical to use a purpose-built WHOIS command line or web-based client. Most Linux and BSD systems come with a WHOIS client pre-installed, and free WHOIS clients are available for other platforms.
To get a sense for how simple the protocol is, let's look at an example using Telnet. We'll telnet to whois.crsnic.net (a well-known WHOIS server) on port 43.
    $ telnet whois.crsnic.net 43
    Trying 18.104.22.168...
    Connected to whois.crsnic.net.
    Escape character is '^]'.
    cisco.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

       Domain Name: CISCO.COM
       Registrar: NETWORK SOLUTIONS, LLC.
       Whois Server: whois.networksolutions.com
       Referral URL: http://www.networksolutions.com
       Name Server: NS1.CISCO.COM
       Name Server: NS2.CISCO.COM
       Status: ok
       Updated Date: 19-apr-2010
       Creation Date: 14-may-1987
       Expiration Date: 15-may-2011

    >>> Last update of whois database: Thu, 10 Mar 2011 22:01:40 UTC <<<
    ...
That's it; we type the domain, and the server terminates the connection after providing its response. The output above tells us where to find the appropriate WHOIS server for the .com top-level domain: whois.networksolutions.com. This is referred to as a thin WHOIS model; other TLDs, most notably .org, operate a thick model wherein all domain information is maintained in a single central database.
Next, we telnet to whois.networksolutions.com and repeat the query.
Dedicated WHOIS clients automate this process, querying additional WHOIS servers as needed to find the desired record. The two queries above could be accomplished with the simple command whois cisco.com. WHOIS clients also come with well-known WHOIS servers compiled in, saving the user the trouble of looking up the appropriate server for a domain.
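The two-step lookup described above, as an added Python example (not code from the original post or from any WHOIS client). It covers domain queries only. Because the referral host is text supplied by the first server, the example validates it as a plain hostname and caps hops and response size. The function names, limits and SAMPLE replies are constructed for illustration.

```python
import re
import socket

MAX_RESPONSE = 64 * 1024  # cap on bytes accepted from any one server
MAX_HOPS = 3              # cap on the length of a referral chain
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Field name as it appears in the whois.crsnic.net reply shown above.
REFERRAL = re.compile(r"^[ \t]*Whois Server:[ \t]*(\S+)[ \t]*\r?$", re.I | re.M)
# Constructed sample replies (modelled on the session above), keyed by server.
SAMPLE = {
    "whois.crsnic.net": "   Domain Name: CISCO.COM\r\n   Whois Server: whois.networksolutions.com\r\n",
    "whois.networksolutions.com": "Registrant: (constructed placeholder record)\r\n",
}

def query(server, name, timeout=10.0):
    """One WHOIS exchange: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(name.encode("ascii") + b"\r\n")
        chunks, total = [], 0
        while total < MAX_RESPONSE:
            data = sock.recv(4096)
            if not data:  # server closed the connection: reply is complete
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)[:MAX_RESPONSE].decode("latin-1")

def parse_referral(response):
    """Return the referred WHOIS host from a thin-registry reply, or None."""
    match = REFERRAL.search(response)
    host = match.group(1).lower().rstrip(".") if match else ""
    # The referral is server-supplied text: accept only a plain DNS hostname.
    return host if HOSTNAME.match(host) else None

def lookup(name, server="whois.crsnic.net", send=query):
    """Follow referrals starting at `server`; return [(server, response), ...]."""
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", name):
        raise ValueError("query must be a bare domain name")  # rejects CR/LF, spaces
    results, seen = [], set()
    while server and server not in seen and len(results) < MAX_HOPS:
        seen.add(server)
        response = send(server, name)
        results.append((server, response))
        server = parse_referral(response)  # None ends the chain
    return results

if __name__ == "__main__":  # offline demo using the constructed replies
    for hop, text in lookup("cisco.com", send=lambda s, n: SAMPLE[s]):
        print(f"--- {hop} ---\n{text}")
```

Calling lookup("cisco.com") without the send argument performs the real exchanges over TCP port 43.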
WHOIS can also be used to look up IP prefix information. These records are held not by domain registrars but by the five regional Internet registries (RIRs).
    $ nslookup packetlife.net
    Server:         22.214.171.124
    Address:        126.96.36.199#53

    Non-authoritative answer:
    Name:   packetlife.net
    Address: 188.8.131.52

    $ whois 184.108.40.206
    #
    # Query terms are ambiguous. The query is assumed to be:
    #     "n 220.127.116.11"
    #
    # Use "?" to get help.
    #

    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=18.104.22.168?showDetails=true&showARIN=false
    #

    Slicehost RSPC-1246472891078100 (NET-174-143-212-0-1) 22.214.171.124 - 126.96.36.199
    Rackspace Hosting RSCP-NET-4 (NET-174-143-0-0-1) 188.8.131.52 - 184.108.40.206
Here we see two records which match our query: Slicehost (220.127.116.11/22) and Rackspace Hosting (18.104.22.168/16). This indicates that Rackspace allocated a portion of its address space to Slicehost, which it recently acquired. (This is actually a bit misleading: packetlife.net is in fact hosted by Rackspace.)
To get more detail about these entries, we could reissue the WHOIS query with a plus sign prepended to the IP address; this instructs the ARIN WHOIS server to respond with detailed information about both records. (Note that some whois clients handle such requests better than others.) Alternatively, we could also try ARIN's web-based WHOIS interface mentioned in the reply.
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
March 11, 2011 at 5:53 a.m. UTC
Which is the best one for Windows?
March 11, 2011 at 8:21 a.m. UTC
You can also look up AS numbers using whois:
    jens@oban:~$ whois as109
    ...
    ASNumber:       109
    ASName:         CISCOSYSTEMS
    ASHandle:       AS109
    RegDate:        1987-05-06
    Updated:        1997-05-20
    ...
March 11, 2011 at 6:57 p.m. UTC
The smartest WHOIS server out there in my opinion is geektools which has been around for >10 years. Whether IP address or domain name or AS number, geektools just works and gets around annoying registrar query limits too.
whois -h whois.geektools.com
Also worth noting is our whois.pwhois.org if you mainly want routing related info for an IP address.